Why would you care to check if you’re running a router that has fallen prey to hackers? Because routers aren’t immune to criminals and the device transfers a lot of sensitive data. Most people don’t pay attention to their routers, nonetheless care to check if its been hacked or even know how, the router is just that little black box right? No, its much more. The router is what all your devices connect too, where all your traffic is sent through, where everything related to your internet directs through.
A compromised router is a huge security risk. One of cybercriminals favorite methods of router hacking is DNS hijacking, which is known to cause a variety of problems. It often leads to malicious advertising and pointing real domains towards phishing sites aimed at stealing your banking, email and social network credentials. Which criminals can later abuse for profit, scams and to infect more.
Want to find out if your router has been hijacked? Drum roll please… the router checker tool is here to save the day.
Security experts over at F-Secure just announced their latest project dubbed Router Checker, a tool that can tell you if your routers DNS has been hijacked. In one click you can find if your router has been hacked, no downloads or installs required, just click start now, let the test run and you’re done. Current versions of Internet Explorer, FireFox, Chrome, Safari and Opera are all supported by the router checking webpage.
To run a test against your router to see if it has been hacked, click the big colorful start now in the middle of the webpage. Router checker will then run a test to see if DNS requests sent from your device are being routed properly or if they’re being hijacked by a third-party.
Running the test on our desktop using our default DNS, Google DNS and a VPN router all passed with no issues. Running the test on our smartphone and tablet under the same conditions including LTE returned the same results, safe and secure. Though some users have reported running into issues with their smartphone, where F-Secure notes the configured servers are not widely used, commonly occurs with ISP’s. Most have noted that seeing a yellow warning tab does not mean to panic, instead, proceed with caution til you accurately asses the risk.
My router has been hacked, what do I do?
If your router does appear to be hacked, you need to asses the situation immediately and treat it as a severe attack. First you will want to go ahead and dig into the “details of your DNS server’s IP address” portion of the tool. To do so, click the large plus sign which should open an additional panel with lots of details. Don’t worry, this is common when working with DNS tools, lots of numbers and locations.
While using this tool we were running Private Internet Access VPN on our router, appearing in the United States on a California server. The following details were returned:
Looking over your details, if on a basic home router with no VPN or third-party DNS servers setup, the details should spit out your ISP name along with your designated IP address. If the DNS servers are routing elsewhere, such as other states or countries, your router is likely hacked. To fix the issue, you will need to start by logging in to the routers administrator panel. If you do not know how to do this on your current setup, it might be worth calling your ISP and asking for assistance to gain access to the router, or you can follow the guide below.
Fixing the Hijacked Router
If you’re using a Windows machine click the start button and type CMD then hit enter. A small black command prompt should appear, where you will then type the words “ipconfig” without the quotes obviously. From there the command prompt should bring up a long list of items. Scroll up until you see “Default Gateway” where you should see a 198.168.xx.x address or similar. Copy the address and paste it into your browser.
If you’re on Mac OS X click the Apple icon on the top left corner. From there click “System Preferences”. Next, click “Network”. This should open a small panel, make sure on the left side you are on Ethernet or whatever wireless card you’re using and look for the router section. It should contain a set of numbers that you can paste into your browser.
Paste the numbers into your browser, from there it should bring a popup asking for your username and password credentials. Now if you’re using a third-party router, now would be a good time to go grab the old dusty box it came in off the shelf and see if it has any username and password credentials or setup guides. If you’re using a stock ISP router the credentials could be anything from your last name on the ISP account to the password being a phone number, last name, router brand, credentials you setup or something out of the blue. The credentials could also be “admin” for both the username and password. Again, you may need to contact your ISP here or do a quick online search for “what are my [brand name]router login credentials.”
Once you’re inside the routers admin panel, your panel may differ from ours, so bare will us. Check for anything labeled, network, DNS, tools or basic. Depending on your router, while navigating through the panels, keep an eye out for the word DNS. Now in our Tomato router panel, our DNS settings were under Basic > Network. From there we had clear access to 3 DNS servers we could choose to setup. Seeing as we wanted to use the default VPN DNS, we chose to leave our panels on the default settings. If your router is hacked, you may find a third-party DNS occupying the space you did not allow. Remove the numbers and either leave the panel blank or whatever the default is for the router, likely 0.0.0.0 or similar.
Now click save and power cycle (reset) the router by either unplugging it or resetting it from the admin panel itself. Give it a few minutes depending on your router and run the test once again. The test should come up clean. If not, your computer’s DNS could be hijacked too.
The router is clean, but the test still says I’m infected?
In the rare event that you cleaned your router off and the test still claims your infected, it could be an issue stemming directly from the PC itself.
On a Windows you will need to navigate to your DNS settings. On Windows 7 and earlier machines you can click the start button and navigate to “Control Panel” on the upper right side. Under the “Network and Internet” tab click “View network status and tasks”. From there you can click “Change adapter settings”. Find your wifi card or Ethernet switch, click on it, then right click and hit properties. Scroll down to IPv4 where you will again click properties. You will then want to assure the DNS is set to “Obtain DNS server address automatically” or whatever desired DNS you would like. You can use Google DNS at 220.127.116.11 if you would like.
On a Mac, you will navigate to the same panel you did earlier, click the Apple logo on the top left, System Preferences > Network. Below the router area there should be a “DNS Server” section in which you can edit accordingly.
You may want to clear your browser cache or reset your computer before running the test again. Once that’s done, the test should return the reassuring words “no issues were found.” If not, then the system may be compromised with malware, where you may wish to scan for malware and viruses with tools like Malwarebytes, SpyBot,SuperAntiSpyware and Eset Online Scanner.
After you run the malware and virus cleanup you can once again clear your browser cache, reset your system and try once again. If the issue persists, try it on a number of devices. If the issue continues to persist, your router may directly be infected with malware, meaning you need to contact your ISP, grab a new one from the store or flash it with open source firmware.
F-Secure’s router checker tool is not a definite way to ensure your router hasn’t been hacked, it simply checks if the DNS has changed and if the servers are malicious or unknown. There are many ways routers can be hacked, and the only definite way to ensure your router is not hacked is to sniff the traffic, or alternatively flash the router with open source firmware. But for 99% of regular internet users, F-Secure’s router checker should be a good starter test and leave you with peace of mind.
Router checker is a nice tool to bookmark and pull up every once and a while or while on the go at hotspots or other locations. You might want to pop open the tool next time you’re at a coffee shop, or airport and find out the networks health.