In recent news, the FBI recommends that you reboot your router. While this is good advice, a lot of the news articles do not really address why this is important and, more importantly, what other long-term measures should be taken. The short answer is that many routers used by individuals and small businesses to connect to the Internet have been infected with malware that runs in memory. Since it runs in memory, turning off your router erases the contents of memory and with it any of the malicious code. When the router is turned back on, a fresh copy of the router’s operating system is loaded (and at the time this is written, the malicious code did not infect or compromise the stored version of the router’s code).
There have been a lot of questions around this topic, so let’s break down what this really means and how to be properly protected online.
Types of Malware
There are two general types of malware: persistent and non-persistent. Persistent malware will often write itself to a hard drive and infect the stored image of the operating system. Therefore, even if you reboot the system, the malware would run every time. Non-persistent malware infects the memory of the system, which is
For laptops and personal computers that are typically turned off on a daily basis, persistent malware is the most dangerous. If a device that is turned off frequently is infected with non-persistent malware, the impact and overall damage
As of the writing of this article, the malware in question is non-persistent and only infected the running memory. This is the reason the FBI recommends turning off your router and turning it back on again. Compromising memory is often easier than compromising the actual image of the operating system that is used to load the router each time the device is powered on. Typically, routers do not have hard drives like a computer does, and even if they do, the operating system is often written into
The real question is how the adversaries are going to morph in response to the recommendation that everyone reboot their routers. On the one hand, since many people do not follow security recommendations, many will probably not reboot their routers, so the adversary will retain long-term access. On the other hand, if enough people do, the attackers may work harder to see if there is a way to infect the system in a persistent manner, so that even if the router is rebooted, the adversary still has access. Therefore, it is important to read on and be proactive.
Long Term Protection
Rebooting the router is good advice and something that should be done. But let’s ask some simple questions: How did the adversary get in? And if the adversary got in once, even if you reboot to remove the malicious code from memory, what’s stopping the adversary from breaking in again using the same method? Is the solution really to reboot your router every day, just to be safe?
With any cyber-attack, there are typically two steps that need to be taken: a short-term fix and a long-term fix. The short-term fix is to reboot the router. If you are infected, this will stop the malicious code, but nothing stops the adversary from breaking back in again, and again, and again. The long-term fix is to figure out how they got in and remove the original means of exploitation.
At the time of writing, the exact means of compromise is not known, but by understanding how attacks work it is fairly easy to narrow down the list of potential weak points and remove them. In order to “hack” a system there
1) visible IP;
2) means of access; and
3) method of access.
Internet routers by default need to be reachable from the Internet, so there is not a lot that can be done about being visible. However, the routers in a home or small business should not need to be remotely managed, so their administrative interfaces should not be accessible from the Internet. Yes, routers in larger organizations need to be remotely managed, but those are not the ones that have been compromised. The routers of concern are those in homes and small offices. The problem is that the compromised routers have remote administration turned on by default. This is a problem because you should not allow administrative access from the Internet, especially when you do not need it.
Therefore, the long-term protection is to turn off remote administrative access and change the password. Simple but effective.
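After turning off remote administration, it is worth confirming from outside your network that the router's management ports no longer answer. The following script is an added example, not from the original article: run it from a host outside your network (a phone hotspot, for instance) against your own router's public IP. The port list and the placeholder address are assumptions; adjust them to what your router actually offers.

```python
"""Verify from outside that a router's management services are not reachable.

Added example, not from the original article. Assumes you run it from a
host outside your own network against your own router's public IP after
turning off remote administration. A TCP connection that completes means
the service is still exposed to the Internet and needs attention.
"""
import socket
from typing import Dict, Iterable

# Common remote-management ports (assumption: adjust to your router's services)
MANAGEMENT_PORTS = {
    22: "ssh",
    23: "telnet",
    80: "http admin",
    443: "https admin",
    8080: "alt http admin",
}


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # connection refused, timed out or host unreachable
        return False


def exposed_services(host: str, ports: Iterable[int] = MANAGEMENT_PORTS,
                     timeout: float = 2.0) -> Dict[int, str]:
    """Map each reachable port to a label; an empty dict is the desired result."""
    found = {}
    for port in ports:
        if port_is_open(host, port, timeout):
            found[port] = MANAGEMENT_PORTS.get(port, "unknown service")
    return found


if __name__ == "__main__":
    import sys
    # 203.0.113.1 is a documentation-range placeholder, not a real router.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"
    open_ports = exposed_services(target)
    if open_ports:
        for port, label in sorted(open_ports.items()):
            print(f"{target}:{port} ({label}) is reachable from the Internet")
    else:
        print(f"No management ports reachable on {target}: remote administration is off")
```

Run it once before and once after disabling remote administration; the second run should report nothing reachable.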
The Road Ahead
Every compromise, every exploit, every