SANS Internet Storm Center (SANS ISC) InfoSec Forums

Resetting Your Router the Paranoid (=Right) Way

You probably heard the advice given earlier this week to reset your router because of malware referred to as "VPNFilter" that has infected a large number of routers. I do not want to second-guess this advice, but instead outline a couple of issues with "resetting" a router.

First of all: pretty much all router malware (Mirai variants, TheMoon and the various Linux Perl/bash scripts affecting routers) will not survive a simple power cycle of the router. However, the vulnerability that let the malware in will survive. Secondly, some configuration changes may survive. In particular, changes to DNS settings are often made without any actual malware, by exploiting CSRF vulnerabilities in the router's web-based admin interface.

My main problem with having thousands of users reset their routers to factory default settings is that they may inadvertently reset them to use a simple default password.

So here are some generic step-by-step instructions on what to do:

  1. Write down any important configuration changes that you made to the router, for example any changes to the default IP addresses or DNS settings. Save any VPN connection settings that you need. In addition, back up your configuration via the router's admin interface, but do not expect to use that backup (you do not want to restore any compromised settings).
  2. Download the latest and greatest firmware for your router, even if you think you already run this particular version. Verify the firmware's integrity, which can be difficult. Maybe some vendors publish hashes; I do not think any vendor publishes PGP signatures. If you cannot find a legitimate way to verify the integrity, then download it several times, using different networks and different devices, and compare the hashes. Just for giggles: call the manufacturer's customer support number and ask for the hash. Maybe they will publish them if enough people complain. Most routers will do some integrity checking before applying the firmware, but remember, we assume the router is compromised. Also, avoid the built-in "self-update" or "auto update" at this point.
  3. Disconnect the router from the internet (unplug the network cable).
  4. Reboot the router
  5. Reset the router to the factory default settings. It is very important that you do this while the router is disconnected from the internet. It will likely reset the router to use some simple default password. Keep the router disconnected from the Internet.
  6. Apply the latest firmware. Some routers may refuse to do that if they already have this version installed.
  7. Configure your router using the notes you took in step 1. A couple of points to consider:
    1. set a strong admin password
    2. make sure a password is required even when you access the router from the local network.
    3. Disable all remote admin interfaces (http, telnet, ssh...) unless you really really really need them (and if you do: consider using the router as a VPN endpoint if you can)
    4. if possible, change the administrator user name
    5. change the IP address scheme. For example, instead of 192.168.1.0/24, use 10.123.21.0/24 (pick random octets). It doesn't do much, but every bit helps.
    6. If you do not like your ISP's default DNS server, then pick some of the known good public ones (Google, OpenDNS, Quad9, Cloudflare ...). Maybe mix two of them by using 8.8.8.8 and 9.9.9.9?
  8. If you are really paranoid, then repeat the steps.
  9. If you are not so paranoid (brave?): reconnect the router to the internet.
  10. Post the firmware checksum to any support forums to help others verify their firmware (or learn that your firmware was compromised)
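Steps 2 and 10 boil down to hashing the downloaded image, checking that independently obtained copies agree, and comparing against any hash the vendor (or a support forum) publishes. The script below is an added example, not code from the diary or from any router vendor; the firmware bytes and download labels are constructed stand-ins, and the only assumption is that the published hash is SHA-256 in hex.

```python
import hashlib
import hmac
import sys
from collections import defaultdict

# Constructed stand-ins for firmware images (real ones are many MB). Three copies
# fetched over different networks/devices agree; one was altered in transit.
_GOOD_IMAGE = b"ROUTER-FW-v1.2.3" + b"\x00" * 64
SAMPLE_DOWNLOADS = {
    "home-wifi": _GOOD_IMAGE,
    "mobile-hotspot": _GOOD_IMAGE,
    "office-lan": _GOOD_IMAGE,
}
TAMPERED_DOWNLOAD = b"ROUTER-FW-v1.2.3" + b"\x00" * 63 + b"\x01"


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory image."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file on disk, read in chunks so a large image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_digest(digests: dict) -> tuple:
    """Group labelled copies by digest.

    Returns (all_agree, {digest: [labels...]}). Agreement across networks is a
    necessary condition for trusting the file, not proof of authenticity: a
    vendor site serving a bad image serves it identically to everyone.
    """
    groups = defaultdict(list)
    for label, digest in digests.items():
        groups[digest].append(label)
    return len(groups) == 1, dict(groups)


def compare_downloads(images: dict) -> tuple:
    """Same as group_by_digest, for copies already loaded as bytes."""
    return group_by_digest({label: sha256_bytes(data) for label, data in images.items()})


def matches_published(data: bytes, published_hex: str) -> bool:
    """Check an image against a published SHA-256 (tolerates case and surrounding whitespace)."""
    return hmac.compare_digest(sha256_bytes(data), published_hex.strip().lower())


def main(argv):
    # With file paths on the command line, hash the real downloads; with no
    # arguments, run against the constructed sample so the logic can be seen.
    if len(argv) > 1:
        digests = {path: sha256_file(path) for path in argv[1:]}
    else:
        images = {**SAMPLE_DOWNLOADS, "tampered-copy": TAMPERED_DOWNLOAD}
        digests = {label: sha256_bytes(data) for label, data in images.items()}
    agree, groups = group_by_digest(digests)
    for digest, labels in groups.items():
        print(f"{digest}  {', '.join(labels)}")
    print("all copies agree" if agree else "MISMATCH: do not flash until this is resolved")
    return 0 if agree else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 fwhash.py copy-from-home.bin copy-from-phone.bin copy-from-office.bin`; a non-zero exit means at least one copy differs. The hex digest it prints is what you would post to a support forum in step 10, and `matches_published` is what you use once a vendor or another user has posted theirs.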

For a simple reset that will take care of > 99% of malware I see on routers:

  1. Reboot the router
  2. Verify that you use a strong password (even for access from your own network)
  3. Disable remote admin features
  4. Verify the DNS settings
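Step 4 here and step 7.6 above both come down to one check: every resolver your network hands out is either one you deliberately chose or your own router. The following is an added example, not code from the diary; the resolver list is an assumption to be edited to what you actually configured, the resolv.conf text is constructed, and the 203.0.113.53 entry is a documentation address standing in for a hijacked resolver.

```python
import ipaddress
import re
import sys

# Resolver addresses for the public services the diary names. This set is an
# assumption for the example; replace it with exactly the servers you configured.
KNOWN_GOOD = {
    "8.8.8.8", "8.8.4.4",                # Google Public DNS
    "9.9.9.9", "149.112.112.112",        # Quad9
    "1.1.1.1", "1.0.0.1",                # Cloudflare
    "208.67.222.222", "208.67.220.220",  # OpenDNS
}

# Constructed sample of what a LAN client might receive via DHCP. The third
# entry is a TEST-NET-3 documentation address standing in for a hijacked
# resolver; nothing here comes from a real incident.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search lan
nameserver 10.123.21.1
nameserver 8.8.8.8
nameserver 203.0.113.53
"""


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def classify_resolvers(resolvers, lan_net, known_good=KNOWN_GOOD) -> dict:
    """Label each resolver.

    'known-good'    - one of the servers you chose
    'router-or-lan' - inside your LAN, i.e. the router forwards queries; the
                      upstream it forwards to must then be checked in the admin UI
    'UNPARSEABLE'   - not an IP address at all
    'UNEXPECTED'    - anything else; a resolver you did not pick is the classic
                      symptom of a CSRF or malware DNS change
    """
    net = ipaddress.ip_network(lan_net, strict=False)
    result = {}
    for r in resolvers:
        try:
            ip = ipaddress.ip_address(r)
        except ValueError:
            result[r] = "UNPARSEABLE"
            continue
        if r in known_good:
            result[r] = "known-good"
        elif ip in net:
            result[r] = "router-or-lan"
        else:
            result[r] = "UNEXPECTED"
    return result


def dns_settings_ok(resolvers, lan_net, known_good=KNOWN_GOOD) -> bool:
    """True only if there is at least one resolver and all are ones you chose or your router."""
    labels = list(classify_resolvers(resolvers, lan_net, known_good).values())
    return bool(labels) and all(v in ("known-good", "router-or-lan") for v in labels)


def main(argv):
    # Usage: check_dns.py [/etc/resolv.conf] [LAN network, e.g. 192.168.1.0/24]
    lan_net = argv[2] if len(argv) > 2 else "10.123.21.0/24"
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESOLV_CONF
    servers = parse_resolv_conf(text)
    for server, label in classify_resolvers(servers, lan_net).items():
        print(f"{server:16} {label}")
    return 0 if dns_settings_ok(servers, lan_net) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the only resolver reported is your router's own LAN address, the client-side check tells you nothing about the upstream: log into the router's admin interface and compare the DNS servers configured there against the same list. On Windows, the "DNS Servers" lines from `ipconfig /all` can be fed to `classify_resolvers` directly.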

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
ISC Handler

Hi Johannes
Very good post.
But I don't think changing the IP scheme is a good general recommendation. If you change the IP for the router LAN interface you need to change more items in the configuration, such as the DHCP pool IP range or other options.
As a general advice it is going to complicate the steps providing some (very little) benefit.
The risk is that, after doing these steps, the router "just don't work", and the user will be forced to undo everything and return to an insecure status.
Anonymous
I personally like my wrt1900ac equipped with bleeding edge lede/openwrt.

I would never use a router that wasn't customized with ddwrt or openwrt (preferably).

Also, I know that most routers, to verify that the bin file is for their router, only check a few bits at the beginning of the file.

I would highly recommend getting a customizable openwrt or ddwrt friendly router. Some of them are literally ten dollars on eBay.

And FYI, the super paranoid way to reflash a firmware is through a serial cable attached to the motherboard...

I have had to unbrick my wrt1900ac and have come close with my wrt3200acm
jACKtheRipper
FWIW, the last time I updated my Cisco RV325's firmware, it broke the SOHO router -- I could no longer CONNECT to it. Momentarily panicked, I then luckily had the presence of mind to immediately factory reset the router and load up (1) the previous firmware update (which thankfully "took") and (2) the last known good startup configuration. I make startup-configuration backups after even the smallest configuration changes. Writing down all the configuration settings is not feasible.
robv