December 15, 2016 By Douglas Bonderud 2 min read

Hacks happen, and now they’re happening more often. Consumers and companies alike have become familiar with the typical process: Malicious actors compromise a device, security teams work out a fix and the attackers are sent packing for another day.

But what if it wasn’t possible to remove the infection? What if, once compromised, devices become little more than trash? According to Motherboard, a cybercriminal going by the moniker of BestBuy claimed to have accomplished such a feat by pushing a firmware update to vulnerable routers and keeping them permanently under his control. Is immovable malware the newest iteration of infection?

Turning Routers Into Paperweights

When routers are compromised, users follow a standard response path: Turn off the device and reboot to clear the infection, then update username and password settings. This often does the trick, since software is effectively neutralized once the router goes dark.

BestBuy, however, opted for a different malicious method. The fraudster claimed to have compromised 3.2 million home routers by pushing a new firmware update. This means that even after being reset, the routers still reach out to malicious servers instead of reverting to defaults.

What’s more, BestBuy said the infected routers “will not accept new firmware from … anyone,” according to Motherboard, meaning there’s no way to remove the infection or reclaim the router. In effect, compromised routers become little more than paperweights.

URLs shared by BestBuy seem to show millions of devices already compromised. Security experts agree that his claims are plausible, although researcher Andrew Tierney pointed out that “it is easy to mess up” this kind of firmware update. BestBut doens’t appear to have any larger agenda for his army of retrained routers.

Easy Targets for Firmware

BestBuy’s ability to infect and permanently compromise routers highlights the lack of security in most internet-facing devices. When the BBC presented TalkTalk with data suggesting that its routers had been compromised, the telecommunications company argued that there was “no need” for users to change router settings, despite reliable evidence that 57,000 devices were compromised.

According to a recent article from The Register, meanwhile, users of popular Netgear routers are also at risk. The bug, CVE-2016-582384, enables attackers to take total control if they convince anyone on the local network to open a booby-trapped webpage.

The U.S. Computer Emergency Readiness Team (US-CERT) advised users to hack their own routers using a URL that disables the built-in HTTP servers used to administer devices. Although this temporarily seals the security hole, it also leaves users unable to manage or control the router through the HTTP portal. Netgear is aware of the problem and developing a fix, but no word on how long that will take.

Router breaches aren’t terribly sophisticated, but they’re effective. When administered via firmware, these attacks can permanently infect target devices. So now, the race is on between cybercriminals and security pros. Will routers get the critical corrections they need in the short term, or will it take a major network breach to prompt better default defense?

More from

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today