Hacks happen, and now they’re happening more often. Consumers and companies alike have become familiar with the typical process: Malicious actors compromise a device, security teams work out a fix and the attackers are sent packing for another day.

But what if it wasn’t possible to remove the infection? What if, once compromised, devices become little more than trash? According to Motherboard, a cybercriminal going by the moniker of BestBuy claimed to have accomplished such a feat by pushing a firmware update to vulnerable routers and keeping them permanently under his control. Is immovable malware the newest iteration of infection?

Turning Routers Into Paperweights

When routers are compromised, users follow a standard response path: Turn off the device and reboot to clear the infection, then update username and password settings. This often does the trick, since software is effectively neutralized once the router goes dark.

BestBuy, however, opted for a different malicious method. The fraudster claimed to have compromised 3.2 million home routers by pushing a new firmware update. This means that even after being reset, the routers still reach out to malicious servers instead of reverting to defaults.

What’s more, BestBuy said the infected routers “will not accept new firmware from … anyone,” according to Motherboard, meaning there’s no way to remove the infection or reclaim the router. In effect, compromised routers become little more than paperweights.

URLs shared by BestBuy seem to show millions of devices already compromised. Security experts agree that his claims are plausible, although researcher Andrew Tierney pointed out that “it is easy to mess up” this kind of firmware update. BestBut doens’t appear to have any larger agenda for his army of retrained routers.

Easy Targets for Firmware

BestBuy’s ability to infect and permanently compromise routers highlights the lack of security in most internet-facing devices. When the BBC presented TalkTalk with data suggesting that its routers had been compromised, the telecommunications company argued that there was “no need” for users to change router settings, despite reliable evidence that 57,000 devices were compromised.

According to a recent article from The Register, meanwhile, users of popular Netgear routers are also at risk. The bug, CVE-2016-582384, enables attackers to take total control if they convince anyone on the local network to open a booby-trapped webpage.

The U.S. Computer Emergency Readiness Team (US-CERT) advised users to hack their own routers using a URL that disables the built-in HTTP servers used to administer devices. Although this temporarily seals the security hole, it also leaves users unable to manage or control the router through the HTTP portal. Netgear is aware of the problem and developing a fix, but no word on how long that will take.

Router breaches aren’t terribly sophisticated, but they’re effective. When administered via firmware, these attacks can permanently infect target devices. So now, the race is on between cybercriminals and security pros. Will routers get the critical corrections they need in the short term, or will it take a major network breach to prompt better default defense?

More from

$10.3 Billion in Cyber Crime Losses Shatters Previous Totals

4 min read - The introduction of the most recent FBI Internet Crime Report says, “At the FBI, we know ‘cyber risk is business risk’ and ‘cybersecurity is national security.’” And the numbers in the report back up this statement. The FBI report details more than 800,000 cyber crime-related complaints filed in 2022. Meanwhile, total losses were over $10 billion, shattering 2021's total of $6.9 billion, according to the bureau’s Internet Crime Complaint Center (IC3).  Top Five Cyber Crime TypesIn the past five years, the…

4 min read

How to Boost Cybersecurity Through Better Communication

4 min read - Security would be easy without users. That statement is as absurd as it is true. It’s also true that business wouldn’t be possible without users. It’s time to look at the big picture when it comes to cybersecurity. In addition to dealing with every new risk, vulnerability and attack vector that comes along, cybersecurity pros need to understand their own fellow employees - how they think, how they learn and what they really want. The human element — the individual and social factors that…

4 min read

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read