Your router is a device that you might not give much thought to. After all, for most of its life it runs quietly in the background, keeping your devices online and protecting your network. However, what would happen if your router was compromised and used to carry out security attacks? While it might sound far-fetched, it’s a problem that’s becoming increasingly common: the online security service WordFence recently tracked over 10,000 attacks that were all traced back to hacked routers.
Some devices were more prolific than others, with some hacked routers participating in up to a thousand malicious attacks on WordPress sites, while others were only involved in around fifty over the course of a month.
To track the attacks, WordFence created a list of the attack IPs and monitored the time they had spent on attacks. From this they identified a botnet that was split across thousands of different IPs, spreading its attacks over that many addresses to make them harder to detect.
So, is your router likely to fall prey to one of these attacks? The chances are, you’re safe. 97% of the attacking IPs are owned by Telecom Algeria and, while WordFence did identify some attacks from other networks, they were a small minority. Other ISPs that are potentially at risk include BSNL (India), PLDT (the Philippines) and PTCL (Pakistan).
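Spreading attacks thinly over many IPs, as described above, is why a per-IP rate limit alone misses this kind of botnet. The following is an added example, not WordFence's code: it assumes the attacks are login POSTs to wp-login.php or xmlrpc.php, a combined-format access log, constructed sample lines and hypothetical thresholds.

```python
import re
from collections import Counter

# Combined log format: client IP, request method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # assumption: login-style attacks


def login_posts_per_ip(lines):
    """Count POSTs to WordPress login endpoints per client IP."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, method, path, _status = m.groups()
        if method == "POST" and path.split("?", 1)[0] in LOGIN_PATHS:
            counts[ip] += 1
    return counts


def analyse(lines, per_ip_limit=20, site_limit=100):
    """Compare a per-IP view with a site-wide view (thresholds are hypothetical)."""
    counts = login_posts_per_ip(lines)
    quiet = {ip: n for ip, n in counts.items() if n <= per_ip_limit}
    return {
        "noisy_ips": sorted(ip for ip in counts if ip not in quiet),
        "quiet_ips": len(quiet),
        "quiet_attempts": sum(quiet.values()),
        # Many low-rate sources adding up to a high total: the evasive pattern.
        "distributed_attack": sum(quiet.values()) > site_limit,
    }


def sample_log():
    """Constructed log lines; all IPs are from documentation ranges."""
    def line(ip, method, path, status):
        return (f'{ip} - - [01/Jan/2000:00:00:00 +0000] '
                f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')
    lines = []
    for i in range(60):  # 60 sources, 5 attempts each: all under the per-IP limit
        lines += [line(f"198.51.100.{i}", "POST", "/wp-login.php", 200)] * 5
    lines += [line("203.0.113.9", "POST", "/xmlrpc.php", 200)] * 40  # one noisy source
    lines += [line("192.0.2.10", "GET", "/wp-login.php", 200),
              line("192.0.2.10", "POST", "/wp-login.php", 302),
              "malformed line"]
    return lines


if __name__ == "__main__":
    print(analyse(sample_log()))
```

A per-IP limit flags only the single noisy source here, while the site-wide total across the quiet sources exposes the distributed pattern.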
The security breach happened because of port 7547, which WordFence go into further detail about on their blog:
Port 7547 is a management port on home routers. It allows ISPs to manage the routers that their customers use on their home networks. It uses a protocol called TR-069 to provide a management interface. The TR-069 protocol can be used to provision devices, provide tech support and remote management, monitor routers for faults, for diagnostics, to replace a faulty configuration and to deploy upgraded firmware.
This protocol and port has had at least two serious security vulnerabilities associated with it in the past 4 years.
In fact, 6.7% of all attacks on WordPress sites protected by WordFence are from routers that have port 7547 open. WordFence suggest ISPs can help reduce any security threats by taking the following steps:
There are already a large number of compromised routers out there. ISPs should immediately start monitoring traffic patterns on their own networks for malicious activity to identify compromised routers. They should also force-update their customers to firmware that fixes any vulnerabilities and removes malware.
As always, security should be at the forefront of your mind when it comes to your website, so now’s a great time to reread some of our previous posts on WordPress security tips and give your website security a spring clean.