TL;DR
Routers are a common target for attackers. This guide shows you how to check if yours has been messed with, from simple visual checks to more technical investigations.
How to Check If Your Router Has Been Tampered With
- Physical Inspection:
  - Look for unusual cables or devices connected. Anything you didn’t plug in is suspicious.
  - Check the router’s case. Are there any new stickers, damage, or signs it has been opened? Tampering often leaves physical evidence.
- Access your Router’s Admin Interface: Open a web browser and type in your router’s IP address (usually 192.168.1.1 or 192.168.0.1). You’ll need the admin username and password – check the bottom of the router, or the manual if you haven’t changed them.
- Find the Firmware Version: The location varies by manufacturer (usually under ‘Administration’, ‘System Tools’, or ‘Firmware Upgrade’). Note it down.
- Check for Updates: Compare your firmware version to the latest available on the router manufacturer’s website. If yours is significantly older, update it immediately!
- Access Logs via Admin Interface: Again, log into your router’s admin panel. Look for a ‘Logs’, ‘System Log’, or similar section.
- Look for Anomalies: Pay attention to:
  - Unusual login times (especially outside of your normal usage).
  - Failed login attempts from unknown IP addresses.
  - Changes to DNS settings without your knowledge.
  - Unexpected reboots or configuration changes.
- Access DNS Settings in Admin Interface: Find the ‘WAN’, ‘Internet’, or ‘Network’ settings.
- Verify DNS Servers: Your DNS servers should be those provided by your ISP, or a trusted public DNS service like Cloudflare (1.1.1.1) or Google Public DNS (8.8.8.8). If you see unfamiliar addresses, change them back.
```
# Example of checking DNS using nslookup on Windows
nslookup google.com
```
- Access the ‘Connected Devices’ list in your router’s admin interface.
- Identify Unknown Devices: Look for devices you don’t recognise (e.g., strange names or unfamiliar MAC addresses). Investigate further – a device lookup tool can help identify the manufacturer based on the MAC address.
- Port Forwarding: Check for any port forwarding rules you didn’t create. Attackers use these to open backdoors.
- Firewall Settings: Ensure the firewall is enabled and configured correctly.
- Wireless Security: Confirm your Wi-Fi network uses a strong password and a current encryption protocol (WPA3 if possible).
- Locate the Reset Button: Usually a small recessed button on the back of the router.
- Press and Hold: Press and hold the reset button for 10-30 seconds while the router is powered on. Warning: This will erase all your settings! You’ll need to reconfigure everything afterwards.
Important Note: Regularly changing your router’s admin password and keeping its firmware updated are crucial steps in cyber security.
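
The log anomalies listed in the guide above (unusual login times, failed logins from unknown IP addresses, DNS changes, unexpected reboots) can be checked mechanically once the router log is exported as text. This is an added example, not part of the original guide; the log line format, the 192.168.1.0/24 LAN range, the 07:00 to 23:00 login window and the sample entries are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, time

# Assumptions for this example: adjust to your own network and habits.
KNOWN_NET = ipaddress.ip_network("192.168.1.0/24")  # your LAN
NORMAL_HOURS = (time(7, 0), time(23, 0))            # usual admin login window
TRUSTED_DNS = {"1.1.1.1", "8.8.8.8"}                # add your ISP's resolvers

# Constructed sample log; real router log formats differ by manufacturer.
SAMPLE_LOG = """\
2024-05-01 19:30:05 admin login success from 192.168.1.10
2024-05-02 03:12:44 admin login success from 192.168.1.23
2024-05-02 03:14:02 admin login failed from 203.0.113.50
2024-05-02 03:15:10 config change dns1=198.51.100.7
2024-05-02 03:16:00 system reboot
"""

LOGIN = re.compile(r"login (success|failed) from (\S+)$")
DNS = re.compile(r"dns\d=(\S+)")

def is_known(ip):
    try:
        return ipaddress.ip_address(ip) in KNOWN_NET
    except ValueError:
        return False  # unparseable source address counts as unknown

def find_anomalies(log_text):
    """Return (timestamp, reason) pairs for the anomalies the guide lists."""
    findings = []
    for raw in log_text.splitlines():
        try:
            ts = datetime.strptime(raw[:19], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # line does not fit the assumed format
        msg, stamp = raw[20:], raw[:19]
        login, dns = LOGIN.search(msg), DNS.search(msg)
        if login:
            result, ip = login.groups()
            in_hours = NORMAL_HOURS[0] <= ts.time() <= NORMAL_HOURS[1]
            if result == "failed" and not is_known(ip):
                findings.append((stamp, f"failed login from unknown IP {ip}"))
            elif result == "success" and not in_hours:
                findings.append((stamp, f"login outside normal hours from {ip}"))
        elif dns and dns.group(1) not in TRUSTED_DNS:
            findings.append((stamp, f"DNS server set to untrusted {dns.group(1)}"))
        elif "reboot" in msg:
            findings.append((stamp, "reboot, confirm it was expected"))
    return findings
```

Calling `find_anomalies(SAMPLE_LOG)` flags the last four constructed entries and leaves the evening login from the LAN alone; adapt the two regular expressions to whatever your router actually writes.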