If you’ve got an Internet connection in your home, chances are pretty good that you also have a router to manage the access by all your devices. There’s also a pretty good chance the router in your house was provided by your ISP.
Earlier this month, I pointed out why you might want a VPN to keep your ISP from seeing your Internet traffic, especially if you live in the United States. I’ve been monitoring another ongoing ISP issue for a couple of weeks and it seems like it continues to get bigger, especially for customers of smaller regional ISPs around the world.
On 11 April 2017, security firm Wordfence discovered that a number of home Internet routers around the world were being used to attack websites that use WordPress as their content management system. The one thing the affected ISPs all had in common was their use of routers manufactured by Zyxel that run the Allegro RomPager embedded web server.
The embedded web server is handy in theory because it allows for things like remote administration of your router, but it also increases the security risk. All of the impacted routers at ISPs around the world appear to have ports open to the Internet by way of this embedded web server, and that is what some bad actors are taking advantage of.
It is my personal opinion and the opinion of many security experts far smarter than I am that having your router admin accessible from outside your home network is a significant security risk. I take the paranoid stance that I’d rather purchase my own router and not rent a modem from the cable company, but I know that’s not practical for everyone.
When I first read about this vulnerability, most of the ISPs impacted were in countries where I have almost no readership. The list keeps growing and in particular India and Brazil have both popped up as places with ISPs using the impacted Zyxel hardware.
Slower to come out was the fact that at least one U.S. based ISP was also impacted, because it too was using Zyxel hardware with a similar vulnerability. That ISP, California-based Sierra Tel, was hit at roughly the same time as the other routers around the world.
My takeaway from this is two-fold. First, check to see if the router provided by your ISP is manufactured by Zyxel; if it is, use this tool provided by Wordfence to see if the exploited port is open. Second, regardless of ISP, sign in to the admin console for your router and verify that no setting is turned on that allows administration of the router from the public Internet.