(May 2018) About half a million small office routers and NAS devices are infected with malware called VPNFilter. These devices are made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link, and may have private labels from ISPs. The malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. A report from Cisco said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot. " FBI tells router users to reboot now to kill malware infecting 500k devices ".
(Oct 2017) There has been news recently of an attack on the WPA-2 Wi-Fi protocol called KRACK. Attackers can decrypt traffic sent over Wi-Fi and inject content into unencrypted HTTP connections.
Patches for KRACK have been announced for many devices. Microsoft patched Windows 10 in August. Apple patched KRACK on October 31 for High Sierra, Sierra, El Capitan, and iOS. Apple AirPort and Time Capsule routers are not vulnerable. Android and Linux devices are especially vulnerable. Other patches will be rolled out over the next few months. Make sure you keep up to date.
(Dec 2016) There's a new "exploit kit" aimed at infecting your router via Windows and Android devices (but that could change to include Macs any time). An article in Proofpoint gives technical detail on how it works: Home Routers Under Attack. Once they subvert your router, all of your computers are compromised, and no anti-virus scanner will find anything. The article says "there is no good way to counteract these attacks," but a couple of measures can help:
(Dec 2016) Netgear routers have a serious security hole. Netgear 6500, 7000, and 8000 series routers can be taken over by hackers. There are lots in Germany and the USA.
(Mar 2015) "At least 700,000 routers given to customers by ISPs are vulnerable to hacking." These are ADSL routers from various makers; some may be rebranded by the ISP. One brand involved was D-Link. Most of these routers seem to be in Asia but some are in the USA. The vulnerable firmware seems to originate from the same Chinese company.
This is a different security hole from the 300,000 home routers whose DNS servers were silently rerouted to hacker's servers, enabling the hackers to pretend to be any web site. The brands involved included TP-link, Micronet, D-Link, Tenda, and Zyxel.
(Jan 2015) A new bug has been found that lets any local client reconfigure ASUS wireless routers.
(Dec 2014) Additional attacks on home routers have been discovered.
(Jan 2014) Some home routers have "back doors" built into them by their manufacturers. Problems have been found in many brands of router. There are also malware programs that try to attack your router from the Internet, or from an infected web page, or from an infected computer on your network, or by somebody driving by your premises. If your router gets infected, a bad guy could take over your connection.
If you use a wireless access point or router that you don't control, it may have malware on it, either because the access point owner is malicious, or because some malicious person tampered with the router, or because it was attacked through a back door. For example, if you are staying in XYZ Hotel, you might see several wireless networks you could connect to: "XYZ HOTEL," "FREE WIFI", "THIRD FLOOR", PUBLIC." You have no way to know which of these is real and which is a fake "evil twin." I have seen these in airports as well.
A compromised router could
For example, using a hacked router, someone could spoof your online banking site and steal your money. Your Mac usually gets the addresses of the name servers that it uses to look up domain names from the router that it's connected to. Unless the router has a manually set DNS address, it will in turn ask your phone or cable modem, and that device will normally get the settings from the phone or cable provider. A hacked router can send your Mac the address of a fake DNS server, which can send you to a fake page that looks just like the real one.
Several versions of Cisco Wireless Home Gateways and cable modems have a security hole that allowes attackers to hijack the routers remotely. This problem was found in July 2014. Cisco has released a patch to cable companies so that they can pass it on to customers.
Several versions of D-Link router firmware were discovered to contain a back door that allowed any local network user to bypass the admin password. This weakness was found in October 2013. "The affected models likely include D-Link's DIR-100, DIR-120, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, DI-624S, TM-G5240 and possibly the DIR-615. The same firmware is also used in the BRL-04UR and BRL-04CW routers made by Planex." Firmware updates are available for some of these routers: others are no longer supported by D-Link, so tough.
ISE published a paper titled Exploiting SOHO Routers sometime in 2013 that listed 13 routers that were vulnerable to takeover. It listed specific model numbers for Linksys, Belkin, Netgear, TP-Link, Verizon, D-Link, ASUS, and TrendNet routers.
A back door is built into some Linksys wireless/DSL modems. It was first found in a Linksys WAG200G, but at least 190 other models from the same OEM may be affected. It uses TCP port 32674. Some Belkin, Cisco, and Netgear routers are also affected by the same backdoor as the Linksys problem. The affected Cisco routers are described in a support note. (Cisco used to own Linksys but sold it to Belkin in 2013.)
Another Linksys vulnerability was found in February 2014. It affects many models including E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N, WRT150N.
Another attack on D-Link, Micronet, Tenda, TP-Link, Zyxel, and other brands of router was discovered in March 2014. It seems to be aimed at changing the DNS settings for computers that connect through the routers.
(8/27/14) A back door is built into NETIS routers. It uses TCP port 53413.