home wi-fi router attacks

6.4 percent of the most popular home wi-fi routers sold on Amazon still use the manufacturer’s default administrator credentials, Comparitech researchers found. These routers, which number in the tens of thousands, can be remotely found and attacked using publicly available passwords, granting malicious hackers access to the victim’s home network.

wi-fi routers vulnerable to default credentials attack

Comparitech’s cybersecurity research team used freely available tools to scan the web for the top 12 home wi-fi router models sold on Amazon. They then used an automated script to attempt to log into each router’s administrative dashboard using the manufacturer’s default credentials.

In total, the researchers found and tested 9,927 routers. 635 were vulnerable to default password attacks.

Our results appear to indicate that some routers could be more insistent than others that users change the default password upon first setting up the device:

Router modelSuccessful logins# Tested
Asus RT0.00%307
MikroTik0.00%463
Westell 6100G0.40%753
ZyXEL VSG14320.40%1001
Huawei HG532e1.00%546
TP-Link N3002.80%1000
Linksys E25002.90%1000
Thomson SpeedTouch 585i4.40%998
Netis WF2419 RTK13.50%1000
ZTE ZXV1015.60%859
XFinity17.50%1000
NetGear Ethernet Plus Switch18.30%1000

AsusRT and MikroTik models could not be accessed at all despite hundreds of tests, indicating they require users to change their default passwords before an internet connection is allowed through. This is ideal from a cybersecurity perspective.

On the other end of the spectrum, roughly one in six ZTE ZXV10, XFinity, and NetGear Ethernet Plus Switch routers were found to be vulnerable to default password attacks unless the default admin password is changed.

What is the threat?

If a bad actor gains access to your wi-fi router’s administrator panel, they could launch a number of attacks:

  • DNS hijacking – DNS, or domain name system, is what associates domain names like “comparitech.com” into IP addresses that computers use to communicate over the internet. By tampering with DNS entries in the router, an attacker could redirect users to malicious sites and malware downloads without their knowledge.
  • Eavesdropping – The attacker can monitor everything the victim does online on every device connected to the router, including what websites they visit and any unencrypted data sent over the network.
  • Abuse your connection – The attacker could use the router as a proxy to download pirated content, visit illicit sites, or access illegal material. You could be suspected of or held liable for these activities.

These are just a sample of a long list of potential threats. If a router is compromised, so is every device connected to it.

How to change your default administrator password

Remember that your wi-fi router’s administrative password is (or should be) different from the password you use to connect to the internet. The administrative username and password are used to log into the device’s administrative dashboard, where you can manage your router’s settings and features.

Changing your router’s admin password is critical to your home’s cybersecurity. Be sure to create a unique and strong password.

You can usually access your router’s administrative panel by connecting to it normally using wi-fi or LAN. Then, open a web browser and type “192.168.0.1” or “192.168.1.1” (no quotes) into the URL bar, and press Enter. In most cases, this leads to the router dashboard login page.

Here are resources on how to change administrative passwords for every vulnerable router in the study:

Most router manufacturers can do better

Although some of the onus is on the consumer to change their default password, router makers should be more insistent that they do so.

The most obvious solution is to require users to change the router’s default admin password upon first setting the device. Before a public internet connection is allowed, the user must change the password.

Routers could also implement two-factor authentication to access administrator accounts. A one-time code sent to the owner’s smartphone would be required to log in.

Research methodology

This research was carried out in June 2021.

Researchers focused their efforts on the top 12 router models sold on Amazon.com. The marketplace results were filtered to find the most popular and frequently bought models.

They found the IP addresses of these routers on the internet using ZoomEye and Shodan.io, search engines that scan the web for specific internet-connected devices.

The manufacturer’s default login credentials for all models in the study were gathered from publicly accessible websites.

Researchers began by individually checking the publicly-obtained default credentials for each router model, ensuring the credentials were valid.

They then wrote automated scripts to attempt logins on the entire set of collected IP addresses.

Logins were recorded as successful or unsuccessful, giving us the results in the table above.

We did not access or modify the router in any way beyond the scope of our study, which only checked for a successful login using default credentials.