Millions of Home Wi-Fi Routers under Attack by Botnet Malware — Things to Know

Update, August 11: added Verizon's comments and a rough guide on how to check for firmware updates.

Millions of home Wi-Fi routers are under attack by botnet malware. This comes just one week after researchers published a blog post showing how to exploit a vulnerability in the routers' firmware.

Researcher Evan Grant is not entirely to blame. He discovered the flaw (catalog number CVE-2021-20090) in January while disassembling a Buffalo-branded router sold in Japan. After Tenable, the company Grant works for, reported it to Buffalo, Buffalo released a patch in April to fix the firmware flaw.

The problem is that at least 36 other routers sold by 20 companies have the same or a very similar flaw, and firmware patches may not yet be available for all of them. Few people know that they need to update their router firmware in the same way they update their computers or cell phones.

Some of these routers may be rented to customers by Internet service providers (ISPs). In that case, the ISP is responsible for updating the firmware.

Affected routers include models distributed by brands such as Asus, British Telecom, Buffalo, Deutsche Telekom, O2, Orange, SparkNZ, TelMex, Telstra, Telus, Verizon, and Vodafone, and the flaw "could affect millions of devices worldwide," according to a blog post first published by Tenable in April and a white paper Tenable released subsequently.

Here is a complete list of the known affected models and affected firmware:

As can be inferred from the number of phone companies among these brands, the majority of the affected models are all-in-one devices that combine a DSL modem and a router, which Internet service providers give or lease to their customers.

Others use Fios or cellular data connections for Internet access. Almost all are combined modem/routers with some form of built-in broadband modem, rather than stand-alone routers that need a separate modem for broadband access.

All of these routers were manufactured by Arcadyan, a Taiwanese technology manufacturer, and distributed under other names as part of "white label" agreements.

The flaw is a "path traversal vulnerability": a remote request to the router's web interface can reach certain files in the router's file system that it should never be able to reach, including a file that can be tampered with, which lets an attacker control the router from a distance.
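The request pattern behind a path traversal bug is something a defender can look for in web-server logs. The following is an added example, not code from the article or from Tenable: a small Python checker that normalises request paths from constructed access-log lines (percent-decoding twice to catch double encoding) and flags requests that climb out of the directory a web handler is supposed to serve. The log lines and the `/images/` served prefix are constructed assumptions, not details of the Arcadyan interface.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article): lines 1 and 5 are
# benign, lines 2 to 4 try to climb out of /images/ in three encodings.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2021:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 512
192.0.2.11 - - [06/Aug/2021:10:00:02 +0000] "GET /images/../../etc/passwd HTTP/1.1" 404 0
192.0.2.12 - - [06/Aug/2021:10:00:03 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024
192.0.2.13 - - [06/Aug/2021:10:00:04 +0000] "GET /images/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1024
192.0.2.14 - - [06/Aug/2021:10:00:05 +0000] "GET /images/sub/../banner.png HTTP/1.1" 200 300
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+"')


def normalise_path(raw):
    """Decode percent-encoding up to twice, unify slashes, resolve '.' and '..'.
    Returns (clean_path, escaped_root)."""
    path = raw.split('?', 1)[0]
    for _ in range(2):                  # second pass catches %252e style double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    stack, escaped = [], False
    for seg in path.replace('\\', '/').split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if stack:
                stack.pop()
            else:
                escaped = True          # '..' tried to go above the web root
        else:
            stack.append(seg)
    return '/' + '/'.join(stack), escaped


def find_traversal(log_text, served_prefix='/images/'):
    """Return (client, raw_path, clean_path) for requests aimed at served_prefix
    whose normalised path leaves that directory or the web root."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, _method, raw = m.groups()
        clean, escaped = normalise_path(raw)
        if raw.split('?', 1)[0].startswith(served_prefix) and (
                escaped or not clean.startswith(served_prefix)):
            hits.append((client, raw, clean))
    return hits
```

Note that the legitimate `sub/../banner.png` request normalises back inside `/images/` and is not flagged, while a 404 response does not make the attempt any less worth alerting on.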

Unfortunately, if you lease or rent your home router or gateway from your ISP, your options are limited. In that situation, if the ISP is one of the brands mentioned above, check the model number of the router to see whether it matches one of the affected models.

Still, it is difficult to be sure, because some ISPs do not list the actual model number on their units. Your best bet is to contact your ISP's customer service department and ask.

If you own the router and have some technical skills, you will need to access the administrative settings to verify the model number and firmware version. The quickest way to do this is to plug an Ethernet cable from your laptop into one of the router's Ethernet ports.

If your router is one of the models on this list and has older firmware, you will need to check for updated firmware. There is a general guide here on how to update your router's firmware, but the actual procedure varies by model.

Some newer routers have a mechanism within the management interface to update themselves, and others one to check for firmware updates. Otherwise, you may need to go to the support website of the company whose name is on the router and see whether you can download updates from there.

If you are already in the management interface, check whether you can disable remote access. Turning it off will protect you from almost all router attacks that can be performed over the Internet.

One of the affected models appears to be the Verizon Fios G3100, a $300 Fios combination modem/router. I could not find a page on the Verizon website offering firmware updates, so I initiated a chat with a Verizon support rep.

The support rep bounced us into a chat with the technical team. The tech team insisted, "We guarantee that our equipment and service is secure at all levels," and said they would contact customers whose equipment was affected by the defect via text message.

In the chat, we asked the technician whether the firmware on the Verizon Fios G3100 had been updated to fix the CVE-2021-20090 flaw. The technician replied that he did not have "in-depth knowledge" to answer that and gave us a general Verizon contact page.

We emailed the Verizon press representative and will update this article as soon as we receive a response.

Update: A Verizon representative issued the following statement:

"Our security team is actively addressing concerns about the recently reported router authentication bypass. Verizon will be providing software and/or firmware updates for Fios routers to address this issue. No action by the customer is required to receive this update."

It was a bit easier to find web pages with firmware updates for the four Asus models that Tenable listed as potentially vulnerable. Unfortunately, none of the four appears to have received a new update since at least December 2018.

Below are links to the firmware update pages for each model, in case you want to check back later: DSL-AC88U, DSL-AC87VG, DSL-AC3100, and DSL-AC68VG.

Grant published his report on August 3. On August 6, researchers at network hardware maker Juniper Networks said that a known malware crew had built Grant's technique into its arsenal and was using it to attack Arcadyan-based routers.

The malware crew infects routers with variants of the Mirai botnet, which was first discovered in the summer of 2016 and triggered several widespread attacks in the fall of that year. Once infected, routers function normally, but can be secretly used by criminals to send spam and run distributed denial-of-service (DDoS) attacks.

One of Buffalo's models, the WSR-2533DHPL2, has two other firmware flaws, and Tenable's blog post includes a proof-of-concept exploit for them. Buffalo has issued firmware updates for these as well.

"Vendors that sell devices do not necessarily manufacture them. If a bug is found in the firmware of a consumer router, it could affect many vendors and devices, not just the vendor you are investigating."
