Did someone hack your router? Learn the signs of a hacked router, how to fix it, and how to safeguard your data and devices against future attacks.
You’ll always have internet connection issues, whether it’s due to the weather, problems on your provider’s side, or those related to the equipment in your home or office.
But what if you suspect foul play? What if all your devices load the same website no matter what you type into the address bar? Or, even worse, you sit at your computer, utterly speechless, as a “ghost” seizes your mouse and opens your bank account?
Those two scenarios alone are good signs of a hacked wireless router. But don’t worry: we’ll clue you in on how to recognize a hacked router, how to fix it, and how to make sure it never happens again.
Signs that someone hacked your router
There are many signs of a possible router hack that can throw up a red flag. Some are general and could apply to other router-related issues. Others are a sure sign that someone else now controls your router.
You can’t log in to your router
You should worry about a possible hack if you can’t log in to your router or wireless gateway. Typically, routers ship with default login credentials you can use to access the settings. You’re supposed to change these credentials during the initial setup process (but not everyone does).
However, if you can’t log in to your router using the credentials you created, that’s a sign that someone hacked your router. Someone may have figured out the credentials, logged in, and changed the password to lock you out. After that, a hacker has free rein to change additional settings and make your life miserable.
Issues with your router’s firmware can cause login problems, too, and if your network behaves normally but you just can’t log in, it’s probably not compromised. In any case, you’ll need to reset the device to fix it.
Immediate action: Reset your router.
All internet browsers lead to the same site
Browser hijacking is a sure sign that you have a hacked router or wireless gateway.
In this case, a hacker logged in to your router and changed its Domain Name System (DNS) settings. DNS is the system that matches web domains with their numeric IP addresses.
By doing so, the hacker can redirect all internet traffic through your router to a malicious DNS server. This server will lock you to specific websites that can steal your information and install malicious software on every internet-connected device you own.
Immediate action: Log in to your router and change the DNS settings and password. If you can’t log in, reset your router. You should also scan every device with antivirus software to make sure there’s nothing on your devices that’s hijacking your browser.
There’s strange software on more than one device
If you see new, unfamiliar software on more than one device—especially if you didn’t download it intentionally—there’s a good chance that someone hacked your router and remotely installed malware onto your devices.
Strange, uninvited software includes browser toolbars, fake antivirus clients, and other programs that will generate random popups on your screen or within a browser.
If you have multiple computers, chances are this uninvited software is on all of them. Malware can replicate on a single device and spread across wired and wireless connections, similar to how a virus spreads from person to person.
Immediate action: Log in to your router and change the password. If you can’t log in, reset your router. Afterward, make sure your router has the latest firmware. Be sure to uninstall the strange software from your device(s) and run an antivirus client.
When left unsupervised, kids can download software without fully realizing the possible consequences. This scenario is where parental tools are a great resource—check out our list of the best routers for parental controls for a few upgrade ideas. We also list the best parental control apps and tips on how to keep kids safe online.
You receive a ransomware message
Ransomware messages are a good sign that you have a hacked router. These attackers can seize control of the router and demand money in return for its release. The message may appear in the form of an email, instant message, text, or a popup generated by uninvited software installed on your device.
Immediate action: Reset your router and don’t pay a dime. Be sure that you create a unique password that hackers can’t guess.
Phishing is another email-based way to hack into your router. The message could appear to originate from your internet provider stating that a hacker compromised your router and that you should click the supplied link to resolve the issue. The resulting webpage could then log in to the router using the default credentials if you never changed them. Never click links in emails from unknown sources.
You see unrecognized devices on your network
You can use the router’s web interface or a compatible mobile app to see a list of devices connected to your home or office network. For example, the Linksys Smart Wi-Fi interface provides a network map—just click on a device to see its assigned address.
When you look at the map, all local devices have an address in the same range as the router’s private IP address. If your router’s address is 192.168.1.1, for example, then all device addresses should start with 192.168.1.
However, a device remotely accessing your router won’t have an address that matches the first three numbers of your router’s private address.
Immediate action: Kick the unknown device(s) off your network and change the password. Disable remote access if you never plan to use it.
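The address check described above can be automated once you have copied the device list out of the router's interface. The following is an added example, not part of the original article; the CSV layout, the MAC inventory and every sample value are constructed, and the router address is the article's 192.168.1.1.

```python
import ipaddress

# Constructed sample: a connected-device list as a router's admin page might
# export it (name, MAC, IP). None of these values come from the article.
SAMPLE_DEVICES = """\
laptop,3c:22:fb:10:20:30,192.168.1.23
phone,a4:83:e7:44:55:66,192.168.1.42
printer,00:1b:a9:77:88:99,192.168.1.50
unknown,02:00:5e:aa:bb:cc,203.0.113.77
unknown,02:00:5e:dd:ee:ff,192.168.1.91
tablet,02:00:5e:11:22:33,192.168.1.
"""

# Hypothetical inventory of the hardware you actually own.
KNOWN_MACS = {"3c:22:fb:10:20:30", "a4:83:e7:44:55:66", "00:1b:a9:77:88:99"}

def audit_devices(text, router_ip="192.168.1.1", prefix_len=24, known_macs=KNOWN_MACS):
    """Return (ip, mac, reason) for every entry that needs a closer look."""
    # strict=False lets us derive 192.168.1.0/24 from the router's own address.
    lan = ipaddress.ip_network(f"{router_ip}/{prefix_len}", strict=False)
    findings = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            findings.append((line, "", "malformed"))
            continue
        _name, mac, ip = fields
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, mac, "malformed"))
            continue
        if addr not in lan:
            # Does not share the router's first three numbers.
            findings.append((ip, mac, "outside-lan"))
        elif mac.lower() not in known_macs:
            # On the LAN, but not hardware you recognize.
            findings.append((ip, mac, "unknown-device"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in audit_devices(SAMPLE_DEVICES):
        print(f"{reason:15} {ip:16} {mac}")
```

An "unknown-device" result is not proof of a hack, since MAC addresses can be randomized by phones and tablets, but it tells you which entries to identify before you kick anything off the network.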
You can’t control your device
If you sit in front of your computer and watch an uninvited, unseen guest move the mouse and access your banking information, you definitely have a hacked router.
In this scenario, the hacker has remote access to your device and can open any file or online account using the passwords you store in the operating system or browser.
Immediate action: Unplug your devices and disconnect your router from your modem. After that, reset your router.
Your internet speeds are slower than snails
Slow internet speeds aren’t uncommon. There may be issues with your provider, too many devices downloading at one time, and so on. But if you experience extremely slow speeds along with other symptoms on this list, chances are you have a hacked router.
Your speeds could be slow because the hacker seized your full bandwidth for the following:
- Botnet activity
- Distributing malware to other networks
- Remote connections to your devices
- General internet piggybacking
Immediate action: First, use our tips on how to speed up your internet to see if the problem is just a connection issue. If you think that someone hacked your router, try to change the password. If you can’t, reset your router.
How to fix a hacked router or gateway
You can easily and quickly fix a hacked router. There’s no need to throw it out the window and purchase a new unit.
Step 1: Disconnect the router or wireless gateway
If you have a standalone router, disconnect the Ethernet cord to avoid communicating with the modem. If you have a wireless gateway, disconnect the internet connection instead.
In both cases, disconnect all wired and wireless devices.
Step 2: Power cycle or reset your router or wireless gateway
In some router hacking cases, a simple power cycle works as a quick fix. This method clears the memory of any malicious code and refreshes your public IP address. Just pull the plug, wait 30 seconds, and then plug the cord back into the outlet.
In other cases, you may need to reset your router to its factory settings if an infection persists or you can’t log in. A power cycle cannot remove severe infections like VPNFilter.
To factory reset your router, find its reset button—it’s either surface-mounted or recessed on the back. Press and hold the button—you’ll need a paperclip for a recessed button—for 10 seconds until your router’s LEDs indicate a reboot.
Step 3: Change the password
Once the router reboots or resets, log in using the default password and username and change the password. You can use one of the best password managers to create one and retrieve it from your account when needed.
You could also create a passphrase—a long string of unrelated words—filled with symbols and numbers. Make it something you can remember, but isn’t easily guessed.
Step 4: Update the firmware
Set your router to update its firmware automatically if it’s not already. And if your router doesn’t give you the option to update automatically, set yourself a reminder to check every month or so.
For example, on a Linksys router, click on Connectivity listed under Router Settings. You should see a checked box next to Automatic displayed in the Router Firmware Update section. If not, click on the box to enable automatic updates.
Alternatively, you can click on the Check for Updates button or download the latest firmware from the manufacturer and click the Choose File button to install it.
Routers from other manufacturers provide similar firmware update tools.
The three-stage VPNFilter malware is a perfect example of how malicious software can infect a router (and network-attached storage). In fact, it persists after a reboot, making it highly dangerous to your sensitive information and devices. It exploits security vulnerabilities in the router’s firmware to gather sensitive data and send it back to hackers using the Tor network. Moreover, it can add malicious content to traffic that passes through an infected router. [2]
How to prevent a router hack
Use the following suggestions to safeguard your devices and sensitive data against hackers.
Turn on automatic updates
Your router is a miniature computer with a processor, system memory, and storage that houses the operating system (firmware). Unfortunately, firmware is never bulletproof, as there are bugs in the code and security holes that can grant hackers easy access. Manufacturers distribute firmware updates regularly to squash these bugs and patch vulnerabilities.
If automatic updates are toggled off and you never manually install new firmware, hackers will utilize the unpatched flaws in the firmware and access your router with ease. Log in to your router and toggle on automatic updates if they are not already.
Use a secure password
All routers ship with default credentials you use to access the interface and adjust the settings. You can find these credentials printed on the router’s belly or on a sheet supplied in the packaging. If you never changed these credentials during the initial setup, hackers can log in if they have your router’s public IP address.
Never use an easily guessed password with your router or Wi-Fi network. These include names of pets, children, other family members, and anything that links to your interests. Believe it or not, the two most used passwords are still 123456 and 123456789. [1]
A hacker can use free online tools to carry out a brute-force attack—a trial-and-error method that continuously enters every possible password until one works. Hackers can also use a dictionary attack, which tries words pulled from a dictionary. These attacks can quickly crack an easy eight-character alphanumeric password.
Schedule routine reboots
The first step to hacker prevention is to schedule a monthly reboot. It’s good for the router, as a reboot can clear the system memory and refresh all connections.
Additionally, your internet provider assigns a public IP address to your router. It usually refreshes every 14 days (unless you pay for a permanent “static” address). But a reboot gives you an extra refresh if hackers obtained one of your previous addresses.
Disable remote access
Most routers allow you to access the settings if you’re off the network, like from a hotel room. Generally, you need a cloud account to do so, like TP-Link ID and NETGEAR Cloud. However, hackers can also use remote access if they can guess the password.
Be sure to secure your account with a strong passphrase if you plan to use remote management. Otherwise, toggle it off to prevent a possible hack.
Disable WPS
Wi-Fi Protected Setup (WPS) has good intentions; it allows users to connect their devices to a wireless network without a password. Simply press the WPS button on the router, or enter an eight-digit PIN provided by the router.
Unfortunately, hackers can use a brute-force attack to figure out the PIN in 4 to 10 hours—they don’t need access to the physical button. You can easily disable WPS through the router’s backend and instead use our guide on how to share your Wi-Fi network’s password to any device.
If you have a Linksys router, for example, you can disable WPS by doing the following:
Step 1: Select Wi-Fi Settings displayed under Router Settings.
Step 2: Click on the Wi-Fi Protected Setup tab.
Step 3: Click the toggle so that it reads OFF.
Step 4: Click on the Apply button. You must click this button so that WPS and its related PIN are completely disabled—clicking on the toggle without applying the change isn’t enough.
Change the default SSID
The Service Set Identifier (SSID) is your wireless network’s name. Most routers broadcast the manufacturer’s name by default, like Linksys_330324GHz or NETGEAR_Wi-Fi. Anyone within range can see this name, know who built your router, and search the internet for the default login credentials.
“Cheesedoodle” or “Wotulooknat” are a few examples of SSIDs that are unique and non-offending to neighbors. SSIDs can be 32 characters long.
If you want to keep hackers off your network, we suggest one of the best routers for security.
Never click or tap on strange links
Malware you unintentionally download to your computer or mobile device could lead the way to a hacked router. Here are several ways you can get unwanted malware:
- Click on a link in a phishing email or chat message
- Connect an infected flash drive
- Access a malicious website
- View infected ads
Even mobile devices can grant hackers access to your router. For instance, the Switcher trojan lurked in Android apps and contacted a command-and-control server once the user connected to Wi-Fi. It then began a brute-force attack on the router to hack into its interface and change the default DNS settings to one malicious server address and one Google server address, so the user didn’t grow suspicious. [3]
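Both the browser-hijacking sign earlier in this article and the Switcher case above come down to changed DNS settings, so it pays to check every configured resolver rather than stopping at one familiar address. The following is an added example, not part of the original article; it reads resolv.conf-style text such as a Linux client receives from the router, the allowlist is an assumption you should adjust to your own ISP, and the rogue address is a documentation-range placeholder.

```python
import ipaddress

# Resolvers this household expects (assumption): the article's example router
# address plus the well-known Google, Cloudflare and Quad9 public resolvers.
EXPECTED = {"192.168.1.1", "8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed sample: what a client might receive from a tampered router.
# 203.0.113.53 is a documentation-range placeholder, not a real indicator.
SAMPLE_RESOLV_CONF = """\
# handed out by DHCP
nameserver 203.0.113.53
nameserver 8.8.8.8
search home.example
"""

def configured_resolvers(text):
    """Extract the address from every 'nameserver' line, ignoring comments."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def audit_dns(text, expected=EXPECTED):
    """Return (address, verdict) for each configured resolver."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    results = []
    for value in configured_resolvers(text):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            results.append((value, "malformed"))
            continue
        if addr.is_loopback:
            verdict = "local-stub"   # local caching resolver; check its upstream
        elif addr in allowed:
            verdict = "expected"
        else:
            verdict = "unexpected"
        results.append((str(addr), verdict))
    return results

def is_suspicious(text, expected=EXPECTED):
    # One unexpected resolver is enough: a familiar secondary address does
    # not clear a rogue primary.
    return any(v in ("unexpected", "malformed") for _, v in audit_dns(text, expected))
```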
1. NordPass, “Top 200 Most Common Passwords of the Year 2020,” Accessed August 11, 2021.
2. Norton, “VPNFilter Malware Now Targeting Even More Router Brands,” Accessed August 11, 2021.
3. Kaspersky Lab, “Switcher Hacks Wi-Fi Routers, Switches DNS,” December 28, 2016. Accessed August 11, 2021.