The FBI just issued a VPNFilter malware warning saying, “Reboot your routers now!”
But why? And will it help?
Kimberly Truong and Paul Ducklin of Sophos investigate in a Sophos Security SOS podcast.
If you enjoy our podcasts, please share them with other people interested in security and privacy, and give us a vote on iTunes and other podcasting directories.
Further reading
- VPNFilter – is a malware timebomb lurking on your router?
- VPNFilter botnet: a SophosLabs analysis
- VPNFilter router malware – what to do? [VIDEO]
- Set up your own VPN at home with the Sophos XG Firewall Home Edition (free!)
Anonymous
I sure would love a transcript of that podcast. Forty years of rock and roll has not improved my hearing one bit.
Paul Ducklin
What if you just turn it up to 12 :-)
Seriously: we have sometimes done transcripts in the past, but the job usually (OK, inevitably, i.e. always) falls to me and as I am not a stenographer, it really is a labour of love – it takes a lot longer than you might think to do a proper transcript unless you can type as fast as you can listen.
Problem is that the page views on the transcripts, even when we advertised them in the article, were typically in the low dozens, even for podcasts with listens in the tens of thousands – and the spoken word doesn’t make good written English anyway.
So we (OK, I) gave up transcripts and no one seemed to notice at all for months.
We’ll revisit this, though. Thanks for the comment – I’m not pumping out a blanket “No” above, just explaining why we have historically gone to and fro on whether to do transcripts or not.
WebCog
Does Netgear not issue prompt firmware upgrades (e.g. for DG834Gv3 – a UK “Domestic Router”) because
– the router is obsolete? (Why?)
– it is secure?
– Netgear as a “domestic supplier” consider the risk small?
– All the “Security panic” is just to get us to buy new kit?
o_O (@1122O)
Listened to the podcast; thanks for the information! A problem many will encounter is that ISP-issued routers have been ‘branded’ and most OEM features, like the ability to upgrade firmware, have been removed… :-|
Paul Ducklin
Yes, it seems a bit like the Android world, where there’s a company that produced the open source code, a company that built the device, an OEM that branded it, and a carrier that shipped it…
…and they don’t all move at the same security pace, if they move at all.
Jim
This brings up a question:
What about routers that the ISP provided, but I purchased? They can still get into them from their side. How confident can we be of the security the ISPs use for authentication?
Personally, I’m paranoid: I have a second router inside theirs. Different brand and IP address range as well. Both passwords are changed and strong.
But, if the ISP’s router got hacked, how would I ever know it? In the case of VPNFilter, a reboot helps, but that’s not going to be true of all malware.
Paul Ducklin
I would say you have done the right thing.
If your ISP insists on having a login to your CPE (customer premises equipment – could be a modem, router, fibre cabinet, whatever) then your network only starts at the next hop, so a router of your own inside theirs is IMO the way to go.
gregory flattery
I have an old BT router; it seems I am snookered regarding a firmware update, since the origin of this router is unknown.
Mark
Sorry, but I don’t really want to watch the podcast. Could you briefly explain why? And will it help?
Paul Ducklin
Jokingly… if you don’t have 6 minutes to listen to the podcast, then I’m sorry to have to tell you that I don’t have the 86 minutes it would take me to transcribe it, type it in, correct it, format it and publish the text of what we said so you can read it in 3 minutes instead :-)
Seriously… the links in the article should take you to what you need.
FWIW, spoken English is pretty much a different language to written English. Sometimes we do transcripts, but they are never really satisfactory – podcasts are there to be heard, and they come across as weird and stilted when you write them down, because none of us speaks as we write.