How to prevent being hacked again - Router & devices? 😢

[MadonnaMustache]

Hi. Our home network and devices have recently been hacked.

It looks like our router was infected first, which led to our devices being compromised using MITM attack, keyloggers, changing settings, passwords and stealing personal data. This all happened over a period of time, so it took a while to figure out what was going on.

How can I prevent this from happening again - or at least miminise the risk?

- Router: What settings are recommended to prevent rogue access? What should be locked down in terms of protocols, ports and admin? I'd like to aprove each device added. Should I whitelist MAC addresses, or bind MAC to IP and whitelist that, or something else?

- Mobile phones (Android) and PC/Mac: What should one do here to prevent any issues in the future? Anything that can notify one early on of interference, manipulated traffic or someone snooping?

- I have been using AdGuard on our mobiles and PC/Mac. However, I'm a bit worried that installing its Security Certificate to block trackers and ads in HTTPS traffic could have weakened the security of our devices and contributed to the MITM attack. Is it safe to leave its Personal CA, or should I remove it and just stick with HTTP filtering? Thoughts?

- Anything else one should think about? Adding 2FA where possible. Authy seems good.

Many thanks, I look forward to your suggestions.

 

[ColinTaylor]

How do you know your router got hacked? Most hacks come from inside your network, e.g. infected client devices.

You don't provide any information at all about your router or how it was configured. But in general don't enable any form of remote access to it from the internet.

 

[MadonnaMustache]

How do you know your router got hacked? Most hacks come from inside your network, e.g. infected client devices.

You don't provide any information at all about your router or how it was configured. But in general don't enable any form of remote access to it from the internet.

Hi there,

How would you disable remote access?

 

[Tech9]

Router:

What's the router? Make and model.

 

[ColinTaylor]

How would you disable remote access?

Often it is disabled by default and you have to purposefully enable it. However, it is dependant on the particular router in question, which again you have provided zero information about. I'll also ask again, what makes you think your router was hacked?

 

[MadonnaMustache]

What's the router? Make and model.

Zyxel NR5103E

 

[Tech9]

Zyxel NR5103E

Whatever happened on your network most likely originated from your LAN side - infected personal device or rogue IoT. I'm sure this 5G gateway is locked down by default and perhaps your mobile data operator uses private IPv4 addresses behind upstream firewall with no port forwarding. IPv6 may or may not be enabled on it.

 

[ColinTaylor]

Zyxel NR5103E

I am not familiar with that device. I found this manual online which appears to be for it: https://spdl.zyxel.com/NR5103/user_guide/NR5103_V1.0-4.4_Ed3.pdf

I suggest you review chapter 29. In particular make sure that WAN access is not enabled.

 

[MadonnaMustache]

Whatever happened on your network most likely originated from your LAN side - infected personal device or rogue IoT. I'm sure this 5G gateway is locked down by default and perhaps your mobile data operator uses private IPv4 addresses behind upstream firewall with no port forwarding. IPv6 may or may not be enabled on it.

Thanks for that! Is there anything I can do to prevent rogue IoT devices?

 

[MadonnaMustache]

I am not familiar with that device. I found this manual online which appears to be for it: https://spdl.zyxel.com/NR5103/user_guide/NR5103_V1.0-4.4_Ed3.pdf

I suggest you review chapter 29. In particular make sure that WAN access is not enabled.

Thanks for that! WAN is disabled by default. Anything else I should do to make the home network more secure? Should I whitelist MAC addresses, or bind MAC to IP and whitelist that, or something else?

 

[ColinTaylor]

Should I whitelist MAC addresses, or bind MAC to IP and whitelist that, or something else?

No that is not necessary.

 

[Tech9]

it took a while to figure out what was going on

You already figure it out what's going on. We know nothing about it. So tell us what's going on first. Recently been hacked doesn't tell much.

 

[L&LD]

Thanks for that! Is there anything I can do to prevent rogue IoT devices?

Do not power them up and connect (any/all IoT) devices to your network.

Yes, even in 2024, they're still all rogue.

 

[MadonnaMustache]

Do not power them up and connect (any/all IoT) devices to your network.

Yes, even in 2024, they're still all rogue.

But what do I do with the ones I already have? How can I minimise the risk of them being hijacked?

 

[L&LD]

Nothing.

Either live with that or better yet, discard them.

If they need an internet connection, and they are connected, they are not secure. Period.

 

[coxhaus]

Use a different firewall or switch OS if you can and then you can restore everything. Putting everything back the way it was, you will end up hacked the same way.

 

[MadonnaMustache]

Use a different firewall or switch OS if you can and then you can restore everything. Putting everything back the way it was, you will end up hacked the same way.

I factory reset the router, changed the admin password, changed the default SSID names, changed the passwords, made them different.

 

[MadonnaMustache]

Nothing.

Either live with that or better yet, discard them.

If they need an internet connection, and they are connected, they are not secure. Period.

Isn't there anything one can do to make it safer? Will Matter solve this maybe?

 

[Tech9]

Is there anything I can do to prevent rogue IoT devices?

Make sure you buy brand name and popular devices. Avoid random cheap no-name devices.

 

[L&LD]

Look at how IoT devices are made, who they're made by, and how little they go for. Matter? What will that do to change their base defects and corruptible design? Nothing.

I factory reset the router, changed the admin password, changed the default SSID names, changed the passwords, made them different.

Do it all over again, if you haven't already, without being connected to the internet (no USB devices and/or any WAN/LAN cables connected to the router at all), from a trusted PC.

I have had many experiences (many decades ago) where plugging into the internet at that time (bare public IP!!!) would immediately infect the PC I was trying to fully update and protect. Same thing here, except it's with the router this time (the only outwardly facing thing you should ever have on your network.

ONLY AFTER IT IS FULLY SET UP AND PREPARED/READY TO STOP SUCH INFECTIONS.


To be clear:

• Take the router out of the package.
• Use only a trusted PC that you have downloaded all needed files too (it will be offline too while configuring the new router).
• DO NOT PLUG IT INTO THE NETWORK OR YOUR ISP EQUIPMENT. YES, DO THIS WIRELESSLY, ONLY.
• Find the appropriate WPS Button reset method for your model
  • https://www.asus.com/us/support/FAQ/1039074
  • Before powering it up (at all), perform the 'Hard Reset' as instructed.
• Perform a 'dummy' (i.e. a temporary) setup and fully reset the router via the GUI, be sure you click the box to 'Initialize all settings..." too, before hitting Restore.
• Perform another 'dummy' setup and flash the firmware you want to use (i.e. RMerlin's superior fork).
• Verify that the RMerlin firmware 'took', then perform another 'Hard Reset'.
• At this point, you can configure the router (offline) as far as you can.
• When you are ready to plug it into the network, it should be fully functional and as secure as possible. At least for basic internet service.

The above process takes less than 15 minutes on modern routers. Before anyone moans about the time this needs to be performed properly.

This has been my baseline for myself and my customers for years now. At this point, I feel as secure as I can be that the router and network are as safe as possible, with the smallest chance of getting hacked (out of the box).