I have a store-bought consumer router connected to my ISP’s router, which is in bridge mode, and it’s one of the few remaining proprietary mystery boxes in my network that I don’t know how to audit. I recently made a post about whether I should switch to pfSense, and this was one of my motivations (though I forgot to mention it in that post).

Is there an effective way to check whether my router is part of a Mirai botnet or some other malware that scanned the internet and found some vulnerability in my router? As far as I know, once infected, things like updating the firmware or pressing the reset button aren’t guaranteed to remove it because it can just take control of those processes and persist. In my specific configuration, can malware from the internet even see my main router or just the ISP router it’s connected to?

In my threat model, I’m most concerned about my local traffic to and from my server being exfiltrated by some cybercrime group as a lot of it is HTTP or HTTP proxy data. Not so much general internet bound traffic which is usually HTTPS or VPN. Obviously I don’t want to be “participating” in botnet attacks or other cybercrime infrastructure either.
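One concrete check for the question above, added here as an example and not something from the thread: Mirai's scanner module sends TCP SYNs to port 23 (and, less often, 2323) at random public addresses, and a home router has no reason to initiate telnet connections at all. If you can see the router's upstream traffic (the assumption here is a tap or span port between the router and the bridged ISP modem, exported as one flow record per line), you can flag the router's WAN address when its SYN-only telnet probes fan out to many distinct destinations. The record format, the `Flow`/`parse_record`/`telnet_scanners` names, the threshold and the sample lines are all constructed for this example.

```python
"""Flag sources that behave like a Mirai-style telnet scanner.

Added example, not code from the original thread. Assumes flow records of
the form "src dst dport flags", one per line, captured upstream of the
router (tap or span port between router and ISP modem). Adapt
parse_record() to whatever your capture tool actually emits.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Mirai's scanner targets telnet on 23 and, with lower probability, 2323.
TELNET_PORTS = {23, 2323}
# Distinct destinations before a source is flagged. Constructed default;
# legitimate LAN hosts should produce zero SYN-only telnet flows anyway.
DISTINCT_DST_THRESHOLD = 20


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S" for a bare SYN, "SA" for SYN/ACK


def parse_record(line: str) -> Optional[Flow]:
    """Parse one 'src dst dport flags' record; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, dport, flags = line.split()
    return Flow(src, dst, int(dport), flags)


def telnet_scanners(lines: Iterable[str],
                    threshold: int = DISTINCT_DST_THRESHOLD) -> Dict[str, int]:
    """Return {src: distinct_dst_count} for sources whose SYN-only flows to
    telnet ports reach at least `threshold` distinct destinations."""
    fanout = defaultdict(set)
    for line in lines:
        f = parse_record(line)
        if f is None:
            continue
        # Only outbound connection attempts count; replies and established
        # sessions (flags other than a bare SYN) are ignored.
        if f.dport in TELNET_PORTS and f.flags == "S":
            fanout[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


# Constructed sample: a LAN client doing ordinary HTTPS, plus the router's
# WAN address 203.0.113.5 (documentation range) spraying SYNs at 23/2323
# across thirty different hosts. One completed handshake is included to
# show that non-SYN records are not counted.
SAMPLE = ["# src dst dport flags"]
SAMPLE += [f"192.168.1.10 198.51.100.{i} 443 S" for i in range(1, 6)]
SAMPLE += [f"203.0.113.5 100.64.{i}.1 {23 if i % 10 else 2323} S" for i in range(1, 31)]
SAMPLE += ["203.0.113.5 100.64.1.1 23 SA"]


def main() -> None:
    hits = telnet_scanners(SAMPLE)
    if not hits:
        print("no telnet scanning seen in the sample")
    for src, n in hits.items():
        print(f"{src}: SYN-only telnet probes to {n} distinct hosts "
              f"(Mirai-style scanner behaviour)")


if __name__ == "__main__":
    main()
```

This only sees what the router itself sends upstream, which is why the capture point has to sit between the router and the modem rather than on the LAN side; a router that is scanning the internet looks perfectly quiet from inside. Treat a hit as grounds to pull the router offline and reflash, not as proof of a particular malware family, and treat a clean run as absence of this one behaviour, not as a clean bill of health.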

  • hansolo@lemmy.today · 15 upvotes · 16 hours ago (edited)

    Rather than test, why not just get the firmware from the manufacturer’s site and flash the same firmware? Or update if there’s something new?

    • HiddenLayer555@lemmy.ml (OP) · 3 upvotes · 14 hours ago (edited)

      Wouldn’t the old firmware still have to respond to and perform the flashing request? For example, reading from a USB drive? Is it more likely to overwrite potentially malicious code compared to the reset button or automatic updates from the web admin panel?