How attackers compromise home routers and how to harden yours.
Home routers are one of the most consistently overlooked security devices in any home — most people unbox them, plug them in, and never touch the configuration again until the internet stops working. Yet routers sit at the centre of every device on the network: every laptop, phone, smart-home device, and security camera traffic flows through them. Compromise of the router gives attackers visibility into all that traffic and a launching point for attacks on every device behind it.
The realistic threats are concrete: routers running outdated firmware with known vulnerabilities, default admin credentials, exposed remote-management interfaces, and default WiFi configurations weaker than the protections the device technically supports. Many ISP-provided routers are particularly bad on these dimensions because the ISP optimises for support cost rather than security, shipping devices with shared admin credentials and infrequent firmware updates.
For most consumers, the protections that matter are straightforward: change default admin credentials, keep firmware updated, disable remote management, use strong WiFi password and current encryption (WPA3 or WPA2-AES), and replace devices that no longer receive firmware updates. Doing these things eliminates the overwhelming majority of realistic attack scenarios.
Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.
Most home routers ship with default admin credentials (admin/admin, admin/password, model-specific defaults). Attackers know the defaults for every common router model. Reaching the router admin interface (often accessible from the WAN if remote management is on, always accessible from inside the LAN) and trying default credentials is one of the highest-volume reconnaissance activities on the internet.
Router manufacturers regularly publish firmware updates patching security vulnerabilities. Routers running firmware that is months or years out of date have known exploitable vulnerabilities documented in CVE databases. Attackers scan for vulnerable router models and exploit known issues at scale.
Many routers have a remote-management feature that exposes the admin interface to the internet. When enabled (sometimes the default), attackers worldwide can reach the admin interface and attempt credential attacks or vulnerability exploitation. Most consumers do not need remote management; leaving it on is gratuitous exposure.
WiFi Protected Setup (WPS) feature has design flaws allowing brute-force attacks against the WPS PIN regardless of WiFi password strength. Successful attack reveals WiFi password. Several years old as a known issue; many routers still ship with WPS enabled by default.
Once attacker controls the router, changing DNS settings is a high-leverage move — all DNS lookups by all devices behind the router go through attacker-controlled DNS, allowing redirect to phishing sites, blocking of security updates, traffic monitoring. Often persistent (survives router reboot since stored in config) and hard for users to detect.
Many compromised routers are recruited into botnets (Mirai-family being the most famous) used for DDoS attacks against third parties. Compromise may not directly affect the user noticeably (some bandwidth used) but contributes to internet-wide attacks on others. Major source of internet-scale DDoS capacity.
Some sophisticated router malware persists in router firmware/storage, surviving reboots and even firmware updates in some cases. Used for ongoing surveillance of network traffic, credential capture, or as platform for further attacks. VPNFilter (2018) was a notable example; similar campaigns continue.
ISP-provided routers often have shared admin credentials across all customers (sometimes documented publicly, sometimes leaked). When known, these credentials allow attackers to compromise large numbers of customer routers with low effort. ISP firmware update cadence is often slow, leaving vulnerabilities exposed for extended periods.
Signs that your home routers may have been compromised:
Compromised router involved in botnet DDoS or attacker traffic shaping consumes bandwidth. Sustained unexplained slowness — especially at unusual times — warrants investigation. Many other causes; not definitive alone but worth checking.
If browser suddenly warns about invalid certificates on multiple websites that previously worked, attacker may be intercepting traffic via compromised router. DNS hijacking redirects can also produce certificate warnings.
If the password you configured for router admin no longer works and you have not changed it, attacker has likely compromised the router and changed admin credentials.
WiFi password, network name, DNS servers, port forwarding rules all changed when you did not change them. Indicates someone else has accessed router admin.
Router admin interface lists currently-connected devices. Devices you do not recognise may indicate WiFi compromise. Investigate before assuming family member or new IoT device.
Sustained activity LED blinking when all your known devices are off can indicate unauthorised access or background malicious activity. Worth investigating.
If your ISP contacts you about your connection being source of attacks, spam, or other unusual traffic, you have a compromised device on your network — often the router itself.
Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.
Router admin login should never use default credentials. Change to a strong unique password (different from your WiFi password and from passwords used on other accounts). The single most important router security action; takes 60 seconds.
Check router manufacturer site for firmware updates monthly minimum. Many modern routers support automatic firmware updates — enable that feature. Old routers no longer receiving updates from manufacturer should be replaced; running unsupported firmware is accumulating vulnerability over time.
Most consumers never legitimately access router admin from outside their home network. Leaving remote management enabled exposes the admin interface to internet-wide attacks. Disable it via router admin settings; the convenience cost is essentially zero for typical users.
WPA3 is current standard; WPA2 with AES is acceptable. WiFi password should be 16+ random characters. Older protocols (WEP, original WPA) are broken; do not use them.
WPS push-button connect feature has known vulnerabilities bypassing WiFi password. Disable in router admin settings. Convenience cost is minimal (manually enter password when adding new device); security benefit significant.
ISP-provided routers commonly have shared admin credentials, slow update cadence, and weak default configurations. Quality consumer routers (current ASUS, TP-Link, Netgear higher-end) or prosumer (UniFi, MikroTik, GL.iNet) provide stronger security defaults and longer update cycles. Cost is moderate; security improvement is real.
Most modern routers support a separate "guest" network isolated from your main network. Put smart-home devices, security cameras, visitor devices on guest network; keep laptops and phones on main network. Limits compromise blast radius.
Quarterly minimum: review connected device list, confirm router settings have not been changed, verify firmware is current. Catches issues early.
Higher-end routers (Asus AiProtection, eero with security subscription, UniFi Threat Management) include intrusion detection, threat intelligence, automatic blocking of known malicious destinations. Useful additional layer for users who want it.
Two-router setup with sensitive devices (home office, banking computer) behind a second router that itself sits behind the main household router. Adds isolation between household IoT/visitor traffic and sensitive devices. More configuration overhead; meaningful security improvement.