Check if Your Home Router is Vulnerable
At Wordfence, we make a firewall and malware scanner that protects over 2 million WordPress websites. We also monitor attacks on those sites to determine which IPs are attacking them and we block those IPs in real-time through a blacklist.
Tuesday morning we published a post showing how 6.7% of all attacks we see on WordPress sites come from hacked home routers. In the past month alone we have seen over 57,000 unique home routers being used to attack WordPress sites. Those home networks are now being explored by hackers who have full access to them via the hacked home router. They can access workstations, mobile devices, wifi cameras, wifi climate control and any other devices that use the home WiFi network.
Half of the internet service providers we analyzed have routers with a very specific vulnerability. This vulnerability is known as the “misfortune cookie”. We will call it the MC vulnerability for short. It has been known for a few years and was first disclosed by CheckPoint in 2014. It is now being used to hack home routers. Using the tool below you can tell if you have the MC vulnerability.
The MC vulnerability exists in a service that your ISP uses to remotely manage your home router. That service listens on a “port” number, which is 7547. Besides the MC vulnerability, this port can have other vulnerabilities, one of which was disclosed a few months ago. Researchers have been discussing the dangers of port 7547 in home routers for a few years now.
Your ISP should not allow someone from the public internet to connect to your router’s port 7547. Only your ISP should be able to access this port to manage your home router. They have the ability to configure their network to prevent outsiders from accessing that port. Many ISPs do not block public access to port 7547.
You can use the tool below to determine if your port 7547 is open to the public internet. If it is, we suggest you contact your ISP and ask them to prevent outsiders from accessing that port on your home router. Even if you aren’t vulnerable to one of the two vulnerabilities we posted above, future vulnerabilities may emerge on port 7547. By blocking public access you will protect yourself and your home network.
Check if you are vulnerable
To use this tool, simply click the ‘Scan me’ button and we will check the IP you are visiting this site from to determine if port 7547 is open on your router and if it is vulnerable to the misfortune cookie vulnerability.
This test attempts to connect to your home router port 7547 to see if it is listening and it grabs the response from that port and analyzes it. It is quite safe and if your port 7547 is publicly available, it already receives many scans like this every day from hackers and security professionals.
[Editor’s note: The tool to check for this vulnerability was removed in April, 2018.]
What to do with the results
If you are vulnerable, we recommend that you:
- Immediately reboot your home router. This may flush any malware from your home router.
- Upgrade your router firmware if you can to the newest version. Close port 7547 in your router config if you are able to. (Many routers don’t allow this)
- If you can’t upgrade your own firmware, immediately call your ISP and let them know you have a serious security vulnerability in your home router and you need help fixing it. You can point them to this blog post (the page you are on) and this CheckPoint website for more information. Let them know that your router has a vulnerability on port 7547 in “Allegro RomPager” that can allow an attacker to access your home network and launch attacks from your router on others.
- Run a virus scan on all your home workstations.
- Update all home workstations and devices to the newest versions of operating system and applications or apps.
- Update any firmware on home devices where needed.
If you are not vulnerable, but port 7547 is open on your router, we recommend that you:
- Reboot your home router immediately. You may suffer from other port 7547 vulnerabilities.
- Upgrade your router firmware if you can.
- Close port 7547 on your router if you can. (Many routers don’t allow this)
- Contact your ISP and let them know that port 7547 on your home router is accessible from the public internet. Let them know that port 7547 is used by your ISP to manage the router. It should not be publicly available. Suggest that they filter access to that port to prevent anyone on the public internet accessing it.
How you can help
According to Shodan, a popular network analysis tool, over 41 million home routers world-wide have port 7547 open to the public internet. We are trying to get the word out to home users and ISPs to block this port and patch any vulnerable routers. This will help reduce attacks on the websites we protect and, far more importantly, it will help secure over 41 million home networks.
We found over 10,000 infected home routers in Algeria who use Telecom Algeria for internet access. These are home networks that have already been hacked. We found over 11,000 hacked home routers in India with BSNL, another major ISP in that country, where the routers have already been hacked. Let’s help secure our fellow internet citizens and prevent others from having their home networks compromised.
You can help by sharing this post and empowering home users to check if they are vulnerable. They can then contact their ISPs with the information and this will gradually cause ISPs to close port 7547 to outside access and to disinfect and patch vulnerable routers.
Comments
6:33 pm
Thanks for taking the trouble, Mark. Being able to check one's home router is certainly very helpful.
8:24 pm
Mark, I'd like to extend to you my sincerest thanks for informing the public about such vulnerabilities time and time again. Your data studies and reporting is excellent.
I've been a Wordfence user for a while now and been reading your newsletter and blog since then. You always share some unique data in the WP security sphere and educate the netizens in what needs to be done to stay safe.
Also, after experiencing your plugins' superb functionality, I am thoroughly impressed.
I thought to myself if the free version was this good, how good the premium be? Well, I did subscribe to WF premium, and since then I am pretty relaxed when it comes to WordPress security.
My two primary needs (a firewall and a 2-factor auth for all users) both are handled beautifully by WordFence. On an average, I used to get anywhere between 10-50 brute-force login attempts daily, from IPs all over the world. This article explains how the hackers can automate and manage this process so well. Well, I'm sure this is just one of the techniques they use.
I'm glad I am using WordFence as I can laugh as those waves of brute force attempts crash against the WF firewall, Dual-factor authentication.
Educate yourself and follow the best practices, that's what I always say to our readers. Thanks for leading the way.
PS: I did scan my router and it was reported safe. Whew!
8:46 am
Thank you so much for this tool! Can't say enough great things about WordFence.
8:47 am
Installing Wordfence was one of the best decisions I've ever made regarding my online-website-Wordpress career.
8:49 am
You guys are great, thank you!!
8:50 am
Great tool, great help! Lots of kudos!
8:51 am
Many thanks to you guys at Wrdfence !
As per your check my router is OK.
All the best and regards,
Carlos,grupo.paralaxe@gmail.com
8:52 am
Thank you for sharing this tool today! It was a relief to know my router is safe. I install Wordfence on every site. It's like having a silent business partner.
8:53 am
Can the scan be run accurately from a mobile device via WiFi?
8:55 am
Yes. It will check whatever your public IP is for your mobile connection. So if you're using your home WiFi on a mobile device, it will check your home router as intended. If you're at a coffee shop, it will check their router. If you're connected via a VPN, it will check the exit node for the VPN, not your home router. If you're at the office, it will check the public IP for your office connection and if that's a router, it will let you know if that is insecure.
8:55 am
Thanks for the information. Since i cannot close the port 7547 myself, i will request my ISP for help.
9:01 am
That's great Rajat. Let us know if they have any feedback.
8:56 am
"Your router is safe." :) huh !
8:56 am
Thanks for the utility. Great job and just one more reason to use Wordpress.
8:56 am
Tres echos of kudos above.
Well done.
Thanks.
~mak
8:56 am
Great tool. Thanks for creating this for us to use. I always find your site full of great information.
8:57 am
Thanks very much for this helpful tool and your regular and very interesting newsletter /reports. Your report is one of the few newsletter that I read every time. Your premium version is worth every penny and I will strongly recommend it.
8:58 am
Thank you so much for always providing important information to keep our devices and websites safe and secure. WordFence is the best!
8:58 am
Thank you for the the warning and link to check security vulnerabilities. I will post it.
9:00 am
I'm stuck here in the UK using BT's "Home Hub 6" router.
It's vulnerable and no way to manually block the port using their router.
have sent them a message about this, doubtful they will fix it quickly...
9:01 am
Wow, first vulnerable router Bill. Thanks for sharing. Definitely reboot it immediately and then contact BT urgently.
9:29 am
The latest Plusnet router (which is the same as BT's/same company) shows up as safe, so they may be able to change the router to a later one?
9:55 am
I would change router back to the hub 5 im on hub 5 bt and in uk and all is good .
10:42 am
@ Mark
Does this malware use the same method of attack as mentioned in this old article?
http://www.ispreview.co.uk/index.php/2014/12/masses-broadband-routers-hit-misfortune-cookie-security-scare.html
Because in this article BT tested their routers and stated that they're unaffected. They clarify the point towards the bottom of that post in the updates section.
Thanks
11:49 am
Yes we think these routers were exploited by CheckPoint's misfortune cookie vulnerability. I haven't read the post you linked to yet but can see MC referenced in the link (sorry, short on time). I'd also add that there's a new port 7547 (TR-069 service) exploit doing the rounds and more will emerge. They really should block the port from public access.
9:00 am
Thanks for this excellent post, Mark. You're doing great things!
9:02 am
I'm very much relieved my router has been blocked, thanks to you. I'm looking forward to upgrading my service.
9:05 am
Thank you for this research and this testing utility
9:17 am
Thanks for the tool.
Is the message "Your router is safe" unrealistically reassuring? Would it be more accurate to say "Your router's port 7547 is safe" since that's the only test performed and other vulnerabilities may still exist?
9:35 am
Hi Eric,
I'm not sure I agree. I think we've made it clear we are only checking port 7547 and so the response can be interpreted as "Port 7547 is safe" (because it is closed). Thanks for the input.
Mark.
11:36 am
The article is very clear and the first wave of users (mostly developers) understand it. But when average users test it (which hopefully will happen), many will only look at the button and the response without the context and misinterpret it as a clean bill of health.
9:24 am
You guys are like the Carrie Mathison of web security...always saving our butts!
9:25 am
Great article for which many thanks.
I have a BT Home Hub 6 - the port is open and now speaking to the BT Help Desk - I have forwarded them the link to the page to help them.
Heartfelt thanks for all you are doing to keep us all safe !
9:29 am
Thanks for this Mark! I tested and am safe. I will share your post with my clients and friends. Wordfence, you and your team have been an invaluable service and source of up-to-date information.
9:31 am
Thanks, Mark, for all you do... great job!
9:33 am
Great tool! Thanks for sharing this! Am passing the word along to family and friends.
9:34 am
Mark - greatly appreciate what you do
9:37 am
Great information and have passed along the informative article to my clients. Email alerts and emerging threats are great to receive. Thank you for keeping us informed and above all, your product! Michael
9:37 am
Thanks so much for doing great things to protect networks worldwide. Going with Wordfence is the best decision I have made in years.
10:00 am
Great tool, I've passed it along to everyone in my office to make sure everyone is being safe at home.
10:01 am
I checked my router with your scan and was informed that I have an open port. I then checked with my internet provider, BT and was informed that the open port poses no threat at all and I should ignore it? So now I have conflicting information and I am not sure what to do about it. I cannot see any way to close the port in question and BT are saying that I shouldn't even bother trying as it poses no threat to anyone?
12:49 pm
We disagree. It may not be vulnerable, but an ISP management port should not be accessible to anyone on the public Internet.
10:03 am
Thanks for keeping us informed Mark. You can't be too careful these days. My router is safe :)
And I use wordfence on my websites.
10:09 am
Very much appreciated.
Thank you!
10:14 am
Just posted this on my facebook page. Thanks for the tool.
10:30 am
Thank you!
10:32 am
Seems that Comcast/Xfinity is wide open and vulnerable.
10:38 am
I am so grateful for WordFence. I have enabled premium WF on both my personal and work websites, and I can't imagine *not* having it. WF makes a dangerous web feel a lot more secure. Thanks!
10:56 am
Port 7547 is the Comcast public access Wi-Fi installed in over 16 million routers worldwide. I had already contacted them regarding hacking possibilities. They say it cannot happen. Of course, I am a realist. Anything can happen. One fixes vulnerabilities and the hackers learn how to do something new. It is simply a case of staying ahead of the chase. I would humbly like to add that all users of modem/routers install very strong passwords to login, as well as, for Wi-Fi registration. Sadly, there isn't much more that I can do in this case. While logged into the modem, I did see your tool test and DHCP IP address. In sum, there is not more I can do without upsetting the gateway 'apple cart'. Thank you very much Mark. I am considering your request for part-time engineers to help Wordfence. I have also checked my website and with multiple anti-malware software, I have any changes going to my inbox, automatically. Thank you, again for a great service. Sincerely, Ed Smith
11:30 am
Thank you, to Mark and the Wordfence team for the tool and having our backs.
11:34 am
Thanks to Wordfence - we use your plugin on every site we design. And we really appreciate the ongoing support you provide with articles like this one.
11:52 am
Thanks for this. I ran the scan on my EE Bright Box. The result came very quickly. Safe!
12:16 pm
Thanks Wordfence for such a fast turn around and convenient tool
12:24 pm
Fortunately no 7547 open but I do have port 8088 open on a Vodafone router. My ISP won't close it. I've spent 2 weeks telling them this is a vulnerability but got no where.
1:08 pm
This test is only valid if run from a computer that is *not* connected to a VPN or Tor. In these cases, you are not testing your router, but instead the VPN server or the Tor exit node.
1:11 pm
Correct.
1:35 pm
Great job as always. Thanks guys... you are the best. All good on my router.
2:32 pm
So glad to find out my router is safe - I wouldn't have thought to check that or have any idea how to go about it. Wordfence rocks. Thanks!
2:58 pm
Thanks for your service. It is worth paying for the premium version to support your work!
3:13 pm
Well this post was something that everyone could use. I really like that your team is willing to expand the scope to the masses, not just WordPress users. It's a great idea to help protect the public from having their equipment from being compromised which in turn helps protect our websites. Now if we could somehow replace Log/Pass for something better. ;)
3:45 pm
Thank-you very much for that little extra peace of mind.
4:03 pm
Thanks guys. I'm pleased to see I not one of the contributors.
5:50 pm
I did the check and it said I was vulnerable but the warning code mentioned "Cisco..." I don't use a Cisco router. My Xfinity/Comcast modem/router is made by Arris. I called Comcast and they said none of my ports are open. I'm not sure what to do. I see others reporting that Xfinity is vulnerable. How do we tell Comcast this?
9:04 pm
Hi David,
Can you please email me your public IP address and the exact data you got from our check tool. You can use whatsmyip.org to get your public IP. So check your IP and then re-verify what you saw, and then shoot me an email at mark@wordfence.com. I can investigate further and will share (privately) what we find.
Mark.
11:14 am
Hi Mark,
Thanks for your reply. I just sent you a personal email. Thank you!
11:36 am
Thanks David.
6:28 pm
Could you please make public anything you find out from Xfinity/Comcast in the US? I also got the warning that the port was open and possibly vulnerable.I have an xfinity router made by cisco.
Thanks!
10:24 am
We currently have no plans to research that ISP specifically.
7:47 pm
You guys are the best. Every time I think ok they are on top you come out with something better. It is amazing that you compete with yourself to keep out doing yourself. That is a sign of a true leader.
7:52 pm
Your work is truly amazing, guys!
Almost makes me feel guilty for only using the free version ; )
Even though my router was not on the list, yesterdays post made me check my firmware version, and to my dismay discover that I never upgraded it when I installed my new router a few months ago! Ah well, unpleasant as it was to have to take time to do it, now it's done and I'm glad I did it - you never know...
Cheers
Lars
9:02 pm
That's great Lars, nice catch!!
9:01 pm
Thanks very much for sharing this !!
12:09 am
So cool, just make a button for checking. How simple can you make it?
Really awesome work Wordfence, love to read the blogs :)
Thanks for al the work!
3:55 am
Just checked my router now, it's safe. Thanks for the valuable piece.
6:23 am
Hi Mark,
I found your plug-in through the Wordpress forum when I was having some issues with my site crashing. I've installed Wordfence on my site and it found some malware which had been causing some problems.
I'd like to thank you for the work you do to keep our sites safe and for providing these additional products to check our system to make sure they're not infected.
Thanks so much!
Cathy Rust
7:17 am
Wow, tested last night and found my home router, provided by COMCAST, did have the vulnerability. Took almost an hour on the phone with them to get this resolved. I would guess that most of the COMCAST provided routers are configured the same (yikes!).
8:49 am
Thanks for the feedback. I just want to confirm: So Comcast took action and they were able to close port 7547 for you?
Thanks.
9:26 am
Thanks for the warning. I am safe, I sent your link to facebook, twitter and tumbler.
10:50 am
This post was very interesting and informative. It's sickening what hackers can do today and they should be putting their intelligence to better use.
I have ran the scan to see if my router is safe and I am happy to say that it is.
Kenneth C Young
11:06 am
Hi Mark, the best for your and all your professional team. Thank you for this great tool.
11:23 am
Rats. BT SmartHub - vulnerable and the user can't close 7547.
Thank you for the tool, and I agree with you that with these kinds of exploits in the wild, 7547 should not be publicly accessible.
12:35 pm
Thanks so much for all the fantastic info, the solid software and for this particular warning and the tool for checking our routers. Rock solid on!
5:42 pm
Another way to check your router for vulnerability and others is to use the utilities at https://www.grc.com. As always you stimulate me to ask more questions. Couldn't Internet Service Providers block all access external to their network to port 7547?
I hope you are working with ISPs to encourage them to clean up their vulnerabilities.
I wish there was a way to have Steve Gibson read about your research.
11:51 pm
Thanks for this info. Was able to check my router with the tool
7:36 am
Many thanks Mark, the scan was very useful. I live in one of the listed countries, have a ZyXEL modem-router and an ISP with abysmally poor support. Last week I had some Internet issues and tried to access my modem-router and could not. I ran your scan with the result "Your router is vulnerable. The port returned: RomPager/4.07 UPnP/1.0"
After ensuring I had all the settings needed, I did a reset and was able to gain access. On the Admin page I found: http://acs.telkom.net:9090/web/tr069 and a field for the port which was filled with 7547. The field could not be empty so I entered a figure above 50000 and tried the scan again. This time the massage was: "Your router is safe". Another door closed! Thank you again!
I spent half an hour on the telephone to my ISP Customer Service, but even after reaching a supervisor I realised that I was wasting my time, so I tried to get an e-mail address for someone to contact, but was told the only one was @customerservice. From experience I know that the mail box is always full.
I decided to check for firmware updates at Zyxel and found that the exact model of my router was not listed. There are hundreds of thousands of the same model in this country. Without a listed Model No., you cannot open the message field. I picked the closest one and entered the Serial No. and the SN(??), explained the issue in detail and clicked Send. A few minutes later, I received an e-mail: lUndeliverable: Zyxel【Contact Support】Delivery has failed to these recipients or groups: ZySG-Support@zyxel.com.sg!!! Checking Whois told me the server was in Taiwan, so complained to the postmaster and admin, but probably a waste of time.
6:33 am
Thanks for the post :) - I had updated my firmware on my affected Zyxel router but being naive/stupid I didn't actually test it after update - I just assumed it worked. Turns out it didn't as this page and other apps flagged it up.
Having been back and forth with their support and two further firmware updates (their contact form is buggy if you try and contact them - sometimes the form company field needs to be left empty and the attachment field clicked but left empty) they want me to block the 7547 port manually. At the moment followed their documentation link they sent the port is still vulnerable.
So waiting to see if they can help me again if it still persists I guess I'll have to buy a new router.
3:16 pm
Hi Victor
Sounds like your ISP and mine did the same thing - using the 7547 port to do updates. I updated the firmware and I disabled the ISP service in the end and back working :)
8:35 am
THANK YOU !
You guys ROCK!!!!!!
:-)
9:09 am
It says i'm safe ...
3:06 am
When contacted, our ISP replied:
We do not have the ability to block any ports. That has to be done locally at pc or router level.
Can you provide more info to educate them???
9:42 am
You should find out if your router is owned and operated by them or if it's your own equipment.
3:05 pm
The router is ours and has been updated to the latest firmware - Linksys e1200. There is no visible option to block a port. Would moving to the Tomato firmware offer this option?
3:38 pm
I'm doubtful that you're connecting to your own router. Wondering if there's a way you can verify it's actually your own router you're connecting to. Can you login to it and check what IP it has received on it's WAN interface and then try telnetting to port 7547 on that IP?
7:35 am
The router is sitting here in my office. When I run your scan, it says vulnerable.
There is a DSL modem between the router and the wall connection - we checked and there is no updated firmware available for it.
9:59 am
I ran the scan,but received the following message: "An error occurred when trying to test your router."
10:04 am
We have an issue with the scan currently. Working on a fix. Should be back up within 2 hours.
10:11 am
It's fixed now. Was down for just a few minutes.
3:46 pm
I have two routers, the one is my internet gateway and the second plugs into it to run my network. So I suppose that this tests the gateway? Is there anyway to test the one that is nested within that?
10:01 am
Thanks for this post and free online tool to check if my homes router is insecure and how to make it secure if it is. This is the type of post & tool that I will take the time share on all the platforms I am associated with.
3:46 pm
I ran the test and it tells me I have port 7547 open.
I login to my router and find no way to block the port.
I call Comcast/Xfinity to ask to have port 7547 blocked.
The tech tells me I am 100% safe because Port Forwarding, Port Triggering, and Remote Management are all disabled.
Does this sound reasonable?
6:00 pm
Can anyone tell me if I change the firmware in a Linksys e1200 to the Tomato software will that then allow me to block the port?
12:29 pm
Thanks for going to the trouble to provide the scanner. Fortunately, we came up safe. However, you have no way of knowing, and being provided an easy tool to find out is worth our gratitude many times over.
4:33 am
After much too and fro it appears some ISPs used outside companies several years ago to manage router distribution and updates - they used the 7547 port to send updates.
So even with firmware updates vulnerability existed - now I've disabled this service the router shows as safe
Thanks sincerely for this post