RouterCheck now detects the “Kafeine Vulnerability”

attackSecurity researcher Kafeine recently discovered a web-based attack tool that hackers have been using to compromise home routers. The attack utilizes Cross-Site Request Forgery (CSRF) vulnerabilities that are present in many popular routers. The list of router vendors affected include:

  • ASUS
  • Belkin
  • D-Link
  • Edimax
  • Linksys
  • Medialink
  • Microsoft
  • Netgear
  • Tenda
  • TP-Link
  • Trendnet
  • ZyXEL

The attack modifies the router’s DNS server settings to point to DNS Servers controlled by the hackers. Once this is done, any internet request made from the network can be redirected to sites with malware for further infections.

The attack seems to have been executed on a large scale. According to Kafeine, during the first week of May the attack server got around 250,000 unique visitors a day, with a spike to almost 1 million visitors on May 9. The most impacted countries were the US, Russia, Australia, Brazil and India, but the traffic distribution was more or less global.


RouterCheck can now detect routers that have been modified by this attack. Starting in RouterCheck Version 0.7.13, any router that’s had its DNS changed to one of the affected DNS servers will be flagged as problematic. Users who find that they’ve been a victim of this attack will be directed on how to fix it.


Kafeine has graciously posted the RouterCheck link in his blog posting of the description of the problem. Hopefully that means more users which means more checking which means fewer compromised devices.