Morning Overview

5 router settings that make your home Wi-Fi far safer

The FBI is warning homeowners that cybercriminals are actively hijacking aging routers to build proxy networks used for fraud, identity theft, and other attacks. The bureau’s alert on end-of-life routers names remote management and outdated firmware as the primary weaknesses exploited, while the Federal Trade Commission has separately published consumer guidance recommending stronger encryption and the removal of legacy features like Wi-Fi Protected Setup. Five specific router settings, each backed by federal advisories or independent security research, can sharply reduce a home network’s exposure without requiring new hardware.

Federal warnings tie router defaults to active criminal exploitation

The FBI published an alert titled “Cybercriminal Proxy Services Exploiting End-of-Life Routers,” detailing how attackers install persistent malware on consumer routers that no longer receive security patches. Once compromised, these devices are sold as proxy nodes on criminal marketplaces, letting bad actors route traffic through an unsuspecting household’s internet connection. The bureau’s recommended countermeasures focus on two actions: disabling remote administration and applying firmware updates. For routers that have reached end-of-life status and no longer receive patches, the FBI advises replacement, framing unsupported hardware as a systemic risk rather than an individual nuisance.

The FTC echoes those steps in its own consumer guidance. Its advice on securing a home Wi-Fi network calls for using WPA2 or WPA3 encryption, keeping firmware current, and disabling WPS when it is not needed. A separate FTC resource on protecting home security cameras reinforces the same baseline: place connected devices on a network secured with WPA3 or, at minimum, WPA2, because the router is the single point of control for every camera, thermostat, and smart speaker behind it. That camera guidance treats the router as the first line of defense for a household's connected devices and underscores that a compromise at the router level can cascade across all of them.

Technical evidence behind each of the five settings

The five settings that appear across federal and independent security sources are: upgrading encryption to WPA3, disabling WPS, disabling UPnP, turning off remote management, and installing the latest firmware. Each recommendation traces back to documented vulnerabilities or published standards rather than general advice, and each targets a distinct stage of the attack chain, from initial access to persistence.

WPA3 was introduced by the Wi-Fi Alliance in 2018 as a replacement for WPA2. The certification program added protection against offline dictionary attacks, as well as forward secrecy for individual sessions, meaning that even if a key is later exposed, past traffic remains protected. Routers still running WPA2 remain acceptable under current federal guidance, but WPA3 closes specific attack paths that WPA2 leaves open, especially in environments where weak passwords might otherwise be cracked offline. In practice, enabling WPA3 where supported reduces the payoff for attackers who rely on large-scale credential guessing.

WPS, the push-button or PIN-based pairing feature found on many consumer routers, carries a design-level flaw documented by CERT/CC in Vulnerability Note VU#723755. The WPS PIN brute-force vulnerability allows an attacker to recover the PIN and gain full network access because the protocol’s eight-digit PIN is verified in two halves, drastically reducing the number of guesses required. Cisco published its own security advisory on the same flaw, confirming that affected products across the industry exposed users to unauthorized access through WPS PIN mode. Disabling WPS entirely removes this attack surface and forces all new devices to join the network using the primary Wi-Fi password under WPA2 or WPA3.

UPnP, a convenience protocol that lets devices automatically open ports on a router, was the subject of a 2013 research report by Rapid7 titled “Security Flaws in Universal Plug and Play: Unplug, Don’t Play.” That research identified systemic exposure problems, including vulnerable implementations that allowed remote code execution and widespread cases where internal services were inadvertently exposed to the public internet. Turning off UPnP prevents devices and malware from silently punching holes in a home firewall, forcing any necessary port forwarding to be set up deliberately rather than automatically.

Remote management, sometimes labeled “remote administration” in router menus, lets anyone reach the router’s configuration panel from outside the local network. The FBI alert specifically names this feature as a vector that criminals exploit to install proxy malware, because exposed management interfaces are often protected only by default passwords or outdated authentication mechanisms. Disabling it restricts configuration access to devices already connected to the home network, dramatically shrinking the number of potential entry points an attacker can probe from afar.

Firmware updates, the fifth setting, patch known vulnerabilities as manufacturers discover them. The National Institute of Standards and Technology has published recommended cybersecurity requirements for consumer-grade router products that include automatic update capabilities as a baseline expectation for manufacturers, reflecting the reality that most households will not manually track security advisories. Where automatic updates are unavailable, periodically checking the vendor’s support site and applying the latest firmware is the only way to receive fixes for discovered flaws, including those that enable the kind of proxy malware campaigns highlighted by the FBI.

What household-level data still does not exist

The hypothesis that households applying all five settings would see measurably fewer unsolicited inbound connection attempts over a 90-day window is plausible on technical grounds but currently untestable at scale. No federal agency has published telemetry data showing how many U.S. households still run with remote management enabled, use WPS, or leave UPnP active. The FBI alert documents criminal exploitation of these features but does not quantify the installed base of vulnerable routers or the percentage of traffic flowing through hijacked devices.

NIST’s consumer-router requirements set manufacturer-side standards without tracking household-level adoption, so even when vendors ship devices with safer defaults, there is no public census of how many users change those settings later. Likewise, the FTC’s guidance assumes a baseline of insecure or outdated configurations but does not offer statistics on how many households have moved to WPA3, disabled WPS, or enabled automatic updates. Independent research from CERT/CC and Rapid7 provides strong proof that WPS and UPnP can be abused in real-world conditions, yet those studies focus on protocol and implementation flaws rather than ongoing measurement of how often those features are still turned on in homes.

This data gap matters because it limits policymakers’ ability to assess whether voluntary guidance is changing behavior. Without longitudinal metrics on configuration trends, agencies cannot easily determine whether repeated warnings about end-of-life routers and risky defaults are reducing the pool of exploitable devices or merely documenting the same problems year after year. For now, the strongest evidence remains technical rather than statistical: each of the five settings has a clear security rationale, and each aligns with specific vulnerabilities or attack techniques that federal agencies and security researchers have already observed in the wild.

For individual households, the absence of precise adoption figures does not change the core calculus. Enabling modern encryption, turning off legacy conveniences like WPS and UPnP, disabling remote access, and keeping firmware current are all low-cost steps that directly address documented weaknesses. While comprehensive national statistics may eventually clarify how many routers remain exposed, the technical record already shows that tightening these five settings meaningfully raises the barrier for the kinds of criminal campaigns now leveraging home networks as invisible infrastructure.

Homeowners who follow the FBI’s advice on end-of-life hardware, implement the FTC’s recommendations for stronger Wi-Fi security, and treat the router as critical shared infrastructure for every connected device can substantially narrow the opportunities available to attackers, even in the absence of new equipment. In that sense, the most important numbers are not national adoption rates but the configuration choices made on each individual router, where a handful of settings can determine whether a household quietly becomes part of someone else’s criminal toolkit.


*This article was researched with the help of AI, with human editors creating the final content.