Can an intruder remotely reset a Linksys WRT54G v5 router to default?

What just happened is clear ... but HOW it happened ... is not clear to me.

Here's what happened:

  1. I was home with my PC connected wirelessly to my Linksys WRT54G router
  2. The connection was WPA2/PSK with wireless administrator access 'enabled'
  3. The connection went down; the router disappeared from view
  4. Shortly thereafter, the strongest signal was SSID=linksys
  5. My teen-age kid experienced the same thing - at the same time
  6. Only the kid & I were home so NOBODY physically touched the router!
  7. Yet, the Linksys WRT54Gv5 router was clearly reset back to defaults.

How can that happen without anyone pressing the reset button? Can a Linksys home broadband router be reset by an intruder on the net?

Reply to
William Bonner

First step: make sure you're still hooking up to your own router. It's possible the Linksys died and you're hitting a neighbor's...

Reply to
danny burstein

"*Reset* There are two ways to reset the Router's factory defaults. Either press and hold the Reset Button for approximately five seconds, or restore the defaults from Administration > Factory Defaults in the Router's web-based utility." Page 2: "The Linksys default password is admin."

So how secure was yours after changing it? How strong was the password?

How long is the WPA[2] shared key or WEP passphrase? Are they *strong* keys and not some easily guessed (easily dictionary attacked)?

Did you enable MAC filtering and add the MAC addresses for just your intranet hosts so only they can connect to the router?

Settings in the router are retained by using NVRAM (non-volatile random access memory) when power is off. Could be the flash memory is going bad and isn't retaining the settings. However, since the flash memory is inside the microprocessor (e.g., Atmega88), it means the unit is kaput. Cooling is by convection only (no fans inside, just holes in the case). If the ventilation holes get blocked then the parts inside overheat. Once the unit goes flaky, dusting out the holes and inside won't help. Could be someone (kid?) installed DD-WRT and then reinstalled the factory or update firmware without first clearing the NVRAM. Reinstalling the latest firmware might fix it (but then if the reset was caused by flashing in new firmware then you already have it).

After entering strong keys/passwords for all the settings (to avoid hacking), you'll have to watch the unit to see it if screws up again. Could be it's getting flaky in its old age. So far with the routers that have died for me, they always exhibit some flakiness in operation before a catastrophic failure.

Reply to
VanguardLH

If they can get to the admin web pages, they can reset it to defaults.

Yes.

However, that's probably not what happened. Some (not all) WRT54G v5 and v6 routers are junk.

They will hang, reboot spontaneously, reset themselves, or do other disgusting things. Installing DD-WRT sometimes cures the problems, but not always. Oddly, only some WRT54G v5 and v6 routers are like this. Some actually work quite well.

I'm constantly seeing various routers reset to defaults for no obvious reason. It's not hackers. It's usually AC power glitches. Give the power plug the right waveform, and the router thinks the reset button has been depressed. I had this problem on a different product that I worked on. The original design had the reset pin on the CPU set to normally high and using level triggering. If the DC power went down slowly or erratically, it will look like the reset pin was grounded, thus causing a reset. It was solved by setting the line to normally low, using the reset button to pull up the line. The firmware guys also added additional debouncing to the reset pin. We were tempted to try edge triggering, but ran out of time.

Reply to
Jeff Liebermann

Thanks for the advice. I'm absolutely positive it's my router.

Now I'm in worse shape than I was before.

Worried that the intruder put software on the router, I tried to upgrade the firmware. After about 2 hours of watching the little bars go over and over across the screen, I unplugged it all.

Now the power light is flashing about twice a second, and I can no longer log into the router, despite a bazillion reboots and resets.

Two questions: a) How long should it take for a firmware upgrade? b) Should the power light be steady or flashing on the WRT54G v5?

Reply to
William Bonner

Hi Jeff, I know you're one of (if not the) most respected guy on this forum so I do appreciate your advice. I'm in the Santa Cruz mountains (like you) and we do get glitches in the power a lot. Seems to go down once a month sometimes, and other times it lasts for six months before the generator kicks in.

So, maybe that's what happened.

But, now it's even worse. With the router reset to defaults, I had no problem logging in. I decided to update the firmware, just in case, using the file FW_WRT54Gv5v6_1.02.8.001_US_20091005.bin downloaded from the Linksys site for the v5 that I have.

This process went on for hours ... from about 11:00 to about 1:30 when I finally gave up and pulled the plug. (BTW, how long 'should' a firmware upgrade take anyway?).

Here's a picture of what showed for hours (the lines were moving and repeating themselves over and over and over again):

Then, after rebooting and resetting a few times, here's what then showed up:
Now I can't get anything to work on the Linksys router. No connection.

Two questions: Q1: How long should it take for firmware to install itself? (I gave up after almost 3 hours) Q2: Should the power light be constantly blinking or should it be steady? (Mine is blinking)

Reply to
William Bonner

The WPA2/PSK password was the maximum length - and I did not use a dictionary SSID, but it had been setup without change for quite some time (years).

Reply to
William Bonner

Not very long. I think your router had problems and is now dead/bricked. Can you reset it with its hole? :( Maybe the router had problems earlier too.

Reply to
Ant

I held the reset button in for twenty seconds while booting and while running - and it still doesn't respond.

The only indication I have is the power light is blinking two to four times a second which I don't remember seeing (but I'm not sure if it's supposed to blink).

I'm hooked directly to the rooftop antenna/radio right now so at least one computer will be OK.

If it's bricked, I might try the WRT54G revival guide:

Or maybe even Tomato or DD-WRT (although I'm merely a basic home user).

Reply to
William Bonner

When I was a wireless hacker, I would spoof the MAC address without even thinking about it. Not really worth the trouble setting up MAC filtering. The hard bit is the password cracking. []'s

-- Don't be evil - Google 2004 We have a new policy - Google 2012

Reply to
Shadow

I've read much of what Jeff L. has said time and time again, so ... a) I don't bother hiding the SSID b) I don't bother with MAC address filtering c) I use a non-dictionary SSID & passphrase

Of course, if I have a keylogger trojan on the network, that will negate everything ... or it may have been a glitch in the power that reset the router to defaults. I'm surprised - because it never happened before and I've had the router for years ... but ... either way ...

My problem now is that the router is (apparently) bricked.

Q: Does anyone know if the router power light should be flashing or solid? Q: How long 'does' it take to do a firmware upgrade?

Reply to
William Bonner

Yeah. Also, try posting on Linksys forum. Good luck. Aren't computer problems fun? I hate doing firmware problems and upgrades! :(

Reply to
Ant

V. Good

Never allow wireless access to your admin account on the router. Always use a temporary cable for that.

Probably

I use a Netgear. 1 to 2 minutes. I've used D-link. Just over a minute. That includes the re-boot. Your upgrade took way too long. []'s

-- Don't be evil - Google 2004 We have a new policy - Google 2012

Reply to
Shadow

Hang on while I polish my ego.

That's fairly typical for a low end consumer router. I have a home made power line logger running at my palatial office looking for power line glitches. It's fairly crude and only catches the big glitches. We've had two major power glitches in the area during the last week. I've been getting calls for dealing with hung routers, modems, and computahs all week. It sometimes takes several days for the effects of the glitch to show up. All that needs to happen is for the glitch to trip one bit in RAM. No problem until the device needs to use that bit. Then, it goes nuts. ECC RAM is not used on commodity routers.

Highly likely. I can see a wireless attack in a crowded metro area, but not in the sparsely populated hills. Attacks from the internet are possible, but unless the router has some built in vulnerabilities, is grossly misconfigured, or is sensitive to malformed packets, it's not going to happen. Just in case, try:

It's old and incomplete, but I'm still finding modern routers that fail some of the exploit tests.

The update should take about 60 seconds plus reboot time. Something went wrong. Hopefully, you didn't try to do the upgrade via a wireless connection. That's usually a guaranteed disaster.

Checking the web site, you have the correct version:

No checksum, so I have no way to verify if it was correctly downloaded. You might want to try another download just to be sure.

It's bricked, but probably not fatal.

About 60 seconds plus a reboot.

Nope. That means there's a checksum error in the firmware.

I would normally consider this a great opportunity to purchase a new router and get rid of the v5 abomination. However, if you want to raise the dead, try this simple test:

  1. Power OFF the router.
  2. Temporarily set your computah to a static IP address of 192.168.1.99.
  3. Start a continuous ping to 192.168.1.1. For Windoze, that's ping -t 192.168.1.1. Don't worry if you see errors at this point. If you don't have TFTP:

     IP=192.168.1.1
     no password - leave blank
     select the firmware
     set retries to 99

  4. Apply power to the router. You should see proper returns from the pings after about 8 seconds. The returns will revert to errors after about 5 more seconds. Try to record the times. You'll need them.
  5. If you get proper returns in the previous step, there is hope.
  6. Rename the firmware to "code.bin". This might also be a good time to try loading the mini version of DD-WRT.
  7. Under Windoze, type the following onto the command line (in a cmd window): tftp -i 192.168.1.1 PUT code.bin code.bin Do not hit enter quite yet. Do not hit enter quite yet. Do not hit enter quite yet. Do not hit enter quite yet. Got that? If you're using tftp book, get ready to hit the start button.
  8. Apply power to router and start counting seconds. The idea is to start the TFTP program in the middle of when the pings were correctly returned. You may have to do this several times to get it right.
  9. When you hit enter, nothing should happen until code.bin is properly uploaded. You'll get a message about ok to reboot (it varies with the firmware). Ignore it and do nothing for at least 5 minutes. Go get some coffee and keep your fingers off the keyboard. After 5 mins, pull the power to the router, wait for it to boot, and see if you can get to the management page at 192.168.1.1.
  10. If that works, don't forget to change the static IP address of the computah back to DHCP. If it doesn't work, try again, or just get a better router.

Some notes (and complications):

Reply to
Jeff Liebermann
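A helper for timing the TFTP upload in the recovery procedure above, written as an added example that is not part of the original thread: it reads timestamped ping output (Linux `ping -D` format, fed here from a constructed sample), finds the window in which the bootloader answers after power-on, and computes the mid-window delay at which to launch the upload. The `ping -D` line format, the power-on timestamp and the sample timings are assumptions.

```python
import re
from dataclasses import dataclass

# Linux `ping -D` prefixes each line with "[epoch.micro]"; this is an assumption
# about the ping output format (Windows `ping -t` prints no timestamps).
PING_LINE = re.compile(r"^\[(?P<ts>\d+\.\d+)\]\s+(?P<body>.*)$")


@dataclass
class ReplyWindow:
    first_reply: float  # seconds after power-on of the first good reply
    last_reply: float   # seconds after power-on of the last good reply

    def launch_delay(self) -> float:
        """Seconds after power-on at which to hit enter on the tftp command."""
        return (self.first_reply + self.last_reply) / 2


def parse_ping_line(line):
    """Return (timestamp, replied) for a timestamped ping line, else None."""
    m = PING_LINE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), "bytes from" in m.group("body")


def reply_window(lines, power_on):
    """Find the first run of good replies after power_on; None if there were none."""
    first = last = None
    for line in lines:
        parsed = parse_ping_line(line)
        if parsed is None or parsed[0] < power_on:
            continue
        ts, replied = parsed
        if replied:
            first = ts if first is None else first
            last = ts
        elif first is not None:
            break  # errors resumed: the bootloader window has closed
    return None if first is None else ReplyWindow(first - power_on, last - power_on)


def tftp_command(firmware="code.bin", host="192.168.1.1"):
    """The Windows command from the procedure, with the firmware already renamed."""
    return f"tftp -i {host} PUT {firmware} code.bin"


# Constructed sample: unreachable for 7 s, bootloader answers for 5 s, then errors.
POWER_ON = 1700000000.0
UNREACH = "[{:.3f}] From 192.168.1.99 icmp_seq={} Destination Host Unreachable"
REPLY = "[{:.3f}] 64 bytes from 192.168.1.1: icmp_seq={} ttl=64 time=0.4 ms"
SAMPLE_PING = (
    [UNREACH.format(POWER_ON + s, s) for s in range(1, 8)]
    + [REPLY.format(POWER_ON + s, s) for s in range(8, 13)]
    + [UNREACH.format(POWER_ON + s, s) for s in range(13, 16)]
)

if __name__ == "__main__":
    w = reply_window(SAMPLE_PING, POWER_ON)
    print(f"bootloader answered from +{w.first_reply:.1f}s to +{w.last_reply:.1f}s")
    print(f"power on, count to {w.launch_delay():.1f}s, then run: {tftp_command()}")
```

On a real run, replace SAMPLE_PING with the captured output of `ping -D 192.168.1.1` and POWER_ON with the epoch time at which you plugged the router in.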

Once a wireless hacker, always a wireless hacker.

I found one situation where MAC filtering was needed. A customer was using about 10 assorted IBM Thinkpads of varying vintage. Some were sufficiently old that they only supported WEP. There was also a wi-fi range extender (repeater) that would only pass WEP. However, the customer was not comfortable with using easily crackable WEP. So, I added MAC address filtering to the security obstacle course. It really wasn't necessary because they live in the deep dark forest and know all the neighbors. Still, it made him feel better.

Sorta. Give me a few minutes with one of the client computers and I'll extract a usable portable hash key. Much easier than over the air pass phrase cracking.

Reply to
Jeff Liebermann

Hmm... that's what I needed to know. Bummer. Something definitely went wrong.

Hmm... OK. Well at least that matches what I'm seeing as the power light is blinking three or four times a second (or so).

As for the recovery procedure ... I'll get ready for that and respond when/if it works!

Thanks.

Reply to
William Bonner

Whew! The version 5 Linksys WRT54G is back in business!

After unplugging everything but power, I did the 30/30/30 procedure which was to hold the button for the entire 90 seconds - the first 30 while the unit is powered - the second 30 while the power cord is removed - and the third 30 seconds while the power is back on. Then I let go of the reset button.

Following Jeff's hint, I again downloaded the same file I had downloaded before - overwriting the old file for my WRT54G version 5 router:

I then pinged 192.168.1.1 and this worked (much to my surprise) even though the power light was still blinking and no other light was on (not even the "CiscoSystems" orange light).

I opened up Firefox and went to 192.168.1.1 and was surprised to see: Management Mode Firmware Upgrade

So, I hit the "Browse" button and then the "Apply" button and ... lo and behold, after about 2 minutes and much flashing of the LAN light on the router, the web page changed to "Upgrade Success".

I was worried because the power light still blinked for about two minutes or so, but then it settled down, and now is a solid green!

I was able to log into the router at 192.168.1.1 and immediately noticed I was at version 1.02.8 (plus the blue color changed in tone).

Thanks for all your help! I've disabled wireless access to the router just in case it 'was' an intruder. Also I noticed this setting by default: Wireless->Advanced Wireless Settings->Secure Easy Setup->Enable

Googling for "Linksys Secure Easy Setup" I find PC Magazine loves the feature ...

I also find a 1/21/2012 Cisco security vulnerability bulletin:
It's also described by Cert:
Note VU#723755 WiFi Protected Setup (WPS) PIN brute force vulnerability

So, I disabled the "Secure Easy Setup" and the orange Cisco light went out!

I wasn't sure if this flaw was related to WPA2/PSK but apparently it is. According to Wikipedia

"The flaw allows a remote attacker to recover the WPS PIN and, with it, the network's WPA/WPA2 pre-shared key in a few hours".

Maybe that's what happened to me?

Reply to
William Bonner

UPDATE: Apparently my Linksys WRT54G v5 router 'can' be reset by an intruder and/or by a glitch in the power line. Drat!

To make it harder for the 'next' intruder, I realized belatedly we should all turn OFF the Linksys/Cisco/ "Secure Easy Setup" feature!

Beware, it's not only Linksys that is affected by the SES vulnerability.

According to CERT, these companies are affected by the vulnerability:

  1. Belkin, Inc. Affected - 10 May 2012
  2. Buffalo Inc Affected - 10 May 2012
  3. Cisco Systems, Inc. Affected - 10 May 2012
  4. D-Link Systems, Inc. Affected 05 Dec 2011 10 May 2012
  5. Linksys/Cisco Affected 05 Dec 2011 10 May 2012
  6. Netgear, Inc. Affected 05 Dec 2011 10 May 2012
  7. Technicolor Affected - 10 May 2012
  8. TP-Link Affected - 10 May 2012
  9. ZyXEL

The CERT advisory is:

Here is a pictorial look at what I did AFTER my router was bricked:

  1. I ran the 30/30/30 procedure which left the power light blinking but allowed me to ping the router. This was a good sign.
  2. In a browser, I went to 192.168.1.1 and was happy to see the Management Mode Firmware Upgrade page. I downloaded a 'new' Firmware upgrade and browsed to it and hit the "apply" button.
  3. After only a couple of minutes, I saw the Upgrade Success notification in the browser:
  4. Logging into 192.168.1.1, I immediately noticed a different shade of blue and that the firmware had been updated to version 1.02.8.
  5. In my googling, I had found the CERT vulnerability so I disabled Wireless -> Advanced Wireless Settings -> Secure Easy Setup -> Disabled
    Hopefully, with a new non-dictionary SSID, non-dictionary password, a rather long WPA2-PSK/AES key, & with remote management and wireless web access disabled, I'm a bit more secure from outside hacking (if that's what had happened).

I didn't bother hiding the SSID or filtering the MAC address based on advice previously provided in this forum.

Minor question: Q: Does setting the administrator access to https buy me any security over http?

Reply to
William Bonner

No. All that does is prevent anyone from sniffing the wireless traffic and extracting your admin password and WPA2 key if they were able to capture a WPA2 setup session.

Congrats. What the 30/30/30 did was wipe the firmware completely leaving only the TFTP loader and in your case, the initial firmware loader. I forgot about that. It doesn't appear in all models.

Maybe, but I don't think so. I've always assumed that using WPS requires that the button on the router be pressed in order to start the WPS session. I can't currently determine if it's really required, or if WPS is running all the time. I'll check later (time permitting).

"Further, some access points don't provide an option to disable WPS or don't actually disable WPS when the owner tells it to." Groan...

Linksys has only fixed the WPS vulnerability problem on newer models. I don't expect a fix for the WRT54G.

That's from Jan 27, 2012. Since then there have been fixes for E1200 v2, E1500, E3200, and E4200 v1. Note that the WRT54G is not listed, probably because it's not a currently selling product. If you must use WPS/SES/AOSS/EZ-SETUP, I suggest you get an alternative firmware, such as DD-WRT.

11,000 attempts works out to 9 hrs maximum. When I tried Reaver, I was able to recover the PIN in about 6 hrs at about 1.5 seconds per attempt. I only tried it once:

It generated considerable wireless traffic, which was easily detected. More:

Reply to
Jeff Liebermann

My Linksys WRT54G version 5.0 has the option to disable secure easy setup but I can't find out from Linksys if that option actually works.

They say nothing about the WRT54G here either:
I called Cisco technical support three times: 1-877-770-4113

They didn't know what I was talking about.

They gave me two more numbers to call: 1-800-326-7114 Cisco Consumer Support for Linksys 1-800-546-7597

They answer pretty quickly but none have a clue.

Reply to
Arklin K.
