Hacked Routers Linger on the Internet for Years, Data Shows

Summary

Researchers at Censys — led by principal security researcher Emily Austin — discovered several hundred Ubiquiti routers still displaying “hacked” banners when trawling Internet scan data. The evidence suggests these devices were compromised long ago rather than in a new campaign: the number of defaced hosts has fallen since 2022, but a residual handful remain online in a defaced state.

The likely root cause is weak or default credentials (including reused passwords and the default ubnt/ubnt). Most affected devices appear on consumer or residential ISP networks. Censys found no clear follow-on malicious activity tied to these routers; the persistence mainly highlights an asset visibility and maintenance gap among device owners.

Key Points

  • Censys identified several hundred Ubiquiti routers still showing hacked banners in Internet scan data.
  • These devices appear to have been compromised some time ago, not as part of a fresh campaign.
  • Defacements have declined substantially since 2022, but a few hundred defaced devices remain.
  • Main cause is poor credential hygiene — weak, reused, or default passwords (e.g., ubnt/ubnt).
  • Most affected routers are on consumer/residential ISP networks; no obvious follow-on exploitation was observed.
  • The case exposes a visibility gap: asset owners often do not know devices have been compromised for long periods.

Content Summary

While analysing Internet scan datasets available via the Censys platform, Emily Austin spotted numerous Ubiquiti routers with modified host banners indicating compromise. Historical banner text ties some to campaigns dating back to 2016–2017 (for example, banners left by the MF worm).

Although the current quantity of defaced devices has fallen, the presence of several hundred still online suggests long-term neglect: owners either lack monitoring or are unaware their devices were breached. Censys could not identify clear post-compromise activity for these routers, so the motives appear to be opportunistic defacement or simple mischief rather than coordinated use as malicious infrastructure.

Context and Relevance

This story matters because it underlines persistent problems in IoT and small-network device hygiene: default credentials, password reuse and poor maintenance let compromises persist for years. For network operators, ISPs and home users it highlights the importance of asset inventory, routine scanning, and basic credential hardening.

It also demonstrates the value of Internet-wide scanning and threat hunting: these datasets reveal long-tail compromises that traditional perimeter monitoring might miss. The trend ties into wider conversations about unmanaged devices, supply-chain exposure and the need for better remote-device management practices.
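To show the kind of banner-based hunt described above, here is an added example (not Censys's code or the article's) that triages a constructed, newline-delimited JSON scan export for Ubiquiti hosts whose banner carries a defacement marker and reports how long each has been observed. The record fields, IP addresses and banner text are all invented for the example.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample records shaped loosely like a scan export (one JSON
# object per line). IPs are from documentation ranges; banners are invented.
SAMPLE_SCAN_EXPORT = """
{"ip": "203.0.113.10", "product": "Ubiquiti EdgeOS", "banner": "*** HACKED ROUTER *** change the default password", "first_seen": "2017-03-02"}
{"ip": "203.0.113.11", "product": "Ubiquiti EdgeOS", "banner": "EdgeOS 1.10.11", "first_seen": "2021-06-14"}
{"ip": "198.51.100.7", "product": "Ubiquiti airOS", "banner": "this device was HACKED - reset it", "first_seen": "2019-11-20"}
{"ip": "198.51.100.8", "product": "MikroTik RouterOS", "banner": "hacked by nobody", "first_seen": "2023-01-05"}
{"ip": "203.0.113.12", "product": "Ubiquiti EdgeOS", "banner": "Welcome, admin", "first_seen": "2022-09-30"}
"""

# Case-insensitive substrings that mark a banner as defaced (assumed indicator list).
DEFACEMENT_MARKERS = ("hacked",)


def parse_scan_export(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_defaced_ubiquiti(record):
    """True when the record is a Ubiquiti device whose banner carries a defacement marker."""
    product = record.get("product", "").lower()
    banner = record.get("banner", "").lower()
    return "ubiquiti" in product and any(m in banner for m in DEFACEMENT_MARKERS)


def triage(records, today_iso):
    """Return defaced Ubiquiti hosts with their observed age in whole years, oldest first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in records:
        if not is_defaced_ubiquiti(r):
            continue
        first_seen = date.fromisoformat(r["first_seen"])
        age_years = (today - first_seen).days // 365
        findings.append({"ip": r["ip"], "first_seen": r["first_seen"], "age_years": age_years})
    findings.sort(key=lambda f: f["first_seen"])
    return findings


def first_seen_years(findings):
    """Count defaced hosts by the year they were first observed (shows the long tail)."""
    return Counter(f["first_seen"][:4] for f in findings)


if __name__ == "__main__":
    found = triage(parse_scan_export(SAMPLE_SCAN_EXPORT), "2025-01-01")
    for f in found:
        print(f"{f['ip']:15} defaced since {f['first_seen']} (~{f['age_years']} years)")
    print(dict(first_seen_years(found)))
```

On the sample data the non-Ubiquiti host and the clean Ubiquiti banners are skipped, leaving two long-lived defacements first seen in 2017 and 2019.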

Why should I read this?

Short version: if you run or manage routers (or live in a household with one), this is a wake-up nudge. Someone’s done the grunt work — the takeaways are simple and actionable: check for default passwords, run scans, and keep an inventory. If you’re an IT person, it shows why visibility and basic hygiene still stop more problems than fancy tech.

Author style

Punchy: this is a quick, practical find — not an alarm bell but a reminder. We’ve saved you time by pulling the key points: long-lived compromises are still a thing, and most are avoidable with basic hygiene.

Source

Source: https://www.darkreading.com/endpoint-security/hacked-routers-linger-on-the-internet-for-years-data-shows
