Your router has likely been hacked if you notice unfamiliar devices in its connected-devices list, an admin password that suddenly stops working, DNS settings you never changed, an unrecognized new WiFi network, unexplained slow internet, or random restarts. Smart home devices show related but distinct signs — moving cameras, spiking data use, or unexpected re-pairing prompts. Any one of these is worth investigating; two or more together mean act now.
Who wrote this guide
This article was written and reviewed by IT Cares certified technicians based on our day-to-day home and business network support work across Canada. We do not sell routers or smart home hardware — the checks and steps here reflect what we actually walk clients through when they suspect their network has been compromised.
Why Routers and Smart Home Devices Are Such a Common Target
A decade ago, "home network security" mostly meant one router and a handful of laptops. In 2026, the average connected household runs a router, a mesh WiFi system, two or three smart TVs, a smart speaker or two, a video doorbell, a couple of smart plugs, maybe a robot vacuum, a thermostat, and increasingly a baby monitor or two — every single one of them a small computer, permanently connected to the internet, and rarely thought about again after setup day. That combination is exactly what makes routers and IoT (Internet of Things) devices such an attractive target for attackers.
Weak or default passwords are the norm, not the exception
Most routers and smart devices ship with a factory-default administrator password — often something as predictable as "admin/admin" or "admin/password" — printed right on the box or a label on the device itself. Manufacturers assume the buyer will change it. Most people never do. Automated scanning tools that attackers run continuously across the internet specifically hunt for devices still using these factory defaults, and a router or camera left on default credentials can be found and compromised in minutes, not months.
Firmware almost never gets updated on its own
Unlike a phone or laptop that nags you constantly about software updates, most routers and IoT devices sit quietly in a closet or on a shelf, running the exact firmware version they shipped with — for years. Manufacturers do release security patches, but unless you've specifically enabled automatic updates (and many older devices don't even support them), nobody is applying them. Every month a device runs unpatched firmware is another month a publicly known vulnerability sits open and unaddressed.
They're always on, always connected, and rarely monitored
Your laptop gets shut or put to sleep. Your phone gets checked constantly, so odd behavior tends to get noticed quickly. A router, a smart plug, or a security camera runs 24/7, has no screen you look at daily, and produces no obvious signal when something is wrong unless you go looking for it. This "always on, never watched" profile is precisely what makes IoT devices valuable to attackers building botnets or maintaining long-term, quiet access to a network — the device just keeps running in the background, doing what it's told, with nobody the wiser.
A single compromised device can expose everything else on the network
Unless you've specifically segmented your network, most home WiFi setups put every device — computers with your banking logins, phones with your saved passwords, and a $20 smart plug from an unfamiliar brand — on the exact same flat network. Once an attacker gets a foothold on the weakest device (frequently the cheapest, least-updated IoT gadget), they can often see, scan, and attack every other device sharing that network. This is the single biggest reason security professionals recommend network segmentation, which we cover in the long-term section below.
📊 IT Cares field note: A growing share of the "my internet is slow" and "my smart camera is acting weird" calls we take turn out to have the same root cause: a router still running factory-default credentials, years-old firmware, or both. Clients are often surprised the fix isn't a new router — it's changing three settings on the one they already have.
Not sure if it's your router or your ISP?
Our certified bilingual technician remotes in, diagnoses the real cause, and fixes it the same day — from $119.99. No fix, no fee.
Real-World Router and IoT Attacks You Should Know About
This isn't a theoretical risk. Home routers and smart devices have been at the center of some of the largest cyberattacks in recent history, and the pattern behind nearly all of them is the same: default passwords, unpatched firmware, and devices nobody was watching.
The Mirai botnet (2016)
Mirai remains the textbook example of what's possible when IoT security is ignored at scale. It spread by scanning the internet for routers, IP cameras, and DVRs still running factory-default administrator credentials, then quietly recruited them into a botnet of hundreds of thousands of devices. In October 2016, that botnet was used to launch a massive distributed denial-of-service attack against DNS provider Dyn, knocking major sites like Twitter, Netflix, Reddit, and PayPal offline for hours across the US and Europe — caused, in large part, by ordinary home routers and cameras whose owners never changed the default login.
VPNFilter (2018)
VPNFilter was a more sophisticated malware family that the FBI estimated infected at least 500,000 routers and network storage devices across dozens of countries, targeting popular consumer brands. Unlike Mirai, VPNFilter could survive a simple reboot, intercept and modify traffic passing through the router, and in some configurations, permanently disable ("brick") the device. The FBI's public advisory at the time specifically recommended that home users reboot their routers and apply firmware updates — a response that underscored how few consumer routers were being patched in the first place.
Ongoing IoT botnet activity heading into 2026
Mirai's source code was published publicly after the 2016 attack, and dozens of variants descended from it have circulated ever since, continuously scanning the internet for the same class of vulnerable, default-credentialed devices — smart cameras, routers, DVRs, and increasingly smart TVs and streaming boxes. Security researchers tracking IoT threat activity have consistently found that the overwhelming majority of successful compromises still come down to the same two root causes documented since Mirai: default or reused passwords, and firmware that was never updated after the device left the box. The specific malware families change; the two fixable causes behind almost all of them have not.
Why this history matters for you
None of these large-scale attacks required a sophisticated, targeted hack against any individual household. They worked because millions of ordinary routers and cameras were left exactly as they came out of the box. The two steps that would have prevented the vast majority of Mirai and VPNFilter infections — a unique admin password and current firmware — are the same two steps at the top of the "What To Do Right Now" checklist below.
Quick Reference: Symptom, Likely Cause, and What To Do
Use this table to jump straight to the relevant fix once you've identified a symptom from the lists above.
| Symptom | Most likely cause | What to do |
|---|---|---|
| Unfamiliar device in connected-devices list | Unauthorized network access | Change WiFi + admin password, review device list again |
| DNS settings changed | Router compromise redirecting traffic | Reset DNS to Automatic/ISP default, update firmware |
| Admin password rejected | Attacker locked you out | Factory reset router, reconfigure from scratch |
| New unexplained WiFi network | Rogue network or botnet relay | Investigate via admin panel, factory reset if unrecognized |
| Sudden unexplained slowdown | Background malicious traffic | Check bandwidth/traffic logs, update firmware, reset if needed |
| Router restarts randomly | Unstable malware or forced reboots | Update firmware, factory reset if it continues |
| Unknown port-forwarding rule | Persistent hidden access channel | Delete the rule, change admin password, update firmware |
| Camera moves/sounds on its own | Live active compromise | Unplug device immediately, secure router first, then factory reset device |
| Unusual data usage from a device | Botnet recruitment or data exfiltration | Isolate on guest network, factory reset, monitor traffic |
| Settings reset unexpectedly | Unauthorized reconfiguration | Factory reset, reconfigure from official app only |
| Device asks to "reactivate"/re-pair | Lost config or device spoofing | Factory reset, re-pair via official app with new password |
| Activity LED on when idle | Unauthorized recording/streaming | Unplug immediately, investigate before reconnecting |
Router-Specific Warning Signs
None of these signs alone is definitive proof — a slowdown can be your ISP, a restart can be a power blip. But two or more together, especially appearing suddenly, is a strong signal your router itself has been compromised.
1. Unfamiliar devices in the router admin panel's connected-devices list
Every router's admin panel has a section — usually labeled "Connected Devices," "Attached Devices," or "Client List" — showing every device currently or recently on your network. Log in (typically at 192.168.1.1 or 192.168.0.1) and scroll through it slowly. A device name you don't recognize, an unfamiliar manufacturer prefix, or simply more devices listed than you actually own is one of the single clearest signs someone else is on your network.
2. DNS settings changed without your action
Your router's DNS settings determine which servers translate web addresses (like itcares.ca) into the actual internet locations your browser connects to. Attackers who compromise a router frequently change these settings to point at malicious DNS servers, silently redirecting some or all of your traffic — including banking sites — to fraudulent lookalike pages, without changing the address bar in any visibly obvious way. Check your router's WAN or Internet settings; DNS should normally read "Automatic" or match your ISP's or a service you deliberately configured (like 1.1.1.1 or 8.8.8.8), not an unfamiliar address.
3. Your admin password suddenly stops working
If you're confident you're entering the correct router admin password and it's rejected, an attacker who gained access may have changed it to lock you out and maintain control. This is one of the more alarming signs on this list, since it means someone else may already have exclusive administrative control of your network.
4. An unexpected new WiFi network appears
Some router compromises create a second, hidden or lightly-named WiFi network (sometimes to relay traffic, sometimes as part of a botnet operation) alongside your normal one. If a device's WiFi list shows a network broadcasting from your home that you never set up — separate from your router's legitimate guest network, if you use one — investigate immediately.
5. Slow internet with no explanation
A compromised router can be relaying traffic for a botnet, mining cryptocurrency, or simply handling malicious processes in the background, all of which compete with your own traffic for the router's limited processing power and bandwidth. Rule out the obvious first (an ISP outage, a bandwidth-heavy device streaming or downloading) — but a persistent, unexplained slowdown that started suddenly and doesn't match your usage deserves a closer look at the router itself.
6. Router restarting on its own
Occasional restarts can be firmware bugs or power issues. Frequent, unexplained restarts — especially several times a week with no storms, power blips, or firmware updates involved — can indicate malware running on the router that's unstable, or an attacker deliberately forcing reboots as part of maintaining control or hiding their tracks.
7. Unfamiliar port-forwarding rules
Port forwarding lets specific internet traffic reach a specific device on your network — legitimately used for things like game servers or remote camera access. Check your router's Port Forwarding or Virtual Server section for rules you don't remember creating, pointing at devices or ports you don't recognize. This is a favorite technique for maintaining a persistent, hidden channel into a compromised network.
The most overlooked router-specific vector
Most home users have genuinely never opened their router's admin panel since the day their ISP technician set it up. Because of this, DNS changes and port-forwarding rules can sit unnoticed for months — they don't produce a pop-up, a notification, or any obvious visual sign the way a hijacked browser homepage does. Making a habit of logging into the admin panel every few months, even with nothing wrong, catches an entire category of compromise that otherwise goes completely invisible.
Smart Home / IoT Device-Specific Warning Signs
Smart cameras, plugs, thermostats, TVs, and baby monitors don't have an admin panel most people ever check — so the signs of compromise show up differently, usually in the device's own behavior rather than in a settings screen.
8. A smart camera moves or makes sounds on its own
Pan-tilt security cameras and baby monitors that physically move, or speakers that emit sounds/voices, without you or anyone in your household controlling them through the app, is one of the most unsettling and clearest signs of a live, active compromise. If this happens, disconnect the device's power immediately and treat it as actively compromised — don't just note it and move on.
9. Unusual data usage from a smart device
Most IoT devices send a small, fairly predictable amount of data — a status ping, video snippets on motion, a temperature reading. A device suddenly sending or receiving far more data than its normal function would require (visible in your router's traffic monitoring, if it has one, or in a network scanner app) can indicate it's been recruited into a botnet, relaying traffic, or exfiltrating recorded footage or data to an outside server.
10. Smart device settings reset unexpectedly
If a smart plug's schedule, a thermostat's programmed temperatures, or a camera's motion zones suddenly revert to factory defaults without you resetting anything, someone with access may have modified or wiped the device's configuration — sometimes as a side effect of gaining unauthorized control, sometimes to cover tracks after tampering with settings.
11. The device suddenly asks to "reactivate" or re-pair
Legitimate apps occasionally require re-authentication after a major update. A device that unexpectedly demands you re-pair it, re-enter WiFi credentials, or "reactivate" your account — with no update or network change on your end — can mean the device lost its configuration because it was reset by an attacker, or that something is impersonating your device on the network.
12. The LED activity light is on when it shouldn't be
Many smart cameras, speakers, and doorbells have a small LED indicator that lights up during active recording, streaming, or listening. If that light is on while you're confident nothing should be actively recording or streaming — no motion, no one using the app — the device may be capturing or transmitting without your knowledge. Note that some devices allow disabling this LED through settings, which itself is worth checking if you didn't disable it yourself.
If a camera or microphone-enabled device shows live signs of compromise
Physically unplug or remove the battery from any camera, baby monitor, or smart speaker showing signs of active, live compromise (unexplained movement, sound, or an activity light with no legitimate cause) before doing anything else. Investigate and reconfigure it only after you've secured the router itself — reconnecting a compromised camera to a still-compromised network just gives an attacker the same access back.
Found signs of compromise and not sure what's actually causing it?
Some router-level compromises hide behind changed DNS settings or port-forwarding rules that look harmless at a glance. IT Cares audits your router and connected devices remotely and locks it down properly. Average resolution: 30-45 min · From $79 · Same-day remote.
Book a Network Security Check → 1 (888) 711-9428What To Do Right Now, Step By Step
If you've spotted one or more of the signs above, work through these steps in order. Most router-level compromises are fully resolved by step 3; IoT-specific compromises need steps 4 and 6 as well.
Log into your router admin panel and check connected devices
Open a browser, go to your router's admin address (commonly 192.168.1.1 or 192.168.0.1 — check the label on the router if you're unsure), and log in. Open the "Connected Devices" or "Client List" section and compare every entry against what you actually own. Note anything unfamiliar before making changes, in case you need to reference it later.
Change your router admin password AND your WiFi password
These are two separate settings. Change the administrator login (not the default admin/admin or admin/password many routers ship with) to something long and unique, and separately update your actual WiFi network password. This single step alone locks out an attacker relying on default or previously-known credentials.
Update your router's firmware
Find the "Firmware Update" or "Router Update" section in the admin panel and install whatever is available. This patches known vulnerabilities that attackers actively scan the internet for, and it's one of the most commonly skipped basic security steps for home routers.
Factory-reset compromised IoT devices and reconfigure from scratch
For any camera, plug, thermostat, or other smart device showing signs of compromise, perform a full factory reset (usually a physical button held 10-15 seconds) and set it up again from the manufacturer's official app with a brand-new, unique password — don't restore a saved configuration, since that can reintroduce whatever was compromised.
Disable remote-management and UPnP if you don't need them
In the router's admin panel, find "Remote Management," "Remote Access," or "UPnP" and turn these off unless you specifically and knowingly rely on them for something. Both make it easier for outside devices to reach into or reconfigure your network without you noticing.
Segment IoT devices onto a guest network
Turn on your router's guest network feature and move all smart cameras, plugs, TVs, and other IoT devices onto it, keeping computers and phones on your primary network. If one smart device is compromised again in the future, it can't reach your other devices, files, or saved passwords.
When to stop and call a professional
If you've completed these steps and symptoms persist, if you found evidence of a changed DNS setting pointing at an unfamiliar server, if a device is actively behaving strangely (camera movement, unexpected sounds), or if you simply don't feel confident poking around your router's admin panel, stop and get help. IT Cares audits and secures home networks remotely across Canada, and our technicians can verify nothing was missed after a DIY attempt.
How to Secure Your Home Network Long-Term
Cleaning up an active compromise is only half the job — here's how to make your router and smart devices a much harder target going forward.
- Use a strong, unique WiFi password that isn't reused from any other account, ideally generated and stored in a password manager rather than something memorable (and therefore guessable).
- Enable WPA3 encryption in your router's wireless security settings if your router and devices support it — it's a meaningful improvement over the older WPA2 standard still shipped as default on many routers.
- Turn on firmware auto-updates if your router offers the option, so security patches install without relying on you remembering to check manually every few months.
- Set up a dedicated guest network for IoT devices and move every smart camera, plug, TV, and speaker onto it, isolating them from the computers and phones that hold your actual sensitive data.
- Disable WPS (WiFi Protected Setup). The PIN-based version of WPS has known, well-documented vulnerabilities that let an attacker within WiFi range brute-force their way onto your network — most routers let you turn it off entirely in the wireless settings.
- Check whether your router has reached end-of-life or been recalled. Manufacturers periodically stop releasing security updates for older router models, and some models have been subject to formal security recalls or advisories — a router no longer receiving updates is a standing risk regardless of how carefully you configure it.
For related home security topics, see our guide on is your computer hacked, 15 warning signs, and if your WiFi itself is misbehaving rather than showing signs of compromise, our WiFi troubleshooting guide covers the non-security causes.
Suspect Your Network Has Been Compromised? We Can Help.
IT Cares audits routers and smart home devices, removes unauthorized access, and secures home networks remotely and on-site across Canada. Certified technicians, no guesswork.
Comments (3)
Checked my connected devices list after reading this and found two devices I genuinely did not recognize. Turned out to be an old smart plug I'd forgotten I still had plugged in, but it scared me enough that I finally changed my admin password, which was still the factory default from 2019. Embarrassing but fixed now.
Our baby monitor's LED was on at 3am and neither of us was checking it. Unplugged it immediately like the article says, then found out our router's admin password had never been changed from the ISP default. Called IT Cares the next morning to have someone actually verify the whole network was clean.
Set up a guest network for all our smart devices after reading this — took maybe ten minutes total. Wish I'd done it years ago instead of having everything, including my work laptop, on the same network as a $15 smart plug from a brand I can't even remember buying.
Leave a Comment