Signs Your Router or Smart Home Device Has Been Hacked (2026 Guide)

Reviewed by IT Cares certified technicians · Updated July 2026

Router and smart home devices hacked warning signs guide
Your router and smart devices are the most exposed part of your home network — here's how to check them.
📡
Seeing devices you don't recognize on your network? Our certified technicians can remotely audit your router and secure your home network the same day.
Get Help Now →

Your router has likely been hacked if you notice unfamiliar devices in its connected-devices list, an admin password that suddenly stops working, DNS settings you never changed, an unrecognized new WiFi network, unexplained slow internet, or random restarts. Smart home devices show related but distinct signs — moving cameras, spiking data use, or unexpected re-pairing prompts. Any one of these is worth investigating; two or more together mean act now.

Who wrote this guide

This article was written and reviewed by IT Cares certified technicians based on our day-to-day home and business network support work across Canada. We do not sell routers or smart home hardware — the checks and steps here reflect what we actually walk clients through when they suspect their network has been compromised.

Why Routers and Smart Home Devices Are Such a Common Target

A decade ago, "home network security" mostly meant one router and a handful of laptops. In 2026, the average connected household runs a router, a mesh WiFi system, two or three smart TVs, a smart speaker or two, a video doorbell, a couple of smart plugs, maybe a robot vacuum, a thermostat, and increasingly a baby monitor or two — every single one of them a small computer, permanently connected to the internet, and rarely thought about again after setup day. That combination is exactly what makes routers and IoT (Internet of Things) devices such an attractive target for attackers.

Weak or default passwords are the norm, not the exception

Most routers and smart devices ship with a factory-default administrator password — often something as predictable as "admin/admin" or "admin/password" — printed right on the box or a label on the device itself. Manufacturers assume the buyer will change it. Most people never do. Automated scanning tools that attackers run continuously across the internet specifically hunt for devices still using these factory defaults, and a router or camera left on default credentials can be found and compromised in minutes, not months.

Firmware almost never gets updated on its own

Unlike a phone or laptop that nags you constantly about software updates, most routers and IoT devices sit quietly in a closet or on a shelf, running the exact firmware version they shipped with — for years. Manufacturers do release security patches, but unless you've specifically enabled automatic updates (and many older devices don't even support them), nobody is applying them. Every month a device runs unpatched firmware is another month a publicly known vulnerability sits open and unaddressed.

They're always on, always connected, and rarely monitored

Your laptop gets shut or put to sleep. Your phone gets checked constantly, so odd behavior tends to get noticed quickly. A router, a smart plug, or a security camera runs 24/7, has no screen you look at daily, and produces no obvious signal when something is wrong unless you go looking for it. This "always on, never watched" profile is precisely what makes IoT devices valuable to attackers building botnets or maintaining long-term, quiet access to a network — the device just keeps running in the background, doing what it's told, with nobody the wiser.

A single compromised device can expose everything else on the network

Unless you've specifically segmented your network, most home WiFi setups put every device — computers with your banking logins, phones with your saved passwords, and a $20 smart plug from an unfamiliar brand — on the exact same flat network. Once an attacker gets a foothold on the weakest device (frequently the cheapest, least-updated IoT gadget), they can often see, scan, and attack every other device sharing that network. This is the single biggest reason security professionals recommend network segmentation, which we cover in the long-term section below.

📊 IT Cares field note: A growing share of the "my internet is slow" and "my smart camera is acting weird" calls we take turn out to have the same root cause: a router still running factory-default credentials, years-old firmware, or both. Clients are often surprised the fix isn't a new router — it's changing three settings on the one they already have.

Not sure if it's your router or your ISP?

Our certified bilingual technician remotes in, diagnoses the real cause, and fixes it the same day — from $119.99. No fix, no fee.

Real-World Router and IoT Attacks You Should Know About

This isn't a theoretical risk. Home routers and smart devices have been at the center of some of the largest cyberattacks in recent history, and the pattern behind nearly all of them is the same: default passwords, unpatched firmware, and devices nobody was watching.

The Mirai botnet (2016)

Mirai remains the textbook example of what's possible when IoT security is ignored at scale. It spread by scanning the internet for routers, IP cameras, and DVRs still running factory-default administrator credentials, then quietly recruited them into a botnet of hundreds of thousands of devices. In October 2016, that botnet was used to launch a massive distributed denial-of-service attack against DNS provider Dyn, knocking major sites like Twitter, Netflix, Reddit, and PayPal offline for hours across the US and Europe — caused, in large part, by ordinary home routers and cameras whose owners never changed the default login.

VPNFilter (2018)

VPNFilter was a more sophisticated malware family that the FBI estimated infected at least 500,000 routers and network storage devices across dozens of countries, targeting popular consumer brands. Unlike Mirai, VPNFilter could survive a simple reboot, intercept and modify traffic passing through the router, and in some configurations, permanently disable ("brick") the device. The FBI's public advisory at the time specifically recommended that home users reboot their routers and apply firmware updates — a response that underscored how few consumer routers were being patched in the first place.

Ongoing IoT botnet activity heading into 2026

Mirai's source code was published publicly after the 2016 attack, and dozens of variants descended from it have circulated ever since, continuously scanning the internet for the same class of vulnerable, default-credentialed devices — smart cameras, routers, DVRs, and increasingly smart TVs and streaming boxes. Security researchers tracking IoT threat activity have consistently found that the overwhelming majority of successful compromises still come down to the same two root causes documented since Mirai: default or reused passwords, and firmware that was never updated after the device left the box. The specific malware families change; the two fixable causes behind almost all of them have not.

Why this history matters for you

None of these large-scale attacks required a sophisticated, targeted hack against any individual household. They worked because millions of ordinary routers and cameras were left exactly as they came out of the box. The two steps that would have prevented the vast majority of Mirai and VPNFilter infections — a unique admin password and current firmware — are the same two steps at the top of the "What To Do Right Now" checklist below.

Quick Reference: Symptom, Likely Cause, and What To Do

Use this table to jump straight to the relevant fix once you've identified a symptom from the lists above.

SymptomMost likely causeWhat to do
Unfamiliar device in connected-devices listUnauthorized network accessChange WiFi + admin password, review device list again
DNS settings changedRouter compromise redirecting trafficReset DNS to Automatic/ISP default, update firmware
Admin password rejectedAttacker locked you outFactory reset router, reconfigure from scratch
New unexplained WiFi networkRogue network or botnet relayInvestigate via admin panel, factory reset if unrecognized
Sudden unexplained slowdownBackground malicious trafficCheck bandwidth/traffic logs, update firmware, reset if needed
Router restarts randomlyUnstable malware or forced rebootsUpdate firmware, factory reset if it continues
Unknown port-forwarding rulePersistent hidden access channelDelete the rule, change admin password, update firmware
Camera moves/sounds on its ownLive active compromiseUnplug device immediately, secure router first, then factory reset device
Unusual data usage from a deviceBotnet recruitment or data exfiltrationIsolate on guest network, factory reset, monitor traffic
Settings reset unexpectedlyUnauthorized reconfigurationFactory reset, reconfigure from official app only
Device asks to "reactivate"/re-pairLost config or device spoofingFactory reset, re-pair via official app with new password
Activity LED on when idleUnauthorized recording/streamingUnplug immediately, investigate before reconnecting

Router-Specific Warning Signs

None of these signs alone is definitive proof — a slowdown can be your ISP, a restart can be a power blip. But two or more together, especially appearing suddenly, is a strong signal your router itself has been compromised.

1. Unfamiliar devices in the router admin panel's connected-devices list

Every router's admin panel has a section — usually labeled "Connected Devices," "Attached Devices," or "Client List" — showing every device currently or recently on your network. Log in (typically at 192.168.1.1 or 192.168.0.1) and scroll through it slowly. A device name you don't recognize, an unfamiliar manufacturer prefix, or simply more devices listed than you actually own is one of the single clearest signs someone else is on your network.

2. DNS settings changed without your action

Your router's DNS settings determine which servers translate web addresses (like itcares.ca) into the actual internet locations your browser connects to. Attackers who compromise a router frequently change these settings to point at malicious DNS servers, silently redirecting some or all of your traffic — including banking sites — to fraudulent lookalike pages, without changing the address bar in any visibly obvious way. Check your router's WAN or Internet settings; DNS should normally read "Automatic" or match your ISP's or a service you deliberately configured (like 1.1.1.1 or 8.8.8.8), not an unfamiliar address.

3. Your admin password suddenly stops working

If you're confident you're entering the correct router admin password and it's rejected, an attacker who gained access may have changed it to lock you out and maintain control. This is one of the more alarming signs on this list, since it means someone else may already have exclusive administrative control of your network.

4. An unexpected new WiFi network appears

Some router compromises create a second, hidden or lightly-named WiFi network (sometimes to relay traffic, sometimes as part of a botnet operation) alongside your normal one. If a device's WiFi list shows a network broadcasting from your home that you never set up — separate from your router's legitimate guest network, if you use one — investigate immediately.

5. Slow internet with no explanation

A compromised router can be relaying traffic for a botnet, mining cryptocurrency, or simply handling malicious processes in the background, all of which compete with your own traffic for the router's limited processing power and bandwidth. Rule out the obvious first (an ISP outage, a bandwidth-heavy device streaming or downloading) — but a persistent, unexplained slowdown that started suddenly and doesn't match your usage deserves a closer look at the router itself.

6. Router restarting on its own

Occasional restarts can be firmware bugs or power issues. Frequent, unexplained restarts — especially several times a week with no storms, power blips, or firmware updates involved — can indicate malware running on the router that's unstable, or an attacker deliberately forcing reboots as part of maintaining control or hiding their tracks.

7. Unfamiliar port-forwarding rules

Port forwarding lets specific internet traffic reach a specific device on your network — legitimately used for things like game servers or remote camera access. Check your router's Port Forwarding or Virtual Server section for rules you don't remember creating, pointing at devices or ports you don't recognize. This is a favorite technique for maintaining a persistent, hidden channel into a compromised network.

The most overlooked router-specific vector

Most home users have genuinely never opened their router's admin panel since the day their ISP technician set it up. Because of this, DNS changes and port-forwarding rules can sit unnoticed for months — they don't produce a pop-up, a notification, or any obvious visual sign the way a hijacked browser homepage does. Making a habit of logging into the admin panel every few months, even with nothing wrong, catches an entire category of compromise that otherwise goes completely invisible.

Smart Home / IoT Device-Specific Warning Signs

Smart cameras, plugs, thermostats, TVs, and baby monitors don't have an admin panel most people ever check — so the signs of compromise show up differently, usually in the device's own behavior rather than in a settings screen.

8. A smart camera moves or makes sounds on its own

Pan-tilt security cameras and baby monitors that physically move, or speakers that emit sounds/voices, without you or anyone in your household controlling them through the app, is one of the most unsettling and clearest signs of a live, active compromise. If this happens, disconnect the device's power immediately and treat it as actively compromised — don't just note it and move on.

9. Unusual data usage from a smart device

Most IoT devices send a small, fairly predictable amount of data — a status ping, video snippets on motion, a temperature reading. A device suddenly sending or receiving far more data than its normal function would require (visible in your router's traffic monitoring, if it has one, or in a network scanner app) can indicate it's been recruited into a botnet, relaying traffic, or exfiltrating recorded footage or data to an outside server.

10. Smart device settings reset unexpectedly

If a smart plug's schedule, a thermostat's programmed temperatures, or a camera's motion zones suddenly revert to factory defaults without you resetting anything, someone with access may have modified or wiped the device's configuration — sometimes as a side effect of gaining unauthorized control, sometimes to cover tracks after tampering with settings.

11. The device suddenly asks to "reactivate" or re-pair

Legitimate apps occasionally require re-authentication after a major update. A device that unexpectedly demands you re-pair it, re-enter WiFi credentials, or "reactivate" your account — with no update or network change on your end — can mean the device lost its configuration because it was reset by an attacker, or that something is impersonating your device on the network.

12. The LED activity light is on when it shouldn't be

Many smart cameras, speakers, and doorbells have a small LED indicator that lights up during active recording, streaming, or listening. If that light is on while you're confident nothing should be actively recording or streaming — no motion, no one using the app — the device may be capturing or transmitting without your knowledge. Note that some devices allow disabling this LED through settings, which itself is worth checking if you didn't disable it yourself.

If a camera or microphone-enabled device shows live signs of compromise

Physically unplug or remove the battery from any camera, baby monitor, or smart speaker showing signs of active, live compromise (unexplained movement, sound, or an activity light with no legitimate cause) before doing anything else. Investigate and reconfigure it only after you've secured the router itself — reconnecting a compromised camera to a still-compromised network just gives an attacker the same access back.

Found signs of compromise and not sure what's actually causing it?

Some router-level compromises hide behind changed DNS settings or port-forwarding rules that look harmless at a glance. IT Cares audits your router and connected devices remotely and locks it down properly. Average resolution: 30-45 min · From $79 · Same-day remote.

Book a Network Security Check → 1 (888) 711-9428
🇨🇦 Serving all of Canada · ⭐ 5★ Google reviews · ✅ No fix, no fee

What To Do Right Now, Step By Step

If you've spotted one or more of the signs above, work through these steps in order. Most router-level compromises are fully resolved by step 3; IoT-specific compromises need steps 4 and 6 as well.

1

Log into your router admin panel and check connected devices

Open a browser, go to your router's admin address (commonly 192.168.1.1 or 192.168.0.1 — check the label on the router if you're unsure), and log in. Open the "Connected Devices" or "Client List" section and compare every entry against what you actually own. Note anything unfamiliar before making changes, in case you need to reference it later.

2

Change your router admin password AND your WiFi password

These are two separate settings. Change the administrator login (not the default admin/admin or admin/password many routers ship with) to something long and unique, and separately update your actual WiFi network password. This single step alone locks out an attacker relying on default or previously-known credentials.

3

Update your router's firmware

Find the "Firmware Update" or "Router Update" section in the admin panel and install whatever is available. This patches known vulnerabilities that attackers actively scan the internet for, and it's one of the most commonly skipped basic security steps for home routers.

4

Factory-reset compromised IoT devices and reconfigure from scratch

For any camera, plug, thermostat, or other smart device showing signs of compromise, perform a full factory reset (usually a physical button held 10-15 seconds) and set it up again from the manufacturer's official app with a brand-new, unique password — don't restore a saved configuration, since that can reintroduce whatever was compromised.

5

Disable remote-management and UPnP if you don't need them

In the router's admin panel, find "Remote Management," "Remote Access," or "UPnP" and turn these off unless you specifically and knowingly rely on them for something. Both make it easier for outside devices to reach into or reconfigure your network without you noticing.

6

Segment IoT devices onto a guest network

Turn on your router's guest network feature and move all smart cameras, plugs, TVs, and other IoT devices onto it, keeping computers and phones on your primary network. If one smart device is compromised again in the future, it can't reach your other devices, files, or saved passwords.

When to stop and call a professional

If you've completed these steps and symptoms persist, if you found evidence of a changed DNS setting pointing at an unfamiliar server, if a device is actively behaving strangely (camera movement, unexpected sounds), or if you simply don't feel confident poking around your router's admin panel, stop and get help. IT Cares audits and secures home networks remotely across Canada, and our technicians can verify nothing was missed after a DIY attempt.

How to Secure Your Home Network Long-Term

Cleaning up an active compromise is only half the job — here's how to make your router and smart devices a much harder target going forward.

For related home security topics, see our guide on is your computer hacked, 15 warning signs, and if your WiFi itself is misbehaving rather than showing signs of compromise, our WiFi troubleshooting guide covers the non-security causes.

Suspect Your Network Has Been Compromised? We Can Help.

IT Cares audits routers and smart home devices, removes unauthorized access, and secures home networks remotely and on-site across Canada. Certified technicians, no guesswork.

Frequently Asked Questions

Can someone hack my WiFi from outside my house?
Yes. WiFi signals routinely reach the sidewalk, neighboring units, and parked cars, and an attacker within that range can attempt to crack a weak password, exploit an unpatched router vulnerability, or abuse a feature like WPS without ever setting foot inside your home. A strong WPA3 password, disabled WPS, and current firmware close off the most common ways this happens.
Do smart cameras get hacked often?
Smart cameras are one of the most frequently compromised categories of IoT device, mainly because many models ship with weak or reused default passwords and are exposed to the internet for remote viewing. Attacks usually come from credential stuffing (reusing passwords leaked in other breaches) rather than sophisticated hacking, which is why a unique password and two-factor authentication on the camera's app account matter more than almost anything else.
How often should I update my router's firmware?
Check for firmware updates at least once every 2-3 months, and turn on automatic updates if your router supports them. Manufacturers release firmware patches specifically to close security vulnerabilities that attackers actively scan for, so a router running outdated firmware for a year or more is a meaningfully easier target than one kept current.
Is a guest network really necessary for smart home devices?
For any home with more than one or two IoT devices, yes. A guest network (or a dedicated IoT VLAN on more advanced routers) isolates smart cameras, plugs, and other connected gadgets from your computers and phones, so that if one device is compromised, the attacker cannot pivot to your primary devices, files, or saved passwords. It takes about five minutes to set up on most modern routers.
Why does my smart device keep asking to re-pair or reactivate?
Occasionally this is a normal app update or a Wi-Fi hiccup. Repeated or unexpected re-pairing requests, especially when you did not change networks or update anything, can indicate the device lost its configuration because an attacker reset it, or that a spoofed device is impersonating yours on the network. Factory reset the device and reconfigure it directly from the manufacturer's official app to rule this out.
Can a hacked router affect devices that aren't even connected to WiFi?
Indirectly, yes. Since the router controls DNS and traffic routing for your entire network, a compromised router can redirect any connected device (wired or wireless) to malicious servers, intercept traffic, or block legitimate security updates from reaching devices, even ones connected by ethernet cable rather than WiFi.
What is the fastest way to check if devices I don't recognize are on my network?
Log into your router's admin panel (usually at 192.168.1.1 or 192.168.0.1) and look for a "connected devices," "attached devices," or "client list" section. Compare it against a mental list of everything you own that connects to WiFi. Free network scanner apps like Fing can also list connected devices with more detail from your phone in about a minute.
Should I just buy a new router if I suspect it's hacked?
Not necessarily. A full factory reset followed by a firmware update and fresh, strong passwords resolves the vast majority of router compromises, since it wipes any malicious configuration changes. Replacement is worth considering only if your router is several years old, is no longer receiving security updates from the manufacturer, or you have reset it and the same symptoms return.

Comments (3)

MP
Marc P., Longueuil
July 16, 2026

Checked my connected devices list after reading this and found two devices I genuinely did not recognize. Turned out to be an old smart plug I'd forgotten I still had plugged in, but it scared me enough that I finally changed my admin password, which was still the factory default from 2019. Embarrassing but fixed now.

DL
Danielle L., Gatineau
July 15, 2026

Our baby monitor's LED was on at 3am and neither of us was checking it. Unplugged it immediately like the article says, then found out our router's admin password had never been changed from the ISP default. Called IT Cares the next morning to have someone actually verify the whole network was clean.

RT
Robert T., Sherbrooke
July 12, 2026

Set up a guest network for all our smart devices after reading this — took maybe ten minutes total. Wish I'd done it years ago instead of having everything, including my work laptop, on the same network as a $15 smart plug from a brand I can't even remember buying.

Leave a Comment

Need Help?