Router and wireless security for the home/small network is often overlooked due to the limitations of consumer grade hardware and general lack of awareness of network security (NetSec).
As such, many users run home or small office networks that introduce a great amount of unnecessary risk.
This is a guide meant for “regular” users to improve their network security, cutting down unnecessary risk that may be invisible to users unfamiliar with (cyber)security.
Renting a router from your internet service provider (ISP) is not recommended. The ISP router is often subpar equipment, has limited to no flexibility in settings, and often does not allow maximum control over administration of your network.
Frequently, routers and other networking equipment rented from the ISP are… subpar. You’ll often get better Wi-Fi coverage and performance using a router you purchase yourself.
In many cases, the ISP router has default settings enabled that could compromise user security. For example, many ISP routers (and shipped instructions) do not prompt users to change the default credentials even after successfully setting up the wireless network.
Additionally, ISP initial set-up instructions may not cover how to disable certain features that could undermine security – such as the automatic, public Wi-Fi hotspot some ISP routers broadcast separately from the user’s own network.
ISP routers typically do not support changing settings which could ultimately benefit user privacy, such as setting custom DNS resolvers. They often do not support other features some users may want or need to properly administer their network, such as network segmentation, creating VLANs, or enabling parental controls.
Again on the privacy front, routers supplied by the ISP allow the ISP direct access to the router firmware. Typically this is used for providing timely security updates, but it has privacy implications as well; in theory, your ISP could spy on your local network. Or, a third party could gain access to this remote function of the router and perform privacy-invasive actions such as collecting sensitive data about you, your devices, and your network.
This is a little different than your ISP collecting information on your browsing history – which they can do regardless of whether you use your own router or theirs. In the US, since 2017 and as of writing, ISPs are legally allowed to sell consumer data, including your browsing history, to third parties. To mitigate this specifically, you can use a reputable virtual private network (VPN) provider or the freely available Tor browser (or another onion routing service, such as SafingIO’s SPN).
From a financial standpoint, renting the ISP’s router also costs you more in the long run. See this example:
Let’s say you sign up for a 1-year term contract for home internet service from ISP-1. Each month, your bill is $60 for 12 months.
You also elect to rent a router from ISP-1 for $12 a month. So, in total for 1 year, you are paying $864 for service and equipment.
Over the course of 12 months, your total cost for renting ISP-1’s router is $144. In a lot of cases, you’ll have to return the router if/when you choose to terminate service with the ISP.
For that amount of cash, you could buy a capable home router that is under your control, allows meaningful customization, is more than likely higher quality hardware, and… you get to keep it for years (or until it reaches end-of-life, at which point it no longer receives security updates).
If you do nothing else in this guide, you should absolutely change the default password for your home router – even if it’s your ISP’s router.
The default password to any device is the password that ships with the device/software for administrator (privileged) access into a device/account. As a basic security rule, default passwords should always be changed as soon as possible.
Why change the default password? Put simply, default credentials are often exceedingly simple. They are incorporated in many brute-forcing and credential stuffing wordlists and constantly used in automated attacks. Default credentials for many devices (including routers) are also often publicly available and can frequently be found on device manufacturers’ websites.
In fact, many router manufacturers post the default credentials for router models and sub-models on their websites. For example, the default interface credentials for current NETGEAR router models are “admin” and “password”.
The bottom line: Once receiving an internet connection (typically from a modem or a device acting as a modem) and assigned a public IP address from the ISP, your router is effectively discoverable from the outside world.
If you haven’t changed the default credentials for the router, anyone can “discover” it and use the default credentials to login to the device.
From this point forward, your device can be recruited into a botnet or used as a residential proxy for cyber threat actors. Additionally, since the device is controlled by the threat actor, they could download additional malware, pivot to compromise the rest of the devices on your network, or spy/steal data from your network – anything they want, really.
Change the default password to your router! Do not use variations of the default password or credentials. Set a truly strong password that is both lengthy and complex.
Universal Plug and Play (UPnP) is a protocol designed to let users quickly connect devices to their networks without manual configuration on the devices themselves.
In most cases, UPnP does not authenticate connecting devices. It operates on the assumption that a device requesting a connection via UPnP is 1) on the local network and 2) trustworthy, so the router permits the request without “challenge.”
While originally designed to be used on the local area network (LAN), router manufacturers have enabled UPnP by default on most consumer-grade routers available. Typically, UPnP is available on the wide area network (WAN), where a broader audience can discover and connect to your router and network. A broader audience can include, well, an attacker.
Naturally, this undermines network security because UPnP enabled on the WAN allows devices from outside your physical LAN to request connection to your network – with zero challenge in most cases. It’s kind of like going to a concert without having security check/scan your ticket at the front gate – you just say you paid for a ticket and they let you in.
A malicious device controlled by an attacker could pose as a benign device and request access from your UPnP-enabled router. The router will open a port in the firewall and permit the connection – now, the threat actor has access to your network and is free to pivot, observe/collect data, or install malware as they see fit.
Open ports are similar to opening windows – you may wish to only invite the cool breeze into your home, but you may never know what exactly will come through the window.
The steps for disabling UPnP ultimately depend on a given router’s manufacturer, model, and if applicable, sub-model. Refer to your router’s manual for specific steps to disable UPnP. Router manuals or other how-tos are frequently found on the manufacturer’s websites.
Whichever router you use – whether your ISP’s or one you own/purchased yourself – should have basic firewall capabilities. Firewalls filter traffic between your home network and the internet and help prevent intrusions from outsiders. They’re especially effective against automated attacks, such as brute force attacks and denial-of-service attacks.
Firewalls can often be custom configured using “rules,” but this is beyond the scope of this post and beyond the capabilities of many consumer grade routers out there.
The router’s firewall should include network address translation (NAT), preventing devices on your network from being discoverable from outside the network boundary; no one should have the ability to enumerate your devices on your home network from outside the network.
The firewall should also support IPv6 (alongside legacy IPv4), allowing it to effectively filter IPv6 traffic. If the firewall does not support IPv6, you should disable IPv6 addressing.
Wireless access points (WAP) – including routers functioning in WAP mode – typically do not have firewall capabilities. It’s generally best to purchase a router, enable its firewall, and allow it to be the definitive central hub on your network even if using WAPs.
Your network’s router should at least support Wi-Fi Protected Access 2/3 (WPA 2/3). The first generation of WPA does not use sufficient encryption and should be avoided in all circumstances.
Enabling WPA 2/3 can be done inside the router’s settings (usually by logging in as the administrator account.)
Strong passwords are not easy to guess and are resistant to brute-forcing and some other password attacks like dictionary attacks.
Your Wi-Fi password should be strong, which usually includes:
- A length of at least 20 characters
- Complex – typically mixing lowercase, uppercase, symbols (common and uncommon), and numbers
Complexity is not a substitute for length. For example, the password “Pa55w0rd” is generally not more secure or stronger than “password”. Attackers attempting to break into your network will attempt to use common substitutions of commonly (re)used passwords. So, it is highly likely both “Pa55w0rd” and “password” will be used in guesses.
Also, generally speaking, using “password” as part of a password is bad practice. Year after year, “password” is commonly seen among the top used/leaked passwords.
You should also avoid reusing passwords from online accounts – even variations – as the password to your Wi-Fi network. Avoid using personal information – especially information that is easily discoverable, such as a pet’s name, parts of your email address, or even your address.
You should also use a password manager to securely store (and generate) your strong passwords for both the router and the Wi-Fi!
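As an added example (not part of the original post), here is a Python check that applies the advice from the default-credentials section and this password section: it undoes common character substitutions before comparing against a wordlist, so “Pa55w0rd” and variations of a router default are caught, enforces the 20-character minimum, and generates a password that passes. The wordlist, substitution table and sample passwords are constructed for this example and are assumptions, not data from the post.

```python
import secrets
import string

# Constructed sample wordlist for this example. A real check would load a large
# breached-password list plus the router's actual default credentials.
WORDLIST = {"password": "common password / router default", "admin": "router default",
            "123456": "common password", "qwerty": "common password"}

# Character substitutions attackers routinely apply when generating guesses.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 20  # the post's minimum length


def normalize(password: str) -> str:
    """Lowercase and undo common substitutions, so Pa55w0rd becomes password."""
    return password.lower().translate(LEET_MAP)


def weaknesses(password: str) -> list[str]:
    """Return why a router or Wi-Fi password is weak; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    # Check the raw lowercase form and the de-substituted form, so "password",
    # "Pa55w0rd" and variations that merely embed them are all caught.
    for word, label in WORDLIST.items():
        if word in password.lower() or word in normalize(password):
            problems.append(f"contains {label} '{word}'")
    return problems


def generate_password(length: int = 24) -> str:
    """Generate a random password that is guaranteed to pass weaknesses()."""
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = "".join(pools)
    while True:
        # One character from each class, the rest from the full alphabet, then shuffled.
        chars = [secrets.choice(pool) for pool in pools]
        chars += [secrets.choice(alphabet) for _ in range(max(length, MIN_LENGTH) - len(pools))]
        secrets.SystemRandom().shuffle(chars)
        candidate = "".join(chars)
        if not weaknesses(candidate):  # rejects the rare random hit on a wordlist entry
            return candidate
```

In practice a password manager does the generating and storing for you; the point of the check is that a substitution such as 5 for s adds nothing once the attacker's wordlist already contains the de-substituted form.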
Routers come with a default name for the Wi-Fi network name (SSID). This name is included on the label on the side or bottom of the physical router, alongside the default password.
Different manufacturers have different naming conventions, sometimes varying between different models as well. It’s good practice to change the SSID to something unique; feel free to have some fun with it!
Keeping software and firmware updated is a part of basic (cyber)security hygiene.
Home and small business router vulnerabilities are frequently exploited because threat actors know many individuals (and organizations) simply do not update to the latest versions in time. The latest versions of both software and firmware often contain security fixes for known vulnerabilities, helping to prevent exploitation of those known security vulnerabilities.
As a trend, year over year, threat actors have exploited disclosed or n-day vulnerabilities more quickly – so updating to the latest security patch is highly important.
Arguably, home routers are more prone to zero-day attacks and flaws because they often have bundled functions – such as being the definitive firewall for the network – and are missing security features more commonly found on enterprise networks. The broader state of small office/home office (SOHO) router security capabilities as a whole is simply not the best.
Keeping router firmware updated helps alleviate risk by patching known security vulnerabilities and repairing bugs. As general advice, it’s best to enable automatic updates for the router (if supported).
In addition to keeping the router’s firmware updated, you should also keep other software/firmware on your network – including operating systems for devices, device firmware, apps, drivers, and others – updated. At minimum, installed apps and software and device operating systems and firmware should always have the latest security update.
Staying on top of the latest security updates lessens your attack surface and possible “points of entry” threat actors can use to compromise your network and/or devices.
Surprisingly, consumer routers (and by extension, the router firmware) often come attached to some lengthy privacy policies, just like anything else in modern times.
While many router manufacturers claim they do not collect data about the websites visited by your connected devices, some apparently do collect personal data. Some still may share/sell this data with third parties. Their claims are ultimately hard to verify because their router firmware is often proprietary, closed-source, and tough to audit thoroughly from a privacy perspective.
Depending on the manufacturer of the router, the model, and relevant sub-model details, it is possible to flash (install) some routers with open-source firmware alternatives.
Doing so replaces the router manufacturer’s firmware with an open-source firmware selection, changing how you can interact with your router; often, this allows users to break free from vendor restrictions and configurations and allows greater freedom of control and customization over the router. Open-source firmware brings transparency to the router and its workings and in many cases allows finer control and administration over your network.
Which open-source router firmware should you use? Enter: OpenWrt, a Linux-based operating system for embedded devices that route network traffic – such as a router. It has been optimized for home routers and features a fully writable filesystem with package management.
Following the steps outlined in this guide will improve your router and wireless network security. However, the steps outlined in this guide are basic in nature. Primarily, this is because consumer grade (SOHO) networking equipment – such as modems and routers – are not remotely as effective in terms of security as enterprise-grade equipment.
Users should avoid using/renting equipment from their ISPs to avoid the various categories of limitations – security, privacy, administrative, and financial – associated with renting ISP equipment.
Users should also take care to change the default password for both their router login and their Wi-Fi network. Ideally, users should change the default SSID as well.
Users should also turn off UPnP (at least when not in active use), use the router’s firewall capabilities however basic, and use sufficient Wi-Fi encryption – such as WPA 2/3.
Keeping software updated is basic cybersecurity hygiene, even outside the specific context of this post. Ensure the router is always patched with the latest firmware updates.
As always, stay safe out there!