Your router security stinks: Here’s how to fix it
Most Wi-Fi routers and network gateways used by home users are highly insecure. Some of them are so vulnerable that they should be thrown out, a security expert said at the HOPE X hacker conference in New York.
If a router is sold at [a well-known retail electronics chain with a blue-and-yellow logo], “you don’t want to buy it,” independent computer consultant Michael Horowitz told the audience.
If your ISP gave you your router, “you don’t want to use it either, because they’re giving away millions of them, and that makes them a prime target for both spy agencies and bad guys.”
Horowitz recommended that security-conscious consumers instead upgrade to commercial routers meant for small businesses, or at least separate their modems and routers into two separate devices. (Many “gateway” units, often provided by ISPs, do both jobs in one box.) If neither is an option, Horowitz provided a list of precautions users can take.
Problems with consumer routers
Routers are the essential but unsung workhorses of modern computer networks. However, few home users are aware that routers are actually complete computers, with their own operating systems, software and vulnerabilities.
“A compromised router can spy on you,” Horowitz said, explaining that a router under the control of an attacker could mount a man-in-the-middle attack, alter unencrypted data, or send the user to “evil twin” sites masquerading as webmail or online-banking portals.
Horowitz noted that many consumer home gateway devices fail to notify users if and when firmware updates become available, even though those updates are necessary to patch security vulnerabilities. Some other devices will not accept passwords longer than 16 characters – a minimum length for password security today.
Universal Pwn and Play
The Universal Plug and Play (UPnP) networking protocol is enabled in millions of routers around the world on ports facing the Internet, exposing them to external attack.
UPnP is designed for local area networks (LANs) and, as such, has no security. In and of itself, that’s no big deal, Horowitz said.
But, he added, “UPnP on the Internet is like going in for surgery and having the doctor work on the wrong leg.”
Another problem is the Home Network Administration Protocol (HNAP), a management tool found in some older consumer-grade routers that transmits sensitive information about the router over the Web at http://[router IP address]/HNAP1/, and gives full control to remote users who provide administrative usernames and passwords (which many users never change from the factory defaults).
In 2014, a router worm called TheMoon used the HNAP protocol to identify vulnerable Linksys-branded routers on which it could propagate. (Linksys quickly released a firmware patch.)
“When you get home, this is something you want to do with all of your routers,” Horowitz told the tech-savvy audience. “Go to /HNAP1/, and hopefully you won’t get a response, if that’s the only good thing. Honestly, if you get any response, I’d throw the router out.”
Worst of all is Wi-Fi Protected Setup (WPS), a convenience feature that lets users bypass the network password and connect devices to a Wi-Fi network simply by entering the eight-digit PIN printed on the router itself. Even if the network password or network name is changed, the PIN remains valid.
“This is a huge security problem that has been hushed up,” Horowitz said. “This eight-digit number will get you into the [router] regardless. So a plumber comes into your house, turns the router over, takes a picture of the bottom, and can now connect to your network forever.”
The eight-digit PIN isn’t really eight digits, Horowitz explained. It’s actually seven digits plus a final checksum digit. The first four digits are validated as one sequence and the last three digits as another, which leaves only 11,000 possible codes instead of 10 million.
“If WPS is active, you can get into the router,” Horowitz said. “You only need to make 11,000 guesses” – a trivial task for most modern computers and smartphones.
Then there’s network port 32764, which French security researcher Eloi Vanderbeken discovered in 2013 had been quietly left open on gateway routers sold by many major brands.
With port 32764, anyone on a local network – including the user’s ISP – could take full administrative control of the router, and could even perform a factory reset, without a password.
The port was closed on most affected devices after Vanderbeken’s disclosure, but it was later found that it could easily be reopened using a specially crafted data packet that could be sent from the ISP’s side.
“Obviously a spy agency did this; it’s amazing,” Horowitz said. “It was intentional, no doubt about it.”
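The self-check Horowitz recommends (“go to /HNAP1/ and hope you get no response”) and a reachability check for the port 32764 backdoor, combined into one script you run from inside your own LAN. This is an added example, not code from the article or from Horowitz; ROUTER_IP is an assumed default gateway address, and the probe functions are injectable so the verdict logic can be tested offline.

```python
"""Audit your own router for an answering /HNAP1/ and a listening TCP 32764.
Added example (not the article's code); it only reads answers, sends no exploit."""
import socket
import urllib.error
import urllib.request

ROUTER_IP = "192.168.1.1"  # assumption: a common default gateway address

def http_probe(url, timeout=3.0):
    """Fetch url; return (status, first 512 bytes of body) or None if silent."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # an error page is still an answer
        return exc.code, ""
    except (urllib.error.URLError, OSError):  # refused, unreachable, timeout
        return None

def tcp_probe(host, port, timeout=3.0):
    """Return True if a plain TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify_hnap(result):
    """Apply Horowitz's rule: no answer at /HNAP1/ is the good outcome."""
    if result is None:
        return "ok: /HNAP1/ gave no response"
    status, body = result
    if "HNAP" in body:  # HNAP replies are SOAP/XML that name the protocol
        return f"BAD: HNAP service answered (HTTP {status})"
    if status == 404:
        return "ok: /HNAP1/ not found (HTTP 404), no HNAP service"
    return f"WARN: /HNAP1/ answered with HTTP {status}; confirm it is not HNAP"

def audit_router(host=ROUTER_IP, http_get=http_probe, tcp_connect=tcp_probe):
    """Run both checks; probes are parameters so the logic is testable offline."""
    findings = {"hnap": classify_hnap(http_get(f"http://{host}/HNAP1/"))}
    if tcp_connect(host, 32764):
        findings["port_32764"] = "BAD: TCP port 32764 accepts connections"
    else:
        findings["port_32764"] = "ok: TCP port 32764 is not reachable"
    return findings

if __name__ == "__main__":
    for check, verdict in audit_router().items():
        print(f"{check}: {verdict}")
```

A “BAD” verdict on either check is the article’s cue to replace the router, or at least to hunt for a firmware update and a setting that disables the service.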
How to lock down your home router
The first step toward home router security, Horowitz said, is to make sure the router and cable modem aren’t the same device. Many ISPs rent such dual-purpose devices to customers, but those customers have little control over their home networks. (If you need to get your own, see our recommendations for the best cable modem.)
“If you were given one box, which I think most people call a gateway, you should be able to call your ISP and have them switch the box so that it just acts as a modem. Then you can add your own router to it,” Horowitz said.
Next, Horowitz recommended that customers buy a low-end, commercial-grade Wi-Fi/Ethernet router, such as the Pepwave Surf SOHO, which retails for about $200 (beware of price gougers), rather than a consumer-friendly router that can cost less than $20.
Commercial-grade routers are unlikely to have UPnP or WPS enabled. Horowitz noted that Pepwave provides additional features, such as firmware rollback in the event of a failed firmware update. (Many high-end consumer routers, especially those geared toward gamers, offer this as well.)
Regardless of whether a router is commercial- or consumer-grade, there are many things, ranging from easy to difficult, that home network administrators can do to make their routers more secure.
Easy fixes for your home wireless router
Change the administrative credentials from the default username and password. It’s the first thing an attacker will try. Your router’s instruction manual should show you how to do this. If it doesn’t, Google it.
Make the password long, strong and unique, and don’t make it resemble the regular password used to access the Wi-Fi network.
Change the network name, or SSID, from “Netgear” or “Linksys” or whatever the default is to something unique – but don’t give it a name that identifies you.
“If you live in an apartment building, in apartment 3G, don’t name your SSID ‘Apartment 3G,’” Horowitz quipped. “Call it ‘Apartment 5F.’”
Turn on automatic firmware updates if available. Newer routers, including most mesh routers, will update the router’s firmware automatically.
Enable WPA2 wireless encryption so that only authorized users can get on your network. If your router only supports the old WEP standard, it’s time for a new router.
Enable the newer WPA3 encryption standard if the router supports it. However, as of mid-2021, only the latest routers and client devices (PCs, mobile devices and smart-home devices) support it.
Disable Wi-Fi Protected Setup if your router allows you to.
Set up a guest Wi-Fi network and offer it to visitors, if your router has this feature. If possible, set the guest network to turn itself off after a specified period of time.
“You turn on your guest network, set a timer, and after three hours it turns off by itself,” Horowitz said. “This is a really cool security feature.”
If you have a lot of smart-home or IoT devices, chances are that many of them won’t be terribly secure. Connect them to the guest Wi-Fi network instead of your primary network to limit the damage from any IoT device that gets compromised.
Don’t use cloud-based router management if your router manufacturer offers it. Instead, see if you can turn this feature off.
“That’s a really bad idea,” Horowitz said. “If your router offers that, I wouldn’t, because now you’re trusting someone else between you and your router.”
Many mesh router systems, such as Nest Wifi and Eero, are entirely cloud-based and can interact with the user only through cloud-based smartphone apps.
While these models offer security improvements in other areas, such as automatic firmware updates, it may be worth looking for a mesh router that allows local administrative access, such as the Netgear Orbi.
Home router fixes that are a bit trickier
Install new firmware when it becomes available. This is how router makers deliver security patches. Routinely log into your router’s administrative interface to check.
With some brands, you may have to check the manufacturer’s website for firmware upgrades. Have a spare router on hand in case something goes wrong. Some routers also let you back up your current firmware before installing an update.
Set your router to use the 5GHz band for Wi-Fi instead of the standard 2.4GHz band, if possible – and if all your devices are compatible.
“The 5GHz band doesn’t travel as far as the 2.4GHz band,” Horowitz said. “So if there’s a bad guy in your area a block or two away, they might see your 2.4GHz network, but they might not see your 5GHz network.”
Disable remote administrative access, and disable administrative access over Wi-Fi. Administrators should connect to routers only via wired Ethernet. (Again, this won’t be possible with many mesh routers.)
Advanced router security tips for tech-savvy users
Change the administrative web interface settings if your router allows it. Ideally, the interface should enforce a secure HTTPS connection over a non-standard port, so that the administrative-access URL would be something like, to use Horowitz’s example, “https://192.168.1.1:82” instead of the more standard “http://192.168.1.1”, which by default uses standard Internet port 80.
Use incognito or private mode when you access the administrative interface, so that the new URL you set in the step above is not saved in the browser history.
Disable PING, Telnet, SSH, UPnP and HNAP, if possible. All of these are remote-access protocols. Instead of setting their respective ports to “closed,” set them to “stealth,” so that unwanted external connections that may come from attackers probing your network get no answer at all.
“Every router has the option not to respond to PING commands,” Horowitz said. “It’s something you totally want to turn on – a great security feature. It helps you hide. Of course, you wouldn’t hide from your ISP, but you would hide from someone in Russia or China.”
Change the router’s Domain Name System (DNS) server from the ISP’s own server to one maintained by OpenDNS (208.67.222.222, 208.67.220.220), Google Public DNS (8.8.8.8, 8.8.4.4) or Cloudflare (1.1.1.1, 1.0.0.1).
If you are using IPv6, the corresponding OpenDNS addresses are 2620:0:ccc::2 and 2620:0:ccd::2, the Google addresses are 2001:4860:4860::8888 and 2001:4860:4860::8844, and the Cloudflare addresses are 2606:4700:4700::1111 and 2606:4700:4700::1001.
Use a virtual private network (VPN) router to supplement or replace your existing router and encrypt all your network traffic.
“When I say VPN router, I mean a router that can be a VPN client,” Horowitz said. “Then you sign up with some VPN company, and whatever you send through that router goes through their network. This is a great way to hide what you’re doing from your ISP…