How To Secure Your Router


We often forget that routers are very complex machines that run software designed to manage a massive array of functions - software that can carry vulnerabilities. Throw in the fact that many people don't know how to secure their network or router and you have a ticking time-bomb that bad guys are waiting to detonate. What can you do to defuse this potentially explosive situation?

With threats like the recently announced VPNFilter and the Mirai botnet attack of 2016, it's clear that the home or small office router is becoming an attack vector favoured by threat actors.

For most people, their router is something they install and then largely ignore. Gavin Lowth, a vice president in Symantec's Norton business unit, said that for most users, "Once they've set it up, they never look at it again".

But he said that the last couple of years have seen a greater awareness among users of how their personal data can be exploited. And that's leading to a deeper understanding of the security challenges that affect us at home and in small offices; while similar to those facing large enterprises, they can be very damaging.

So, what can we do to secure our home and office networks?

#1 Default usernames and passwords

Over the years, the majority of router manufacturers have picked up their game here, but there are still plenty of older devices out there that are set up with the same administration credentials they left the factory with.

Changing the administrative username and password is an easy first step to take in order to protect your router.

The Shodan service highlights the number of unsecured IoT devices, including routers, that are connected to the Internet.

#2 Secure WiFi settings

The majority of devices you connect to your network will be wireless. Most home and small office routers have a maximum of four Ethernet ports, with many of the latest mesh gear only offering two ports if you're lucky.

With wireless, use a complex passphrase that's easy to remember but hard to guess. You're better off with a longer phrase you can remember than a short passcode that satisfies the minimum length requirements, as a longer phrase is harder for brute-force password crackers to break.

Many people also say hiding your SSID is a good idea. I'm less convinced. A moderately skilled hacker can capture that information as the SSID is transmitted unencrypted when a new device connects to the network. That can be captured by someone with easily accessible tools. Personally, I find hiding the SSID to be more of an inconvenience than benefit.

#3 Disable guest networks

Many wireless routers offer a guest mode that gives visitors access to the internet but isolates them from other network resources. However, if there's a vulnerability in the router software, then that guest connection could be exploited by a malicious party.

Only enable guest networks when they're needed and ensure they have a complex password. I'd also suggest changing that password regularly just in case someone you trusted with a connection isn't as trustworthy as you thought.

#4 Keep router software updated

Routers run software. And that software was created by humans who sometimes make mistakes. Router manufacturers often fix that software but they aren't all that good at letting you know when they've fixed things.

Make it a habit to log into your router, at least monthly, to check if there's new firmware and install it.

Some routers will check this automatically and even install it at a scheduled time. Explore your router's settings and, if you can, automate the downloading and installation of your router's software.

#5 Look at logs

Your router keeps a record of many of its activities. Things like failed logins to the administration settings, a history of what devices were connected and, in some cases, unusual behaviour such as traffic spikes are recorded.

If you see any unusual behaviour, take remedial action. For example, if an unexpected device is connected, most routers will let you block, or blacklist, a device so it can't reconnect.

If there have been attempts to connect to the administrative functions you can't explain, then it might be a good idea to change your router's password just in case.
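
The log review described in this section, sketched as an added example that is not part of the original article: the log format is constructed and hypothetical (real router logs vary by vendor), and `KNOWN_DEVICES` and `review_log` are illustrative names.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical syslog-like format; real router
# logs differ by vendor, so adjust the two patterns to match your device.
SAMPLE_LOG = """\
Oct 18 09:12:01 router httpd: admin login failed from 192.168.1.23
Oct 18 09:12:04 router httpd: admin login failed from 192.168.1.23
Oct 18 09:12:09 router httpd: admin login failed from 192.168.1.23
Oct 18 09:15:40 router dhcpd: lease 192.168.1.10 to AA:BB:CC:00:00:01
Oct 18 09:20:02 router httpd: admin login ok from 192.168.1.10
Oct 18 10:02:17 router dhcpd: lease 192.168.1.23 to DE:AD:BE:EF:00:99
Oct 18 11:30:55 router httpd: admin login failed from 192.168.1.10
Oct 18 12:01:00 router dhcpd: lease 192.168.1.11 to aa:bb:cc:00:00:02
"""

# Assumption: the MAC addresses of devices you own, kept up to date by hand.
KNOWN_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

FAILED_LOGIN = re.compile(r"admin login failed from (\S+)")
LEASE = re.compile(r"lease (\S+) to ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def review_log(text, known_devices, max_failures=3):
    """Return (sources with >= max_failures failed admin logins, unknown devices)."""
    known = {mac.lower() for mac in known_devices}
    failures = Counter()
    unknown = {}  # MAC -> last IP address leased to it
    for line in text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = LEASE.search(line)
        if m:
            mac = m.group(2).lower()  # logs mix upper and lower case
            if mac not in known:
                unknown[mac] = m.group(1)
    repeated = {ip: n for ip, n in failures.items() if n >= max_failures}
    return repeated, unknown


if __name__ == "__main__":
    repeated, unknown = review_log(SAMPLE_LOG, KNOWN_DEVICES)
    for ip, n in repeated.items():
        print(f"{n} failed admin logins from {ip}: change the admin password")
    for mac, ip in unknown.items():
        print(f"unknown device {mac} ({ip}): block it if you cannot identify it")
```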


Comments

    6. disable WAN admin access
    7. disable UPnP
    8. don't use DMZ
    9. minimise externally facing open ports
    10. of questionable value - set user access control/MAC filtering

    Last edited 18/10/18 1:23 pm

    I'd also like to encourage people to disable WPS. I barely know anyone that uses it and it's a considerably easy attack. I've cracked at least 3 devices in my street alone using this method.
    Also, once the attacker has the key, even if you change your WiFi password, they can still get right back in. The only way to stop them after that is to buy a new device or turn off WPS.
