Nearly everyone accessing the internet should be concerned about ensuring their router is secure. While securing WiFi is important, there are other router security concerns even if you have WiFi turned off on your router. The most chilling is how hackers are using home routers by enlisting them in botnet armies to launch attacks on services throughout the internet.
While some vendors automatically update your network with the latest security patches (this is precisely why I switched to Google WiFi), most do not. Today I’m going to cover how you can secure your home router and WiFi network to shield you from exploits and attacks.
Choosing a Secure Router
One of the most important steps of having a secure network is choosing a router that has frequent updates to its firmware. This ensures that the vendor is up to date to fight against the latest hacks and exploits.
I advise against using your ISP-supplied router, as these typically have remote management features that are susceptible to exploitation. If your ISP forces you to use their router, then you should be able to turn off the WiFi on the router and use it in “bridge mode” to disable routing and let your own router act as the gateway to the internet.
Here is an example of putting one of Comcast’s Routers in bridge mode: Enable Bridge Mode on Xfinity Routers
When it comes to picking a router, it’s best to stay with trusted brands to ensure vulnerabilities are going to be quickly patched. You’ll also need to understand how to update the firmware on these routers, as that’s how the vulnerabilities will be patched. I would recommend doing a Google search on “<Router Brand> vulnerabilities” to get an idea of how well they keep up with the latest exploits.
Use Open Source Router Firmware
Personally, I find the open source community is best when it comes to finding and patching exploits. There are so many eyes on exploits that are occurring that most vendors are alerted to bugs and hacks by the open source community. I would look to buy a router that you can flash and install open source routing software like OpenWrt, DD-WRT, AdvancedTomato, or Asuswrt-Merlin.
Configuring Your Router Security
Below are various things you should do to ensure that your router is secure and up to date. Remember, you are the administrator of your network. It is up to you to make sure it is secure. This means keeping an eye on firmware updates to your router. If possible, sign up for an email notification when the router’s firmware is updated.
Change the Admin Password
Most routers are manufactured with a default admin account and password. They are typically extremely easy to guess (like username “admin” and password “password”), and you can even look them up online for a given model. One of the first things you should do is create a new administrator account and password. Be sure to choose a strong password. Once you have set up the new administrator account, delete the default one.
Many botnet attacks are due to a hacker writing a script that searches for routers using the default administrator account and taking control of them.
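The scripted default-credential sweeps described above leave a recognisable trace in a router's authentication log. The following is an added example (not part of this post, and not any router vendor's code) that parses constructed log lines in a hypothetical syslog format and flags sources that look like a credential sweep: any failed attempt from outside the LAN, or repeated failures against factory-default usernames from inside it. The log format, the list of default usernames, and the 192.168.10.0/24 LAN are assumptions taken from or added to this post's examples.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Usernames that ship as factory defaults on many consumer routers (assumed list).
DEFAULT_ADMIN_NAMES = {"admin", "root", "administrator", "user"}

# The post's example LAN; anything outside it is treated as coming from the WAN side.
LAN = ip_network("192.168.10.0/24")

# Constructed log lines in a hypothetical router syslog format; real routers differ.
SAMPLE_LOG = """\
Mar  3 02:14:07 router authd[1183]: failed login for 'admin' from 203.0.113.7:51234
Mar  3 02:14:08 router authd[1183]: failed login for 'admin' from 203.0.113.7:51235
Mar  3 02:14:09 router authd[1183]: failed login for 'root' from 203.0.113.7:51236
Mar  3 02:14:10 router authd[1183]: failed login for 'admin' from 203.0.113.7:51237
Mar  3 08:30:41 router authd[1183]: failed login for 'alice' from 192.168.10.23:40011
Mar  3 08:30:49 router authd[1183]: successful login for 'alice' from 192.168.10.23:40012
Mar  3 19:02:13 router authd[1183]: failed login for 'admin' from 192.168.10.40:53300
Mar  3 19:02:14 router authd[1183]: failed login for 'admin' from 192.168.10.40:53301
Mar  3 19:02:15 router authd[1183]: failed login for 'admin' from 192.168.10.40:53302
"""

# Only failed attempts are counted; the username and source address are captured.
FAILED_RE = re.compile(
    r"failed login for '(?P<user>[^']+)' from (?P<src>\d+(?:\.\d+){3}):\d+$"
)


def parse_failed_logins(log_text):
    """Return {source_ip: Counter(username -> failed attempts)} for failed logins only."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m["src"]][m["user"]] += 1
    return attempts


def find_credential_scans(log_text, lan=LAN, threshold=3):
    """Flag sources that look like a default-credential sweep.

    A source is flagged when it is outside the LAN (any failed attempt on the
    admin interface from the WAN side is noteworthy) or when it racks up
    `threshold` or more failures against factory-default usernames.
    """
    findings = []
    for src, users in parse_failed_logins(log_text).items():
        default_hits = sum(n for u, n in users.items() if u in DEFAULT_ADMIN_NAMES)
        from_wan = ip_address(src) not in lan
        if from_wan or default_hits >= threshold:
            findings.append({
                "src": src,
                "from_wan": from_wan,
                "failed_attempts": sum(users.values()),
                "default_name_attempts": default_hits,
                "usernames": sorted(users),
            })
    return findings


if __name__ == "__main__":
    for f in find_credential_scans(SAMPLE_LOG):
        where = "WAN" if f["from_wan"] else "LAN"
        print(f"{f['src']} ({where}): {f['failed_attempts']} failures, "
              f"{f['default_name_attempts']} against default names, "
              f"users={f['usernames']}")
```

Run against the sample, the script reports the internet-side host that tried “admin” and “root” four times, and the LAN host that tried “admin” three times; the single mistyped password from 192.168.10.23 is not reported. Once the default account has been deleted, any hit on these usernames is by definition an attacker guessing, which is what makes the default-name filter useful.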
Change the Router’s Default IP
Many routers will default their IP address to something like 192.168.0.1 or 192.168.1.1. There is no rule that this has to be the router’s IP address. I recommend changing it to something like 192.168.10.5. I set the subnet mask to 255.255.255.0. This means all the devices on my network will have an IP like 192.168.10.X. Just make sure X is a number between 1 and 254.
I also recommend changing your default DNS. OpenDNS (208.67.222.222, 208.67.220.220) or Google Public DNS (8.8.8.8, 8.8.4.4) are trusted options. If you’re using IPv6, the OpenDNS addresses are 2620:0:ccc::2 and 2620:0:ccd::2, and the Google DNS addresses are 2001:4860:4860::8888 and 2001:4860:4860::8844.
When setting your router’s new IP, be sure to also check the DHCP settings. These are the addresses your router will give out to devices on the network. You can set the range of IPs given out. For instance, in my example, I would set the range to something like 192.168.10.57 – 192.168.10.156. This would give me 100 addresses on the network. Be sure not to include your router or any IP addresses you set manually on your network in the range.
Also, note that your router’s new address is how you access the router’s administration menu. In my example, it would be “https://192.168.10.5” instead of the default. In this example, I’m also assuming the router allows the user to force a secure “HTTPS” connection instead of the unencrypted “HTTP.”
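The three rules in the DHCP advice above (pool inside the subnet, router outside the pool, static hosts outside the pool) are easy to get wrong by hand, so here is an added example that checks a plan before you type it into the router. It is not code from this post or from any router firmware; it uses Python's standard ipaddress module, and the function and parameter names are my own. The numbers are the ones used above: router 192.168.10.5, mask 255.255.255.0, pool 192.168.10.57 to 192.168.10.156.

```python
from ipaddress import ip_address, ip_interface


def plan_lan(router_ip, netmask, dhcp_start, dhcp_end, static_hosts=()):
    """Check a LAN addressing plan and return (subnet, number_of_leases).

    Rules enforced:
      * the DHCP pool lies inside the router's subnet, excluding the network
        and broadcast addresses;
      * the router's own address and every statically assigned host sit
        outside the pool, so DHCP can never hand out a duplicate.
    Raises ValueError describing the first problem found.
    """
    iface = ip_interface(f"{router_ip}/{netmask}")  # e.g. 192.168.10.5/255.255.255.0
    net = iface.network
    start, end = ip_address(dhcp_start), ip_address(dhcp_end)
    if start > end:
        raise ValueError("DHCP range start is after its end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            raise ValueError(f"DHCP {label} {addr} is outside {net}")
        if addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"DHCP {label} {addr} is the network or broadcast address")
    # The router itself plus any hosts you configured by hand must not be leased.
    for host in (iface.ip, *map(ip_address, static_hosts)):
        if start <= host <= end:
            raise ValueError(f"{host} is reserved but falls inside the DHCP pool")
    return net, int(end) - int(start) + 1


def admin_url(router_ip, https=True):
    """Address of the admin page after the change (assumes the router offers HTTPS)."""
    return f"{'https' if https else 'http'}://{router_ip}"


if __name__ == "__main__":
    # The post's own plan: a /24 with a 100-address pool that skips the router.
    net, leases = plan_lan("192.168.10.5", "255.255.255.0",
                           "192.168.10.57", "192.168.10.156",
                           static_hosts=["192.168.10.10"])  # constructed printer/NAS address
    print(f"subnet {net}, {leases} DHCP leases, admin at {admin_url('192.168.10.5')}")
    # A plan that would lease the router's own address is rejected.
    try:
        plan_lan("192.168.10.5", "255.255.255.0", "192.168.10.1", "192.168.10.100")
    except ValueError as err:
        print("rejected:", err)
```

The first call reports 100 leases, matching the count in the text; the second is rejected because 192.168.10.5 sits inside a pool that starts at .1. Passing your manually addressed devices in static_hosts catches the most common cause of duplicate-address problems on a home LAN.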
Disable Risky Services
Your router will respond to certain protocols when they are scanned from outside your network. There are some that should be shut down, or at least put in stealth mode so they do not reply to scans outside your network.
Services like Telnet and Secure Shell (SSH) should not be exposed outside your network (block incoming traffic). This will prevent access to your router if there was a backdoor installed at some point.
Universal Plug and Play (UPnP) should be blocked to incoming traffic. Be aware this is how external baby monitors and cameras are accessible to the internet. If you require this functionality consult the manufacturer of the device to ensure a secure way to set this up. Using the default UPnP can leave you vulnerable to other people accessing those devices.
Most home users will have no use for Simple Network Management Protocol (SNMP), so that can be shut down. This protocol has been susceptible to many hacks and vulnerabilities in the past. I also recommend disabling Home Network Administration Protocol (HNAP) and the Customer Premises Equipment WAN Management Protocol (CWMP).
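Whether a service is “exposed” depends on how the firewall's rules and zone defaults combine, which is easy to misjudge when a router's admin page shows them on separate screens. Here is an added example, not from this post or from any firmware, that models first-match rule evaluation over a small rule list in the style of a zone-based router firewall and reports which of the services named above would answer from the WAN. The rule dictionaries, the zone policies and the port numbers are assumptions (the ports are the conventional ones; check your own router's documentation for where it actually listens).

```python
# Services the post says should not answer on the WAN side, with the ports they
# conventionally listen on (assumed values; check your own router's documentation).
RISKY_SERVICES = {
    "telnet":    ("tcp", 23),
    "ssh":       ("tcp", 22),
    "upnp/ssdp": ("udp", 1900),
    "snmp":      ("udp", 161),
    "hnap":      ("tcp", 80),    # HNAP rides on the router's HTTP admin interface
    "cwmp":      ("tcp", 7547),  # TR-069 connection-request port
}


def first_match(rules, src_zone, proto, port):
    """Return the target of the first rule matching (zone, proto, port), or None.

    A rule without a 'proto' or 'dest_port' key matches any protocol / port,
    the way a blanket 'allow everything from this zone' rule would.
    """
    for rule in rules:
        if rule["src"] != src_zone:
            continue
        if rule.get("proto", "any") not in ("any", proto):
            continue
        if rule.get("dest_port", "any") not in ("any", port):
            continue
        return rule["target"]
    return None


def wan_exposed(rules, zone_policy, services=RISKY_SERVICES):
    """Names of risky services reachable from the WAN under first-match evaluation.

    Traffic no rule matches falls through to the zone's default input policy,
    so a permissive WAN default exposes everything even with an empty rule list.
    """
    exposed = []
    for name, (proto, port) in services.items():
        verdict = first_match(rules, "wan", proto, port) or zone_policy["wan"]
        if verdict == "ACCEPT":
            exposed.append(name)
    return exposed


# Constructed example: a router that opens SSH and the CWMP port to the internet.
LOOSE_POLICY = {"wan": "REJECT", "lan": "ACCEPT"}
LOOSE_RULES = [
    {"name": "remote-ssh", "src": "wan", "proto": "tcp", "dest_port": 22,   "target": "ACCEPT"},
    {"name": "isp-mgmt",   "src": "wan", "proto": "tcp", "dest_port": 7547, "target": "ACCEPT"},
    {"name": "lan-any",    "src": "lan", "target": "ACCEPT"},
]

# Hardened: no WAN rules at all, so the REJECT default applies; SSH only from the LAN.
HARDENED_POLICY = {"wan": "REJECT", "lan": "ACCEPT"}
HARDENED_RULES = [
    {"name": "lan-ssh", "src": "lan", "proto": "tcp", "dest_port": 22, "target": "ACCEPT"},
]

if __name__ == "__main__":
    print("loose:   ", wan_exposed(LOOSE_RULES, LOOSE_POLICY))
    print("hardened:", wan_exposed(HARDENED_RULES, HARDENED_POLICY))
    print("open default, no rules:", wan_exposed([], {"wan": "ACCEPT", "lan": "ACCEPT"}))
```

The loose configuration reports ssh and cwmp; the hardened one reports nothing; and the third call shows why the zone default matters: with the WAN input policy set to ACCEPT, every service in the table is reachable even though no rule mentions it. When you audit your own router, write down both the per-rule entries and the zone defaults before deciding something is blocked.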
Secure Your Home WiFi
When setting up your WiFi network, make sure you are using WPA2 with a strong password. WEP and WPA have been compromised and should not be used. Make sure you change the default name of your WiFi Network. You can also turn off the broadcast of your SSID. This will mean the network will not show up in the menu when connecting to the device and you will need to manually type it in to join the network.
Make sure you disable Wi-Fi Protected Setup (WPS). This allows connecting devices to the network by using a PIN printed on a sticker or by pushing a physical button on the router. These are vulnerable to brute force attacks.
For those that are concerned with privacy and want more anonymity when surfing the web, a VPN Service will go a long way. This service will allow you to use your router as a VPN client to encrypt your data and even keep much of your online behavior hidden, even from your ISP!
Alternatively, Outsource Network Maintenance
As I said, I recently switched to Google WiFi. This is an easy-to-set-up mesh WiFi network that automatically manages security aspects. Some may point to the fact that it is cloud managed, which opens up potential vulnerabilities. However, I’m already taking that risk when I use Gmail, Google Docs, or Google’s Cloud in any way. I was tired of managing my network, so I just decided to let Google do it.
I know some may be uncomfortable with that approach and with losing the flexibility of fine-grained control over the network. For those folks, take a look at the NETGEAR Orbi WiFi Mesh System. It doesn’t force users into the cloud and permits the user more network management flexibility.