periods
Sign in with
Sign up | Sign in

Your Router's Security Stinks: Here's How to Fix It

By - Source: Tom's Guide US | B 7 comments
Tags :

Credit: Bacho/ShutterstockCredit: Bacho/Shutterstock

Most gateway routers used by home customers are profoundly not secure, and some routers are so vulnerable to attack that they should be thrown out, a security expert said at the HOPE X hacker conference in New York earlier this month.

"If a router is sold at [an electronics chain], you don't want to buy it," independent computer consultant Michael Horowitz said in a presentation July 20. "If your router is given to you by your Internet service provider [ISP], you don't want to use it either, because they give away millions of them, and that makes them a prime target both for spy agencies and bad guys."

Horowitz recommended that security-conscious consumers instead upgrade to commercial routers, or at least separate their modems and routers into two separate devices. (Many "gateway" units, often supplied by ISPs, act as both.) Failing either of those options, he gave a list of precautions users could take.

Problems with consumer routers

Routers are the essential but unheralded workhorses of modern computer networking, yet few users realize they are computers, with their own operating systems, software and vulnerabilities.

MORE: Best Antivirus Software 2014

"A compromised router can spy on you," Horowitz said, explaining that a router under an attacker's control can stage a man-in-the-middle attack, alter unencrypted data or send the user to "evil twin" websites masquerading as often-used Webmail or online-banking portals.

Many consumer-grade home-gateway devices fail to notify users if and when firmware updates become available, even though those updates are essential to patch security holes, Horowitz noted. Others will not accept passwords longer than 16 characters.

Millions of routers throughout the world have the Universal Plug and Play (UPnP) networking protocol enabled on Internet-facing ports, which exposes them to external attack.

"UPnP was designed for LANs [local area networks], and as such, it has no security. In and of itself, it's not such a big deal," Horowitz said. But, he added, "UPnP on the Internet is like going in for surgery and having the doctor work on the wrong leg."

Another problem is the Home Network Administration Protocol (HNAP), a management tool found on some consumer-grade routers that transmits sensitive information about the router over the Web at http://[router IP address]/HNAP1/, and grants full control to remote users who provide administrative usernames and passwords (which many users never change from the factory defaults).

Earlier this year, a router worm called TheMoon used the HNAP protocol to identify vulnerable Linksys-brand routers to which it could spread itself. (Linksys quickly issued a firmware patch.)

"As soon as you get home, this is something you want to do with all your routers," Horowitz told the tech-savvy crowd. "Go to /HNAP1/, and, hopefully, you'll get no response back, if that's the only good thing. Frankly, if you get any response back, I would throw the router out."

The WPS Threat

Worst of all is Wi-Fi Protected Setup (WPS), an ease-of-use feature that lets users bypass the network password and connect devices to a Wi-Fi network simply by entering an eight-digit PIN that's printed on the router itself. Even if the network password or network name is changed, the PIN remains valid.

"This is a huge expletive-deleted security problem," Horowitz said. "That eight-digit number will get you into the [router] no matter what. So a plumber comes over to your house, turns the router over, takes a picture of the bottom of it and he can now get on your network forever."

That eight-digit PIN isn't even eight digits, Horowitz explained. It's actually seven digits, plus a final checksum digit. The first four digits are validated as one sequence and the last three as another, resulting in only 11,000 possible codes instead of 10 million.

"If WPS is active, you can get into the router," Horowitz said. "You just need to make 11,000 guesses" — a trivial task for most modern computers and smartphones.

MORE: How to Secure Your Samsung Galaxy Phone

Then, there's networking port 32764, which French security researcher Eloi Vanderbeken in late 2013 discovered had been quietly left open on gateway routers sold by several major brands. Using port 32764, anyone on a local network — which includes a user's ISP — could take full administrative control of a router, and even perform a factory reset, without a password.

The port was closed on most affected devices following Vanderbeken's disclosures, but he later found that it could easily be reopened with a specially designed data packet that could be sent from an ISP.

"This is so obviously done by a spy agency, it's amazing," Horowitz said. "It was deliberate, no doubt about it."

How to lock down your home router

The first step toward home router security, Horowitz said, is to make sure the router and modem are not a single device. Many ISPs lease such devices to customers, but they'll have little control over their own networks.

"If you were given a single box, which most people I think call a gateway," he said, "you should be able to contact the ISP and have them dumb down the box so that it acts as just a modem. Then you can add your own router to it."

Next, Horowitz recommended that customers buy a low-end commercial-grade Wi-Fi/Ethernet router, such as the Pepwave Surf SOHO, which retails for about $150, rather than a consumer-friendly router that costs half as much. Commercial-grade routers are unlikely to have UPnP or WPS enabled. The Pepwave, Horowitz noted, offers additional features, such as firmware rollbacks in case a firmware update goes wrong.

Regardless of whether a router is commercial- or consumer-grade, there are several things, varying from easy to difficult, that home-network administrators can do to make sure their routers are more secure:

Easy fixes

Change the administrative credentials from the default username and password. They're the first things an attacker will try.

Change the network name, or SSID, from "Netgear," "Linksys" or whatever the default is, to something unique — but don't give it a name that identifies you.

"If you live in an apartment building in apartment 3G, don't call your SSID 'Apartment 3G,'" Horowitz quipped. "Call it 'Apartment 5F.'"

Enable WPA2 wireless encryption so that only authorized users can hop on your network.

Disable Wi-Fi Protected Setup, if your router lets you.

Set up a guest Wi-Fi network and offer its use to visitors, if your router has such a feature. If possible, set the guest network to turn itself off after a set period of time.

"You can turn on your guest network, and set a timer, and three hours later, it turns itself off," Horowitz said. "That's a really nice security feature."

Do not use cloud-based router management if your router's manufacturer offers it. Instead, figure out if you can turn that feature off.

"This is a really bad idea," Horowitz said. "If your router offers that, I would not do it, because now you're trusting another person between you and your router."

MORE: 7 Computer-Security Fixes to Make Right Now

Moderately difficult

Install new firmware when it becomes available. Log into your router's administrative interface routinely to check. With some brands, you may have to check the manufacturer's website for firmware upgrades. But have a backup router on hand if something goes wrong.

Set your router to use the 5-GHz band for Wi-Fi instead of the more standard 2.4-GHz band, if possible and if all your devices are compatible.

"The 5-GHz band does not travel as far as the 2.4-GHz band," Horowitz said. "So if there is some bad guy in your neighborhood a block or two away, he might see your 2.4-GHz network, but he might not see your 5-GHz network."

Disable remote administrative access, and disable administrative access over Wi-Fi. Administrators should connect to routers via wired Ethernet only.

Advanced tips for more tech-savvy users

Change the settings for the administrative Web interface, if your router permits it. Ideally, the interface should enforce a secure HTTPS connection over a non-standard port, so that the URL for administrative access would be something like, to use Horowitz's example, "https://192.168.1.1:82" instead of the more standard "http://192.168.1.1".

Use a browser's incognito or private mode when accessing the administrative interface so that your new URL is not saved in the browser history.

Disable PING, Telnet, SSH, UPNP and HNAP, if possible. Instead of setting relevant ports to "closed," set them to "stealth" so that no response is given to unsolicited external communications that may come from attackers probing your network.

"Every single router has an option not to respond to PING commands," Horowitz said. "It's absolutely something you want to turn on — a great security feature. It helps you hide. Of course, you're not going to hide from your ISP, but you're going to hide from some guy in Russia or China."

Change the router's Domain Name System (DNS) server from the ISP's own server to one maintained by OpenDNS (208.67.220.220, 208.67.220.222, 208.67.222.220, 208.67.222.222) or Google Public DNS (8.8.8.8, 8.8.4.4).

Use a virtual private network (VPN) router to supplement or replace your existing router and encrypt all your network traffic.

"When I say VPN router, I mean a router that can be a VPN client," Horowitz said. "Then, you sign up with some VPN company, and everything that you send through that router goes through their network. This is a great way to hide what you're doing from your Internet service provider."

Finally, use Gibson Research Corp.'s Shields Up port-scanning service at https://www.grc.com/shieldsup. It will test your router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Discuss
Ask a Category Expert

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • 3 Hide
    COLGeek , July 31, 2014 12:09 PM
    Good suggestions. All easy and effective.

    In this day and age, there is simply no excuse to not secure a home network. None.
  • 2 Hide
    bugmenotplz , July 31, 2014 2:12 PM
    Also heads up if you run shieldsup make sure you are not connected to VPN it will scan VPN ports and by default most ports are open.

    So run it while not connected to VPN to get accurate results from your own ports.
  • 0 Hide
    velocityg4 , July 31, 2014 2:44 PM
    So I guess I should drop at least $500 on a hardware firewall. I'm not to worried. Sure home devices aren't the securest option. However, I get security by obscurity. I'm too insignificant for someone to waste their time hacking into my network. When that time could be spent trying to break into the network of someone far wealthier than me.

    I also keep my firmware up to date. My router does not have WPS. My WPA2 password is quite strong as well.
  • Display all 7 comments.
  • 1 Hide
    razor512 , July 31, 2014 8:08 PM
    Most router companies have long patched the WPS issue, while it is still best to disable it if possible, most routers now will disable WPS automatically after 3 failed attempts.

    Most ISP supplied gateways will often have a remote access function that cannot be Disabled, for example the actiontec routers that verizon gives, has a remote access function that listens on port 4567. (the right attack on the remote access can also work to slow the router down or cause it to hang).

    There is no need to jump to more commercial grade equipment as the cost will increase significantly (often for slower hardware, e.g., commercial/ enterprise accespoints have not really adopted AC1300 on the 5GHz band yet.

  • 0 Hide
    Haravikk , August 1, 2014 4:53 AM
    I just checked my VirginMedia supplied SuperHub 2 (some Netgear fibre-optic gateway/router) and it seems to have pretty good security defaults. The main problem is that WPS did seem to have PIN-based connections enabled by default, however it is possible to turn off PIN authentication only, while still allowing devices to connect using the push-button method (press the button on the router, and do the equivalent on your device), so you don't lose the convenience of automated connection, but someone has to be physically inside your house to do it.
  • 0 Hide
    smithsa , August 1, 2014 7:19 AM
    Great article and recommendations. Besides ShieldsUp, there's another tool that's more powerful and easier to use called RouterCheck that's worth looking into.
  • 0 Hide
    Anomy_ , August 6, 2014 12:59 PM
    There is a "Linux based firmware" from a third party that will load into many routers that will increase security if only because many of the security holes aren't written into the software. But it's more than that, many believe the firmware upgrades a consumer WiFy router to that of at least the level of inexpensive commercial.
    Plus, my 310 router was glichy and unreliable till I installed the third party firmware that allowed me to turn the power down. The router has been up for 94 days without a hiccup.
    Unfortunately unless the firmwares installation instructions are followed explicitly, especially the hard resets, there is a good chance you'll brick the router.
    Do there is that.

    On another note, if you live in a house you can put the WiFy router in the basement. Being underground really limits the horizontal range but seems to effect vertical very little.

    Plus, when remodeling the house and building the garage I ran lan to strategic walls and to the garage, a run of about 175 feet. The garage has its own WiFy (E1000) with the power turned down to ~ 10 watts.
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter
  • add to twitter
  • add to facebook
  • ajouter un flux RSS