Wi-Fi Warning: ISP-Provided Routers Put You at Risk

A D-Link wireless router similar to those found to be vulnerable in a recent study.

A D-Link wireless router similar to those found to be vulnerable in a recent study.

Hundreds of thousands of DSL modem routers given to customers by Internet service providers are full of security holes and could leave average users vulnerable to hackers, a security researcher says.

Last week at the CRESTCon and IISP Congress in London, Kyle Lovett of Cisco Systems showed that some 700,000 home gateway devices sold under the ZTE, D-Link, Sitecom, Fiberhome and other names, as well as some using private ISP labels, failed to prevent remote takeover by hackers who could easily change router settings to direct hapless victims to malicious websites.

MORE: Your Router's Security Stinks. Here's How to Fix It

Most of the models were distributed by ISPs in Latin America, the Middle East and Asia, although Lovett said some could be bought off the shelf in North America, according to a writeup of Lovett's presentation by Lucian Constantin of IDG News Service.

The latest vulnerabilities reinforce the perception that many routers and home Internet gateways distributed by ISPs, as well as low-end models sold in U.S. retail outlets, have shoddy security and can be easily hacked.

The solution may be to spend more for your home router, and to make sure your modem, whether it's for DSL or cable, and your router are separate devices.

Litany of pwnage

In the past seven months, major security flaws have been found in home wireless routers made by ASUS, Huawei, Netcore, Netis, TP-Link and UTStarcom, as well as the aforementioned D-Link and ZTE. The problems often stem from the fact that routers commonly run third-party firmware, some of it more than a decade old.

Firmware patches are haphazardly distributed to customers, who can sometimes only learn of updates by checking manufacturer websites. Moreover, many customers never change administrative credentials, which can be sometimes accessed from the Internet — and many combination modem-routers handed out by ISPs can't be administered by the end user at all.

The result is that the devices that route Internet traffic into tens of millions of American homes are often much less secure than the computers and smartphones to which they're delivering the traffic.

In a presentation at the HOPE X security conference in July 2014, independent computer consultant and columnist Michael Horowitz ran through half a dozen common home-router flaws, ranging from the profoundly insecure Wi-Fi Protected Setup (WPS) option to an obscure but potentially devastating "backdoor" that may have been installed on several brands.

Horowitz recommended buying a commercial-grade small-office router with less convenience and a higher price, but much more security, than a home model. Home models with a high price, such as the Apple Airport Extreme, might also fit the bill.

Horowitz provided an extensive checklist of steps, ranging from easy to advanced, that users of any home wireless router can take if they have administrative access to their devices. If your ISP gives you a combination modem-router gateway, most common with DSL service, contact the ISP to ask how you can put it into purely modem mode so that you can add your own router.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.