Securing your Router/WiFi

Today we’ll talk about something most home and office’s have. It’s so common now, most people don’t even give it a second thought, a router that enables you to have a WiFi network. It’s convenient, no wires so no clutter and possibly the weakest link in your home/office security. Wait, what? Yes, in a world where everything is designed to be plug-and-play, routers are no exception. Most come pre-configured with the WiFi and Administrator password printed on a label stuck to the bottom of the device or on a small piece of paper that’s inside the box. Just plug it in and you’re good to go. “No-one has access to the device or the box but just in case let’s remove that label and store that piece of paper somewhere safe. Done, safe, ready to surf the web and connect all my devices to the internet.” If this is you, we have a lot to talk about.

Here are some tips, common misconceptions and best practices when it comes to securing your router / WiFi.
1. Change the default name and passwords.
Though others may not have physical access to that piece of paper with the password you stashed somewhere safe, default names, passwords and settings are mostly the same for all brands and models. Of course there are exceptions but most routers can be accessed with Admin/Admin, Admin/{no password}, Administrator/Password etc. The default names and passwords for both the Administrator access and WiFi can be easily guessed and/or found online. Change the default credentials of your router as soon as possible.

2. NAT, Firewall.
As old as the internet itself, the firewall is critical to your safety online. Most routers have a built-in firewall that can be configured through the Admin panel but some routers do not (Airport Extreme for example). Routers that utilize NAT and do not have a firewall should still be somewhat protected as NAT can act as a firewall too. Many manufacturers have tried to make the firewalls in their devices easy to configure and even loaded them up with presets so the user can set it up but still to this day most users will rather disable it or leave it at factory default settings so they do not have to learn how to set it up and properly test it. This is like hiding in a nuclear bunker but leaving a window open. Take time to get to know your router’s firewall settings and configure them to your needs.

3. WiFi password.
As discussed before, and then some more, and probably more in the future, passwords are most often the weak link in any setup. Choose a strong password and do not hand it out to anyone. If someone asks for your wifi password at home, type it in yourself. If you are not comfortable handing out your WiFi password (good, you shouldn’t be), set up a Guest Network if your router supports that feature.

4. Guest Network.
Setting up a guest network is fine, very kind of you, but for some reason people think that a guest network should not have a password or a password that’s extremely easy and fast to type in, after all they do not want to inconvenience their guests. I still do not understand why but as you can guess, this is a big no-no. Guest networks should be equally well protected. Pick a strong password that you do not use for anything personal (so one that is ok to hand out to whoever asks to join your network) and change it often. If your router supports this feature there may be additional settings to limit the guest network bandwidth, set restrictions as to what ports and protocols are allowed and wether or not the guest network can communicate/mix with your private network. Examine all available settings thoroughly and adjust them.

5. WiFi encryption.
When selecting a way to encrypt your wireless network you are usually presented with options of different encryption methods. WEP used to be very popular back in the day, then WPA and WPA2 took over. A surprising amount of wireless networks these days are still ‘protected’ with WEP encryption. I say ‘protected’ because using WEP is like using no encryption. Tools that are available online for free and take little effort to install and operate can crack a WEP key in a very short amount of time. Anyone with those tools and a laptop can sit in range of your wireless and figure it out. Change your WiFi encryption to WPA or WPA2.

6. MAC Address Filter.
A common misconception is that no password or encryption is needed if a MAC address filter is set up. Meaning only devices that have their unique MAC address pre-defined in an access list on the router may connect to it. This is absolutely not the case. In fact, in my opinion, MAC address filters are completely useless. If you do insist on having it enabled please do not rely on it as a safety measure. MAC addresses are sent in every transmission from a device to the router, they are not encrypted, they can be snatched out of the air by anyone! Once someone has your MAC address they can set up their own equipment, spoof their MAC address to be identical to yours, send a disconnect signal that kicks everyone off the network for a second and then connects his equipment before yours can. That person is now connected to your router, on your WiFi, using your MAC address. The router doesn’t know any better as the MAC address is valid and pre-defined to be allowed onto the network. Sounds simple and really, it is. Please do not believe MAC address filters offer ány kind of security. Set up WPA/WPA2 encryption with a strong password.

7. Firmware.
Routers have their own little operating system installed called the firmware. Just like your computer there may be occasional updates that become available to do anything from feature enhancements to security patches. Most people are completely unaware this firmware exists and that it has to be checked for available updates once in a while. To make sure you are not using a router with firmware that has been outdated for the last 3 years, visit the manufacturer website and see if new firmware is available for your router. If there is, read through the changes and patches that are included and then read previous update notes dating back all the way since you purchased the router. Once you are done reading, wether you understand all of it or not, you should have a pretty good idea as to what kind of vulnerabilities your network has had all this time and hopefully from then on you’ll check at least once a month for new updates. If you do not want to read, install the latest available update anyway 🙂

8. Online tests and reviews.
Do a search for your specific router model online and combine it with words like ‘vulnerability’, ‘exploit’ and ‘hack’, see what pops up. See if there is talk online about known vulnerabilities and known exploits. If there are a lot of them, check to make sure these vulnerabilities were fixed in a recent firmware update by the manufacturer. If they have not, you have a choice to make. Keep that router that hasn’t seen a firmware update in over a year and leaves your network an easy target or invest in a new router (do the same research before you buy a new router). I am a big fan of the Airport Extreme. It’s not very popular so not (yet) a target worth going after for hackers. The tests that have been done so far show good results when it comes to security. Use pages such as the National Vulnerability Database to search for a vendor or model number to see if it has known vulnerabilities or a long history of sloppy security.
Example.

9. Connected devices.
Any device connected to your network is a potential access point for someone with malicious intent. This can be your computer, smart phone, fax or even your wireless thermostat. Make sure every device that connects to your network is properly secured. Strong passwords, up to date soft/firmware etc etc.

10. Physical access.
The best password and encryption won’t do you any good if someone with bad intentions can walk up to the router, resets it and adjust settings as he/she pleases or worse, install a custom firmware version that allows unlimited access from any location and monitors your traffic on top of that. Your router needs to be in a place where it is not easy to reach. In offices this usually means above the ceiling boards or in a server room, at home this usually means behind a locked door or somewhere on top of a closet. You have to find a good balance between location and coverage.

Take a look at this very recent study.
“Before you dismiss router hacks as exceptionally rare, it’s important to note that they’ve been a small but growing segment of computer security threats. In 2011, one firmware vulnerability affecting six hardware manufacturers combined with two malicious scripts and 40 malicious DNS servers to attack 4.5 million Brazilian DSL modems, with the goal of stealing bank and credit card information.”