Recently there has been a lot of press regarding the security of home or small office routers. Cisco Talos has warned that 500,000 devices, including storage devices, have been hacked across 54 countries in a suspected targeted nation-state attack. The vulnerability is known as VPNFilter and affects router brands like Linksys, MikroTik, NETGEAR and TP-Link as well as QNAP network-attached storage (NAS). You may not have one of these brands, but home routers by their very nature are vulnerable due to their connection to the internet as well as locally through their wireless connectivity. This blog is an attempt to provide you with some basic home router and internet connected device security hygiene, but first let’s discuss why…
In the past, a number of router brands have been found to have a hidden backdoor… a technical term for accessing a router by bypassing encryption or authentication via a default port. Backdoors provide a way for the manufacturer or vendor of the device to access it for maintenance reasons, but through poor security design practices they can all end up with the same hard coded password. If this password is obtained by malicious actors, then all the models for that manufacturer immediately become vulnerable to attack.
Routers control the network. If someone has administrative access to a router, they can potentially see all the network traffic that passes through it. Some of your network traffic is encrypted, which means all an attacker will see is gibberish, but a lot of it may not be encrypted, and that information will be in plain text, which of course can be easily read.
However, what is worse is that once someone has control of the network, they can direct your internet traffic to wherever they like. A malicious attacker can direct you to a page which may look like Amazon, but it’s controlled by them, so when you go to order something, you are giving the attacker your password to Amazon, your address, contact information, credit card etc. If you also use that same password for other sites, the attacker may try to gain access to these sites too (look back to my second blog about using strong passwords!).
Hacked routers can also end up being part of a botnet. This happened to some owners of D-Link and Huawei routers, which became part of the Satori botnet that infected more than 280,000 internet addresses in under 12 hours of initiation. Internet of Things (IoT) devices are increasing in our homes: kettles (I’m not sure why these need to be on the internet), central heating systems, lights, doorbells, fitness devices etc. It’s estimated that by 2020 there will be 31 billion IoT devices connected worldwide. Some of the rules for securing routers can also be applied to IoT devices, but it’s wise to check a gadget’s security before purchasing the latest IoT device. You can have a very secure network which becomes worthless after installing a vulnerable IoT device. This happened to a casino that installed an insecure IoT thermometer in a fish tank; the thermometer was hacked and used to gain access to the casino’s gambling database.
But there are things you can do to reduce the risk to your home network. However, I now hear cries of “but I’m not technical” and “I don’t know the first thing about routers or networking!” If you are not comfortable making these changes, I recommend calling upon the ‘expert’ in the family and getting them to make these changes for you. If you are the ‘expert’, also check on your family’s and friends’ routers; they may not be as technical and could do with the help and advice.
You will need administrator access to your router:
1) Change the SSID so it is not instantly recognisable what manufacturer of router you have. The Service Set Identifier (SSID) is the name you search for when looking for Wi-Fi networks… SKY-4HSJT or BTHub6-ABCD-5 as examples, which instantly gives away what provider you are using.
2) Change the default user name (if possible) and password of the administrator account for your router. As you rarely use this account, make the password very long and complex.
3) Change the password used to connect to wireless. Again, use your password manager and make it a long and strong password. It will be a pain when you add a new device as it will feel like it’s taking forever to put the password in (especially with a TV remote), but you don’t have to do that very often, so the awkwardness is worth it.
4) WPA2 AES or better (WPA3) should be the default authentication method for modern routers. If you know someone with an older router, check that it is not using WEP, as it is insecure and should never be used.
5) Most routers have built-in firewalls, but double check the model with the manufacturer to ensure yours has one. If any of your devices have built-in firewalls, make sure they are enabled.
6) Check that remote access is in a disabled state.
7) Disable Universal Plug and Play (UPnP). You may need to temporarily turn it back on for new gadgets, but turn it off again afterwards.
8) Check your router manufacturer for firmware updates. ISPs (Internet Service Providers) like BT (plus others) automatically update the firmware, but check regularly to make sure it’s up to date according to the provider’s or manufacturer’s website.
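For the family ‘expert’, steps 1 and 4 can be checked from a laptop without logging in to the router. The script below is an added example, not part of the original post: it assumes a Linux machine with NetworkManager and reads the output of `nmcli -t -f SSID,SECURITY device wifi list`; the sample scan and every SSID prefix other than SKY and BTHub are constructed for illustration.

```python
import re

# Default-looking SSID prefixes. SKY and BTHub come from the examples in step 1;
# the others are illustrative assumptions based on brands named in the post.
DEFAULT_SSID = re.compile(r"^(SKY|BTHub|NETGEAR|TP-Link|Linksys)", re.IGNORECASE)

# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
SAMPLE_SCAN = r"""SKY-4HSJT:WPA2
BTHub6-ABCD-5:WPA1 WPA2
OldRouter:WEP
Cafe\: Guest:
Quiet Harbour:WPA2 WPA3
"""

def split_terse(line):
    # nmcli terse mode separates fields with ':' and backslash-escapes any
    # ':' or '\' that occurs inside a value, so undo the escapes while splitting.
    fields, cur, i = [], "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur += line[i + 1]
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return fields[0], (fields[1] if len(fields) > 1 else "")

def audit_scan(text):
    """Return {ssid: [findings]} for networks that fail step 1 or step 4."""
    report = {}
    for line in filter(str.strip, text.splitlines()):
        ssid, security = split_terse(line)
        modes = set(security.split())
        findings = []
        if DEFAULT_SSID.match(ssid):
            findings.append("SSID reveals provider or manufacturer (step 1)")
        if not modes:
            findings.append("open network, no encryption (step 4)")
        elif "WEP" in modes:
            findings.append("WEP in use (step 4)")
        elif not modes & {"WPA2", "WPA3"}:
            findings.append("older than WPA2 (step 4)")
        if findings:
            report[ssid] = findings
    return report
```

Calling `audit_scan()` on a saved scan from your own home returns only the networks that need attention; a network with a renamed SSID and WPA2 or WPA3 does not appear in the result.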