Six ways to secure your vulnerable network router


Summary: Your home router is vulnerable to attacks as soon as you take it out of the box. Here are six things you can do to secure your network.

  • Don't use the default login information

    It's nearly always possible to find a router's default username and password online, given the brand and model. That means an attacker can connect to the network, or get into the router settings and lock everyone else out, even the owners. Worse still, with control of the router they could monitor the traffic passing in and out of it, including passwords and credit card information.

    Change the default settings at the earliest opportunity with a strong username (if possible) and password.


  • Set the Wi-Fi security to WPA2

    WPA2 isn't perfect, but it's the best option outside the enterprise. It lets you set a strong password, with letters, numbers, and other characters, that is near-impossible for attackers to crack. The stronger the password, the harder it is for anyone to get onto your Wi-Fi network.
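One way to put a number on "the stronger the password, the harder it is" for a WPA2-Personal passphrase, added here as an example and not part of the original article: the character-pool entropy estimate (an upper bound that flatters word-based passwords) next to the word-list estimate, plus the 8-to-63 printable-ASCII rule a WPA2 passphrase must satisfy. The 16-word sample list is constructed; a real diceware list has 7776 words.

```python
import math
import secrets
import string

# Constructed sample list; a real diceware list has 7776 (6^5) words.
SAMPLE_WORDS = ["apple", "bridge", "candle", "desert", "engine", "forest",
                "garden", "hammer", "island", "jacket", "kettle", "lantern",
                "marble", "needle", "orange", "pencil"]

def charset_size(password: str) -> int:
    """Smallest standard character pool that covers every character used."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32), (" ", 1)]
    return sum(n for chars, n in classes if any(c in chars for c in password))

def entropy_as_random_chars(password: str) -> float:
    """Bits if every character had been drawn uniformly from the pool.
    This is an upper bound: a password built from words or keyboard
    patterns looks like this but was not generated this way."""
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0

def entropy_as_random_words(word_count: int, list_size: int) -> float:
    """Bits for word_count words drawn uniformly from a list of list_size."""
    return word_count * math.log2(list_size)

def generate_word_passphrase(words: list, word_count: int) -> str:
    """Diceware-style passphrase drawn with a CSPRNG, joined by spaces."""
    return " ".join(secrets.choice(words) for _ in range(word_count))

def wpa2_passphrase_report(candidate: str, assumed_list_size: int = 0) -> dict:
    """Check the WPA2-Personal passphrase rule (8..63 printable ASCII chars)
    and report both entropy estimates. The word estimate is only meaningful
    when the passphrase really was generated from a list of that size."""
    printable = all(32 <= ord(c) <= 126 for c in candidate)
    word_bits = None
    if assumed_list_size:
        word_count = len(candidate.split(" "))
        word_bits = round(entropy_as_random_words(word_count, assumed_list_size), 1)
    return {
        "valid_wpa2": printable and 8 <= len(candidate) <= 63,
        "bits_if_random_chars": round(entropy_as_random_chars(candidate), 1),
        "bits_if_random_words": word_bits,
    }
```

Four words from a 7776-word list give about 51.7 bits, roughly the same as 8 truly random characters from the full 94-character pool; the character-pool figure for the same four-word phrase is far higher only because it assumes a generation method that was not used.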


Topics: Networking, Privacy, Security


Talkback

28 comments
  • MAC addresses are easily spoofed.

    Give me five minutes with a packet sniffer, and I'll bypass that MAC filter. MAC addresses are easily spoofed.

    It's much harder to bypass the WiFi password than the MAC filter - it's pretty safe to assume that if somebody has the means to bypass your WiFi password, they also have the means to bypass the MAC filter.

    Also, if you're brave enough or know somebody who is confident doing such a thing, the very best thing to do to secure your router is to flash it with open source firmware. This will also make it far more stable, practically removing the number of times you need to reboot it.

    "Keep your router's firmware up to date"

    Good idea, in principle.

    But never possible. I don't think I've ever seen firmware updates for those cheap consumer boxes. If you want firmware updates, you'll either have to go with expensive enterprise level equipment, or with one of the custom open source firmwares.
    CobraA1
    • +1

      * MAC filters are useless.

      * Open source firmware is the way to go if you want your router to actually work, get useful updates, and not be subject to the manufacturer's whims regarding your privacy and security.
      TehBlahb
      • Locked doors are useless

        .. because a determined attacker will just break in a window.
        deanders
    • I've updated the firmware twice on my D-Link router

      Model DIR-655. I've followed all the recommendations in the article except for the MAC address filter. I may set that, but I suspect it is easily bypassed as some have commented.
      oldnuke69
      • It's a feature on many routers. And network adapters.

        "I've followed all the recommendations in the article except for the MAC address filter. I may set that, but I suspect it is easily bypassed as some have commented."

        It's a feature on many routers. And network adapters.

        Not "big iron" routers, mind you, but home routers you encounter every day.

        Many of them have a feature to manually set the MAC address. I've owned one, and it actually made short work of a college campus' enforcement of a "one machine per dorm room" limitation.

        I also looked at the "Advanced" tab of my network adapters on my desktop and laptop.

        On my desktop, "Network Address" is an editable field; I assume it's a MAC address.

        On my laptop, it's more explicit: "Locally Administered MAC Address."

        Spoofing MAC addresses: It's a feature!

        You don't even need special tools other than a packet sniffer. All you need to do is to find the MAC of an already existing machine, and you're golden.

        Trying to crack passwords, on the other hand, usually requires specialized tools made by hackers, and might not always succeed if the target is well protected.

        If somebody's gone out of their way to crack your password, spoofing your MAC address wouldn't even be a speed bump.
        CobraA1
        • It's not quite that easy

          It's not quite that easy as just duplicating an active MAC will cause them to step on each other. I'm not actually sure what will happen as I've never actually tried that on a wifi or any unswitched network. On a switch both systems become mostly unusable as packets going down the other channel cause repeated TCP timeouts.
          Buster Friendly
          • Not really.

            "It's not quite that easy as just duplicating an active MAC will cause them to step on each other."

            Not really. Higher level protocols sort it out anyways. Modern networking generally also includes things like NAT to help determine the eventual destination of a packet. Worst case, the packet may simply become duplicated and you may end up with more network traffic than you bargained for.

            Never had a problem with that at college. Just saying.
            CobraA1
    • Not usually an option

      I agree MAC filters aren't that useful, but most consumer hardware doesn't have other firmware support either. Back before I got the Verizon FIOS router, I tried to use dd-wrt, but it only worked on older hardware and was flaky on a lot of those. The problem is they change chipsets all the time but keep the same model numbers.
      Buster Friendly
    • Not that easy

      It is easy to spoof a MAC address, but not that easy to get one of the ones configured on the router. You need physical access to one of the systems, or maybe even logical access if no MAC is written on the box, or access to an unprotected network the system is connected to. In either case you have already compromised something in a much more direct way than spoofing a MAC address. There are a lot of theoretically easy hacks, but few really practical ones. MAC address filtering is an efficient way for home users, but not an easy one; I never saw a lambda user, so 99% of users, knowing about MAC filtering and willing to do it.
      By the way, if this lambda user follows the screen capture displayed here, she will lock herself out of her network: the selected option in the pic shows "Prevent PCs listed below...", silly.
      a_gautier
  • Various levels of usefulness

    Some of the advice is good, some of the advice isn't as good as it could be.

    1. Change default password. Obvious advice. Better advice would also mention how to build a strong password - not the useless crap about lower case, upper case, and one number - something about entropy like the CorrectHorseBatteryStaple from xkcd.
    2. WPA2. Solid choice. An article about security would have benefited from listing the choices and their flaws. It would also benefit from advice about what a strong password is - see above.
    3. MAC addresses. Not good advice. Anyone competent enough to get past a reasonably complex password will not be blocked by this. On the other hand, it certainly is a hassle for the user. See the first comment by CobraA1.
    4. Firmware updates. Very important. As soon as a firmware update is out, any vulnerabilities it patches are known to every prospective attacker. If no new firmware for your device has been released in the past 2 years, consider switching to DD WRT or something similar, if you can afford the small risk of bricking your router.
    5. Disable remote access. Sensible but incomplete. You do not want to allow http access, only https. Http may transmit the router login information unencrypted, which allows any connected device under someone else's control access to the password information.
    6. Disable guest access. I advise against this, strongly. Assuming a reasonably safe password for the guest network (certainly not "guest"), there is no benefit from this. On the other hand if you have guests to which you hand over the key to your main WiFi instead of the guest network, this increases your exposure significantly - even if you can trust your friends, you can't trust their devices.

    I also was surprised I didn't see anything about WPS in this.
    Sacr
    • I agree with most you said

      Except 5. Remote access as referenced means the router punching a hole in your WAN side firewall in order to allow access to the web interface from outside of your LAN. Therefore it should be disabled as there is no need for leaving this attack vector open.

      If you just are referring to non remote access and the inclusion of only https, then I obviously agree.
      sjaak328
      • Re

        If you just are referring to non remote access and the inclusion of only https, then I obviously agree.

        - Yep, that one. Disable all remote access and disable all http access.
        Sacr
    • Sacr: "I also was surprised I didn't see anything about WPS in this"

      Indeed. Wi-Fi Protected Setup (WPS) is included in many consumer router models from many manufacturers. WPS has some significant security implications.

      The gist of it is that users should disable WPS in their router as it makes WPA2 vulnerable to hacking. Some router models, though, fail to actually disable WPS when disabled via the settings.

      "Vulnerability Note VU#723755"
      "WiFi Protected Setup (WPS) PIN brute force vulnerability"
      http://www.kb.cert.org/vuls/id/723755

      "Researchers publish open-source tool for hacking WiFi Protected Setup"
      http://arstechnica.com/business/2011/12/researchers-publish-open-source-tool-for-hacking-wifi-protected-setup/

      "Wi-Fi routers: Oldies are goodies"
      http://blogs.computerworld.com/19551/wifi_routers_oldies_are_goodies
      Rabid Howler Monkey
      • Disable the PIN, but enable the button

        All of the WPS hacks brute force the PIN. But most home routers let you disable the PIN, while enabling the WPS hardware button on the router. Seems like a good approach to me.
        Speednet
  • Setting an Approved List will usually just result in a headache

    We live in a world of Wifi where it's commonplace for friends and family to use our broadband connection. Nice idea in theory, but it'll likely just get annoying.

    I've yet to see a router where you can change the username.

    The rest I usually do though.
    bradavon
    • DDWrt

      Or the like; you can change a lot of things. That is, if you know how to jack it in on your router, though.
      Koymik
    • First slide / picture

      You are correct, most routers have fixed login usernames. So the first slide should be, "Change the default admin password" of your router.
      Martmarty
    • Guest Network

      Better quality SOHO routers include dual radios to create a separate guest network that is restricted to internet access only and does not allow access to systems on the secure network.
      tmbutterworth
  • WPA2

    I stopped using MAC blocking a while ago, but to help security I do get on once every month or two and change the WPA key, and also periodically check the list of devices that have connected to the router to make sure nothing looks suss.

    The rest are good points which you'd wish were included on a little quick-reference-style card with the routers, so when the typical non-IT home user gets their shiny router from their ISP they have some basic things they know they should do.
    aesonaus
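A way to make the periodic device-list check above systematic, added here as an example (not from the article or any commenter): it parses a constructed "connected devices" export of the kind a home router's admin page shows, compares it against a baseline you recorded earlier, and flags unknown MACs, MACs with the locally-administered bit set (the "Locally Administered MAC Address" adapter setting discussed earlier in the thread, which is also what randomized MACs use), and one MAC appearing on two addresses at once. The hostnames, IPs and MACs are constructed sample values.

```python
import re
from collections import Counter

# Constructed "connected devices" export (hostname, IP, MAC), in the
# table layout typical of a home router admin page.
DEVICE_LIST = """\
hostname        ip             mac
living-room-tv  192.168.1.20   a4:5e:60:12:34:56
laptop-anna     192.168.1.31   3c:22:fb:aa:bb:cc
unknown         192.168.1.77   02:00:5e:11:22:33
laptop-anna     192.168.1.88   3c:22:fb:aa:bb:cc
"""

# Baseline recorded the last time the list was reviewed (constructed).
KNOWN_MACS = {"a4:5e:60:12:34:56": "living-room-tv",
              "3c:22:fb:aa:bb:cc": "laptop-anna"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")

def parse_device_list(text: str) -> list:
    """Return (hostname, ip, mac) tuples, skipping the header and bad rows."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 3 and MAC_RE.match(parts[2].lower()):
            rows.append((parts[0], parts[1], parts[2].lower()))
    return rows

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: the address was assigned by software
    (manually set or randomized), not burned in by the hardware vendor."""
    return bool(int(mac[:2], 16) & 0x02)

def audit_devices(text: str, known: dict) -> list:
    """Flag devices worth a look: absent from the baseline, carrying a
    software-assigned MAC, or sharing a MAC with another active address."""
    rows = parse_device_list(text)
    mac_counts = Counter(mac for _, _, mac in rows)
    findings = []
    for host, ip, mac in rows:
        reasons = []
        if mac not in known:
            reasons.append("not in baseline")
        if is_locally_administered(mac):
            reasons.append("locally administered MAC")
        if mac_counts[mac] > 1:
            reasons.append("MAC seen on %d addresses" % mac_counts[mac])
        if reasons:
            findings.append((host, ip, mac, reasons))
    return findings
```

A flagged entry is a prompt to check, not proof of an intruder: phones that randomize their MAC per network will trip the locally-administered check until you add them to the baseline.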
  • Mostly correct, but incomplete

    As said, a MAC address filter is useless for security and bothersome for yourself. The rest of the tips are good, but incomplete.

    I've tried to write a more complete how-to myself:
    https://sites.google.com/site/easylinuxtipsproject/securitywireless

    For those routers that are fit for it, I recommend Tomato RAF firmware rather than DD-WRT:
    https://sites.google.com/site/easylinuxtipsproject/tomato

    DD-WRT is, in my experience, buggy and unreliable. The least unreliable build is still 14929, I think, which is pretty old.... Tomato RAF on the other hand is steady as a rock on my routers, and has a brilliant QoS feature.
    pjotr123