Your router, that box sitting in a corner of your house giving you internet access, is in many ways more important than your laptop or mobile phone. It might not store any of your personal information directly, but sensitive data passes through it every time you access various online services and can be stolen or manipulated if the router is hacked.
A compromised router can also serve as a platform for attacking other devices on your local network, such as your phone or laptop, or for launching denial-of-service attacks against internet websites. This can get your IP address blacklisted and can slow down your internet speed.
Because it’s exposed directly to the outside world, your router is frequently targeted by automated scans, probes and exploits, even if you don’t see those attacks. And compared to your laptop or phone, your router doesn’t have an antivirus program or other security software to protect it.
Unfortunately, most routers are black boxes and users have little control over their software and configurations, especially when it comes to devices supplied by internet service providers to their customers. That said, there are certain actions that users can take to considerably decrease the likelihood of their routers falling victim to automated attacks.
Many of those actions are quite basic, but others require a bit of technical knowledge and some understanding of networking concepts. For less technical users, it might simply be easier to buy a security-focused router with automatic updates such as the Eero, Google OnHub, Norton Core, Bitdefender Box, or F-Secure Sense. The downside is that those routers are expensive, some require annual subscriptions for certain services, and their level of customization is very limited. Ultimately, their users need to trust the vendors to do the right thing.
If you don’t want to get one of those, or already have a router, follow along for a detailed, step-by-step guide on how to secure it.
Choosing a router
If you prefer getting a cheaper router or modem that you can tweak to your needs, avoid getting one from your ISP. Those devices are typically manufactured in bulk by companies in China and elsewhere and they come with customized firmware that the ISPs might not fully control. This means that security issues can take a very long time to fix and in some cases, they never get patched.
Some ISPs force users to use gateway devices they supply because they come pre-configured for remote assistance and there have been many cases when those remote management features have been poorly implemented, leaving devices open to hacking. Furthermore, users cannot disable remote access because they’re often not given full administrative control over such devices.
Whether users can be forced to use a particular modem or router by their ISP varies from country to country. In the US, regulations by the Federal Communications Commission (FCC) are supposed to prevent this, but it can still happen. There are also more subtle device lock-ins where ISPs allow users to install their own devices, but certain services like VoIP will not work without an ISP-supplied device.
If your internet provider doesn’t allow you to bring your own device onto its network, at least ask if their device can be configured in bridge mode and if you can install your own router behind it. Bridge mode disables routing functionality in favor of your own device. Also, ask if your ISP’s device is remotely managed and if you can opt out and disable that service.
The market for home and small office routers is very diverse so choosing the right router will depend on budget, the space that needs to be covered by its wireless signal, the type of internet connection you have, and other desired features like USB ports for attached storage, etc. However, once you get your list down to a few candidates, it’s important to choose a device from a manufacturer that takes security seriously.
Research the company’s security track record: How did it handle vulnerabilities being discovered in its products in the past? How quickly did it release patches? Does it have a dedicated contact for handling security reports? Does it have a vulnerability disclosure policy or does it run a bug bounty program? Use Google to search for terms like “[vendor name] router vulnerability” or “[vendor name] router exploit” and read past reports from security researchers about how they interacted with those companies. Look at the disclosure timelines in those reports to see how fast the companies developed and released patches after being notified of a vulnerability.
It’s also important to determine, if possible, how long a device will continue to receive firmware updates after you buy it. With product lifecycles becoming shorter and shorter across the industry, you might end up buying a product released two years ago that will reach end-of-support in one year or in several months. And that’s not something you want with a router.
Unfortunately, router vendors rarely publish this information on their websites, so obtaining it might involve calling or emailing the company’s support department in your respective country, as there are region-specific device models or hardware revisions with different support periods. You can also look at the firmware update history of the router you intend to buy or of a router from the manufacturer’s same line of products, to get an idea of what update frequency you can expect from the company.
Choose a device that can also run open-source community-maintained firmware like OpenWrt/LEDE because it’s always good to have options and these third-party projects excel at providing support for older devices that manufacturers no longer update. You can check the device support list of such firmware projects—OpenWrt, LEDE, DD-WRT, AdvancedTomato, Asuswrt-Merlin—to inform your buying decision.
Once you have a router, it’s time to make a few important settings. Start by reading the manual to find out how to connect to the device and access its administration interface. This is usually done from a computer through a web browser.
Change the default admin password
Never leave your router with the default administrator password as this is one of the most common reasons for compromises. Attackers use botnets to scan the entire internet for exposed routers and try to authenticate with publicly known default credentials or with weak and easy-to-guess passwords. Choose a strong password and, if given the option, also change the username for the default administrative account.
Last year, a botnet called Mirai enslaved over 250,000 routers, IP cameras and other Internet-of-Things devices by connecting to them over Telnet and SSH with default or weak administrative credentials. The botnet was then used to launch some of the largest DDoS attacks ever recorded. More recently, a Mirai clone infected over 100,000 DSL models in Argentina and other countries.
Secure the administrative interface
Many routers allow users to expose the admin interface to the internet for remote administration and some older devices even have it configured this way by default. This is a very bad idea even if the admin password is changed, because many of the vulnerabilities found in routers are located in their web-based management interfaces.
If you need remote administration for your router, read up on how to set up a virtual private network (VPN) server to securely connect into your local network from the internet and then perform management tasks through that connection. Your router might even have the option to act as a VPN server, but unless you understand how to configure VPNs, turning on that feature might be risky and could expose your network to additional attacks.
It’s also a common misconception that if a router’s administrative interface is not exposed to the internet, the device is safe. For a number of years now, attackers have been launching attacks against routers through cross-site request forgery (CSRF) techniques. Those attacks hijack users’ browsers when visiting malicious or compromised websites and force them to send unauthorized requests to routers through local network connections.
In 2015, a researcher known as Kafeine detected a large-scale CSRF attack launched through malicious advertisements placed on legitimate websites. The attack code was capable of targeting over 40 different router models from various manufacturers and attempted to change their Domain Name System (DNS) settings through command injection exploits or through default administrative credentials.
By replacing the DNS servers configured on routers with rogue servers under their control, attackers can direct users to fake versions of the websites they are trying to visit. This is a powerful attack because there’s no indication in the browser address bar that something is amiss unless the website uses the secure HTTPS protocol. Even then, attackers can use techniques such as TLS/SSL stripping and many users might not notice that the green padlock is missing. In 2014, DNS hijacking attacks through compromised home routers were used to phish online banking credentials from users in Poland and Brazil.
CSRF attacks usually try to locate routers over the local area network at common IP addresses like 192.168.0.1 or 192.168.1.1 that manufacturers configure by default. However, users can change the local IP address of their routers to something else, for example, 192.168.33.1 or even 192.168.33.22. There’s no technical reason why the router should have the first address in an IP netblock and this simple change can stop many automated CSRF attacks in their tracks.
There are some other techniques that attackers could combine with CSRF to discover the LAN IP address of a router, even when it’s not the default one. However, some routers allow restricting access to their administrative interfaces by IP address.
If this option is available, you can configure the allowed IP address to be different than those automatically assigned by the router to your devices via the Dynamic Host Configuration Protocol (DHCP). For example, configure your DHCP address pool to be from 192.168.33.50 to 192.168.33.100, but specify 192.168.33.101 as the IP address allowed to access the router’s administrative interface.
This address will never be automatically assigned to a device, but you can manually configure your computer to temporarily use it whenever you need to make changes to your router’s settings. After the changes are done, set your computer to automatically obtain an IP address via DHCP again.
Also, if possible, configure the router interface to use HTTPS and always access it from a private/incognito browser window, so that no authenticated session that could be abused via CSRF remains active in the browser. Don’t allow the browser to save the username and password either.
Shut down risky services
Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they’re actually needed. In general, any service that’s not used should be disabled to reduce attack surface.
Over the years, security researchers have found many undocumented “backdoor” accounts in routers that were accessible over Telnet or SSH and which provided full control over those devices. Since there’s no way for a regular user to determine if such accounts exist in a router or not, disabling these services is the best course of action.
Another problematic service is Universal Plug and Play (UPnP), which allows devices to discover each other on networks and share their configurations so they can automatically set up services like data sharing and media streaming.
Many UPnP vulnerabilities have been found in home routers over the years, enabling attacks that ranged from sensitive information exposure to remote code execution leading to full compromise.
A router’s UPnP service should never be exposed to the internet and, unless absolutely needed, it shouldn’t be enabled on the local area network either. There’s no simple way to tell if a router’s UPnP implementation is vulnerable and the service can be used by other network devices to automatically punch holes through the router’s firewall. That’s how many IP cameras, baby monitors, and network-attached storage boxes become accessible on the internet without their owners knowing.
Other services that have been plagued by vulnerabilities and should be disabled include the Simple Network Management Protocol (SNMP), the Home Network Administration Protocol (HNAP) and the Customer Premises Equipment WAN Management Protocol (CWMP), also known as TR-069.
SNMP is mostly used in corporate environments, so many home routers don’t have the feature, but some do, especially those supplied by ISPs. In 2014, researchers from Rapid7 found SNMP leaks in almost half a million internet-connected devices and in April, two researchers found a weakness in the SNMP implementation of 78 cable modem models from 19 manufacturers, including Cisco, Technicolor, Motorola, D-Link and Thomson. That flaw could have allowed attackers to extract sensitive information such as administrative credentials and Wi-Fi passwords from devices and to modify their configurations.
HNAP is a proprietary administration protocol that’s only found in devices from certain vendors. In 2010, a group of researchers found vulnerabilities in the HNAP implementation of some D-Link routers and in 2014 a worm called The Moon used information leaked through HNAP to target and infect Linksys routers by exploiting an authentication bypass vulnerability.
CWMP or TR-069 is a remote management protocol used by ISPs and flawed implementations have been exploited by Mirai last year to infect or to crash DSL modems from ISPs in Ireland, the U.K. and Germany. Unfortunately, there’s usually no way for users to disable TR-069, which is another reason to avoid ISP-supplied devices.
One thing’s certain: Attackers are increasingly attacking routers from inside local area networks, using infected computers or mobile devices as a launchpad. Over the past year researchers have found both Windows and Android malware programs in the wild that were designed specifically to hack into routers over local area networks. This is useful for attackers because infected laptops and phones will be connected by their owners to different networks, reaching routers that wouldn’t otherwise be exposed to attacks over the internet.
Security firm McAfee also found an online banking trojan dubbed Pinkslipbot that transforms infected computers into web proxy servers accessible from the internet by using UPnP to automatically request port forwarding from routers.
The Vault7 documents published by WikiLeaks this year describe a set of tools supposedly used by the US Central Intelligence Agency to hack into routers and replace their firmware with one designed to spy on traffic. The toolset includes an exploit named Tomato that can extract a router’s administrative password through UPnP from inside the local area network, as well as custom firmware dubbed CherryBlossom that reportedly works on consumer and small business routers from 10 manufacturers.
Unfortunately, when building devices, many manufacturers don’t include local area network attacks in their threat model and leave various administration and debugging ports exposed on the LAN interface. So it’s often up to users to determine what services are running and to close them, where possible.
Users can scan their routers from inside their local networks to identify open ports and protocols using various tools, a popular one being Nmap with its graphical user interface called Zenmap. Scanning a router from outside the LAN is more problematic because port scanning on the internet might have legal implications depending on jurisdiction. It’s not recommended to do this from your own computer, but you can use a third-party online service like ShieldsUP or Pentest-Tools.com to do it on your behalf.
Secure your Wi-Fi network
When setting up your Wi-Fi network, choose a long, hard-to-guess passphrase, also known as a Pre-shared Key (PSK)—consider a minimum of 12 alphanumeric characters and special symbols—and always use the WPA2 (Wi-Fi Protected Access II) security protocol. WPA and WEP are not safe and should never be used.
Disable Wi-Fi Protected Setup (WPS), a feature that allows connecting devices to the network by using a PIN printed on a sticker or by pushing a physical button on the router. Some vendors’ WPS implementations are vulnerable to brute-force attacks and it’s not easy to determine which ones.
Some routers offer the option to set up a guest wireless network that’s isolated from the rest of your LAN and you can use it let friends and other visitors use your internet connection without sharing your main Wi-Fi password. Those guests might not have malicious intentions, but their devices might be infected with malware, so it’s not a good idea to give them access to your whole network. Since their devices can also be used to attack the router is probably best not to let them use your internet connection at all, guest network or not, but that might not be an easy thing to explain to them.
Update your router’s firmware
Very few routers have fully automatic update capabilities, but some do provide manual update checking mechanisms in their interfaces or email-based notifications for update availability. Unfortunately, these features might stop working over time as manufacturers make changes to their servers and URLs without taking old models into consideration. Therefore, it’s also good to periodically check the manufacturer’s support website for updates.
Some more advanced stuff
If you disable UPnP but want a service that runs inside the LAN to be accessible from the internet—say an FTPS (FTP Secure) server running on your home computer—you will need to manually set up a port forwarding rule for it in the router’s configuration. If you do this, you should strongly consider restricting which external IP addresses are allowed to connect to that service, as most routers allow defining an IP address range for port forwarding rules. Also, consider the risks of making those services available externally, especially if they don’t encrypt traffic.
If you don’t use it for guests, the router’s guest wireless network can be used to isolate internet-of-things devices on your LAN. Many IoT devices are managed through mobile apps via cloud-based services so they don’t need to talk directly to your phone over the local network beyond initial setup.
Doing this protects your computers from the often vulnerable IoT devices and your IoT devices from your computers, in case they become infected. Of course, if you decide to use the guest wireless network for this purpose, change its password and stop sharing it with other people.
Similar network segmentation can be achieved through VLANs (virtual local area networks), but this feature is not commonly available in consumer routers unless those devices run third-party firmware like OpenWRT/LEDE, DD-WRT or AdvancedTomato. These community-built Linux-based operating systems for routers unlock advanced networking features and using them might actually improve security, because their developers tend to patch vulnerabilities quicker than router vendors.
However, flashing custom firmware on a router will typically void its warranty and, if not done properly, might leave the device in an unusable state. Don’t attempt this unless you have the technical knowledge to do it and fully understand the risks involved.
Following the recommendations in this guide will significantly lower the chances of your router falling victim to automatic attacks and being enslaved in a botnet that launches the next internet-breaking DDoS attack. However, if a sophisticated hacker with advanced reverse-engineering skills decides to specifically target you, there’s very little you can do to prevent them from eventually breaking into your home router, regardless of what settings you made. But why make it easy for them, right?