
The introduction of the home router was a great advancement in security for many owners. Before routers, most PC users relied only on a software firewall or, more often than not, ran no firewall at all. Routers with built-in firewalls have generally been a very good thing.

An item that provides safety can also lead to a false sense of security, however, and leave users vulnerable when attacks that they thought impossible occur. Routers are no different. They can be difficult to set up and often require updates to patch exploits discovered after release. Here’s what you must do to make sure your router is a boon instead of a burden.

WiFi Is Secure, Except When It Isn’t


All modern WiFi routers provide a variety of encryption choices that are used to make traffic unintelligible to anyone trying to sniff packets out of the air. At a basic level all forms of encryption work, but some work better than others, and routers are lamentably silent when it comes to providing advice. Many routers list the oldest and least secure option, WEP, at the top of the list – so users often select it.

How can you fix it? The best WiFi encryption option is WPA2. You’ll probably have this choice unless your router is more than eight years old. Though not undefeatable, it’s unlikely anyone will go to the bother of cracking your WPA2 secured network. You should make sure to pick a long and highly random password, too, since this will make a brute-force attack against your network much more difficult.
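An added example, not part of the original article: generating the kind of long, random WPA2 passphrase recommended above, checking a candidate for the weaknesses the article warns about, and deriving the WPA2-Personal key with the standard PBKDF2-HMAC-SHA1 derivation (4096 iterations, SSID as salt). The SSIDs, the sample password, the function names and the 16-character threshold are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, easy to type


def generate_passphrase(length: int = 24) -> str:
    """Draw each character uniformly from ALPHABET using the OS CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal master key.

    The standard derivation is PBKDF2-HMAC-SHA1 with 4096 iterations and the
    SSID as salt, so the same passphrase gives a different key on each SSID.
    """
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit_passphrase(passphrase: str, personal_terms: list[str]) -> list[str]:
    """List the weaknesses the article warns about (thresholds are assumptions)."""
    findings = []
    if len(passphrase) < 16:  # assumed minimum for "long"; not from the article
        findings.append("shorter than 16 characters")
    lowered = passphrase.lower()
    for term in personal_terms:  # pet names, birth years, and similar
        if term and term.lower() in lowered:
            findings.append(f"contains personal term: {term}")
    if passphrase.isalpha() or passphrase.isdigit():
        findings.append("uses a single character class")
    return findings


if __name__ == "__main__":
    new_pass = generate_passphrase()
    print(new_pass, f"{entropy_bits(len(new_pass)):.0f} bits")
    # Constructed sample: a pet name plus a birth year, as the article describes.
    print(audit_passphrase("rex1990", ["Rex", "1990"]))
    # Constructed SSIDs: the same passphrase yields unrelated keys.
    print(derive_pmk(new_pass, "HomeNet-A").hex())
    print(derive_pmk(new_pass, "HomeNet-B").hex())
```

Because the SSID salts the key, a unique network name means tables precomputed for common SSIDs do not apply to your network.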

You also should disable WPA2-PSK (the PSK stands for pre-shared key) if given the option. This form of encryption has been cracked, and can be bypassed with relatively simple tools within a few minutes, no real hacking required.


Don’t Trust Your Router’s Firewall


The built-in firewall found in a router is one of its best traits. It provides a solid barrier between your home network and the Internet at large, making exploits that transfer themselves across the Internet, aka “worms,” more difficult to pull off.

But your router’s firewall isn’t perfect. In addition to exploits, which I’ll address in detail shortly, routers are prone to simple misconfiguration. Home users often have difficulty navigating complex and unintuitive router menus.

How can you fix it? Use a software firewall. You can use Windows’ built-in firewall or one of the many free options on the market. Also, you should remember to close any unsecure gaps you might have opened in your router’s firewall. Many people open ports to make software work, but never close them after they stop using the app.

The Malicious March of Progress

Researchers have found a broad range of potential exploits in common consumer routers from companies like D-Link and ASUS. While most are not attacks that were found in the wild but instead discovered in a laboratory, the findings prove that routers are not fortresses. In fact, ever-expanding feature sets seem to provide more potential for exploitation.

How can you fix it? Keep up to date on your router’s firmware. Modern routers sometimes have an automatic update feature, or allow you to update with the press of a button. If you find that option in your router’s options, that’s great. If you don’t, you’ll need to visit the support site of the router’s manufacturer and download an update, then install it manually.

The Classic Password Problem


Home routers are always secured by a password. As explained earlier, this makes routers open to brute-force attacks, which can be effective if a password is too short. But there’s more to worry about than random brute-force hacking; in fact, that’s an unlikely scenario. What’s more likely is that someone will guess or discover your password.

Discovery can be simple. Does your girlfriend or boyfriend know your password? What about your co-workers? Family? Friends? Many of the people who might know your password probably know it because you told them. And your password might be easy to guess if you use the name of a pet or a variation of your birth date.

How can you fix it? Read our guide on how to create strong, memorable passwords, which will help you learn the basics of a good password. Change your router’s password to something that is not at all associated with your personal life or interests and introduce random characters to it. Also, change your password every few months. A simple Google Calendar reminder can ensure you do so.

Connected Storage Is Helpful – And Risky

 

Many recent routers have added a helpful connected storage feature, usually enabled by a USB port. The idea is that you can connect an external hard drive directly to the router, making it easy for all other computers in your home network to access. And since it’s connected to the router, not a computer, it doesn’t rely on any particular PC being turned on.

Sounds great, right? But there’s also a security risk here. The first problem is the obvious fact that anyone who has access to your home network will likely have access to the files stored on the shared drive. Worse, several security flaws have been found in routers with this feature which potentially make the drive visible to people not even connected to your network.

How can you fix it? The simple answer is to not use a drive connected directly to your router. A more practical option, though perhaps less secure, is to only use the drive for files that aren’t sensitive. You could also use file encryption, though it will add an extra step into using files stored on the drive.

Don’t Let Your Router Become A Security Time Bomb

Routers are still a boon for home networks, but they’ve certainly suffered their fair share of problems – and it’s likely to get worse. Common network hardware, like a common operating system, is often targeted because it’s popular.

Finding an exploit in a popular router can provide access to hundreds of thousands of victims. This doesn’t mean you have to treat your router like a time bomb, but you do need to beware of the potential pitfalls and take steps to lessen how they can affect you.

What do you think of router security? Do you feel it’s sufficient, or have manufacturers become lazy? Let us know in the comments!

Image credit: Firewall via Shutterstock, Marc Falardeau via Flickr

  1. none
    May 23, 2014 at 9:57 am
  2. Mac Dude
    May 21, 2014 at 9:24 pm

    I would be interested in what typical home routers would be considered the most secure, ...I mean since both D-Link and Asus were specifically called out in this article.

    • Tocki Cohi
      August 6, 2015 at 7:39 pm

      one with 3rd party, open source firmware flashed to it

  3. Drew S
    May 21, 2014 at 4:41 pm

    Oh don't worry Karl, I'm hacking your traffic through the bot that your kid installed when they just had to play my free Naruto game. :)

  4. Karl
    May 21, 2014 at 3:17 pm

    Since your article on EMR appeared, "Dangers of Wireless", I have eliminated WiFi and hardwired my house with CAT6a SSTP (screened shielded twisted pair) Ethernet cable. A test meter shows negligible EMR leakage in my home. I believe I need not worry about someone invading my home network.

  5. Emmanuel Fu
    May 21, 2014 at 3:49 am

    Oops, made a typo. My stupid keyboard

    "But the thing is Pfsense doesn't receive real time live security updates like Pfsense Snort IPS."

    What I meant was [ "But the thing is Pfsense Snort doesn't receive real time live security updates like "Check Point firewalls". ]

    • Tim
      May 21, 2014 at 12:32 pm

      Yes.. those pesky keyboards just type whatever the heck they want.... no way the human pushing the keys could have made a misstakke. (Look... mine just did it too. Must be that someone hacked both of our keyboards because of WPA2-PSK encryption).

  6. Emmanuel Fu
    May 21, 2014 at 3:43 am

    I use Check Point for my firewall. They may not be cheap but they are far more effective than your standard regular wireless router. I also deployed Pfsense in my rig but I don't use it as a firewall but instead use it for traffic shaping, networking monitoring, Cache Proxy, load balancing for my servers I run out of my house. In a nutshell Pfsense is sort of my replacement to my Blue Coat Traffic Shaper that I used to own. I prefer to use commercial firewalls since you have far better support and the protection is far more effective than something that is offered for free. Free doesn't mean you get the same level of security as a commercial product because there is a huge difference in how they perform. Pfsense and Check Point both offer IPS. But the thing is Pfsense doesn't receive real time live security updates like Pfsense Snort IPS. See the difference? Anything can get pass Snort if its not updated in time. Same goes with Anti-Virus firewall gateways. Open Source software doesn't mean it's equally effective. Check Point Firewalls is commercial and effective which is the reason why its used by 100 percent by every 100 Fortune company in the US mostly financial firms and governments. You can say the same thing for Avast Free. There is a reason why there is a Free version and a Paid version. Both work well but you get better effectiveness if you pay because you get far more frequent updates than the Free version if you get my drift.

    • dragonmouth
      May 21, 2014 at 1:08 pm

      "you get better effectiveness if you pay because you get far more frequent updates than the Free version if you get my drift."
      You are adrift if you think that. Pay-for versions of software usually have more features than free versions. However, the frequency and the content of security updates is the same.

      "Check Point Firewalls is commercial and effective which is the reason why its used by 100 percent by every 100 Fortune company in the US mostly financial firms and governments."
      CheckPoint is not used by 100% of Fortune 100 companies. Many other Enterprise Security suites are in use.
      The only reason corporations and governments use commercial software is that the corporate lawyers can blame (sue) somebody if their company's security is compromised.

      "Anything can get pass Snort if its not updated in time."
      Malware can get past ANY security software, even commercial, if it isn't updated in time.
      BTW - do you realize that most security updates are REACTIVE, rather than PROACTIVE? They cure whatever infections have already occurred and inoculate against future infections by the same malware. Which is only to be expected since how can you patch a hole that you do not know you have?

    • Emmanuel Fu
      May 21, 2014 at 2:38 pm

      Most free security software only updates either once a day or a few times in a day. Commercial software gets updated far more frequently than that, most in real time. That is what people miss or don't even think twice about.

  7. John
    May 21, 2014 at 3:09 am

    Many routers list the oldest and least secure option, WEP, at the top of the list – so users often select it.

    This is not true.

    You also should disable WPA2-PSK (the PSK standards for pre-shared key) if given the option. This form of encryption has been cracked, and can by-passed with relatively simple tools within a few minutes, no real hacking required.

    Uh, no. Where are you getting this from?

    Also, change your password every few months. A simple Google Calendar reminder can ensure you do so.

    If you use a strong password, this is pointless. And annoying. Set up a strong password once and leave it.

    and it’s likely to get worse.

    Probably not.

  8. Matthew
    May 20, 2014 at 4:57 pm

    I'd also go with WPS as the one to avoid - subject to a basic design flaw as bad as that in WEP.
    The PIN is 8 digits (7 + check) and the flaw is that it is validated in two 4 digit chunks (the second being effectively 3 digits).
    With no throttling, brute forcing would be trivial.

    The old, bad ideas are also worth noting:
    Unbroadcast SSID - at best, prevents accidental connects if you must run an open network - and if you must, then it should be a locked down secondary network with limited privileges. Conveys no additional security.
    MAC filtering - may deter some, but anyone who can crack any other protection can easily find & spoof a valid mac address.

    Those two "nonsense security" measures may deter casual "Oh, I see a network" connection abusers, but are not any form of security.

    WEP - is broken, leaks the key to anyone with an off the shelf hacktool - if you must have WEP to support some crummy old device, then it should be as a limited secondary network without access to your home network or anything more than it needs.

    WPA - better than WEP, intended to be possible as a software/firmware update to WEP hardware, but not entirely without flaws.

    WPA2 - unless forced to use anything less, use this - and select WPA2 only, not mixed, and AES, not TKIP or mixed. With no fundamental flaws (known yet), the attacks ranged against WPA2 include brute force of inadequate passkeys and "rainbow table" attacks on popular SSID/passkey combinations. An obscure or "per unit" SSID resists rainbow table attack, so your SSID should not be the router model - some ISP ones use the MAC address as part of the name, and while that may sound insecure, the MAC address is readable in every packet - and the SSID is unique

    • Keefe K
      May 20, 2014 at 5:16 pm

      I appreciate this additional info. I have to say I'm rather confused that he said to stay away from PSK, since besides WPS, I know of no other ways to connect my devices to my router's WiFi. I had learned previously of how insecure WPS was from a previous MUO article, so this new article has me between a rock and a hard place! But based on your recommendation, I have nothing to worry about with my router's security, since both the 2.4 and 5 GHz bands are protected by WPA2-Personal with a pre-shared key (because, as previously stated, I don't have any other way besides WPS) and AES encryption. So I appreciate that you cleared this little bit up for me, and gave me some peace of mind. Thank you! :)

    • David S
      May 22, 2014 at 4:34 pm

      As You wrote, using the MAC code is not easily found in every computer or device, but I use this method as my favorite to protect my network. It is also time-consuming to manage, but verk effective.
      Every time a friend or my children's friends want access to the WiFi they can spot on their device I have to (most of the time) help them find the code, log in to my router, apply the code in two (!) slots and finally give the visitor the WAP password....
      You might think that I don't have any friends left, but I tell them there are only 12 slots available in the router (actually it is 20) and that they should feel extra appreciated since they are allowed to share my network with me. It works every time....

    • David S
      May 22, 2014 at 4:40 pm

      I meant "very effective". (English is not my native language).

  9. Will
    May 20, 2014 at 4:15 pm

    What about WPA2-PSK [AES], does the AES fix the WPA2 issue?

    My only options are:
    WPA-PSK [TKIP]
    WPA2-PSK [AES]
    WPA-PSK [TKIP] + WPA2-PSK [AES]
    WPA/WPA2 Enterprise

  10. Cloksin
    May 20, 2014 at 3:48 pm

    Lovely fear mongering! First. please run your article by an editor so that someone can fix the sentences that a completely missing words. Second, 90% of home users wouldn't know how to set up a home network, so they don't have one. They simply have a wireless connection to their internet, no sharing between devices going on at all. Third, since most home routers have a limited range that usually doesn't extend past one's property, a hacker would need to visibly be parked directly in front of someone's house, making themselves very obvious, which means that routers are inherently safe from intruders simply by their lack of range.

    • Bruce E
      May 20, 2014 at 4:14 pm

      Let's go point by point.

      First, check your own comment. It appears you require an editor as well (second sentence) for the same reason.

      Second, most users don't need to know how to set up a home network. It tends to get set up for them by default when a broadband modem/router is introduced. It doesn't matter that they are not sharing anything on their own devices. The connection itself makes the network, not the sharing between the owner's devices. Someone else can also connect to the same wireless network too, so they may have a foot in the door.

      Third, this would only apply to those in more rural areas. At my parent's house, I can see the networks from several of their neighbors. I can see their network when I am about 100 yards from the house. I can reliably connect to it when I am about 50 yards out. In my apartment building, I can connect to my own wireless network when I am within the middle third of the length of the building on any of the 5 floors so your "usually doesn't extend past one's property" assertion is false for a huge number of people.

  11. Antuono
    May 20, 2014 at 3:00 pm

    Please consider upgrading to custom firmware, such as DD WRT or Open WRT.

    They can provide a lot of new features and enhanced security.

  12. Sean C.
    May 20, 2014 at 1:23 pm

    So, if you're saying we shouldn't run WPA2-PSK, should we be setting up RADIUS servers at home to run WPA2-Enterprise? Seems like overkill and overly complicated for most home users.

    Were you perhaps referring to WPS?

  13. Sean C.
    May 20, 2014 at 1:23 pm

    So, if you're saying we shouldn't run WPA2-PSK, should we be setting up RADIUS servers at home to run WPA2-Enterprise? Seems like overkill and overly complicated for most home users.

    Were you perhaps referring to WPS?

  14. Sean C.
    May 20, 2014 at 1:22 pm

    So, if you're saying we shouldn't run WPA2-PSK, should we be setting up RADIUS servers at home to run WPA2-Enterprise? Seems like overkill and overly complicated for most home users.

    Were you perhaps referring to WPS?

    • Howard B
      May 21, 2014 at 2:23 pm

      Never, EVER use WPS. Wi-Fi Protected Setup is even easier to hack than WEP. Disable it in your router's control panel if you can.

      PS: You triple-posted.

    • Godel
      May 21, 2014 at 11:49 pm

      Even disabling WPS in the control panel doesn't work for some routers. You can tick the box but WPS is still enabled.

      Yet another reason to make sure you have the latest firmware update.

  15. dragonmouth
    May 20, 2014 at 1:19 pm

    What about using m0n0wall or SmoothWall in front of the router? That should improve security somewhat.
