SECURITY TIP: Lock Down Your WiFi Router

Category: Security

While we’ve been focusing on the security of our desktop PCs, laptops, and mobile devices, malware-manufacturing miscreants have been exploiting the most overlooked computer in most homes and businesses: the router. Here's what you need to know…

Is Your Router Secure?

For those who have high-speed Internet, the router is the little box that connects your home or office to the Internet. And routers are the latest target of the online criminal classes.

A legion of hacked consumer-grade routers was used to launch distributed denial-of-service (DDoS) attacks that brought Sony and Microsoft gaming networks to a halt over the last holiday season.

And now, according to researchers at the Fujitsu Security Operations Center, hundreds of hacked routers are being used to distribute malware that steals login credentials by redirecting browsers to rogue websites that imitate financial institutions.

A router can be compromised by changing its settings. For instance, substituting a hacker’s rogue DNS server address for that of a legitimate DNS server would redirect browser requests to a fake website. But a router can also be remotely reprogrammed with firmware that includes malware and instructions for distributing it, turning the router into a slave in a botnet.

It's unsettling that the researchers are not sure how bad guys are gaining control of routers. They speculate that users are to blame for not changing the factory default administrator login credentials when they set up their routers. Most often, the default credentials are published online; always, they’re simple and easily guessed. But I can’t lay all the blame on users.

Configuring the Router

Hardening your router’s security is important, but don’t neglect the other machines on your network. You may want to review my earlier article, Avoid These Five WiFi Security Mistakes.

Certainly, the first thing you should do when installing a new router is change the administrator’s userid and password to something that only the administrator (which is probably you) knows. Conventional wisdom says the password should be long and complex, but that really isn’t necessary if you make one other simple change to the router’s settings.

Most routers are shipped with “remote administrative access” or “remote management access” enabled by default. That means the administrator can log in to the router from any device connected to it. That’s convenient for admins but dangerous.

Disabling remote administration means that the admin must log in via a hardwired connection between the admin’s computer and the router’s Ethernet port. It doesn’t matter if your userid is “admin” and your password is “password.” Only someone who has physical access to the router can log in and fiddle with its settings or install new firmware.

In a home or small office, it should be easy to control who can plug an Ethernet cable into the router. But to protect against an “inside job,” the admin’s login credentials should still be changed to something non-obvious. I've visited coffee shops and motels with wifi routers that were completely unprotected. If I were malicious or mischievous, I could have logged into the router and changed the settings so that anyone who tried to access a website would be redirected to an inane cat video on YouTube.

Even if you doubt that your family, guests, or employees might hack your router, it’s entirely possible for their devices to be infected with malware that will attack a router. Denying admin access to the router foils such attacks, even if they come from machines that are connected to your local network.

I can't give specific instructions on exactly how to log in to your router and change settings, because each model has a different interface. But the first step in every case is to find the address of your router. On Windows, open a Command Prompt, then enter the ipconfig command. The output will look something like this:

IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . : 192.168.1.1

Look for the "Default Gateway" line, and you'll find the router address there. (Mac users can click the Apple icon, then “System Preferences” and “Network”. Your default gateway will appear next to “Router”.) So in this case, you'd open your browser and enter http://192.168.1.1 in the address box. You should be greeted with a prompt to enter your router's login and password. If you don't know the router's username and password, check with your Internet service provider.

NOTE: Your router's username and password are NOT THE SAME as your wifi password. The former allow access to your router's configuration screens, while the latter allows you (and others who know the password) to access the Internet via wifi.
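As an added example (not part of the original article), the Python code below reads saved `ipconfig /all` output, picks out the router address even when an IPv6 gateway is listed first, and flags DNS servers that are neither the router nor on an allowlist, which is how the rogue DNS change described earlier would show up on a PC. The sample output, the function names and the OpenDNS allowlist are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""
# Assumed allowlist: the OpenDNS public resolvers. Replace with the ones you chose.
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}
# A label is followed by a space or dot before the colon; bare IPv6 lines are not.
FIELD = re.compile(r"^\s+(.+?)[ .]+:\s*(.*)$")

def _addr(value):
    """Normalize one address, dropping '(Preferred)' and IPv6 zone ids like '%12'."""
    value = value.strip().split("(")[0].split("%")[0]
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def parse_fields(text, wanted=("Default Gateway", "DNS Servers")):
    """Collect addresses for the wanted fields, following continuation lines."""
    found, current = {name: [] for name in wanted}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current, value = (m.group(1) if m.group(1) in wanted else None), m.group(2)
        elif line[:1].isspace() and line.strip():
            value = line  # indented line without a label: another value
        else:
            current, value = None, ""  # blank line or adapter header ends the field
        if current and (addr := _addr(value)) is not None:
            found[current].append(addr)
    return found

def router_url(text):
    """URL of the router's admin page: the first IPv4 default gateway, if any."""
    v4 = [a for a in parse_fields(text)["Default Gateway"] if a.version == 4]
    return f"http://{v4[0]}" if v4 else None

def unexpected_dns(text, trusted=TRUSTED_DNS):
    """DNS servers that are neither the router itself nor on the allowlist."""
    fields = parse_fields(text)
    allowed = set(fields["Default Gateway"]) | {ipaddress.ip_address(t) for t in trusted}
    return [str(s) for s in fields["DNS Servers"] if s not in allowed]
```

If the only DNS server listed is the router itself, this check passes, and the router's own upstream DNS setting still has to be confirmed on its admin page.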

For Extra Credit…

Here are a few other steps you can take to improve the security of your wifi router:

Switch to OpenDNS, an alternative to the DNS servers from your Internet provider. See my article OpenDNS - Faster and Safer Internet for details on how this can improve security, and how to make the change.

Change the router's SSID (network name) to something of your own choosing. Your router's SSID is broadcast to others nearby who are searching for wifi networks. Often the default name is "linksys" or something else that gives away the make or model of your router. That only makes a hacker's job easier.

Consider updating your router's firmware. Think of this as the operating system that controls your router. After logging into your router, look for an option called "Firmware Upgrade" or similar. On my Verizon FIOS router, there's an option to automatically check for available firmware upgrades, and even install them automatically. But those are turned off by default. Check with your Internet provider first if you have questions about where to download updated firmware.

Is YOUR wifi router secure? Your thoughts on this topic are welcome. Post your comment or question below...

 
This article was posted by on 10 Jul 2015


Most recent comments on "SECURITY TIP: Lock Down Your WiFi Router"

Posted by:

Charley
10 Jul 2015

A minor router annoyance. My Linksys router insists on being a DNS cache. I can't disable that feature. I have changed my PCs to use OpenDNS. But my smartphone when using Wi-Fi is forced to use the router cache. Occasionally the cache gets messed up and I need to restart the router to clear it.

If you do an IPCONFIG (on windows) or if you have an app to show you your smartphone DNS servers, you can see what you are using. My smartphone always shows 192.168.1.1 as the DNS server.


Posted by:

Greg C
10 Jul 2015

Another change I make to the router is to clone the MAC address to one of my computers. Then a hacker will falsely believe that he is not dealing with a router, but a computer. In the very least, the make of the router will be masked, as long as ALL of Bob's other recommendations are followed. -Greg


Posted by:

Butch
10 Jul 2015

Does this article apply *only* to folks who use Wi-Fi? I have no mobile devices--only 'landline' phone. My ISP says that they can't change the settings because my modem/router is 'old'--bought a little over 2 years ago from the ISP. (I have a feeling that's just to make a sale and may not be the truth about the settings.) What about the folks who don't have Wi-Fi? Will the info you gave be of help to us?

EDITOR'S NOTE: Even if you have no devices connected via Wifi, you should still change the router settings as per my article. My router is 7 years old, so I think you should call the ISP again. Maybe you'll get a different tech on the line.


Posted by:

Bruce Kulik
10 Jul 2015

You reminded me of the time I bought a new router and wanted to configure it wirelessly. Unfortunately, I had not noticed that my laptop had connected to my neighbor's WiFi instead, and proceeded to configure it, including changing the password and setting up firewall DMZ commands and the like. The only problem was that I couldn't figure out why my other machines didn't show up in the DHCP settings. It hit me when one of the machines was called [name of neighbor]'s Laptop. I changed everything back and reconnected to my router.


Posted by:

Ron
10 Jul 2015

I have a set up that's very common, I think, and I am confused. I have optimum triple play with a cable modem that splits the co-ax in/out cable to tel. service, tv service, and internet service. The internet connection is by ethernet cable to a router, which is hardwired to desk pc with ethernet cable, and has wi-fi antennas for lap tops, etc. Is the router vulnerable even though it is hardwired to the cable modem and then to cablevision's co-ax for internet access?


Posted by:

Bob K.
10 Jul 2015

My router has IPV4 AND IPV6 numbers. There's no "Default Gateway" in the output of IPCONFIG.
I'd appreciate you touching on describing the differences and how to protect (if needed) for IPV6 routers.


Posted by:

Ron
10 Jul 2015

Wouldn't telling everyone to turn off broadcasting their router's SSID be helpful for security also?


Posted by:

HA
10 Jul 2015

"Disabling remote administration means that the admin must log in via a hardwired connection between the admin’s computer and the router’s Ethernet port. "
Actually, disabling remote administration still lets a computer use wifi to change router settings. It just blocks outside IP addresses from changing settings.


Posted by:

Lucy
11 Jul 2015

Bob Wrote "Your router's SSID is broadcast to others nearby who are searching for wifi networks. "

Should I consider hiding the router SSID?

What are the pros and cons of taking that step?


Posted by:

robert roberts
11 Jul 2015

The many complex steps to go through to secure the router might be a useful comment. But why should Joe Consumer have to go through these complex steps and still not feel secure with his/her computing experience? When we invented door locks it was a simple solution. Government regs might be required for a range of computing devices that allow consumers to feel confident or allow consumers to make simple changes that will allow them to gain confidence.


Posted by:

Anne
13 Jul 2015

If this is such a huge problem, would it not make sense for the default to be denial of remote admin access? Those who want or use remote access will tend to have many more tech skills than the average computer owner. They can change it to remote access after they buy (I am sure they love that sort of thing.)
Changing from remote admin access as you describe is way over the heads of most users (myself included).


Posted by:

Paul
13 Jul 2015

@Lucy No, don't bother hiding your SSID. http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/


Posted by:

Alan M.
20 Jul 2015

Thanks for the reminder......
I am currently using a Linksys wireless router. From day one I disabled wireless connectivity and had changed the username/password to something I can never remember. Well anyway, I had planned on only turning the wireless on when my grandkids were over with their laptops. Now, they prefer using a wired connection since it is much faster and don't mind dragging the cable around.
I think that wired is safer anyway.
I just recently fished a cable from my router to my wife's BlueRay player for her to use Netflix. The wireless connection wasn't fast enough to watch movies with. Too much buffering time.
I just out and out don't trust wireless at all. I only have 1 wireless mouse and that's on the computer with the 32" TV for watching DVD and Netflix.
Sometimes your advice looks like you're repeating yourself but it is always information that NEEDS to be repeated and the more often the better.
Eventually, most people after hearing something often enough, will finally decide to follow your advice. By that time they will have forgotten who said it and think it was their own idea.
Thanks again.......Alan


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- SECURITY TIP: Lock Down Your WiFi Router (Posted: 10 Jul 2015)
Source: http://askbobrankin.com/security_tip_lock_down_your_wifi_router.html