[HOWTO] Protect Your Router Now

Category: Security

“Don’t put all your eggs in one basket,” they say. Yet most of us do exactly that with all of our expensive “smart” home electronics, and the consequences can be as calamitous as the old proverb implies. The latest cyber attacks are targeting home internet routers. Here's the first article in a series detailing what you need to know to defend yourself against router attacks...

Yes, You Have a Router.

I still hear from people who claim they have no router. But unless you're on a super-slow dialup connection, you do. Some say they have just a modem they rent from their Internet Service Provider (ISP). For the record, the “modem” that Comcast and other ISPs talk about is the black box they overcharge you to rent.

That box contains the router which controls traffic on your home network as well as the modem that handles communication with the Internet. So yes, this article is relevant to you, too.

The "basket" I mentioned in the intro is your home’s router, the device that acts as a gateway between the Internet and all the gadgets in your home that use it. When malware compromises your router, it’s as if a fox pried open your basket of precious eggs. Everything on your home network is compromised, too.

Router Security - are you vulnerable to hackers?

That is one reason to run anti-malware software on each computer attached to your home network even though the router may have a firewall or other security features designed to keep intruders and malware out. If the router’s protection fails, individual devices may save themselves. The performance hit imposed by such redundancy is negligible compared to the potential risk to computers that harbor irreplaceable data. An even greater reason not to rely on your router’s security is that it is almost non-existent, in most cases.

My recent article about the router-attacking malware, VPNFilter, illustrates the heightened need for router security that consumers face today and the sorry state of consumer-grade routers’ security. The firmware of most consumer-grade routers was poorly written to begin with, is often left unpatched when vulnerabilities are discovered, and almost certainly will not be supported longer than two years after your particular router make/model was released.

This disgraceful state of affairs is especially true for cheap, no-name, foreign-made routers, (arguably the best-selling category). Yes, “all hardware is foreign-made” these days. But it’s the software that implements security, even so-called “hardware security.” That software will be worth exactly what you pay for it.

Consumer-grade routers are commodities differentiated only by price in the minds of most buyers, who do not grasp the technical mysteries of these boxes that “just sit there blinking.” Consequently, manufacturers shave their costs in every possible way. Software quality and support are sacrificed heavily.

Signs Your Router May Have Weak Security

You may have noticed that your router does not automatically update its software; that updates are never trumpeted via the trade press; that it is devilishly difficult to find current router software on manufacturers’ sites, and tricky to install it correctly if you do find the right update. Even basic documentation of the software that ships with a router is often terribly slim and reads as if was run twice through Google Translate. These are all signs that a router maker has skimped on security software and support.

Another sign of weak security is that the only advice you get for improving security is, “Change the default admin password.” That is the first thing you should do with a new router; if it is the last thing you can do, the router still may have no meaningful security.

“Disable remote administration” is another router security recommendation that should be implemented but does not hacker-proof your router. Remote administration allows you, your ISP, and possibly some hacker in Romania the ability to login to the router via the Internet. Hackers have known about “cross-site request forgery (CSRF) ” tricks that get around this safeguard for many years, but some cheap routers still don’t close this hole.

Your ISP may not even allow you to disable remote router administration. After all, it makes their job a lot easier if they have to reconfigure your router. This is a case of “better to ask forgiveness than permission.” Disable remote administration if you can; address any objections from your ISP only if necessary.

If the ISP insists on remote access to a router that it owns and you only rent, ask to have that router configured in “bridge mode,” which effectively makes the ISP’s router irrelevant. Then install your own router between the ISP’s router and the devices on your network. If an ISP won’t accept this compromise, do all you can to change ISPs before resigning yourself to this unfair, unnecessary, and hazardous situation.

You have the legal right to use your own equipment on your side of the ISP’s box as long as it doesn’t interfere with anyone else’s service, according to the FCC and well-settled case law. There seems to be only one ISP in the USA with the stubborn contempt for customers necessary to deny that right even in court; its name is Armstrong, which should be spelled “strongarm.” Fortunately, its customer-victims are confined to parts of Pennsylvania, Ohio, New York, West Virginia, Kentucky, and Maryland.

Protecting the IP addresses of the DNS servers that your router uses to look up Internet sites is another security essential that cheap routers neglect. These DNS server IP addresses are stored in the router’s memory. A badly secured router leaves it vulnerable to “DNS hijacking” in which requests for domain name lookups are misdirected to an attacker’s bogus DNS server, and what you see in your browser’s address bar may not be the site that you think it is.

Consider a “Business-Grade” Router

“Business-grade” routers are another matter in more ways than their prices, which start at roughly $100 higher than consumer routers. Enough businesses have competent IT staff to make router manufacturers spend money on software and security, costs which businesses are willing to pay.

If your home network’s security is worth $100 to $150 amortized over five years, then you should be willing to buy a better router, too. If you are paying for malware protection of individual devices on your home network, a competent router makes that investment more worthwhile; otherwise, you are sacrificing the redundancy that makes security as good as it can be.

What You Can Do For Free

That said, here are some things you can do to configure better security on any router. I cannot provide detailed instructions for your specific router; but in most cases you'll start by connecting to your router via this address: http://192.168.1.1 and providing the admin username and password. If you need help logging into your router, or changing the settings once logged in, contact your ISP or look for instructions online.

Your first task is to change the administrator’s password; this one cannot be repeated often enough. Many routers ship with a default password, or no password at all, leaving them wide open to attack.

Disable remote administration: discussed above. The router should be accessible only via a physical Ethernet cable, or from a specific, fixed IP address of a device designated for the administration of the router (such as the owner’s PC or phone).,

Change the router’s IP address. Hackers typically look for vulnerable routers at a factory-default IP address like 192.168.1.1; if that fails, the attack fails in all but the most sophisticated campaigns. But there is no reason a router can’t have another IP address, and your router’s administration interface should allow you to make such a change.

For example, you could choose 192.168.0.100 as your router’s IP address. Log in to the router’s administrative interface in the usual way, via the default IP address. Navigate to the page that enables changes to the router’s IP address and make your change. Save changes and reboot the router. Henceforth, enter the router’s new IP address in your browser’s address bar to access the router’s admin interface.

Keep router firmware up to date. Automatic updating of router firmware should be as standard as automatic Windows Update on all routers; don’t buy a new router without it. Newer models from Linksys, dubbed “Smart WiFi Routers,” include automatic firmware updates as an option. Google WiFi Routers – the brand name that replaced Google’s OnHub line - also auto-update. Certain Netgear routers can update firmware automatically.

Changing the router’s default password is the first, easy step towards router security you can count on. If you also perform any one of these reinforcements to your router’s security, you will have thwarted a significant portion of other potential attacks. Implement all of these suggestions and your router security can be “business-grade” (or reasonably close) for free.

Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 21 Jun 2018


For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 20 June 2018

The Top Twenty
Next Article:
UPnP - The (almost) Forgotten Vulnerability

Most recent comments on "[HOWTO] Protect Your Router Now"

Posted by:

Bob K
21 Jun 2018

What are the thoughts on replacing a router's firmware with one of the after-market ones that are available (if one is available for your router)?


Posted by:

john
21 Jun 2018

I have one of those Linksys Smart WiFi Routers. I don't like that Linksys keeps trying to get me to create an account on their server and manage my router from that account. Also, during hurricane Irma, I lost internet connectivity for several days. I could not log into my modem during those days because my router could not call home to Linksys. I am in the process of researching open source firmware for my router. Linksys seems as bad as Google when it comes to collecting internet data. Maybe Bob can do an article about OpenWRT?


Posted by:

Hill
21 Jun 2018

"For the record, the “modem” that Comcast and other ISPs talk about is the black box they overcharge you to rent."
The 6 or 7 dollars a month paid is worth it for those completely non-techy customers who have no idea what an IP address is, for example. This gets them some tech support which would otherwise cost at least $50 for someone to come to their home and set things up.


Posted by:

Hill
21 Jun 2018

Check out Mikrotik for a quality, not so expensive router.


Posted by:

jimmieboy
21 Jun 2018

But I did have a separate modem and router. My first desktop was not wireless and plugged into the modem provided by the ISP. I bought my first wireless router when I bought my first laptop, so I could use the laptop in any room I chose. The wireless router plugged into the modem. But everything Bob says still applies. There were passwords to change and things to be turned on and off in the settings. I would bet that there are some home setups like this still today.


Posted by:

Bill
21 Jun 2018

Well I'm not great at routers/commo stuff but on my :Linksys Smart WiFi Router I have a very strong 12 digit password and have it set to only allow ip addresses I program into it. Don't know how good this setup is? Never had a virus yet...


Posted by:

Laurie
21 Jun 2018

I’ve never used the ISP’s gateway (modem/router combo) for anything but the modem portion. Instead, I bridge and use my own choice of router. It’s worth it to me to spend for it in order to have a better router experience. I’ve also always done those things suggested in this article. So far, so good.


Posted by:

john
21 Jun 2018

The OEM for my router has not issued a firmware update in 2+ years. Per Bob, this is a sign that the router is due for an upgrade.

I am willing to spend a bit more for one of those "Business Grade" routers. But how does one identify them - any seller can add $100 to their price and publish marketing data claiming to be "Business Grade". Is there a reliable review website rating router security and other features?


Posted by:

Turboprop Ted
21 Jun 2018

John, head over to smallnetbuilder.com, there you can find tests on just about any consumer router or SOHO device. Plus there is a lot of info on networking, more than 97% of people will care to know about.


Posted by:

Renaud Olgiati
21 Jun 2018

Another way to improve the security of your home/small office LAN at a low cost is to dig out of your cupboard an old 486 or Pentium-1 computer, install on it a dedicated free Linux firewall distribution like IPCop or IPFire, and install this between your LAN and the router of your ISP.


Posted by:

Bob Stromberg
22 Jun 2018

1. If you disable remote administration, which seems like a good idea, doesn't that also prevent administering your router from the cloud, or from a smart phone app?

2. I would love to see reviews of routers that include a robust set of security issues. And I'd like to see a list of "must-have" security features.

3. If someone is administering an elderly relative's home network, what steps should be taken to ensure the connection is secure? (First, work from a tested secure computer and network. Also, change the remote admin password, and possibly username, of the target router, preferably on a site visit. Can you check the SSL status of the remote router with a site like Qualys' SSL Server Test (https://www.ssllabs.com/ssltest/)?

Thanks!


Posted by:

gene
22 Jun 2018

I've got Xfinity as my ISP and a telephony modem (that I bought myself) but all of that goes through my Linksys router first - which does have a strong password and is updated. Have done this like this since I first got broadband, upgrading the router and modem every 2-3 years. I've software tools as well on my machines and have never had a bit of malware or a virus get through. I plan to keep that record going. :^)


Posted by:

MINOO
23 Jun 2018

Recently my IPS provider upgraded their customers to digital optic cable, they also provided a combo WiFi Router/Modem with a signal booster. I have a hard wired firewall called Alpha Shield, the manufacturer is bankrupt but the Alpha Shield still works. Can I connect this device to my system? Will it work and protect me? Will it by any chance slow the computer down? Please help me with some answers, I am not that tech savvy!! Thank you.


Posted by:

Judy
09 Jul 2018

My Modem has a built in router from Hughes Net
so I do not know if anything can be changed on it.


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.


Article information: AskBobRankin -- [HOWTO] Protect Your Router Now (Posted: 21 Jun 2018)
Source: https://askbobrankin.com/howto_protect_your_router_now.html
Copyright © 2005 - Bob Rankin - All Rights Reserved