Eggs and Router Security (my advice...)
“Don’t put all your eggs in one basket,” some wise person opined. Yet most of us do exactly that with all of our expensive “smart” home electronics, and the consequences can be as calamitous as the old proverb implies. In addition to attacking your computer, cyber-crooks are targeting home internet routers. Here's my advice on what you need to know to defend yourself against router attacks...
Yes, Virginia, You Have a Router.
I sometimes hear from people who claim they have no router. But unless you're on a super-slow dialup connection, you do. Some say they have just a modem they rent from their Internet Service Provider (ISP). For the record, the “modem” that Comcast and other ISPs talk about is the black box they overcharge you to rent.
That box contains the router which controls traffic on your home network as well as the modem that handles communication with the Internet. So yes, this article is relevant to you, too.
The "basket" I mentioned in the intro is your home’s router, the device that acts as a gateway between the Internet and all the gadgets in your home that use it. When malware compromises your router, it’s as if a fox pried open your basket of precious eggs. Everything on your home network is compromised, too.
That is one reason to run anti-malware software on each computer attached to your home network even though the router may have a firewall or other security features designed to keep intruders and malware out. If the router’s protection fails, individual devices may save themselves. The performance hit imposed by such redundancy is negligible compared to the potential risk to computers that harbor irreplaceable data. An even greater reason not to rely on your router’s security is that it is almost non-existent, in most cases.
The firmware of most consumer-grade routers is poorly written to begin with, is often left unpatched when vulnerabilities are discovered, and almost certainly will not be supported longer than two years after your particular router make/model was released. (How long have you had your router? How old was it when you got it?)
This disgraceful state of affairs is especially true for cheap, no-name routers. Brands that I consider trustworthy include TP-Link, Netgear, Linksys, ASUS, and D-Link. If you see a router advertised on Amazon, but it’s a brand you’ve never heard of, and yet somehow they’ve got thousands of glowing reviews, put down the mouse and back away slowly. Fake or paid reviews (both positive and negative) are rampant on ecommerce websites.
Consumer-grade routers are commodities differentiated only by price in the minds of most buyers, who do not grasp the technical mysteries of these boxes that “just sit there blinking.” Consequently, manufacturers shave their costs in every possible way. Software quality and support are sacrificed heavily.
Signs Your Router May Have Weak Security
You may have noticed that your router does not automatically update its software; that updates are never trumpeted via the trade press; that it is devilishly difficult to find current router software on manufacturers’ sites, and tricky to install it correctly if you do find the right update. Even basic documentation of the software that ships with a router is often terribly slim and reads as if it was run twice through Google Translate. These are all signs that a router maker has skimped on security software and support.
Another sign of weak security is that the only advice you get for improving security is, “Change the default admin password.” That is the first thing you should do with a new router; if it is the last thing you can do, the router still may have no meaningful security.
“Disable remote administration” is another router security recommendation that should be implemented but does not hacker-proof your router. Remote administration gives you, your ISP, and possibly some hacker in Romania the ability to log in to the router via the Internet. Hackers have known for many years about “cross-site request forgery (CSRF)” tricks that get around this safeguard, but some cheap routers still don’t close this hole.
Your ISP may not even allow you to disable remote router administration. After all, it makes their job a lot easier if they have to reconfigure your router. This is a case of “better to ask forgiveness than permission.” Disable remote administration if you can; address any objections from your ISP only if necessary.
You have the legal right to use your own equipment on your side of the ISP’s box as long as it doesn’t interfere with anyone else’s service, according to the FCC and well-settled case law.
Protecting the IP addresses of the DNS servers that your router uses to look up Internet sites is another security essential that cheap routers neglect. These DNS server IP addresses are stored in the router’s memory. A badly secured router leaves them vulnerable to “DNS hijacking,” in which requests for domain name lookups are misdirected to an attacker’s bogus DNS server, and what you see in your browser’s address bar may not be the site that you think it is.
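One way to check for the DNS hijacking described above, added here as an example (it is not from the original article): ask the router's resolver and an independent public resolver for the same name and compare the answers. The router address 192.168.1.1 is the default mentioned in this article; the reference resolver 9.9.9.9 (Quad9) and the test name example.com are assumptions, so substitute your own.

```python
import secrets, socket, struct

def build_query(name, qid):
    """Encode a recursive A-record query (RFC 1035 wire format)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg, qid):
    """Return the IPv4 addresses in a response, rejecting replies with the wrong ID."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.add(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen                    # CNAMEs and other types are skipped
    return addrs

def resolve(name, server, timeout=3.0):
    """Ask one DNS server directly over UDP, bypassing the OS resolver and its cache."""
    qid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))              # connected socket ignores other senders
        s.send(build_query(name, qid))
        return parse_a_records(s.recv(4096), qid)

def check(name, router_dns, reference_dns, lookup=resolve):
    """Addresses only the router's resolver returned; an empty set means they agree."""
    return lookup(name, router_dns) - lookup(name, reference_dns)

if __name__ == "__main__":  # assumed values: article's default router IP, Quad9 reference
    try:
        print(check("example.com", "192.168.1.1", "9.9.9.9") or "answers agree")
    except (OSError, ValueError) as exc:
        print("lookup failed:", exc)
```

Sites served from content delivery networks can legitimately return different addresses to different resolvers, so treat a non-empty result as a reason to look at the router's DNS settings, not as proof of tampering.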
If your home network’s security is worth about $200 amortized over five years, then you should be willing to buy a better router, too. If you are paying for malware protection of individual devices on your home network, a competent router makes that investment more worthwhile; otherwise, you are sacrificing the redundancy that makes security as good as it can be. Check out the Asus AX-5400 WiFi 6 Gaming Router, the NETGEAR Nighthawk Cable Modem WiFi Router Combo (compatible with Xfinity by Comcast, Spectrum, Cox, and others), and the Linksys Mesh Wifi Router.
What You Can Do For Free
That said, here are some things you can do to configure better security on any router. I cannot provide detailed instructions for your specific router; but in most cases you'll start by connecting to your router via this address: http://192.168.1.1 and providing the admin username and password. If you need help logging into your router, or changing the settings once logged in, contact your ISP or look for instructions online.
Your first task is to change the administrator’s password; this one cannot be repeated often enough. Many routers ship with a default password, or no password at all, leaving them wide open to attack.
Disable remote administration: discussed above. The router should be accessible only via a physical Ethernet cable, or from a specific, fixed IP address of a device designated for the administration of the router (such as the owner’s PC or phone).
Change the router’s IP address. Hackers typically look for vulnerable routers at a factory-default IP address like 192.168.1.1; if that fails, the attack fails in all but the most sophisticated campaigns. But there is no reason a router can’t have another IP address, and your router’s administration interface should allow you to make such a change.
For example, you could choose 192.168.0.100 as your router’s IP address. Log in to the router’s administrative interface in the usual way, via the default IP address. Navigate to the page that enables changes to the router’s IP address and make your change. Save changes and reboot the router. Henceforth, enter the router’s new IP address in your browser’s address bar to access the router’s admin interface.
Keep router firmware up to date. Automatic updating of router firmware should be as standard as automatic Windows Update on all routers; don’t buy a new router without it. Newer models from Linksys and Netgear include automatic firmware updates as an option.
Changing the router’s default password is the first, easy step towards router security you can count on. If you also perform any one of these reinforcements to your router’s security, you will have thwarted a significant portion of other potential attacks. Implement all of these suggestions if you can.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 26 Oct 2022
Article information: AskBobRankin -- Eggs and Router Security (my advice...) (Posted: 26 Oct 2022)
Source: https://askbobrankin.com/eggs_and_router_security_my_advice.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Eggs and Router Security (my advice...)"
Posted by:
Paul S
26 Oct 2022
For a deeper dive including recommendations go to routersecurity.org by Michael Horowitz. He is obsessive about router security and has done a lot of research. His favorite, recommended router from Peplink is no longer manufactured but available from other sources. For those of us with little knowledge of networking jargon and needs, anything beyond Bob’s recommendations is intimidating, but we can learn.
Posted by:
Diane
26 Oct 2022
As a follow up to this article, could you possibly write an article on how to swap out a home router/modem rented from an ISP provider to one purchased privately, Bob? Mine is currently rented from my ISP provider and I have long wanted to install my own, but fear that installation would not be as simple as unplugging the old one and plugging in the new one.
Posted by:
Art F
26 Oct 2022
Found this by googling my router's model:
---------------
How do I update the firmware on my FIOS G1100?
The easiest way to trigger a firmware update is by resetting the device.
Simply hold down the WPS button located on the front of the router for 10 seconds to reboot it.
Once it restarts and reconnects to Verizon's network, it should grab and install the firmware.
May 16, 2020
How do I reset the firmware on a Verizon Quantum Gateway G1100 ...https://www.ifixit.com › Answers › View › How+do+I+res..
--------------------
This couldn't have been easier, and APPEARED to work fine. Took about a minute for the router to reboot.
Posted by:
snert
26 Oct 2022
I've been using a computer for about twenty years now, but still consider myself computer ignorant. How do I go about doing the things you say in this article without bringing a high priced expert over to fix all!!!
Posted by:
Frank
26 Oct 2022
I bought a NETGEAR AC1900 Wi-Fi Modem Router C700v2 (Night Hawk) in 2021 and have been scared to death of trying to install the daggum thing. Like some have said, I don't understand the jargon and don't want to screw up my system and leave it vulnerable to h*ckers (in Romania or in some basement wherever) though I have nothing worth hacking me to get at. Plus, getting a professional to come out and install it means spending cash and I still won't know nothing about the installation. Finally, Bob (Anybody) did I buy a good Router?
Posted by:
Sarah L
26 Oct 2022
This article mentions Comcast but not AT&T. My modem (from AT&T) and router (I bought) were replaced with a Gateway when my connection was improved from DSL to fiber optic cable at 300 speed about 4 years ago. I pay no rental fee for the Gateway, and pay a monthly fee for the connection. I have had few problems; when I do, AT&T tech fixes it as I speak on the telephone with them. What are your comments about that device? Is it particularly susceptible to h*ckers?
Posted by:
Lucy
26 Oct 2022
@Diane
It really is that easy. The instructions are simple, just make sure you buy one that is "compatible" with your ISP.
You will either call your ISP or use your smart phone to complete set up.
If you look at your options and decide which one to buy g00gle it and check how easy it is to install.
Also check out wikihow, they give clear instructions on all sorts of things including this.
Posted by:
Ernest N. Wilcox Jr.
27 Oct 2022
I have ATT's Fiber 500 Internet service here. I have my router configured to drop all types of ICMP requests. When I checked my ports with GRC's Shields Up page, all ports were reported as operating in stealth mode. That means that my router is effectively invisible to port scanners on the Internet. With this configuration, the only way that I know about for some malware distribution miscreant to get anything onto my computer (or into my home network) should be via some phishing scam (to induce me to go to them), or by taking over some website I frequent. Because I am very skeptical of everything I see/hear/read on the Internet, that possibility is fairly remote.
If you want to check your port security, go to https://www.grc.com, then scroll down the page until you get to the 'Hot Spots' list where you will find the link to the Shields Up page. You can learn a lot about Internet security there too.
I hope this helps someone,
Ernie
Posted by:
Jim
27 Oct 2022
How about disabling Universal Plug and Play (UPnP)? Isn't it dangerous?
Posted by:
BaliRob
27 Oct 2022
@Lucy
Thank you for giving advice to Diane direct. Bob will be so grateful when he sees this because this is what his site is for. I have more handwritten notes and bookmarks detailing helpful advice and, for you again Lucy, reminding that we do have "Wikihow", covering Bob's topics than any other medium.
Posted by:
Renaud Olgiati
27 Oct 2022
You can for a low cost improve the security at home by disabling the WiFi on your router, and installing a firewall between the outside, and your LAN/WLAN.
I use a RaspberryPi running the IPFire distribution as a firewall, and a second one running PiHole, which blocks all the unwanted publicity URLs, so I receive less pubs embedded in web pages, so they load faster...
For the firewall, any old Pentium machine, unused in a cupboard, will do...
Posted by:
AE
27 Oct 2022
I appreciate this article Bob. What do you think of the Google WiFi mesh systems? I expect Google to do a good job with security, but maybe I'm fooling myself.
Posted by:
Ernest N. Wilcox Jr.
28 Oct 2022
Jim,
Universal Plug and Play (UPnP) may be enabled on your router. On my router/gateway it is not found from the Internet (the WAN side of the router). I know because I checked on GRC's Shields-Up webpage. To get there, go to https://grc.com, then in the menu at the top-left, click Services -> Shields Up. I suggest you read the Shields Up landing page before you click the 'Continue' button. After you click the Continue button, you will see the UPnP test hyperlink and the other Shields-Up test services below it.
I hope the information you (or anyone else) get(s) from the site helps you,
Ernie
Posted by:
Ernest N. Wilcox Jr.
28 Oct 2022
I forgot to add my usual disclaimer in my post above. I have absolutely no connection to GRC-dot-com or Steve Gibson other than as a user of the services he offers on his website, and I get nothing from him or his site beyond the pleasure it gives me to spread the word about the very useful resources he provides.
Back in the 1990s, I used his SpinRite utility to maintain my hard drives when my computer used MS-DOS. Currently, I watch his Security Now video podcast each week to help me keep abreast of cybersecurity events/issues. Mr. Gibson is one of the few developers who still writes software (SpinRite, etc.) in Assembly Language, and he has forgotten more than I ever knew about the Internet et-al. I consider him to be a trustworthy and reliable source of information. This is something I do not say about many people (especially those who I have never met in person). I consider what I learn from Mr. Gibson to be as reliable and useful as what I learn from Bob (here).
After perusing his site, you can decide for yourself,
Ernie