Router Security

A router is the device that shares internet access among multiple computers and devices on a network. A router may also be a modem, as many Internet Service Providers (ISPs) now offer all-in-one devices that both connect to the internet and share that connection between computers and devices. Because a router is exposed to the public internet, it is subject to automated attacks by malicious hackers scanning the internet for vulnerable devices. Recent denial-of-service attacks have been driven by insecure devices (including routers) that were compromised in these automated attacks. Many off-the-shelf home WiFi routers available at retail outlets are vulnerable to these types of attacks, but there are ways to secure some of these devices, or you can switch to a more secure commercial-grade router. Here are a few steps you can take to secure your router:

1. Change the default username and password.

Many of the automated attacks against routers rely on using the default username and password to gain access to the device. Even if you’re sure your device’s login can’t be accessed from the public web, change your username and password to something secure anyway.

2. Change the wireless SSID.

The default SSID for most home WiFi routers includes the maker and/or model (“NetgearAC1900”). The less information you give away to an attacker the better, so change your SSID from the default to something personalized.

3. If you’re a techie, flash your router with open source firmware. If not, purchase a known secure or commercial-grade router.

Certain off-the-shelf home routers are compatible with very secure open-source firmware versions known as “DD-WRT” and “Tomato”. CAREFUL! Flashing your router can render it inoperable if something goes wrong, so don’t attempt this unless you’re very confident in your technical skills. A more surefire way of securing your network is to purchase a known secure router, or a commercial-grade router. A lower-cost router (retails at about $50) that is known to have good security is Ubiquiti’s EdgeRouter X. The EdgeRouter allows you to create a segmented network, which can increase network security by isolating your “internet of things” devices from your more sensitive devices (computers). The EdgeRouter uses only wired connections though, so you will need a separate wireless access point. A commercial-grade all-in-one WiFi router solution that comes highly recommended by many security experts is the Peplink Surf SOHO, which retails for about $200.

4. Enable WPA2-AES Encryption with a strong key.

Although WPA2 has known flaws, it’s still the most secure encryption method that is widely available. To mitigate the flaws present in WPA2, be sure to use a very strong key.

5. Keep your firmware updated.

Regardless of what type of router you use, keeping your firmware up to date is a good idea. Updating your router’s firmware may plug security holes, or simply ensure more stable operation.

6. Turn off WPS.

If WPS is enabled in your router, turn it off. It is known to have serious security flaws and can be a point of entry for compromising your network.

7. Put your modem in bridged mode and use a separate router.

When possible, use a separate router from the ISP-provided modem. ISP-provided devices are given away by the millions and are known to have serious security vulnerabilities that the ISP may be slow to patch. Keeping your router separate from your modem allows you greater control over the security and functionality of your network.