
A Basic Guide to Router and Wireless Security for Regular People

Router and wireless security for the home/small network is often overlooked due to the limitations of consumer-grade hardware and a general lack of awareness of network security (NetSec).

As such, many users run home or small office networks that introduce a great amount of unnecessary risk.

This is a guide meant for “regular” users to improve their network security, cutting down unnecessary risk that may be invisible to users unfamiliar with (cyber)security.

Why you shouldn’t use your ISP’s router

Renting a router from your internet service provider (ISP) is not recommended. The ISP router is often subpar equipment, has limited to no flexibility in settings, and often does not allow maximum control over administration of your network.



Frequently, routers and other networking equipment rented from the ISP are… subpar. You’ll often get better Wi-Fi coverage and performance using a router you purchase yourself.

In many cases, the ISP router has default settings enabled that could compromise user security. For example, many ISP routers (and shipped instructions) do not prompt users to change the default credentials even after successfully setting up the wireless network.

Additionally, the ISP’s initial setup instructions may not cover how to disable certain features that could undermine security – such as automatic, public Wi-Fi hotspots broadcasting separately from the user’s network.

ISP routers typically do not support changing settings which could ultimately benefit user privacy, such as setting custom DNS resolvers. They often do not support other features some users may want or need to properly administer their network, such as network segmentation, creating VLANs, or enabling parental controls.

Again on the privacy front, routers supplied by the ISP allow the ISP direct access to the router firmware, using TR-069. TR-069 is remote management software, enabling your ISP to perform configuration of network devices, such as the ISP-provided router, on your behalf.

TR-069 is legitimate software and has legitimate use cases – it’s typically used for providing timely security updates. However, this could have privacy implications as well; in theory, your ISP could spy on your local network. Or, a third party could gain access to this remote function of the router and start collecting sensitive data about you, your devices, and your network.

This is a little different from your ISP collecting information on your browsing history – which they can do regardless of whether you use your own router or theirs. Since 2017 and as of writing, ISPs in the US are legally allowed to sell consumer data, including your browsing history, to third parties. To mitigate this specifically, you can use a reputable virtual private network (VPN) provider or the freely available Tor browser (or another onion routing service, such as SafingIO’s SPN).



From a financial standpoint, renting the ISP’s router also costs you more in the long run. See this example:

Let’s say you sign up for a 1-year term contract for home internet service from ISP-1. Each month, your bill is $60 for 12 months.

You also elect to rent a router from ISP-1 for $12 a month. So, in total for 1 year, you are paying $864 for service and equipment.

Over the course of 12 months, your total cost for renting ISP-1’s router is $144. In a lot of cases, you’ll have to return the router if/when you choose to terminate service with the ISP.

For that amount of cash, you could buy a capable home router that is under your control, allows meaningful customization, is more than likely higher quality hardware, and… you get to keep it for years (or until it reaches its end-of-life, where it no longer receives security updates).

Change the default router password

If you do nothing else in this guide, you should absolutely change the default password for your home router – even if it’s your ISP’s router. Changing default passwords is a part of basic cybersecurity hygiene everyone should practice.

The default password to any device is the password that ships with the device/software for administrator (privileged) access into a device/account. As a basic security rule, default passwords should always be changed as soon as possible.



Why change the default password? Put simply, default credentials are often exceedingly simple and/or not difficult to locate. They are incorporated in many brute-forcing and credential stuffing wordlists and consistently used in automated attacks. Default credentials for many devices (including routers) are also often publicly available and can frequently be found on device manufacturers’ websites.

In fact, many router manufacturers post the default credentials for router models and sub-models on their websites. For example, the default interface credentials for current NETGEAR router models are admin and password.

The bottom line: Once it receives an internet connection (typically from a modem or a device acting as a modem) and is assigned a public IP address by the ISP, your router is effectively discoverable from the outside world.

If you haven’t changed the default credentials for the router, anyone can “discover” it and use the default credentials to log in to the device.

From this point forward, your device can be recruited into a botnet or used as a residential proxy for cyber threat actors. Since the device is controlled by the threat actor, they could download additional malware, pivot to compromise the rest of the devices on your network, or spy on and steal data from your network – anything they want, really.

Change the default password to your router! Do not use variations of the default password or credentials. Set a truly strong password that is both lengthy and complex.
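A small check for the advice above, as an added example that is not from the original post: it flags router passwords that are only disguised versions of the defaults named on this page (admin, password) and applies a length and character-mix test. The 14-character minimum, the three-of-four character classes, the "less than half the letters are new" threshold and the substitution table are assumptions of this example.

```python
import re

# Defaults named on this page; add the ones printed on your own router's label.
DEFAULT_WORDS = ("password", "admin")

# Substitutions commonly used to "disguise" a default (assumed table).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 14   # assumption for this example, not a value from the page
MIN_CLASSES = 3   # of: lowercase, uppercase, digit, symbol (assumption)


def is_default_variation(candidate: str) -> bool:
    """True when most of the password's letters are just default words."""
    # Undo substitutions, then drop digits, separators and padding symbols.
    letters = re.sub(r"[^a-z]", "", candidate.lower().translate(LEET))
    for form in (letters, letters[::-1]):          # also catch reversed defaults
        residue = form
        for word in DEFAULT_WORDS:
            residue = residue.replace(word, "")
        # Less than half of the letters are new material: treat as a variation.
        if len(residue) * 2 < len(form):
            return True
    return False


def audit_password(candidate: str) -> list[str]:
    """Return the list of problems found; an empty list means it passed."""
    problems = []
    if is_default_variation(candidate):
        problems.append("variation of a default credential")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(p, candidate)) for p in patterns) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("password", "P@ssw0rd123!", "4dm1n-4dm1n-4dm1n",
               "Tr7-badminton-Kettle-Orbit"):
        print(f"{pw!r}: {audit_password(pw) or 'ok'}")
```

The third sample is long and mixes character classes, yet it is still rejected because nothing is left once the default word is removed.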

Turn off or disable unused features

Users should disable certain features, such as UPnP and WPS, for security, as these can circumvent other security measures your router may rely on, such as the firewall. Users should also disable any other unused features on their routers, which may extend beyond the few listed below, to reduce their attack surface; the features available depend on the router manufacturer, model, and sub-model.

Remote management



Some consumer-grade routers available allow remote management; the feature may be called some variant of “Remote Administration” or “Remote/Web Access.” This enables you to access your router outside of the LAN… and exposes the administrator login…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/router-wireless-guide