Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Home routers: Broken windows to the world

Taylor Armerding | May 20, 2014
Top security experts say the software in most home routers – even brand new ones – is so obsolete that it is an inviting attack surface for hackers. And changing your password will help a little, but not all that much

In other words, if you take basic security precautions, you will be more secure than the average user, and therefore much less likely to be attacked.

Robert Siciliano, CEO of IDTheftSecurity and a blogger for McAfee, recently offered a brief list that includes logging in to the router settings, changing the default username and password that control the configuration settings and enabling the WPA2-PSK with AES encryption protocol, making sure to enter the passphrase, which is usually at least 10 characters.

He said, if possible, users should also change the Service Set Identifier (SSID) of the network connection from the default name.

Siciliano said he uses the latest versions of N and AC home routers, "which are the equivalent to the security of Windows 7 or 8," but are much more expensive than the basic $15 to $40 models. They cost $150-200 or more.

But he contended that the newer routers on the market, "have a grade of security that most average consumers need not be concerned about in relation to the amount of WiFi hackers in play. And as exploits are discovered, either ethically or not, patches will be administered or recommendations will be made to upgrade hardware."

He said it is possible for "those versed in WiFi hardware and software," to wipe and replace the default firmware with custom versions that provide addition security. But, this would be beyond the capabilities of 99% of users.

Besides encryption and changing default user names and passwords, Brown and others recommend:

- Password protection for the different ports that handle various types of traffic such as HTTP, FTP (file transfer protocol), HTTPS (encrypted web traffic) and Remote Desktop.

- Reset everything -- passwords, user names etc., if a hard reset is required, since that common troubleshooting step frequently restores the weak, default password without letting the user know.

- Disable UPnP (Universal Plug and Play) -- a recommendation of the federal Department of Homeland Security.

- Disable anonymous access to your FTP service, unless you don't mind sharing your files with anyone and everybody. Users can access their FTP settings in the router's HTML configuration pages, and those can be accessed with a browser. The default address for a router is in its user manual.

- Put the router into so-called "pin-hole" mode, where every port is blocked by default until the user opens them. "It takes a bit of work, but it's very secure," Brown wrote.

To that list, Mark Stanislav, security evangelist at Duo Security, recommends, "turning on automatic updates, disabling Internet-facing remote administration, and keeping an eye on security notices."

Stanislav acknowledged that changing passwords doesn't improve things greatly, but said it is worthwhile because, "it's too common that an attacker leverages default credentials to start an attack against a target."


Previous Page  1  2  3  4  Next Page 

Sign up for Computerworld eNewsletters.