The security of routers and other internet-connected devices is more important than ever before. There is a huge increase in threats to devices that are connected to the internet. Internet of Things (IoT) devices have had their impact on this, as more and more attacks are targeting small devices used in homes.
Routers and modems together form the gateway to the home network, so if you want to secure all the devices in your home network you really want to make sure your router is as secure as possible. If someone compromises your router they can basically see everything you do on the internet, and it also makes it very easy for the attacker to gain access to the devices in the network.
Many IoT devices are easy to gain access to since they use weak login credentials by default. Many buyers don’t change these passwords, making their devices extremely vulnerable. Cheap IoT devices usually aren’t very secure even if you change the password and username.
This has caused problems, as compromised IoT devices and routers have been used to build new botnets which are used to carry out Denial of Service attacks. These attacks have gained a lot more power because of the huge increase in the number of devices.
It is recommended to change the default password and to set the settings to the strictest possible in your router and in your IoT devices.
Basic routers are not secure by default
Routers that are commonly provided by ISPs and basic consumer-level routers are highly insecure. They usually have outdated software and firmware. There are also default settings that make the routers easy to compromise, such as the default login credentials mentioned earlier.
As most home users aren’t very tech savvy, it can be hard to understand these settings if you don’t know what they mean. The routers given out by ISPs are usually very simple and cheap. They can be very poorly made and usually have limitations in the settings available; in the worst cases even the password length is restricted.
You should try to avoid the cheapest and “Best Buy” models, as they are the most vulnerable routers there are. If you at any point notice that you aren’t able to change as many settings as you would like, my recommendation is to get a higher-class router, like something used in small businesses.
Routers are commonly overlooked when it comes to internet security. If you only pay attention to securing your computer’s operating system, you are making a huge mistake. If somebody is able to compromise your router, they are able to spy on almost everything you do with your computer. They can also conduct different kinds of attacks, and it will be easier to attack your computer when they are already in control of your router and inside your home network.
Router Configurations
Low-end routers, which are usually cheap, should be avoided. They usually come with a modem, which is a cheap model as well. It is good practice to invest in a better router and use the cheaper modem provided by the ISP. This is an easy way of instantly making your home network more secure.
By purchasing a router that fits your needs, you keep control in your own hands. More settings are usually available than in the router provided by the ISP, depending on what kind of router you bought. There are a few simple properties the router should have: a firewall, NAT and the ability to configure it offline. All new routers should have these.
It is a good practice to shut down the router and modem when they are not in use. You can do this when you are leaving for a vacation, work trip or on a daily basis when you leave your home and don’t need to have internet available at your home.
We have so far covered some basics about routers and their security. Now it’s time to actually implement some basic security measures. If you aren’t familiar with how to access your router settings or what the settings actually change, don’t worry; I will explain everything we do here, so you can easily keep track of every step and know what we just did.
Accessing Router Settings
To do this, you need your router on and your computer connected to the network. You don’t necessarily need an actual internet connection during this setup phase, as we are only changing the router’s settings and only need a connection to the router.
To change the router’s settings, we need to log in to it. This is very easy; you just need to know your home network’s address range. Here are the most common addresses routers use by default.
- 192.168.0.1
- 192.168.1.1
- 10.0.0.1
If you don’t know what address your router has, you can check quickly by trying each of them (type the address into the URL bar of your browser) or look it up in the router’s manual. You can also find it from the command line. Trust me, it’s easier than it sounds.
Windows
- Press the start or Windows icon
- Select the search box or just start typing (depends what version of Windows you have)
- Type “cmd” and hit enter
- In the command prompt, type “ipconfig” and hit enter; you should see a block of text appear
- Look for the IP address next to the text “Default Gateway”
- Copy or memorize the address and continue
You can also find it like this:
- Control panel -> Network and Internet -> View Network Status and Tasks
- Click on the internet connection that is in use
- Click on “Details”
- You can see the router’s IP address next to the “Default Gateway” text
- Copy or memorize the address and continue
MacOS
- Open terminal and run ifconfig
- You will see the interfaces and the addresses
- Look for the “Default Gateway”
- Copy or memorize the address and continue
You can also look the address up from the settings:
- System Preferences -> Network -> TCP/IP Wired or Wireless section
- Copy or memorize the address and continue
Linux
- Open a terminal and run “ip route”
- Locate the text starting with “default via ***.***.***.***”
- That address is your default gateway, meaning that it’s the router’s IP
- Copy or memorize the address and continue
You can also:
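The command-line lookup described above, as an added shell example that is not part of the original article: it reads the default gateway out of routing-table text, assuming "ip route" on Linux and "netstat -nr" on macOS (the sample lines in the comments are constructed).

```shell
#!/bin/sh
# Added example (not from the article): find the router's address, i.e. the default
# gateway, in routing-table output. Assumes "ip route" on Linux and "netstat -nr"
# on macOS; the sample output lines shown in the comments are constructed.

# parse_gateway: read routing-table text on stdin and print the IPv4 default gateway.
parse_gateway() {
  awk '
    # Linux "ip route" line:    default via 192.168.1.1 dev eth0 proto dhcp
    $1 == "default" && $2 == "via" && $3 ~ /^[0-9.]+$/ { print $3; exit }
    # macOS "netstat -nr" line: default   192.168.0.1   UGScg   en0
    # (the IPv6 default line, e.g. fe80::1%en0, contains ":" and is skipped)
    $1 == "default" && $2 ~ /^[0-9.]+$/ { print $2; exit }
  '
}

# find_gateway: pick whichever routing command this machine has, then parse it.
find_gateway() {
  if command -v ip >/dev/null 2>&1; then
    ip route show default 2>/dev/null | parse_gateway
  elif command -v netstat >/dev/null 2>&1; then
    netstat -nr 2>/dev/null | parse_gateway
  fi
}

gw=$(find_gateway)
if [ -n "$gw" ]; then
  echo "Router address: $gw (open http://$gw in your browser to reach the login page)"
fi
```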
When you know the address, type it into the URL bar of the browser and hit enter. You should now see a login screen with username and password fields.
Type the username and password into the correct fields. If you don’t know what they are, you can check the defaults in the router’s manual or on this website: http://www.routerpasswords.com/
If the one provided by that site doesn’t work, you might need to check the side of the router. If you can’t find any username and password combination that works, you can reset your router. Resetting is usually done with a button on the router; refer to the manual that came with the router for more information. Resetting your router resets all the settings made to it, including the login credentials. Disconnect it from the internet before resetting.
Router Settings
There are some settings that very basic routers won’t allow you to change or even have. If you can’t find all the settings listed in the following sections, you should consider investing in a better router.
The advanced settings are for paranoid people who want to do just a bit more to achieve very good security. Non-technical users should stick with the general settings.
To be able to make the changes in the advanced settings you most probably need a router meant for small business use. They can be used as home routers as well, but they are more advanced and have a lot more settings available. This also makes them cost more.
General Router Settings
These are the basic settings that you can check and change if needed to enhance your router’s security and, that way, also your whole network’s security. Follow the list and continue to the advanced router settings section if you feel you want an even more secure home network.
Note: Not all settings might be available to you!
First off, this should be done for every device in the network: change the default username and password to something suitably long and random, at least 14 characters long or as long as the router allows the password to be.
Keep the router firmware up to date at all times for better security. If there is a self-update option available, turn it on. Note that not every router has a way of checking whether a new firmware version is available; in that case check for new firmware on the manufacturer’s website.
Change the Service Set ID (SSID), the name of the network, which often leaks router information. Do not use personally identifying information like the apartment number you live in. Just give it some name you choose, so that you recognize it as your home network.
Do not bother disabling SSID broadcasting since it is very easy to find even when hidden.
Disable Wi-Fi Protected Setup (WPS) because it allows any device to connect to the network with the relevant eight-digit PIN. WPS is insecure and should not be enabled.
Do not use the WEP and WPA standards, which are nowadays cryptographically weak and have known security weaknesses. Use at least the WPA2 standard so only authorized users can use the network.
Use routers that exclusively use WPA2, preferably with the AES cipher (CCMP) and not TKIP, which is less secure. Use WPA3 if available; when you are buying a new router, check whether it is WPA3 compatible.
Enable the “Block WAN Requests” option to stop the router from answering unsolicited requests from outside the home network. This makes the router ignore probing, which makes it harder for the bad guys to even find the device.
Turn off Universal Plug and Play (UPnP); it allows applications to open ports on their own. If you need to open ports for some device, like a gaming console, do it manually. UPnP should not be trusted, as it has been known to open ports for applications requesting them from outside of the network.
Disable NAT-PMP, since it is almost the same as UPnP.
Disable the Home Network Administration Protocol (HNAP); it allows remote management of network devices, which is something you want to avoid. If someone other than you can administer your router, you are screwed.
If port forwarding is necessary, it should be limited to a source IP address and/or source IP address subnet. Make sure all the other ports that are not needed aren’t open.
Disable all other remote-access protocols like ping, Telnet, and SSH. This makes it harder for the bad guys to probe your router and home network.
Firewall ports should be set to “stealth” instead of “closed”. This makes the router silently drop port-scan packets instead of sending any response back.
Turn logging on, if the feature is available. This lets the router record unsolicited incoming connection attempts, attempted logins and so on. Get familiar with the logs and check them every once in a while.
Avoid administrating the router with a smartphone application.
Use Gibson Research Corp.’s Shields Up port-scanning service to test the router for hundreds of common vulnerabilities, most of which can be mitigated by the router’s administrator.
Advanced Router Settings
Do not bind services to the external interface.
Reconfigure the router firewall rules to drop all relevant incoming packets.
Disable the HTTP interface and enable the HTTPS interface instead, preferably on a non-standard port. For example: https://192.168.1.1:82 instead of http://192.168.1.1
If offered, disable cloud-based router management, because it shifts trust to a third party sitting between you and the router.
Do not use mesh router systems that do not permit local administrative access.
Disable remote administrative access and administrative access over Wi-Fi. Allow administrator access only via wired Ethernet connections (not possible with mesh routers).
Limit the number of Dynamic Host Configuration Protocol (DHCP) leases (connections) on the Wi-Fi network to match the number of devices you own.
Enable MAC Filtering so only specific devices may connect to the network.
If you must allow the use of the Wi-Fi network to visitors, set up a guest network that turns itself off after a set period.
Use the 5 GHz band for Wi-Fi instead of the standard 2.4 GHz band (if possible), since the 5 GHz signal does not travel as far.
If possible, schedule Wi-Fi networks to turn off at night, and then turn on in the morning.
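As an added example that is not from this article, the following POSIX shell script audits an OpenWrt-style UCI configuration (OpenWrt is mentioned in the firmware section below) for the weak settings listed in the general and advanced sections above: WEP/WPA/TKIP encryption, WPS enabled, a short passphrase, UPnP enabled, and a WAN zone that answers rather than drops unsolicited packets. The UCI syntax is OpenWrt’s real format; the two sample config files and the section names wifi0, wan and upnp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: audit an OpenWrt-style UCI config for the weak
# settings the checklists warn about. UCI "option name 'value'" syntax is real; the two
# sample files and the section names wifi0 / wan / upnp below are constructed.

# uci_opt FILE SECTION OPTION: print the value of OPTION inside the named section.
uci_opt() {
  awk -v s="$2" -v n="$3" -v q="'" '
    $1 == "config" { nm = $3; gsub(q, "", nm); insec = (nm == s) }   # track current section
    insec && $1 == "option" && $2 == n {
      if (index($0, q)) { v = $0; sub("^[^" q "]*" q, "", v); sub(q ".*$", "", v) } else v = $3
      print v; exit
    }' "$1"
}

# audit_config FILE: print one WEAK line per finding; return 1 if anything was found.
audit_config() {
  f="$1"; bad=0
  enc=$(uci_opt "$f" wifi0 encryption)
  case "$enc" in
    psk2+ccmp|sae|sae-mixed) ;;                       # WPA2 with AES/CCMP, or WPA3
    *) echo "WEAK: encryption='$enc' (WEP, WPA or TKIP; use psk2+ccmp or sae)"; bad=1 ;;
  esac
  [ "$(uci_opt "$f" wifi0 wps_pushbutton)" = "1" ] && { echo "WEAK: WPS enabled"; bad=1; }
  key=$(uci_opt "$f" wifi0 key)
  [ "${#key}" -lt 14 ] && { echo "WEAK: passphrase is ${#key} chars, use 14 or more"; bad=1; }
  [ "$(uci_opt "$f" wan input)" != "DROP" ] && { echo "WEAK: WAN input is not DROP (not stealth)"; bad=1; }
  [ "$(uci_opt "$f" upnp enabled)" = "1" ] && { echo "WEAK: UPnP enabled (apps can open ports)"; bad=1; }
  return "$bad"
}

# Constructed sample 1: the kind of defaults the article warns about.
WEAK_CFG=$(mktemp); cat > "$WEAK_CFG" <<'EOF'
config wifi-iface 'wifi0'
    option encryption 'psk+tkip'
    option key 'password'
    option wps_pushbutton '1'
config zone 'wan'
    option input 'REJECT'
config upnpd 'upnp'
    option enabled '1'
EOF
# Constructed sample 2: the same sections after applying the checklist.
HARD_CFG=$(mktemp); cat > "$HARD_CFG" <<'EOF'
config wifi-iface 'wifi0'
    option encryption 'psk2+ccmp'
    option key 'correct-horse-battery-staple-42'
    option wps_pushbutton '0'
config zone 'wan'
    option input 'DROP'
config upnpd 'upnp'
    option enabled '0'
EOF

echo "== weak config =="; audit_config "$WEAK_CFG" || echo "(fix the settings listed above)"
echo "== hardened config =="; audit_config "$HARD_CFG" && echo "no weak settings found"
```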
Automatic DNS registration and autodiscovery vulnerability
Routers use automatic DNS registration and autodiscovery. This, however, was recently found to be a security issue in some home and small office routers.
This type of attack requires that the attacker has access to the LAN (Local Area Network) and that the router in use is affected by this vulnerability. To avoid being vulnerable, apply all new patches to your router or purchase a router that is not vulnerable to this kind of attack. More information below.
At the time of writing this article, there are only four vendors that are confirmed as not being vulnerable to this type of attack. To view the full up-to-date list of affected and not affected vendors, please see the link provided here.
Security protocols
WEP
Wired Equivalent Privacy (WEP) was introduced in 1997 to provide networks with data confidentiality. In 2003 WEP was superseded by WPA, and in 2004 both WEP-40 and WEP-104 were deprecated. WEP should not be used, since it is old technology with poor security.
WPA
Wi-Fi Protected Access (WPA) is a security protocol that fixed the serious weaknesses of WEP. WPA was intended to be used for just a year before WPA2 was released. WPA is also vulnerable and should not be used.
WPA2
WPA2 is the second Wi-Fi Protected Access protocol and it replaced the WPA protocol. Devices using WPA2 must be certified by the Wi-Fi Alliance to use the Wi-Fi trademark. WPA2 is the most commonly used home network security protocol, as it is still fairly safe to use. However, in 2017 the KRACK attack was published, a severe vulnerability in WPA2.
WPA3
As WPA2 was found to be vulnerable, the Wi-Fi Alliance published the WPA3 security protocol in early 2018. The new WPA3 standard has four new security improvements. These new features can be divided into password improvements and encryption improvements.
The first of the improvements in the new WPA3 standard gives some protection even if the password chosen by the user is weak. This helps protect the network from brute-force attacks, which are a threat to WPA2 networks since there are no login limits. In WPA2 the effectiveness of brute-force attacks can be mitigated by choosing a strong password; this makes the attack very time consuming, depending on the password complexity.
Devices without a display, or with just a limited display, become easier to configure. This improves the security of IoT devices since misconfiguring them becomes harder. Again, this can already be avoided in WPA2 by changing the factory default usernames and passwords to strong ones.
WPA3 users will also be provided with individual data encryption, which makes open networks, such as airport, hotel and coffee shop networks, more secure. The WPA2 mitigation for this is to use a VPN on open networks like the ones mentioned before, to lower the risk of somebody eavesdropping on your traffic in such networks.
The last improvement to WPA3 will be the 192-bit security suite. It will be available for networks with higher security requirements.
KRACK
KRACK (Key Reinstallation Attack) is an exploitable flaw in Wi-Fi Protected Access. Any correct implementation of WPA2 is vulnerable, making the attack a severe threat to WPA2 networks.
Patching and mitigation
These vendors have patched the flaw.
If you are looking to mitigate the threat of KRACK, the easiest way is to patch, and the second easiest is to use a wired network instead of wireless. Mobile devices and tablets are a problem in this respect, but normal home users aren’t the ones facing the highest risk of being targeted with this attack.
There is also a way to mitigate the KRACK attack if no patches are available for your device, but I won’t go through it here as most normal home users don’t need to worry about it. You can google the solution if you want to.
Router Firmware (Advanced)
The most paranoid of us might want to consider flashing the wired/wireless router with an open-source GNU/Linux distribution. OpenWrt and DD-WRT provide router firmware suitable for many wired and wireless routers and other embedded systems.
By using OpenWrt or DD-WRT you get regular firmware updates and a lot more settings, meaning a lot more control over your own device. This is very handy if your old router firmware doesn’t have many settings for controlling the router’s security.
If you are interested in flashing your device with open-source firmware, first make sure that the device is compatible with the firmware. Read through the steps of the flashing process and be sure you understand the whole process before you start. You have to know what you are doing.
Conclusion
Router security is very important, as it helps you secure the other devices in your home network. Poor router security can endanger all the devices in the network.
Buy a better router that has more settings available and is more customizable, or consider flashing your router with open-source firmware.
Use strong passwords and at least WPA2 with AES, or WPA3 if possible. Set the router’s settings to the strictest possible.
Following these simple guidelines, you should be fairly safe.