Securing Home Routers – Keeping Your Data Safe

Routers are apart of everyday life. Anyone with an active home internet connection has one. It keeps a constant connection to the internet, it allows more then 1 computer to share the same internet connection, it blocks out bad traffic from entering your network, and can perform more sophisticated tasks; share files via FTP over the network and to the wider internet for example.
Your router is filled to the brim with technology but not all of it is safe, even though it might be helpful. Simply buying a router and connecting it up is not enough; like any device, it needs updates and maintenance to have it running well and safely.

All routers are different and it helps to log into your routers settings and familiarize yourself with the options available to you. Not everything you see will be apparent as to what they do so it’s worth noting these down and doing a bit of research yourself.
Additionally a general rule of thumb; if your not using a specific service or option in your router, disable it!


Keep Your Firmware Updated Regularly

New firmware is important

Regular firmware updates can help plug security holes, fix bugs and keep your router running smoothly. Some ISP’s push updates to your router when they become available but alot of third party routers need to be updated manually. Make sure you read the documentation of the new firmware carefully and only download the firmware from only the manufacturers website. Follow the manufacturers instructions carefully whilst upgrading the firmware and always triple check that the firmware is for your exact router hardware; wrongly selected firmware can block your router and stop it from working, completely rendering it useless. I can not be held accountable for your mistakes/damages/outages!

Edit: If your router is issued by your ISP, it may differ in some ways from the manufacturers model on their site (even though it’s the same model number). It’s worth getting in touch with your ISP.
Secondly: A firmware update will wipe your current configuration data, so make a backup of current configuration files and also make written note of your ADSL username and password before you upgrade or make changes. If you do not have your ADSL logon details to hand, do not proceed! You will not be able to connect to the internet without these!
Again, I cannot be held responsible for any damages or outages you may incur.

Router Login – Default Router Username and Password

Change your default credentials!

The first step to securing your router is to immediately change your default username and password.
Ideally you want to change both of these credentials but I know some routers (especially those provided by ISP’s), will let you only change the password.
I would pick a password specifically for the use of the router and not one that is being used for anything else. A mixture of uppercase and lowercase, numbers and symbols. The longer you make it, the harder it is to be brute-forced open.
Write your new details down carefully and keep them safe;  you won’t be using the password too often; you don’t really need to remember it.

Reason: Many crackers know that a lot of the default credentials are never changed, so they can try Username: Admin, Password: Admin and have an easy time sending over Mirai Infection (https://en.wikipedia.org/), redirecting all of your traffic to a malicious server to snoop on your activity or to simply gain access to your network and cause havoc.

Router Login – Close Remote Management Access

Disallow foreign admins

Remote management allows connections from outside your internal network (internet) to connect to your router and access it’s settings.
This needs to be disabled. You may have to tick a box or blank out an IP address. Always read the tooltips


WiFi – WPS

Disable your WPS button; its handy for quickly connecting devices but it is by design, unsafe to use.
The WPS pin is apparently easily crackable. Note that you may have to disable this feature on both 2.4ghz and 5ghz networks individually if you have are lucky enough to have both bands.

WiFi – Guest Network

Disable your guest network if you are not going to use it. Some routers can isolate your guest network from your ‘normal’ network to allow ‘untrusted’ people or devices to gain internet access. (Great for small businesses or busy households)
With this enabled, you open up your internet connection to anyone to use, however they like, especially if there’s no isolation switch in the settings. You also create another attack surface to a WiFi miscreant.

WiFi – Wireless Authentication and Encryption

Never use WEP or WPA to authenticate or encrypt wireless traffic. They are both weak encryption systems and can be easily cracked to gain access to your wireless traffic and network.
Use WPA2 AES with strong, long passwords. If your only options are WEP or WPA, consider replacing the router for one with WPA2. It’s also worth noting that you may have to choose these options for both 2.4ghz and 5ghz bands individually.


Security – uPnP

Universal plug and play (or uPnP for short) sounds great on paper but in the real world this is a major security risk.
With this enabled, it allows applications and devices to ask the router to open ports. In some cases, uPnP can be requested to open ports from the internet side too. There’s known malware to take advantage of this system and actually open ports on your router, to send collected data from your computer elsewhere and allow data to flow in.
Disabling uPnP lowers the accessibility good and bad programs may have over your network. If you need a specific port opened, you are better to set up Port Triggering or Forwarding rules.

Security – Firewall

Having a firewall will help to filter bad traffic from good traffic. Enable Stateful Packet Inspection (SPI) to help eliminate bad incoming traffic and as with uPnP, bad traffic exiting your network.

Your firewall may also include preset filters, for example VPN Services and Windows’ Service passthrough. If you don’t use those specific services, disable the filters.

Security – DMZ

DMZ (Demilitarized Zone) will allow you to specify a single IP address or host to completely by-pass all the security on your router.
In short, this means that any firewalls or port blocking features that you have turned on, will be turned off for the allocated machine.
You will more commonly see game console users applying this feature to their consoles, in order to get better connectivity and latency to their online games and may also solve NAT (Network Address Translation) issues.
Never use DMZ on a home router. If that DMZ host gets compromised, it could compromise the rest of your network too. If NAT is causing you a massive issue, it might worth finding an optimized ‘gaming’ router.


Other Services

You may find that your router has USB connectivity. As technology progresses, some functions that you may have used a separate computer for; File Server or NAS (Network Attached Storage), can now be built into your router. Very handy to share files over the network. You may even have a print server function or a function that allows you to make your attached hard-drive as the source for a public internet FTP server.

These functions may be secured internally, but unless your router specifically states that you can use these services over the internet via secured encryption (FTPS for example), steer well clear. If so, do not make your FTP public! If you are not considering to use any of those functions mentioned, disable them.
Another real scenario; if someone did manage to get into your WiFi, or you allowed a friend join the network, they will have access to your USB storage on your router. Never keep sensitive information on an easily accessible, unauthenticated, unencrypted devices!

Save Your Routers’ Configuration Files

Once you have your router set up to how you like, don’t forget to save your configuration data! If you update the firmware or perform a hard reset, you will probably lose all of the settings. Keeping an up to date backup of your settings will become essential for quick network recovery and stops you from forgetting to close down vulnerabilities whilst rushing to get your network back!


Summary

Network security is a minefield and undertaking some simple tasks, can help keep your network and your data safe. With technology constantly changing and moving forward, it can feel like a bit of an impossible task, but learning or researching about the concepts behind some of these technologies can make it a little bit easier. By the time of writing WPA2 is considered safe… but how long until it’s not!(.. . )

The general idea is to give attackers the least amount ‘surface area’ to poke at. By disabling some vulnerable functions like uPnP and changing default passwords, will give someone less methods to use.

This guide is not the be all and end all, but it’s a start. Take time to look at your router and research it’s capabilities. Your data is ultimately, in your hands.

The images and examples are taken from a TP-Link Archer V2 AC-750 Router.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.