A basic wireless router can have massive security flaws. Also called SOHO routers (for small office, home office), they can be wide open for hackers even when fresh from the box and updated.
How bad are they? Bad enough that one company is holding a contest just to highlight terrible router security.
The contest, SOHOpelessly BROKEN, challenges the hacker community to find new, undisclosed vulnerabilities in 10 popular routers. It will take place next week at DEF CON 22, a hacker event in Las Vegas.
Ready to secure your wireless router? Two approaches are below.
Steps to improve router security
If you must rely on a wireless router to manage and secure your network, then follow these steps to lock it down:
1. Update the firmware
Go to the manufacturer’s website and download the current software for the router. This will patch the disclosed security vulnerabilities that the manufacturer has bothered to address. Regularly check the website for new updates.
2. Require a password
Encrypt traffic on the network with WPA2 (do not use WPA or WEP). Make the password at least 10 characters long and use a mix of uppercase, lower case, numeric, and special characters.
3. Change the SSID
In Windows, the service set identifier (SSID) is the name you will see when the router is listed as an available wireless connection. Change this from the default ID to anything you like.
4. Enable MAC address filtering
This is a feature best handled by a security device such as AccessEnforcer. But if that is not an option, enable MAC address filtering on the router. Then register each device you want allowed on the network. This will prevent other devices from connecting.
5. Disable remote administration
This will prevent anyone from logging into the router’s administration panel through a wireless connection. Only a machine plugged into the router with an ethernet cable will be able to log in.
6. Enable router firewall
Ideally, you want a real security device to protect your network instead of flimsy SOHO router. But, if you’re stuck with only basic router security, then enable the firewall. It’s better than nothing.
7. Disable all guest networks
Some routers have optional wireless connections that allow people to join without a password, giving them internet access without access to other resources like shared drives. Disable this feature.
8. Disable all other services, such FTP, that you do not use
Every feature enabled on a router is another potential way for hackers to break in. Limit your exposure by shutting off all unnecessary features and services.
9. Change the default IP address range
By picking a custom IP address range, you can avoid attacks directed at the millions of wireless routers that use the default settings.
10. Enable HTTPS for administrative connections
Not all routers have this feature, but if possible, only allow administrative access over encrypted, HTTPS sessions.
11. Disable WPS
Wi-Fi Protected Setup (WPS) provides an easier way to secure and connect to a wireless network. Though widely used on consumer routers, WPS is not secure, so disable it.
Note: You may have trouble disabling WPS. Some routers do not provide an option to disable it, and others have the option but it does not work. This is one of many reasons why you should not depend on a SOHO router for security.
Independent Security Evaluators, sponsor of the hacker contest mentioned above, has two more recommended practices in a related case study:
After logging into a router for administration, always (1) Log out and restart the device, and (2) Clear browser cookies and active logins.
Better Approach: Do not rely on router security
A basic wireless router is not enough to protect your network, so the best approach is to use it as little as possible.
How? Use the router only as a wireless access point. Then use a security device like AccessEnforcer to direct and filter traffic on the network.
With this approach, the router does not “route” traffic. It simply provides a wireless connection and allows a security device to handle the rest. That way you do not depend on spotty router security to protect you.