A basic wireless router can have massive security flaws. Also called SOHO routers (for small office/home office), they can be wide open to hackers even when fresh from the box and fully updated.
How bad are they? Bad enough that one company is holding a contest just to highlight terrible router security.
The contest, SOHOpelessly BROKEN, challenges the hacker community to find new, undisclosed vulnerabilities in 10 popular routers. It will take place next week at DEF CON 22, a hacker event in Las Vegas.
Ready to secure your wireless router? Two approaches are below.
If you must rely on a wireless router to manage and secure your network, then follow these steps to lock it down:
Go to the manufacturer’s website and download the current software for the router. This will patch the disclosed security vulnerabilities that the manufacturer has bothered to address. Regularly check the website for new updates.
Encrypt traffic on the network with WPA2 (do not use WPA or WEP). Make the passphrase at least 10 characters long and use a mix of uppercase, lowercase, numeric, and special characters.
In Windows, the service set identifier (SSID) is the name you will see when the router is listed as an available wireless connection. Change this from the default ID to anything you like.
Filtering which devices may join is best handled by a security device such as AccessEnforcer. But if that is not an option, enable MAC address filtering on the router. Then register each device you want allowed on the network. This will prevent unregistered devices from connecting.
Disable administration over wireless. This will prevent anyone from logging into the router’s administration panel through a wireless connection. Only a machine plugged into the router with an Ethernet cable will be able to log in.
Ideally, you want a real security device to protect your network instead of a flimsy SOHO router. But, if you’re stuck with only basic router security, then enable the firewall. It’s better than nothing.
Some routers have optional wireless connections that allow people to join without a password, giving them internet access without access to other resources like shared drives. Disable this feature.
Every feature enabled on a router is another potential way for hackers to break in. Limit your exposure by shutting off all unnecessary features and services.
By picking a custom IP address range for your local network, you can avoid attacks directed at the millions of wireless routers that use the default settings.
Not all routers have this feature, but if possible, only allow administrative access over encrypted, HTTPS sessions.
Wi-Fi Protected Setup (WPS) provides an easier way to secure and connect to a wireless network. Though widely used on consumer routers, WPS is not secure, so disable it.
Note: You may have trouble disabling WPS. Some routers do not provide an option to disable it, and others have the option but it does not work. This is one of many reasons why you should not depend on a SOHO router for security.
Independent Security Evaluators, sponsor of the hacker contest mentioned above, has two more recommended practices in a related case study:
After logging into a router for administration, always (1) log out and restart the device, and (2) clear browser cookies and active logins.
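The lockdown steps above can be turned into a repeatable audit. The following Python script is an added example, not part of the original article or of any router's own software: it checks a router's settings (represented as a dictionary whose keys are assumptions for this example, since real admin interfaces label these options differently) against each recommendation and reports what still needs fixing.

```python
import ipaddress
import string

# Boolean settings the checklist asks for, with the advice to print when one fails.
# Key names are assumptions for this example, not any real router's configuration schema.
REQUIRED_FLAGS = {
    "wps_enabled": (False, "disable WPS; it is not secure"),
    "wireless_admin_enabled": (False, "disable administration over wireless"),
    "https_admin_only": (True, "allow administrative access only over HTTPS"),
    "firewall_enabled": (True, "enable the firewall"),
    "guest_network_enabled": (False, "disable the open guest network"),
    "mac_filtering_enabled": (True, "enable MAC address filtering"),
}
# LAN ranges many SOHO routers ship with (constructed, not exhaustive).
DEFAULT_LAN_RANGES = [ipaddress.ip_network(n)
                      for n in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def passphrase_ok(pw):
    """At least 10 characters with one of each: upper, lower, digit, special."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(pw) >= 10 and all(any(ch in cls for ch in pw) for cls in classes)


def audit(cfg):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    if cfg.get("encryption") != "WPA2":
        findings.append("use WPA2, not %s" % cfg.get("encryption"))
    if not passphrase_ok(cfg.get("passphrase", "")):
        findings.append("passphrase too weak: need 10+ chars, upper, lower, digit, special")
    if cfg.get("ssid") == cfg.get("factory_ssid"):
        findings.append("SSID is still the factory default")
    for name, (expected, advice) in REQUIRED_FLAGS.items():
        if cfg.get(name) != expected:
            findings.append(advice)
    for svc in cfg.get("optional_services_enabled", []):  # every extra service is exposure
        findings.append("shut off unnecessary service: %s" % svc)
    lan = ipaddress.ip_network(cfg.get("lan_network", "192.168.1.0/24"), strict=False)
    if lan in DEFAULT_LAN_RANGES:
        findings.append("LAN uses a default IP range (%s); pick a custom one" % lan)
    return findings


# Constructed samples: a router fresh from the box, and the same router after lockdown.
FACTORY = {"encryption": "WPA", "passphrase": "password", "ssid": "HOME-1234",
           "factory_ssid": "HOME-1234", "wps_enabled": True, "wireless_admin_enabled": True,
           "https_admin_only": False, "firewall_enabled": False, "guest_network_enabled": True,
           "mac_filtering_enabled": False, "optional_services_enabled": ["upnp", "telnet"],
           "lan_network": "192.168.1.0/24"}
HARDENED = dict(FACTORY, encryption="WPA2", passphrase="Gr3y$quirrel!9", ssid="attic-net",
                wps_enabled=False, wireless_admin_enabled=False, https_admin_only=True,
                firewall_enabled=True, guest_network_enabled=False, mac_filtering_enabled=True,
                optional_services_enabled=[], lan_network="192.168.37.0/24")
```

Running `audit(FACTORY)` lists twelve findings, one per step still outstanding; `audit(HARDENED)` returns an empty list.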
A basic wireless router is not enough to protect your network, so the best approach is to use it as little as possible.
How? Use the router only as a wireless access point. Then use a security device like AccessEnforcer to direct and filter traffic on the network.
With this approach, the router does not “route” traffic. It simply provides a wireless connection and allows a security device to handle the rest. That way you do not depend on spotty router security to protect you.