Router security is not enough to protect your network from attacks. Basic wireless routers, often called SOHO routers for small office/home office, are cheap devices with a dismal security record.
Here are six reasons why you do not want a SOHO router to protect your network:
Independent Security Evaluators analyzed 13 popular routers last year and found that all 13 had security vulnerabilities, many of them critical.
Below is a chart of the 13 routers and the types of attacks that could crack them (source: ISE’s report). Any of the brands look familiar?
Fed up with the sad state of wireless router security, ISE sponsored a hacking contest this week at DEF CON 22. Called SOHOpelessly BROKEN, the contest awards prizes to hackers who can discover new vulnerabilities in 10 popular SOHO routers.
The organizers hope the contest “sheds light on the need for manufacturers to better secure these devices.”
A basic wireless router can have an absurd number of security flaws out of the box. That’s why it’s important to update the device’s firmware before using it.
Unfortunately, even if people update the device at deployment, many of them never bother to update it again. Even if they use the device for five years, every security flaw discovered over that time goes unfixed – even if the manufacturer issued a patch for it.
That’s why the manual update process for wireless routers is a security issue. Users should not have to check for updates, download them, and apply them manually. When the manufacturer finds a vulnerability, it should be fixed automatically. Otherwise, it’s not going to be fixed.
New vulnerabilities are discovered in SOHO router security all the time, but some are exceptionally bad. One of the most egregious is the widespread problem created by Wi-Fi Protected Setup (WPS).
WPS was intended to make things easier for users. The network security standard made it simple to create a secure wireless network.
However, WPS also made things easier for hackers. The standard’s security PIN is easy to crack with tools that are freely available. This massive gap in router security can allow attackers to obtain the WPA password and seize control.
A router translates information between your network and another network (the internet). That is its purpose, and it will fulfill that purpose for years to come.
But a router is not a security device. Manufacturers have little incentive to patch newly discovered security vulnerabilities after the router is a few years old. They would rather you buy a new one.
When you depend on a device to secure your network, you want to know that it will remain patched and updated for years to come. That’s why you should depend on a device that focuses on security and not a $30 router.
Competition in the SOHO router market is fierce. Prices are dirt cheap. One of the only ways to stand out is to add features.
However, as we’ve seen, SOHO routers do not have reliable security. Every new feature is potentially a new way for hackers to break in and take over.
That’s why, when you want to secure your wireless router, you should consider getting a simple access point instead. This will limit the attack surface of the cheaper device. Then you can use a more advanced security device to direct network traffic.
Routers often come with a default username and password such as “admin”. Many people do not change these settings, which makes it deplorably easy for attackers to guess their passwords.
Even if changed, a factory reset will often restore the router’s defaults. Our recommendation: get a device that doesn’t use default passwords.