Breaking News: When will AT&T say anything about the HUGE security flaws in their gateway devices?
This site focuses on the security of routers. Period. If you are interested in faster WiFi, look elsewhere. The site covers configuration
changes to make a router more secure, and picking a router that is more secure out of the box.
Why devote an entire site to router security?
I used to be like you. That is, I would buy a router, it would work fine and I would ignore it for years. But, anyone who follows tech news has no
doubt heard of assorted router flaws. After some huge flaws, affecting millions of routers, caught my attention, I started following
the topic more closely. As a Defensive Computing guy, I eventually realized that I needed to upgrade my
own router security and get more up to speed on the topic.
Non-techies can start at the Introduction to Routers page, which discusses what a router is conceptually, describes
the hardware and the many ways to communicate with a router.
The list of configuration changes to increase router security is far from complete. The topic on selecting a secure router is complete, as is the
checklist page which lists the security features to look for when buying a router. The
router bugs page will never be complete, but that's not the point. It exists to back up my argument: don't buy a consumer router.
I spoke on Securing a Home Router at the
HOPE conference in July 2014. This website is planned to contain all the information in that presentation
and be kept up to date with new developments. It's a work in progress. A PDF of my HOPE presentation is available
at box.net (last updated Oct. 4, 2014). Audio is available
at x.hope.net (thanks to 2600). An article about the talk appeared in Tom's Guide.
I will again be speaking about Router Security, this time at the upcoming O'Reilly Security Conference in
New York City at the midtown Hilton Hotel in Manhattan. The conference runs from Oct. 30 - Nov. 1, 2017. No exact date/time yet for
Router security may be a dull and boring topic, but it's important. For more, see what can happen if your router gets hacked.
This site has NO ADS. If you see ads, either your browser, computer or router is infected with adware.
Picking a Router
The first step towards a secure router is choosing a router.
Many people use the device given them by their Internet Service Provider (ISP) which I think is a bad idea for a
number of reasons.
The next decision is buying a consumer router or a business class device. Don't buy a consumer router.
I am not alone in pointing out the sad state of router software/firmware.
Which router do I recommend? The Pepwave Surf SOHO router from Peplink. My only
relationship with Peplink is that of a customer.
How secure can a router get? Only as secure as its included features allow; the most expert person in the world cannot make a router more secure than its features permit. For a list of router security features see my Security Checklist.
Finally, some thoughts on Apple routers and Google Wifi and OnHub routers and mesh routers.
Secure Router Configuration - Start With This
When complete, this site will list dozens of tweaks to make a router more secure. But, at the least, make these changes:
- Change the password used to access the router. Anything but the default should be OK, but don't use a word in the dictionary.
- Turn off WPS
- Wi-Fi encryption should be WPA2 with AES and your Wi-Fi password should be at least 14 characters long
- Turn off UPnP and NAT-PMP to protect both yourself and the rest of the Internet. For more see the Turn
Off Stuff page.
- Be smart about choosing an SSID (network name)
- Use a password protected Guest Network whenever possible, not just for guests but for IoT devices too.
- Periodically check the DNS servers being used by the router. They should either belong to your ISP or be the ones you manually configured. If not, your router was probably hacked. One site that displays your current DNS servers is www.perfect-privacy.com/dns-leaktest.
- Test Your Router for open ports using some online testers
- Periodically update the router firmware
- Eat your vegetables
Secure Router Configuration in Detail
- Suggestions for setting up a new router. Perhaps the most important thing to do is a full scan of the WAN/Internet side using NMAP looking for open TCP and UDP ports. This is best done by connecting a new router to an existing one and scanning it from a LAN side computer.
- Set a good router password (not the WiFi password). Never use the default password. Don't use a word in the dictionary. If you must use a common word or name, at least precede it with a number (e.g. 3BabeRuth). If your router also lets you change the user ID (few do), then change it too.
- Turn off WPS (added March 2017)
- Selecting an unpopular range of IP addresses helps prevent many router attacks
- Don't let DHCP give out the full range of available IP addresses. Reserve some for static assignment.
- Turning off features you are not using reduces the attack surface. Among features that should probably be disabled are Remote Administration (aka Remote Management, Remote GUI or Web Access from WAN), SNMP, UPnP, NAT-PMP, etc. etc.
- If any of your Wi-Fi networks (a router can create more than one) use a default SSID (network name) then change it. Do not pick a name that makes it obvious
that the network belongs to you. More...
- There is more to encryption than just choosing WPA2. To begin with, use AES, not TKIP. Also, Wi-Fi passwords need to be long enough to stall brute force attacks. Opinions on the minimum password length differ; my best guess is that 14 characters should be sufficient. A totally random password is not necessary: "999yellowTULIPS" is both long enough and easy to remember.
- Lock down access to the router from the LAN side. The Security Checklist page offers a dozen possible options (see the Local Administration topic)
- If you need Remote Administration, there are a number of ways to make it more secure. See the Security Checklist page for more.
- The router operating system is referred to as "firmware" and like all operating systems it needs to be updated
periodically. Some routers, such as Google Wifi, Eero, Synology, Orbi, Luma and Velop, can self-update. I have a list of those I know about on the Resources page. That said, router self-updating can be done well or not. If your router does not self-update, then register it with the hardware manufacturer on the chance that they notify you of firmware updates. Netgear, for example, has a security newsletter that announces bug fixes. If you are on your own, at least set a reminder, somehow, to check for new updates every month or so. The procedure for checking varies by manufacturer. That said, not all firmware updates are good. Netgear, for example, introduced some analytics with updates in April 2017. If you didn't want them watching your network, you needed to log in to the router and disable the new analytics.
- Guest networks are your best friend. Use them not only for visitors but also for IoT devices. They should be protected with a unique password that is at least 14 characters long. Guest networks are usually isolated from the main network. Review all the configuration options your router offers for the Guest network. The Security Checklist page has a list of options you might find. Turn off any sharing.
- The Ubiquiti AmpliFi mesh router defaults to using the same password for Wi-Fi and administering the router system. Regardless of the router being used, don't do this; each function should have its own password. Likewise, all guest networks should be password protected. Too many passwords? Write them down on a piece of paper and tape them to the router, face down.
- A common router attack changes the DNS servers. This is extremely dangerous and normally invisible. Fortunately, many websites can display your current DNS servers and I have a list of them on the Test Your Router page. Your DNS servers should either belong to your ISP or be the ones you manually configured in the router. If not, the router was probably hacked. VPN provider Perfect Privacy offers a thorough display of detected DNS servers at www.perfect-privacy.com/dns-leaktest/. Other sites include dnsleaktest.com and whoer.net. Consider making one of them your web browser's home page to ensure that you check it periodically.
- Turn off Ping reply. Different routers use different terminology for this, but it's easily tested: just ping your public IP address from the Internet.
- Turn off wireless networks when not in use. Some routers let you schedule this, others have a physical Wi-Fi on/off button, others have a mobile app. In the worst case, you have to log in to the router web interface to disable the Wi-Fi. In that case, a browser bookmark can ease the pain.
- The Test Your Router page has many ways to kick the tires on your router. One thing to look for is open ports. At Steve Gibson's ShieldsUP! site (click the gray Proceed button), start with the Common Ports test and pay special attention to the SSH (22) and Telnet (23) ports as these services are frequently abused by bad guys. The only good status for any port is Stealth (assuming remote administration is disabled). Next, do the All Service Ports test and finally, do the Instant UPnP Exposure Test (orange button).
- Test if your router supports HNAP, hopefully it does not
- More to come ...........
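An added example, not code from this site, of the open-port check described in the list above (SSH, Telnet and the web management ports), meant to be run from a LAN-side computer against a second router's WAN address the way the setup item suggests. It reports the same three states ShieldsUP does, where "stealth" is the only good one; it is a TCP connect scan only, so for UDP use nmap as the page says. The default target address is a placeholder.

```python
import socket

# Ports the page singles out: SSH and Telnet, plus the usual web admin ports.
DEFAULT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

def probe_tcp(host, port, timeout=2.0):
    """Connect-scan one TCP port and return 'open', 'closed' or 'stealth'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # something is listening on the WAN side
    except ConnectionRefusedError:
        return "closed"          # router sent a RST: it exists, nothing listens
    except (socket.timeout, OSError):
        return "stealth"         # no reply at all: the probe was dropped
    finally:
        s.close()

def scan(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Probe every port in `ports` and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}

def findings(results, remote_admin_enabled=False, ports=DEFAULT_PORTS):
    """Turn scan results into a list of things to fix (pure function, no network)."""
    out = []
    for port, state in sorted(results.items()):
        name = ports.get(port, "tcp")
        if state == "open":
            if port in (22, 23):
                out.append(f"{port}/{name} is open: turn it off unless you need it")
            elif not remote_admin_enabled:
                out.append(f"{port}/{name} is open but remote administration is off")
        elif state == "closed":
            out.append(f"{port}/{name} is closed, not stealth: the router answers probes")
    return out

if __name__ == "__main__":
    import sys
    # Placeholder: the WAN address the new router got from the existing router's DHCP.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"
    results = scan(target)
    for port, state in sorted(results.items()):
        print(f"{port:>5}/{DEFAULT_PORTS.get(port, 'tcp'):<7} {state}")
    for line in findings(results):
        print("FIX:", line)
```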
When you are all done making configuration changes to a router, it is a good idea to back them up. Routers normally can export a file with the
current settings. On a Pepwave Surf SOHO router, go to the System section, click on Configuration, then click the Download button to Download Active Configurations. With a TP-LINK Archer C8, go to the Advanced
tab, click on System Tools, then on Backup and Restore, then the Backup button.