This site focuses on the security of routers. This includes both configuration changes to make a router more secure, and, picking a router that is more secure out of the box. If you are interested in faster WiFi, there is one page on extending the range of a Wi-Fi network.
To be clear, this site is about ROUTER security, not ROUTING security. There is nothing here about MANRS (Mutually Agreed Norms for Routing Security).
See the recent updates to this site.
Why Router Security
Why devote an entire site to router security?
I used to be like you. That is, I would buy a router, it would work fine and I would ignore it for years. However, after some huge router flaws,
affecting millions of routers, caught my attention, I started following
the topic more closely. As a Defensive Computing guy, I eventually realized that I needed to upgrade my own router security and get more up to speed on the topic. After all, if a router gets infected with malware, or re-configured in a malicious way, most people would never know. There is no anti-virus software for routers.
I am not alone in pointing out the sad state of router software/firmware.
Router security may be a dull and boring topic, but it's important. For proof, see what can happen if your router gets hacked.
For the latest on routers, see the Routers in the news page.
Non-techies can start at the Introduction to Routers page, which discusses what a router is conceptually, then describes the hardware and the many ways to communicate with a router. There is also a page on Access Points and
an overview of Extending the Range of a WiFi network.
This site has NO ADS. If you see ads, either your browser, computer or router is infected with adware. It also does not use Google Analytics or any third party analytics. In fact, it doesn't use any third part scripts/software of any kind. The search feature uses DuckDuckGo, but does not load any scripts.
Secure Router Configuration - the SHORT list top
This relatively short list of configuration tweaks can greatly increase the security of any router.
- Change the password used to access the router. Anything but the default should be OK, but don't use a word in the dictionary. More...
- If your Wi-Fi network(s) is using the default password, change it, even if it appears to be random. A Wi-Fi password should be at least 16 characters long. More...
- If you are using a default WiFi network name (SSID) change it. When choosing network names, don't identify yourself. More...
- Wi-Fi encryption should be WPA2 (with AES, not TKIP) or WPA3 or both. More...
- Turn off WPS More...
- Turn off UPnP
- Use a password protected Guest Network whenever possible, not just for guests but for IoT devices too.
- If the router has a web interface, Remote Administration is probably off, but since this is so very dangerous, take the time to verify that it is disabled. If the router is administered with a mobile app and a cloud service, disabling remote access to the router is unchartered territory. Lotsa luck.
- Port forwarding is an opened door (technically an open TCP/IP port). Poke around the router configuration to make sure there is no port forwarding going on. There is a small chance that something on your network needs a port to be forwarded, but every forwarded port is a security risk.
- For years, turning off IPv6 (IP version 6) was on the long list below, but as of August 2021, I think it belongs here on the short list too. Very very few people need it and in 2021 it was disclosed that there is a possible security issue with it. If the router can not disable IPv6, the NSA recommended (Feb. 2023) to
"ensure your router supports IPv6 firewall capabilities."
- Periodically check for new firmware. At some point you will go a year or two, or more, without any updates. That's when it is time for a new router.
Secure Router Configuration - the FULL list top
For the techies amongst us, the list below is as comprehensive as I can make it. Perhaps a spy agency would be the only one to implement everything on the list. Pick and chose, and implement as many as you can.
- If the router is new, see my suggestions for setting up a new router. Basic plan: make the most obvious few changes with the router off-line, go online behind another router to get the latest firmware, then make the rest of the changes.
- Change the password used to access the router (this is not a WiFi password). Don't use a word in the dictionary. Two words and a number should be fine (7coldapples). For more, see my router password advice. This is often the hardest step as it requires knowing how to access the router.
- If the router lets you change the userid used to logon to the router, change it
- If any of your Wi-Fi networks (a router can create more than one) use a default SSID (network name) then change it. Do not pick a name that makes it obvious that the network belongs to you. More...
- For Wi-Fi encryption, use WPA2 with AES or WPA3. If there is a choice to use TKIP or AES, opt for AES. There may also be an option to use both TKIP and AES - just use AES. Wi-Fi encryption will improve with WPA3 but WPA2 with AES is perfectly secure as long the password is long (next topic). If you see a reference to PSK that refers to the most common flavor of WPA2, which has a single password for the network. WPA2 Enterprise is the other flavor and it supports multiple users of a single network each with their own password.
- Wi-Fi passwords: Never use the default Wi-Fi password, even if it is long and random. Always change it/them. WPA2 passwords have to be long enough to fend off brute force attacks. This will not be an issue with WPA3. My best guess is that 16 characters should be sufficient, but the German government recommends 20. And, you really should not use a password anyone has ever used before.
- Check for new firmware. There are no standards here, every router has a different procedure. With most routers this will be an ongoing manual check, however, some are able to update themselves. Be aware of the risk; if something goes wrong you may lose Internet access. Best to do it at a time when your ISP has offices that are open, so the box can be exchanged, if necessary. For more, see the firmware updates page. Many routers no longer get firmware/software updates. If the last update for yours was a couple years ago, it is time for a new router.
- Turn off WPS
- Turn off UPnP.
UPnP is a protocol that lets devices on a LAN punch holes in the firewall of the router. This exposes these devices to the Internet at large where, if they are vulnerable, they can be hacked. Technically, UPnP enables port forwarding without the router owner even knowing what port forwarding is. You are safer with UPnP disabled. To see if your router is doing any Port Forwarding, you can login to the router. No forwarding of ports is the safe, secure state. That said, there is a chance that disabling UPnP will break some network communication used by a device on your network, most likely an IoT device. This is why it is enabled by default on all consumer routers - to cut down on tech support calls.
But this is only half the story.
We also need to worry about UPnP on the WAN/Internet side of the router. UPnP was intended to only work on the LAN side of a router, but some routers are so miserably mis-configured that they expose UPnP on the WAN/Internet side too. This is a huge, mistake, akin to a surgeon amputating the wrong leg. Fortunately, there is an online test, from Steve Gibson, that checks the public side of a router for the existence of UPnP exposed to the Internet. On the first page, of his ShieldsUP! service, click on the gray Proceed button. On the next page, click on the yellow/orange button for GRC's Instant UPnP Exposure Test. As of June 2018, Gibson had found 54,000 routers exposing UPnP. For more, read about hacks via UPnP: Hacker Streaming PewDiePie Videos on Exposed Chromecast Devices (Jan. 2019) and for techies: Do You Know Where Your UPnP Is? (Oct. 2016).
- Guest networks (SSIDs) are your best friend. Use them not only for visitors but also for IoT devices. Guest networks should be password protected. Guest networks are usually, but not always, isolated from the main network. Review all the configuration options your router offers for the Guest network to insure they are isolated. The Security Checklist page has a list of options you might find.
- Network Isolation/segmentation: Guest networks are merely an appetizer, using VLANs for isolating groups of devices on the network is the main course. The idea is to prevent a single hacked device from causing grief for other devices on your network. How many groups (VLANs) to create is a matter of opinion. In February 2023, the US National Security Agency issued Best Practices for Securing Your Home
Network which said "At a minimum, your wireless network should be segmented between your primary Wi-Fi, guest Wi-Fi, and IoT network. This segmentation keeps
less secure devices from directly communicating with your more secure devices." Their focus on wireless was a mistake, the VLAN concept applies equally to Ethernet-connected devices. They also don't go far enough, as they don't address the issue of whether devices in a VLAN can see each other. See the VLAN page for more. Much more.
- In the beginning, routers were administered via a web interface and a computer in your home/office. Now, many routers offer Remote Administration via a cloud service and a smartphone app. Management via a mobile app can be especially dangerous as it is likely to work from anywhere. Test this when away from home or by connecting your mobile device to the 4G/LTE network of your cellphone provider. If an app on your phone can get into the router remotely (when not connected to a Wi-Fi network from the router), then you are trusting every employee of the router vendor not to spy on you. Disable this if you can. This is a big issue to me, so much so, that I might replace a router if remote cloud/app access can not be disabled. My preferred router vendor, Peplink, has a cloud-based admin system called InControl2, however it can be easily disabled and the router can be completely administered locally.
- If the router has a web interface, turn off Remote Administration (aka Remote Management, Remote GUI or Web Access from WAN). It is normally OFF by default, but take the time to verify this.
If you need Remote Administration, there are a number of ways to make it more secure, such as using HTTPS on a non-standard port and limiting the source IP address. The Security Checklist page has more on this.
- Turning off features you are not using reduces your attack surface. Among the features that should probably be disabled are SNMP, NAT-PMP, IPv6, Telnet access to the router and Application Layer Gateways (ALG). A longer list is on the Turn off page.
- Change the LAN side IP address of the router. Even better, change the entire LAN side subnet. See the page on IP Addresses for more. This helps prevent many router attacks. And, while you are at it, set up DHCP to allow for some static IP addresses.
- Chose a DNS provider: DNS is a security issue, but not for the router itself. Instead, it applies to the devices that connect to the router. If you are not familiar with DNS, the Test Your DNS Servers page starts with an introduction. By default, your router and your devices will use a DNS service from your ISP. This is the worst possible choice. There are many DNS providers to choose from, both free and paid. I have some suggestions on the DNS Providers page. DNS providers offer assorted services: privacy, malware blocking, porn blocking, ad blocking and/or tracker blocking.
- Chose a DNS protocol: While all routers support the old, insecure flavor of DNS, some routers also support the new, encrypted version. Old DNS does not use encryption, making it very easy for an ISP to spy on your activity. Both of the two newer methods of communication (DoH and DoT) use encryption and thus prevent the ISP from seeing DNS requests and responses. Old DNS is specified with IP v4 addresses (normally two of them). New DNS is typically specified with a server name. All of the DNS providers on the DNS Providers page support both DoH and DoT. On Peplink routers running firmware 8.2 secure DNS is configured on the Network tab -> WAN -> DNS over HTTPS. Built into the router is support for Cloudflare, Quad9, Google DNS and OpenDNS. The Custom URL option can be used for NextDNS.
- If a Wi-Fi network is using WPA2 and the router offers an option for protecting management frames, turn it on. WPA3 requires this option to always be enabled so a Wi-Fi network using WPA3 will probably not have an option for protecting management frames.
- Write down the critical information on a piece of paper and tape it to the router, face down. Include the Wi-Fi network names (SSIDs) and passwords, the router userid/password and the IP address of the router.
- For routers with a web interface, lock down access to the router from the LAN side. The Security Checklist page offers a dozen possible options (see the Local Administration topic) such as changing the port number(s) and limiting access by IP or MAC address. For routers that use a mobile app for administration, think about locking down access to the mobile app (this may require signing out).
- Turn off Ping reply. Sadly, different routers use different terminology for this. To test it, have someone ping your public IP address from outside your network. Steve Gibson's ShieldsUP! service also tests this.
- Turn off wireless networks when not in use. Some routers let you schedule this, others have a physical Wi-Fi on/off button, others have a mobile app. In the worst case, you have to login in to the router web interface to disable the Wi-Fi. In that case, a browser bookmark can ease the pain.
- Test if your router supports HNAP. If so, it should be replaced.
- Your modem is a computer too. Your router may be able to block access to the modem from all devices on the LAN. I blogged about this. See part 1 and part 2.
- If your router supports outgoing firewall rules, block the ports used by Windows file sharing. You may also want to prevent any network printers from making any outbound connections. This way if a printer gets hacked, it can't phone home.
- If the router can send email when certain errors occur, configure this feature.
- Try to prevent your router from spying on you. If you own a Netgear router, be aware that they added "analytics" with firmware updates released in April 2017. If you don't want Netgear watching your network, you need to login to the router and disable these analytics. For more on this, see the Bugs page for July 2017. Likewise, Asus and other routers include anti-malware software that may also be watching you. For more on Asus and their partnership with Trend Micro see the Bugs page from May 2017 and look for "Privacy issues with Trend Micro software in Asus routers" Trend Micro software is in other routers too and other anti-virus companies are also partnering with router vendors.
- The Test Your Router page has many ways to kick the tires on your router. One thing to look for is open ports. At Steve Gibson's ShieldsUP! site (click the gray Proceed button), start with the Common Ports test and pay special attention to the SSH (22) and Telnet (23) ports as these services are frequently abused by bad guys. The only good status for any port is Stealth (assuming remote administration is disabled). Next, do the All Service Ports test and finally, do the Instant UPnP Exposure Test (orange button).
- Test your router with my Shodan Query My Router page. It generates a Shodan query, a Censys.io query and nine other queries of your public IP address. If your router has been doing bad things, hopefully one of the queried sites will have detected it.
- The router tests mentioned above are only a partial solution. For the most thorough test, connect the WAN port of a router to be tested (inside router) to a LAN port on another router (outside router). Then, from a computer connected to the outside router, scan the WAN side of the inside router using NMAP looking for open ports. This lets you test all 65,535 TCP ports and all 65,535 UDP ports. There should be no open ports. Remote administration will require an open port but it should, normally, be disabled.
- Speaking of nmap, it is also useful to run it on the LAN side of the router. There should be one port open for local administration, assuming the router has a web interface. The hard part will be getting the router manufacturer to explain any other open ports. One reason I like Peplink is that getting an answer to this sort of thing is easy. When someone found port 8183 open on the LAN side the company explained why. In 2019, I blogged about a Netgear router that was still somewhat operational for UPnP, even when UPnP was disabled. The smoking gun was two open LAN side ports. (added Sept 8, 2020)
- MAC Address Filtering: A MAC address is a unique identifier assigned to every network interface. A router typically has three, one for the WAN/Internet port, one for LAN side Ethernet and another for Wi-Fi. A laptop computer will have one MAC address for Wi-Fi and, if it has an Ethernet port, a different MAC address for Ethernet. This option can be used to limit the devices that can connect to a Wi-Fi network (or maybe all Wi-Fi networks depending on the router). You can either set up an INCLUDE list of allowed MAC addresses or an EXCLUDE list of banned ones. The bookkeeping involved in maintaining these lists can be a pain in the neck. Perhaps the most interesting aspect of this is how much it tells you about someone making a recommendation. People who do not understand the technology recommend using it, unaware of a flaw. People with an intimate understanding of how it works, say not to use it because of the flaw. MAC addresses are always broadcast unencrypted, so a bad guy can see the allowed ones and copy them. Should you use it? It depends. While the security is far from perfect, it should block unsophisticated attackers, even if they know the Wi-Fi password. And, if you only have a small number of Wi-Fi devices, then the bookkeeping is not that bad. But, it can be hard to learn the MAC address of a Wi-Fi device, especially an IoT device or one using an operating system that creates random private MAC addresses. The world changes. (added April 26, 2021)
- Someone who works from home should have an their own network that is isolated from all the other devices in their home. I wrote about this in a September 2020 blog, A second router can make working from home much more secure. Because this network will have a very small number of connected devices, there are router options that, normally rejected for a larger network, now make sense. Specifically: disable DHCP, enable MAC address filtering, do not broadcast the SSID, use only 5GHz Wi-Fi and lower the Wi-Fi radio signal strength. None of these features is a perfect barrier to entry, but since no one does this, bad guys without good technical skills should be tripped up. And, use Ethernet whenever possible (many printers support Ethernet and USB/Ethernet adapters are cheap). This makes the most sense when using two routers or a main router that supports VLANs. These options are not a good fit when there is only one consumer/ISP-supplied router.
- Many routers let you change the WAN MAC address. If you can, do so. This only applies when you have a stand-alone router, it should not be done on a combination modem/router device. A MAC address is 6 bytes long, the first 3 bytes identify the company that made the hardware. Making a router from company A appear to be manufactured by company B may offer some defense against a malicious ISP. Valid MAC Addresses can be found here. It would be great if we could change the WiFi MAC address(s), but I have not seen that option on any router. This is what the feature looks like on a router made by Asus, TP-Link, Linksys and Peplink. (added April 16, 2021)
- Your router may not be the only device creating a wireless network. Many HP printers (and probably other vendors too, but I tend to see this from HP)
create their own Wi-Fi network using a feature called Wi-Fi Direct that lets wireless devices connect to the printer directly without going through the router. The security of Wi-Fi Direct is poor, so you should either connect a printer to your network -or- use Wi-Fi Direct. Do not use both. Suggestion courtesy of Ryan Woodings, the founder of MetaGeek.
(added March 19, 2020)
- Routers that have a web interface are best administered with a clean web browser session. That is, start up a browser, work with the router, then logoff the router and shut down the browser.
Need proof that this is good advice? Here is one example (from Nov. 2020) and another example (from May 2022).
Better yet, use private browsing mode when working with the router. Even better, use a browser that has no (or very few) extensions or plug-ins installed.
- Bad neighbors can not target a Wi-Fi network that they do not see. To weaken the Wi-Fi signal that leaks out of your home, turn down the transmission power of the router.
There are some other roadblocks that, while not foolproof, are nonetheless a barrier to be overcome. Details are on the Bad Neighbors page.
(added September 2019)
- Eat your vegetables :-)
Final Steps top
When you are all done making configuration changes to a router, it is a good idea to back up the current settings. This way, should you ever have to reset the router, you can easily import/restore the last backed up state. Many routers can export the current settings to a file. With my favorite router, the Pepwave Surf SOHO, settings are backed up with System -> Configuration and click the Download button. The mesh routers that I have used can not export the current configuration settings to a file. If that's the case for you, consider taking pictures of the configuration screens.
One reason you might have to re-install the current configuration settings is if someone resets the router. All routers come with a pinhole reset. Someone malicious, who can physically touch the router, may simply reset the router to factory defaults as a way to get around the security. A business may try to physically restrict access to the router, but at home, this is probably not viable. To offer the best Wi-Fi performance a router needs to be out in the open which leaves it vulnerable to being reset.
Old school, techie-oriented routers have a ton of features. After making the changes above, its probably best to live with the router a while before changing some of the more obscure settings. Once you have a performance baseline, then consider enabling features like the detection and prevention of Denial of Service (DoS) attacks or SYN Flood attacks. Peplink, for example, offers Intrusion Detection and DoS Prevention that protects against 9 types of attacks (With firmware 8.2 this option is at: Network tab -> Firewall Access Rules).
DrayTek routers offer protection from over 15 types of attacks.
If you do not use a VPN then you can turn off the VPN pass-through options.
Some Additional Thoughts top
I also have write-ups on Synology routers, pcWRT, Google Wifi mesh routers,
Eero, the Turris Omnia router, Apple routers.
These are mostly, but not exclusively, focused on security.
The term "modem" is often mis-used. See exactly what a modem is.
The best possible over-the-air encryption is offered by Enterprise versions of WPA2/WPA3 instead of the more popular Personal versions. For more on this, see the WPA2 WPA3 encryption page.
In August 2021, I blogged about Hiding on a Wi-Fi network. This was about hiding your computer from other devices on the LAN. This is mostly an issue when connected to a public Wi-Fi network, but it is also an issue with dedicated IoT networks at home.
In March 2022, I added the black sheep of pages to this site. Rather than focus on security, it offers an overview of Extending the Range of a WiFi network.
Ongoing Care and Feeding and Defense top
- If the router does not self-update, then check for new firmware every month or two. If the router does self-update, check, every now and then, that the self-updating system is actually working. More about firmware updates.
- Register the router with the hardware manufacturer on the chance that they notify you of firmware updates. Netgear, for example, has a security newsletter that announces bug fixes. In December 2021, Google sent owners of their OnHub routers a note about their being discontinued and a coupon for large discount on a new router.
- At some point there will be no more firmware updates. When this is officially publicized it is called called End-Of-Life (EOL). Some router vendors have a list of their EOL devices, some do not. But, regardless of the official status, when the latest firmware is more than two years old, it is time to replace the router.
- As per the topic below on Hacked Routers, it would be a good thing to re-boot a router, every now and then. Here is an example, from June 2022, of router malware that is removed by a re-boot: A wide range of routers are under attack by new, unusually sophisticated malware. How often to re-boot? In February 2023, the NSA said:
"At a minimum, you should schedule weekly reboots of your routing device, smartphones, and computers."
- Every router can display a list of attached devices. It is good to check this every now and then to insure that you know what every device is. Better routers will let you assign names to each device (Susans iPad, Bobs laptop, Georges iPhone). You may want to assign every device a name that begins with "**" for example. That way you can easily scan the list of devices (some households have quite a few Internet-using devices) for names that do not start with your favorite string of characters. Be aware that the list of devices may not include
all devices connected to the router. Read the fine print. It may only be those that are active at the moment or only those using DHCP. Some mobile apps for routers show you information about devices that have recently been on your network, even if they are not currently using it. FYI: If you have more than one SSID (you should) a good router will show you which SSID each wireless device is connected to. The Surf SOHO does this.
- A common attack against routers is to change the DNS servers. You need to know what the DNS servers should be (discussed above). Many websites report the currently used DNS servers. Pick one or two and get in the habit of checking that your DNS servers have not changed. Consider making one of these sites your web browser home page to insure that you check it periodically. This has gotten more complicated with the introduction of Secure DNS settings in web browsers.
- If the router has any logging facilities, check the logs every now and then.
- Electricity: If either a modem or router is damaged by an electric surge, then you lose Internet access, perhaps for quite a while. It is best to connect each device to either a Surge Protector or a UPS. If shopping for a UPS, get an on-line or line-interactive model. These will boost the power when its a bit low and trim it when its a bit high. This is in addition to being a big battery for when the power fails. Any UPS should also provide surge protection. A good place to start when shopping for a UPS is the Tripp Lite SmartPro 1300VA which sells for about $150. Specs: LCD 120V 720W Line-Interactive UPS, AVR, Tower, LCD, USB, 8 Outlets.
Hacked Router? (Added March 1, 2022)
By and large, it can be hard to impossible to tell if a router has been hacked. That said, you can look for this:
- If the router offers a display of CPU usage (some do, some do not) then high CPU usage when there is little activity might indicate cryptomining or some other type of infection. Both Asus and Peplink show current CPU usage but neither has a history of CPU usage so you can't see a pattern.
- High bandwidth usage may indicate the router is part of a botnet. Then again, if the bandwidth is directly attributable to the router (rather than a connected device) who knows if it will even show up in bandwidth reports?
- DNS changes
So, what to do?
- Some malware infections can not survive a re-boot, so ... re-boot every now and then. Just for good luck. Better yet, power the router off, wait a minute, then power it on.
- Routers have dozens of configuration options and no automated way to notify you if anything changes. Note that pcWRT is an exception, it actually can email you about changes. To defend against malicious changes to the configuration, have a backup of the current settings (many routers can do this). If you suspect anything, then restore the settings backup, change the router password and maybe change the Wi-Fi password(s). Then, make a new backup of the current settings.
- I have seen suggestions to factory reset the router. This only makes sense if you do not have a backup of the system settings. Here again, change the router password and maybe the Wi-Fi password(s) after the reset. I would not expect a factory reset to modify the firmware itself (firmware is the operating system of the router), just the configuration settings.
- The worst type of infection modifies the firmware. To clear out infected firmware, download new firmware from the website of the hardware manufacturer, while connected to a different router.
The last point brings an interesting question. If the router is already running the latest available firmware, can you install the current firmware over itself? Some routers do not let you install older firmware, but the issue of re-installing the same firmware has never come up as far as I know. Peplink shines in this area. Their routers have two installed copies of the firmware and there is no restriction on what each copy can be.
Picking a Secure Router top
This topic has been moved to its own page.
In brief: The least secure routers are from an ISP. A small step up are consumer routers, but I would avoid them too.
I recommend Peplink routers, specifically their $200 US Pepwave Surf SOHO router, for as long as it is still available (production stopped some time around October 2022). The next cheapest Peplink router is the Balance 20x for $450 US (as of December 2022).
Conference Presentations top
I spoke on Securing a Home Router at the HOPE conference in July 2014. This website grew out of that presentation.
A PDF of the presentation is available at box.net,
video is available on YouTube,
audio is available at x.hope.net.
An article about the talk appeared in Toms Guide.
I spoke again about Router Security, at the O'Reilly Security Conference on
Nov. 1st, 2017. The talk was very different from the first one. See a PDF of the slides or watch the video on YouTube.
For other Router Security opinions, I maintain a list of articles. Many stink, the good ones are noted in bold.
You Are Safe Here top
This site is as clean as clean gets. There are no ads. There are no trackers. It does not set any cookies. None of the links here are affiliate links, I do not
profit from this site in any way. No need to believe me. You can test for setting cookies at cookieserve.com.
You can also test at Blacklight a website privacy inspector from The Markup. Just click here to run a live Blacklight test of this site. If you see any ads here, something (your
computer, browser or router) has been hacked.
Page Created: January 30, 2015
Last Updated: May 9, 2023 3PM CT
Viewed 2,234,990 times
(706/day over 3,164 days)
Copyright 2015 - 2023