Router Security Tips.

[Fixxx]

​

If you are motivated enough and take into account all of the above you can significantly improve the security of your router and home network as a whole. A router helps distribute internet connection among all devices in your network but at the same time it carries additional risks and threats as cybercriminals become increasingly sophisticated in spreading malware, ransomware and executing other network attack scenarios. In March 2020 it was reported that hackers were redirecting users to a malicious application related to the COVID-19 virus using vulnerable and accessible routers to steal personal data. This raises the legitimate question of how to protect yourself from such threats. At first glance, it may seem like a non-trivial task but you can take some steps to enhance the security of your router and Wi-Fi network.

​

1. Check router settings.​

The first step is to check the security-related settings of your router. Many users leave the default configuration without realizing that these settings can be changed. Specific settings depend on the model but all routers have options to enhance security. To access the settings you need to authenticate using the credentials provided with the router (usually an IP and password). It's advisable to change the password to a more complex one so that cybercriminals cannot easily log into your network.

2. Change the Wi-Fi network name.​

The next step is to change the Wi-Fi network name (SSID). Keeping the default name simplifies the task of finding your network through scanning.

3. Disable network name broadcasting.​

This feature, used for connecting to Wi-Fi (e.g., in coffee shops, libraries or hotels) should be in your router settings. Such features are unnecessary for a home network. After disabling it your network will not be listed publicly.

4. Enable network encryption.​

Many routers have this feature but it's often disabled by default. WPA2 encryption should be available.

5. Check if the router has a guest network. ​

This doesn't mean that your friends will be unsafe when connecting to your network but if you provide access to a guest network, instead of the main one, you enhance the overall security of the main network. It's not advisable to share the network password freely and if you can provide internet access while keeping your home network secure you should take this opportunity.

6. Check firewall settings.​

All 2- or 3-channel routers have a built-in firewall which may be disabled. The software firewall is designed to protect your network from intrusions. If the router doesn't have this - consider purchasing a different router or a separate device with firewall features.

7. Use VPN.​

A Virtual Private Network (VPN) is used to encrypt communications originating from the network. The working principle involves mixing incoming and outgoing communications so that no one can understand the essence of the transmitted information. Once the data reaches your computer the VPN decrypts it.

8. Regularly update software and firmware.​

Manufacturers periodically update device software and firmware and provide information about new malware and viruses. Updating your system protects you from new threats. When new patches (especially in the security domain) are released, try not to delay the update.

9. Turn off the router. ​

If you plan to be offline for some time you can also turn off the router. However, this method may be inconvenient if you don't live alone as no one will be able to use your network after it is turned off.

10. Buy a new router.​

How old is your router? Older models lack many security-enhancing features found in new routers. Buying a new router will not only enhance the security of your network but may also increase internet speed. By being sufficiently motivated and considering all of the above you can effectively enhance the security of your router and home network overall.

 

[Fixxx]

Additional Tips.
​

1. Avoid using the WEP algorithm.​

WEP is an outdated, practically unused Wi-Fi security algorithm. It can be hacked in a matter of minutes. However, there are still access points with WEP, so check yours and if it uses WEP for encryption, switch to WPA or WPA2.

2. Disable WPS.​

WPS (Wi-Fi Protected Setup) provides an easy but insecure way to set up a wireless network. Depending on the vulnerability, WPS (and then the Wi-Fi password) can be hacked in a day or even in a matter of minutes.

3. Check the settings for the 5 GHz network.​

Many users are unaware that their router operates in two frequency ranges: 2.4 GHz and 5 GHz. If you have secured one range but forgotten about the other an attacker can take advantage of this. Set a strong password for the 5 GHz network and disable WPS for it. If you don't use the 5 GHz range you can simply turn it off.

4. Disable remote access to the router control panel.​

In the vast majority of cases, accessing the router's administration panel from the local network is sufficient. If you don't need access to the router settings from an external network (from the Internet) disable it to prevent attackers from attempting to guess the login password. This setting may be called "Enable web access from WAN".

5. Disable unused network services.​

The more complex the device - the more potential points for a hacker to exploit. Many network services and additional functions aren't used by most users and some of them also contain known vulnerabilities. Therefore, disable SSH, FTP, Telnet, file sharing over the Internet (e.g., AiDisk), file/media server (e.g., UPnP), SMB (Samba), TFTP, IPv6 and others that are not needed.

6. Enable HTTPS for administrative connections.​

On most routers this feature is disabled by default. This setting helps prevent interception of your router's admin password when connecting to it from the Internet or during man-in-the-middle attacks if an intruder has already breached your local network. You can also restrict administrative access over the wireless network but this may not be suitable for everyone.

7. Change the default IP address range for your local network.​

Most routers have the same range of local addresses. It's either 192.168.1.x or 192.168.0.x. This facilitates automated attacks using scripts. Available ranges: Any 10.x.x.x, Any 192.168.x.x, 172.16.x.x to 172.31.x.x.

8. Change the default local router address.​

If someone infiltrates your network they know the address of your router is x.x.x.1 or x.x.x.254 making their task more difficult.

9. Use MAC filtering.​

A less effective method of protection since an attacker can easily determine the permitted MAC addresses and spoof them. Don't rely solely on this protection.

10. Network hiding.​

An ineffective measure. It neither worsens nor improves security because an attacker can easily find out the network name.

Searching for Vulnerabilities in Your Router.​

Unfortunately, vulnerabilities are sometimes discovered after the manufacturer has discontinued support for the router. This can lead to a situation where hackers are aware of vulnerabilities in your router but firmware updates aren't available. You can check your router for vulnerabilities using the Router Scan program by Stas’M. It's a fairly easy-to-use program with a graphical interface. If you are familiar with Linux you can also use a similar program called RouterSploit which may have exploits not found in Router Scan. If your router is found to be vulnerable without the possibility of updating the firmware it's recommended to stop using it and replace it with a new one.

Signs of Wi-Fi Router Compromise.​

Changing router settings without your knowledge: ​

If unauthorized users have made changes to any settings (especially changing the password to access the administration panel, DNS settings, VPN) this is a sign that a hacker has gained access to your router.

Monitoring devices connected to your local network: ​

Programs such as NetworkConnectLog and Wireless Network Watcher can be used for this purpose. Unauthorized device connections indicate that your network has been compromised.

Reviewing the router log: ​

If your router supports logging, which records the administrator's device login, regularly check it for suspicious activity.

Detecting man-in-the-middle attacks and strange network disruptions: ​

Advanced users can not only detect new devices on the network but also to identify attacks against their devices. Strange disruptions in network can indicate changes to network equipment settings and interception/modification of traffic by attackers.