Basic Router Security – Part 1

Welcome to the Fast-Air Tech Talk newsletter. The Tech Talk newsletter is a free service for all Fast-Air customers. Please feel encouraged to suggest newsletter topics.

The Internet of Things (IoT) has become a security nightmare. Some people are now cynically joking that IoT is an acronym for Internet of Thieves. Malicious hackers are using devices on the Internet for their own purposes. Overwhelmingly these malicious people obtain access because owners are not using basic security precautions.

That router in your home or office, keeping your computers connected as well as providing Internet access, is a member of the Internet of Things.

How are routers compromised?

  • A common attack is to change the Domain Name Service (DNS) server information in the router to redirect users to malicious fake web sites.
  • Compromised DNS server information allows malicious hackers to spoof security certificates, which then can be used to monitor secure connections through HTTPS.
  • Wardriving is the term used to describe people roaming neighborhoods and using unsecured wireless routers inside a home or office. Often wardrivers visit undesirable web sites. Because the router is in your home or office, that connection is tracked back to you.
  • Routers are used by malicious people to form botnets, which are used in Distributed Denial of Service (DDoS) attacks.
  • Malicious hackers “sniff” or monitor unencrypted web traffic for personal or business information.
  • Malicious hackers use the router to break into personal computers looking for personal or business information.

Most people with unsecured routers never know their device is compromised.

The good news is router security does not require a degree in rocket science. The bad news is there are some ugly facts about consumer grade routers.

  • Out of the box, many commodity routers are not secure.
  • Often the firmware in consumer grade routers contains security flaws and vulnerabilities.
  • Manufacturers are interested only in the first sale and not in security patching because there is little to no money in follow-up support.
  • Often firmware is not updated.
  • Auto updating the firmware is not always dependable.

Many security professionals refuse to use consumer grade routers.

To rub salt into the proverbial wound, online reviewers seldom discuss security. This is the usual click-bait trap. Instead reviewers talk about whether the finish collects fingerprints.

Okay, enough doom and gloom. What is the everyday user supposed to do?

Like ogres and onions, security is about layers. There is no single one-size-fits-all solution to good security. Healthy security involves different layers of protection. Let’s make sure this useful device is not a threat. Here are some quick tips.

  • Do not buy any router model that only supports remote admin.
  • Do not buy any router model that requires vendor cloud support.
  • When provided as an option, do not use cloud-based management.
  • Only buy a model that supports a firewall service.
  • Check with the vendor web site for the latest firmware.
  • Do not blindly rely on automatic firmware updates.
  • Manually updating firmware requires only nominal technical skills.
  • Download firmware updates only from the vendor’s web site. Never from any other location.

Most routers are configured through a web browser interface. Many router firmwares allow additional access through Telnet or SSH. Using Telnet or SSH usually is outside the typical skill level of most non-technical users.

Wireless signals can be intercepted, and some router interfaces do not support HTTPS. That means: do not update or configure the router over wireless, because the admin password is then transmitted in clear text and is not encrypted. Use a wired connection to configure the router. Further, a wired connection will be faster and more responsive while using the web browser interface.

When using the web browser interface, the IP address of the router must be manually typed into the web browser location bar. With respect to routers, IP addresses use four sets of numbers separated by periods. For example, http://192.168.1.1. Most router firmwares default to using HTTP rather than HTTPS.

Most routers will come packaged with a brief “quick start guide.” This guide will contain basic access and configuration information.

Routers are sometimes referred to as gateways.

Here is a basic check list for configuring a router.

  • Change the vendor’s default login name.
  • Change the vendor’s default password.
  • Change the default router name.
  • Avoid using the default IP address (often 192.168.0.1, 192.168.1.1).
  • Enable the firewall service.
  • On the WAN side, disable all unnecessary remote services such as ping, Telnet, SSH, UPnP and HNAP.
  • Disable WAN side remote management.

Pause now to appreciate a horrible but sobering fact. Any router using the vendor default login name and password likely will be compromised after connecting to the Internet. Therefore, configure as much of the router as possible before connecting the Wide Area Network (WAN) port. The WAN port is the port that connects the router to the ISP. Minimally that means changing the default login name and password.

A caveat to this sane approach is that the vendor’s firmware likely is designed to insist on contacting the vendor’s server. Ignore those requests. Configure as much as possible manually before connecting to the Internet. Any router that does not allow manual configuration without connecting to the Internet should be returned for a refund. Such routers should be suspected of being designed for data mining, tracking, and requiring cloud management. Examples of such routers include the ZyXEL Armor Z1 and Google OnHub routers.

Outside of a handful of highly technical users, most people do not need any kind of remote access to a router and no WAN side ports are needed. Outside of unknown zero-day vulnerabilities, these simple steps at router security will block most hacking attempts from the Internet.

Remember that security is about layers. After ensuring the router’s firewall is enabled, do not disable your computer’s software firewall.

Routers also can be compromised from inside the home or office.

  • On the LAN side, disable all unnecessary remote services such as ping, Telnet, SSH, UPnP and HNAP.
  • If needing remote access then use SSH rather than Telnet. Telnet is not a secure protocol.
  • Update the firmware.

Updating the firmware does not remove the need for any of the other security precautions. Updating the firmware only patches known security vulnerabilities and does not change any of the default configuration parameters.

Changing the default IP address means knowing about private IP addresses. When networking was first getting popular, certain IP addresses were established as private IP addresses. These IP address ranges may be used by anybody creating a Local Area Network (LAN). These special addresses are not used in the general IP address space of the overall Internet.

Because these special private IP address ranges may be used by anybody, routers are used to provide a Network Address Translation (NAT) service. The NAT service keeps track of all LAN side addresses and their connections to the Internet. The router connects to the ISP device. The ISP assigns a public IP address. A router might connect several computers on the LAN side through the built-in network switch, but through the NAT service everybody on the Internet side sees all of these computers as the same location because of the single public IP address.

The possible private IP addresses that may be used include the following ranges:

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

Wireless differs from wired connections because radio transmissions are open to anybody. Wireless requires additional security precautions. Here is a basic check list for configuring wireless networks on a router.

  • Do not disable Service Set Identifier (SSID).
  • Change the default SSID name.
  • Disable Wi-Fi Protected Setup (WPS).
  • Use WPA2+AES encryption with a long passphrase.
  • Understand that the wireless password is not the same as the router admin password.
  • Create a separate wireless network for guests.
  • Create a separate wireless network for IoT devices.
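The router checklist, the LAN-side checklist, the private address ranges and the wireless checklist above can be turned into a single self-check. The script below is an added example, not part of the newsletter or any vendor’s firmware: it audits a hand-typed summary of a router’s settings against those lists. The config layout, the list of common default admin names and the 20-character threshold for a “long” passphrase are assumptions made for the example.

```python
import ipaddress

# The three private ranges listed in the article, as networks.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_LAN_IPS = {"192.168.0.1", "192.168.1.1"}   # defaults named in the article
DEFAULT_ADMIN_NAMES = {"admin", "root", "user"}     # assumption: common vendor defaults
REMOTE_SERVICES = {"ping", "telnet", "ssh", "upnp", "hnap"}
MIN_PASSPHRASE_LEN = 20                             # assumption: what "long" means here


def audit_router(cfg):
    """Return a list of findings for a router config dict; empty means every check passes."""
    findings = []
    lan_ip = ipaddress.ip_address(cfg["lan_ip"])
    if not any(lan_ip in net for net in PRIVATE_RANGES):
        findings.append(f"LAN address {lan_ip} is not a private address")
    if str(lan_ip) in DEFAULT_LAN_IPS:
        findings.append(f"LAN address {lan_ip} is a common vendor default")
    if cfg["admin_user"].lower() in DEFAULT_ADMIN_NAMES:
        findings.append("admin login name is a vendor default")
    if not cfg["firewall_enabled"]:
        findings.append("firewall service is disabled")
    if cfg["wan_remote_management"]:
        findings.append("WAN side remote management is enabled")
    for side in ("wan", "lan"):   # the same service list is checked on both sides
        exposed = {s.lower() for s in cfg[f"{side}_services"]} & REMOTE_SERVICES
        if exposed:
            findings.append(f"{side.upper()} side services to disable: {sorted(exposed)}")
    wifi = cfg["wifi"]
    if wifi["enabled"]:
        if wifi["wps_enabled"]:
            findings.append("WPS is enabled")
        if wifi["encryption"].upper() != "WPA2-AES":
            findings.append(f"wireless encryption is {wifi['encryption']}, not WPA2+AES")
        if len(wifi["passphrase"]) < MIN_PASSPHRASE_LEN:
            findings.append("wireless passphrase is short")
        if wifi["passphrase"] == cfg["admin_password"]:
            findings.append("wireless passphrase reused as the admin password")
        if wifi["hide_ssid"]:
            findings.append("SSID broadcast is disabled")
    return findings


# Constructed sample: a router still at typical factory settings.
FACTORY_CONFIG = {
    "lan_ip": "192.168.1.1", "admin_user": "admin", "admin_password": "password",
    "firewall_enabled": False, "wan_remote_management": True,
    "wan_services": ["ping", "upnp", "hnap"], "lan_services": ["telnet", "upnp"],
    "wifi": {"enabled": True, "wps_enabled": True, "encryption": "WPA",
             "passphrase": "password", "hide_ssid": False},
}
```

Calling `audit_router(FACTORY_CONFIG)` lists ten findings; re-run it after each change until the list is empty.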

Here is a really simple security precaution. Disable the wireless radio if wireless is not needed at all.

For those using the wireless features of a router, using a WPA2+AES passphrase prevents unwanted people from using the wireless features. That includes neighbors who might decide that browsing certain web sites through your router is a slick way to prevent tracking back to their IP address. This security also prevents wardrivers from using the device.

Record the changes on paper. One trick to not losing this information is writing the information on masking tape and placing the masking tape on the underside of the router. For most people using the router in private networks this is a safe way to remember the changed information.

One more tip. Ensure the router is physically secured. That means unwanted people do not have physical access to the router. For some people such access is not a concern. For others, physical security might be as simple as placing the device on a high shelf or a shelf in a closet.

There are many router models, too many to provide specific instructions. Here are some web sites to help with configuring various routers:

Setup Router
Router Security

That second web site contains an exhaustive check list.

Technical trivia: Early Internet search engines included Archie, Veronica, and Jughead, all named after the comic book characters. Another popular search engine was Wide Area Information Server (WAIS), used to search databases.

Next issue: Basic Router Security – Part 2
