Basic Router Security – Part 2

Welcome to the Fast-Air Tech Talk newsletter. The Tech Talk newsletter is a free service for all Fast-Air customers. Please feel encouraged to suggest newsletter topics.

Many newer routers have USB ports. Typical uses are sharing a single USB printer with all users or sharing files from a USB flash or disk drive. Vendor firmware has a poor record of protecting these USB services from attack over the Internet; the NetUSB driver flaw and several file-sharing flaws are examples. USB sharing is a useful feature, but because vendor firmware is usually weak on security, research the feature for known flaws before enabling it, and make sure the service is reachable only from the LAN and not from the WAN side.

If you have many devices in the home or office and want to keep certain devices isolated from the others, you will need to learn about network segmentation. This complicated-sounding topic simply means creating additional subnets to isolate devices and networks from one another. A common method is Virtual LANs (VLANs), which carry several isolated subnets over the same physical switch ports and cables.

Wireless guest networks are a simpler form of the same idea: a separate wireless network whose clients can reach the Internet but not the devices on your main LAN.

Not all router firmwares support VLANs or guest networks. An alternative is to use managed network switches and multiple routers.

If your router firmware does not support WPA2 and you use wireless, the router is not secure. The older standards, Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP), are easy to compromise with freely available tools. If you live in a rural area with no close neighbors this might not be a concern, but it is a real concern for anybody living in an urban area.

Considering the lax security of most consumer-grade router firmwares, it is reasonable to feel queasy about using the vendor’s firmware at all. A popular choice among some security professionals is third-party firmware such as DD-WRT. DD-WRT is free and open source software, is actively maintained long after many vendors stop issuing updates, and offers more features than stock vendor firmware. More importantly, there is no cloud account or privacy nonsense involved. DD-WRT supports many routers, but not all of them; check the supported-device list before buying. Some routers can be purchased with DD-WRT already installed.

Wireless guest networks need to be secure too. Some router firmwares do not offer an encrypted guest network; all they really do is create an open access point. Your guests’ traffic is then unencrypted over the air, exposing information such as passwords sent over unencrypted connections. Give the guest network its own WPA2 passphrase and verify that guest clients really are isolated from the main LAN.

Testing a router’s security with a basic port scan is tricky. The main reason is that many ISPs use Network Address Translation (NAT) inside their own network, often called carrier-grade NAT, so many customers share one public IP address. The public IP address is what everybody on the Internet sees and is not the same as the address assigned inside your private network; behind carrier-grade NAT it is not even the address on your router’s WAN port. An external scan then tests the ISP’s gateway rather than your router, so it is close but not fully reliable. A quick check: if the WAN address on your router’s status page is in 100.64.0.0/10 or in a private range such as 192.168.0.0/16 or 10.0.0.0/8, you are behind the ISP’s NAT. For most people, there should be no open ports on the Internet (WAN) side of a router. A popular port scanning site is Shields Up!.
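Before trusting the result of an external scan, a practitioner would first confirm that the scan can even reach the router. The following added example (written for this edit, not code from the newsletter) does two things: it tells you whether the WAN address shown on your router’s status page is a public address at all, using the carrier-grade NAT range from RFC 6598, and it performs a minimal TCP connect scan so you can test a host from a second Internet connection (a phone hotspot, for instance) rather than relying only on a web service. The addresses and the port list in it are assumptions for the demonstration.

```python
"""Two checks before trusting an external port scan of a home router.

Added example, not part of the original newsletter. The WAN address is read by
you from the router's status page and passed in; the sample addresses used in
main() are constructed.
"""
import ipaddress
import socket

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Ports a consumer router should never expose on its WAN side (assumed list).
DEFAULT_PORTS = (21, 22, 23, 53, 80, 443, 1900, 5000, 8080, 8443)


def wan_ip_is_routable(wan_ip: str) -> bool:
    """True only if the router's WAN address is a public, globally routable IP.

    False means the router sits behind the ISP's NAT (CGNAT or a private
    range): a scan from the Internet reaches the ISP's gateway, not your
    router, so the scanner's report is not about your device.
    """
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT_RANGE:
        return False
    return addr.is_global


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Minimal TCP connect scan of a single port (no raw sockets needed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def scan(host: str, ports=DEFAULT_PORTS, timeout: float = 1.0) -> dict:
    """Return {port: is_open} for every port in `ports` on `host`."""
    return {p: tcp_port_open(host, p, timeout) for p in ports}


def report(wan_ip: str, host_to_scan: str, ports=DEFAULT_PORTS, timeout: float = 1.0) -> list:
    """Human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    if not wan_ip_is_routable(wan_ip):
        findings.append(
            f"WAN address {wan_ip} is not public: router is behind ISP NAT, "
            "external scan results do not describe this router"
        )
    for port, is_open in scan(host_to_scan, ports, timeout).items():
        if is_open:
            findings.append(f"port {port}/tcp is open on {host_to_scan}")
    return findings


def self_check() -> bool:
    """Validate the scanner against a local listener before using it for real:
    a listening loopback port must show open, and the same port must show
    closed once the listener is gone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        open_seen = tcp_port_open("127.0.0.1", port)
    finally:
        srv.close()
    closed_seen = not tcp_port_open("127.0.0.1", port)
    return open_seen and closed_seen


if __name__ == "__main__":
    # Constructed values: a CGNAT WAN address and a loopback scan target.
    print("scanner self-check:", self_check())
    for line in report("100.72.10.5", "127.0.0.1", ports=(22, 80, 443)):
        print(line)
```

Run the self-check first; if it passes, point `report()` at your public address from outside your own network. Any open port on the WAN side is something to explain or close, and a non-routable WAN address means you should ask the ISP whether a public address is available before relying on external scanners at all.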

Detecting a compromised consumer-grade router is challenging. The reason is that router malware usually resides only in RAM. Routers do not use hard drives; the firmware is stored in a small flash chip and the configuration in Non-Volatile RAM (NVRAM). The amount of flash and RAM varies with each model, but there is little room to store sophisticated malware, so most of it runs from memory and leaves no file on the device for you to find. Some malware families do write themselves into flash and survive a reboot, so a clean reboot is not proof of a clean router.

One way to make infection harder is to use a router with minimal RAM and flash. Such routers have only enough memory to run basic router features and will not support many extras. With limited RAM, malware is less likely to fit in the device’s memory. Treat this as a minor hardening measure, not a guarantee; keeping the firmware updated and remote administration switched off matters far more.

One rough way to check for a compromised router is to watch upload bandwidth. Most home connections see high download and low upload volume, so a sustained high upload rate with no obvious cause (cloud backups, video calls) might be an indicator.

Another method is to check the router’s Domain Name System (DNS) servers. Most people should see either the IP addresses of the ISP’s DNS servers or the DNS servers they explicitly configured; anything else suggests the settings were changed, which is a common goal of router malware because it lets the attacker redirect every site you visit. The default DNS servers for Fast-Air customers are 198.21.91.2 and 198.21.90.2.
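To make the DNS check concrete, here is an added example (not from the newsletter) that pulls the resolver addresses out of a Linux /etc/resolv.conf or a Windows `ipconfig /all` listing and classifies each one against the Fast-Air servers named above, a short list of well-known public resolvers, and local addresses. The sample snippets it contains are constructed; the `198.21.95.9` address stands in for an unexpected resolver and is not a real Fast-Air server.

```python
"""Check which DNS servers a computer is really using and whether they are expected.

Added example, not part of the newsletter. The Fast-Air addresses are the ones
the text gives (198.21.91.2 and 198.21.90.2); the resolv.conf and ipconfig /all
snippets below are constructed, not captured from a real system.
"""
import ipaddress
import re

ISP_DNS = {"198.21.91.2", "198.21.90.2"}

# Widely used public resolvers. Seeing one of these is fine if you set it yourself.
WELL_KNOWN_PUBLIC = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
                     "9.9.9.9", "149.112.112.112"}

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_servers(text: str) -> list:
    """Pull resolver addresses out of /etc/resolv.conf or `ipconfig /all` output.

    resolv.conf uses one `nameserver <ip>` per line. ipconfig prints
    `DNS Servers . . . : <ip>` with any extra servers on following indented
    lines that hold only an address, so those continuation lines are collected.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            servers.extend(IPV4_RE.findall(stripped))
            in_dns_block = False
        elif "DNS Servers" in line:
            servers.extend(IPV4_RE.findall(line))
            in_dns_block = True
        elif in_dns_block and IPV4_RE.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_dns_block = False
    return servers


def classify(server: str, expected=ISP_DNS) -> str:
    """isp: an expected ISP resolver.
    public: a well-known public resolver (fine if you chose it).
    local: the router or a stub resolver on this machine (127.0.0.53 with
           systemd-resolved); its upstream must be checked separately, in the
           router's DNS page or with `resolvectl status`.
    unknown: none of the above; treat as a possible DNS hijack until explained."""
    if server in expected:
        return "isp"
    if server in WELL_KNOWN_PUBLIC:
        return "public"
    addr = ipaddress.ip_address(server)
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "local"
    return "unknown"


def audit(text: str, expected=ISP_DNS) -> dict:
    """Return {server: classification} for every resolver found in `text`."""
    return {s: classify(s, expected) for s in extract_servers(text)}


def suspicious(text: str, expected=ISP_DNS) -> list:
    """Resolvers that are neither expected, well-known public, nor local."""
    return [s for s, kind in audit(text, expected).items() if kind == "unknown"]


# Constructed samples (not real captures).
RESOLV_CONF = """# resolv.conf sample
nameserver 198.21.91.2
nameserver 198.21.90.2
"""

IPCONFIG = """   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.21.95.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for sample in (RESOLV_CONF, IPCONFIG):
        print(audit(sample), "suspicious:", suspicious(sample))
```

When a client only shows the router’s own address (the `local` case), the check is not finished: log in to the router and compare its upstream DNS entries against the same list, because that is where malware usually rewrites them.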

Some routers support some form of logging. Enabling it can help with discovering suspicious activity and whether a router has been compromised; where the firmware allows, send the log to another machine on the LAN (syslog), because logs kept only on the router disappear with every reboot.

There is a simple way to remove RAM-resident malware from a compromised router: schedule nightly or weekly reboots so anything living only in memory is flushed. Then follow basic security precautions (change the admin password, disable remote administration, update the firmware) to ensure the router is not compromised again. This is a soft reboot managed through the firmware web interface and is not to be confused with a hardware reset. If the firmware does not support scheduled reboots, simply power off the router for several minutes.

If you are certain a router is compromised and a soft reboot fails to remove the malware, a hardware reset is the next step. Most routers have a hardware reset button. Usually the button is tiny and recessed to avoid accidental pushing, so a paper clip tip or toothpick is needed to press it. Each vendor’s firmware handles a hard reset differently, but usually the reset button must be held down continuously for about 30 seconds or more. The good news is a hardware reset wipes the configuration and with it any malicious settings such as changed DNS servers. The bad news is the firmware is reset to factory defaults and everything must be reconfigured. Note that a factory reset restores the configuration but does not rewrite the firmware image itself; if you suspect the firmware has been tampered with, reflash a current image downloaded from the vendor.

This is important to realize with routers that have been configured by Fast-Air employees: a hardware reset deletes the Fast-Air configuration. Additionally, a router sitting at factory defaults (default admin password, default settings) while connected to the Internet is vulnerable to malware and compromise by malicious hackers, so reconfigure it before plugging the WAN cable back in.

While routers are useful and necessary for many people, here are some things router configuration cannot do.

  • Content filtering often fails to stop persistent children from reaching certain web sites; time-based and per-device access restrictions are more effective.
  • Children are not dumb and will often use computers and open networks outside the home to reach the sites they want.
  • Access restrictions do not stop cell phones on a mobile data plan because they use the carrier’s network, not your router.
  • Various restrictions might not stop devices such as tablets because many are preconfigured to use the vendor’s DNS servers rather than the router’s, which bypasses DNS-based filtering.

Much of the information shared in this article applies to any computer device connected to the Internet, which includes but is not limited to the following:

All of these devices, including routers, are small computers, often single-board computers (SBCs). Do not be fooled by their function: a “smart” web camera or thermostat is just as much a computer as a laptop or desktop.

Manufacturers and retailers are interested in selling these devices, not in providing security support. This attitude is unlikely to change until, sadly, some major catastrophes occur, such as major power outages caused by DDoS attacks or people dying because of compromised devices. The general opinion of many security professionals is that the worst is yet to come with the Internet of Things.

Imagine your refrigerator being compromised to send spam email. Imagine devices being compromised with ransomware.

Many of these types of devices are expected to be connected directly to the Internet. Some are expected to sit behind a router, but are designed to “punch through” the router’s NAT. One way they do this is Universal Plug and Play (UPnP), a network protocol that lets any device on the LAN ask the router to forward an Internet-facing port to it, without any authentication. UPnP should not be confused with Plug-and-Play, which is a hardware mechanism. For many people, having these devices behind a router provides only an illusion of security, because through UPnP the devices end up exposed directly to the Internet. Disable UPnP on the router unless you know a specific device needs it, and check the router’s port-forwarding table for entries you did not create.
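The way a LAN device discovers a UPnP-capable router is the SSDP search shown below, in an added example that is not code from the newsletter. It builds the standard M-SEARCH request for an Internet Gateway Device, parses the unicast reply a router sends back, and reports whether the responder is a gateway; the `discover()` function really sends the request on your LAN, while the sample reply embedded in the file is constructed.

```python
"""Find UPnP Internet Gateway Devices on the LAN and read what they advertise.

Added example, not from the newsletter. The multicast address, port and
message layout are those of SSDP (the discovery part of UPnP); the sample
response below is constructed, not captured from a real router.
"""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """The M-SEARCH request a client multicasts to find devices of type `st`.
    Devices answer with a unicast HTTP-style response within `mx` seconds."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Parse an SSDP response into a header dict with upper-cased keys.
    Anything that is not a 200 response yields an empty dict."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def is_gateway(headers: dict) -> bool:
    """True when the responder advertises itself as an Internet Gateway Device,
    meaning LAN clients can ask it to open WAN ports."""
    st = headers.get("ST", "")
    usn = headers.get("USN", "")
    return "InternetGatewayDevice" in st or "InternetGatewayDevice" in usn


def discover(timeout: float = 3.0) -> list:
    """Send one M-SEARCH on the LAN and collect (ip, headers) for each reply.
    Needs a real network; the tests only exercise the parsing functions."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            headers = parse_response(data)
            if headers:
                found.append((ip, headers))
    except socket.timeout:
        pass  # no more replies within the window
    finally:
        sock.close()
    return found


# Constructed sample of the reply a UPnP-enabled router would send.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux UPnP/1.0 sample\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("sample reply is a gateway:", is_gateway(parse_response(SAMPLE_RESPONSE)))
    for ip, headers in discover():
        print(ip, "gateway" if is_gateway(headers) else "other", headers.get("LOCATION"))
```

If `discover()` returns any responder for which `is_gateway()` is true, UPnP port mapping is switched on at that router, and every device on the LAN, including a compromised one, can open holes in it. The fix is in the router’s UPnP or port-forwarding page, not on the device.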

Another common problem is that these devices have the Telnet service open to the Internet, which lets outsiders scan for them and try default login names and passwords.

Therein lies part of the security problem with IoT. Many users of these devices are not technically savvy. Worse, although basic security does not require a degree in rocket science, many people will not attempt even the simple preventive changes that improve it.

Many of these devices use wireless, and a wireless device can join any network it is configured for, including a neighbor’s router rather than your own. Securing your own router therefore might not stop these devices from reaching the Internet. The only way to control these devices is to learn how to configure them.

The old adage that “time is money” is just as true for malicious hackers as for anybody else. The significant majority of them do not waste time trying to compromise every device they find. Most run a few quick tests, such as default passwords and well-known flaws, and when those fail they move on to the next device. Basic security changes are therefore often sufficient to prevent most opportunistic attacks.

Smokey the Bear’s motto, “Only you can prevent forest fires,” is a good attitude for securing routers and Internet devices.

Technical trivia: The File Transfer Protocol (FTP) was popular long before the Hypertext Transfer Protocol (HTTP). The original FTP specification was written in 1971.

Next issue: Public Wireless Security
