Routers - security:

Routers (home routers) are widely used nowadays. Because of their popularity, criminals have started taking advantage of their security vulnerabilities or of their owners' low security awareness.


How do I secure my home router?

The most basic, and yet one of the most important, steps is to change the default username and password. Every router (wired or wireless) comes with a set of default passwords. If they are not changed, attackers can easily compromise your router using malicious code - you may experience redirects to bogus (potentially harmful) sites or annoying advertisements. This technique has been in use since 2007.
Most modern routers will force you to change the default settings during the installation procedure. However, that is not always the case. Make sure the username and password on your home router are changed to non-default values - choose a strong password.
Sample instructions on how to change the username/password on your router can be found below, on vendors’ websites:

    - D-Link - How do I set or change the administrative password on my DI series router?
    - Linksys - Changing the Linksys Router's Password
    - NETGEAR - How do I change my router password?

    If your router is not secured properly, malware can easily change its DNS settings - see for example here: Malware Silently Alters Wireless Router Settings.
    This can lead to stealing your personal information and credentials.
    One thing to note: if malware changes the DNS settings on your router, in most cases every other machine connected to it will be affected as well.
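A check for the DNS tampering described above, as an added example that is not part of the original article: it reads a resolv.conf-style resolver list from one connected machine and flags any DNS server that is neither the router nor one you expect. The router address 192.168.1.1, the two "expected" servers and the sample input are assumptions; substitute your own values.

```python
import ipaddress

# Assumptions: replace with your router's LAN address and the DNS servers
# your ISP (or you) configured. The values below are placeholders.
ROUTER_LAN_IP = ipaddress.ip_address("192.168.1.1")
EXPECTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}

# Constructed sample of the resolver list a DHCP client received from the router.
SAMPLE_RESOLV_CONF = """\
# generated by the DHCP client (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.66
nameserver not-an-address
"""

def parse_nameservers(text):
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                servers.append(parts[1])  # malformed entry, reported as unexpected
    return servers

def classify(servers):
    """Label each resolver as 'router', 'expected' or 'unexpected'."""
    report = []
    for server in servers:
        if server == ROUTER_LAN_IP:
            # The router forwards queries itself: its upstream DNS servers must
            # be checked on the router's admin page, not on this machine.
            verdict = "router"
        elif server in EXPECTED_RESOLVERS:
            verdict = "expected"
        else:
            verdict = "unexpected"
        report.append((str(server), verdict))
    return report

def unexpected_resolvers(text):
    """Addresses that are neither the router nor an expected DNS server."""
    return [a for a, verdict in classify(parse_nameservers(text)) if verdict == "unexpected"]

if __name__ == "__main__":
    for addr, verdict in classify(parse_nameservers(SAMPLE_RESOLV_CONF)):
        print(f"{addr:<20} {verdict}")
```

Because the router hands the same DNS servers to every client, an unexpected entry seen on one machine is a reason to inspect the router's own DNS settings, not only that machine.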

    Make sure you use the latest firmware available for your router. Old versions may have security vulnerabilities which can be easily exploited. Check your router vendor's website to see whether new firmware is available (usually, you can upgrade the firmware by logging into the router and accessing the Administration/Maintenance section).

    Some attacks targeting routers take advantage of outdated programs on a victim’s computer. That’s another reason why checking your computer from time to time for outdated programs is such a good idea! Read here: 3.Keep your programs updated.

    What if my router has already been compromised?
    Firstly, every machine connected to the router has to be cleaned - run antivirus and antimalware scans to make sure the infection is gone. Secondly, I'd suggest you reset the router back to the factory default settings.

    Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
    Source: Security Fix

    Refer to your router's manual. Sample instructions for common routers:
    Reset for Linksys, Netgear, D-Link and Belkin Routers; D-Link router; NETGEAR device.
    Note: in some cases, the 'erase' function (to restore factory defaults) can be accessed after logging into the router.
    Thirdly, since all your personal settings have been cleared, you'll need to reconfigure your router. You may need the router's default password and the settings required by your Internet Service Provider (for example DNS server addresses). If new firmware is available, perform an update.
    Don't forget to change the router's default password.

    Configuring a router, securing a Wi-Fi network:

    You have just unpacked your new router. What do you do? One would want it to work 'out of the box'. Still, it is a good idea to spend a few minutes on proper configuration. Once it's secured, it may be visible, but nobody should be able to break into or piggyback on your network.

    Before powering a new router on, always refer to the manual. Apart from a connection configuration section, there should be a chapter dealing with safeguarding a network.
    I also suggest you take a look at the articles below - they describe the process of securing a wireless home network in detail:

    Some general ideas, for clarity, are presented below.
    Generally, it's essential that you use wireless encryption with a strong passphrase, and have the router administrator password changed:

    - change the administrator password on your router (from a default one),
    - use encryption that all your devices support:
        - WEP - not recommended, as it can be easily cracked,
        - WPA/WPA2 - provides strong data security; it's recommended to choose the most secure option available - currently it's WPA2-PSK(AES) - Wi-Fi Protected Access version 2 with Pre-Shared Key + the AES encryption type.

    With WPA/WPA2 encryption, you need to use a strong passphrase/password - a minimum of 10 characters long (letters, numbers, special characters). It's recommended to change that password from time to time.
    Note: all devices bought in 2005 or later should be WPA2 compatible.

    Additionally, consider the steps below to enhance WiFi security:
    - change the default SSID (give your network a name, don't use any personal information),
    - make sure the "Remote Management" option is disabled,
    - disable wireless administration (note: any changes will then require a wired connection to the router),
    - disable UPnP (Universal Plug and Play) if you do not need it - note: that feature is often used to stream media, share files or by online games and VoIP devices,
    - turn off your router when you know you won't use it for a longer period of time.

    Most modern routers support the Wi-Fi Protected Setup feature. Unfortunately, the external registrar PIN exchange mechanism is susceptible to brute-force attacks that could allow an attacker to gain access to an encrypted Wi-Fi network (US-CERT Alert). Therefore, it is recommended to a) disable the WPS feature, b) install the latest firmware available for your router. Refer to your router's manual (an example for Netgear devices).
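The hardening steps above, expressed as an automated check; this is an added example, not part of the original article. The key=value export format, the key names and the lists of default passwords and SSIDs are hypothetical (real routers use vendor-specific backup formats), and both sample configurations are constructed.

```python
import re

# Illustrative, not exhaustive, lists of factory defaults (assumptions).
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}

# Constructed exports in a hypothetical key=value format.
WEAK = ("admin_password=admin\nssid=linksys\nencryption=WEP\n"
        "passphrase=home1234\nremote_management=on\nupnp=on\nwps=on\n")
HARDENED = ("admin_password=c7!Rk2#vQp9z\nssid=bluebird-5\nencryption=WPA2-PSK-AES\n"
            "passphrase=t4k3-Th3_l0ng-w4y\nremote_management=off\nupnp=off\nwps=off\n")

def parse(text):
    """Turn key=value lines into a dict with lower-cased keys."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def strong_passphrase(p):
    """The article's rule: 10+ characters with letters, numbers and special characters."""
    classes = (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")
    return len(p) >= 10 and all(re.search(c, p) for c in classes)

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse(text)
    findings = []
    if cfg.get("admin_password", "").lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("administrator password is a factory default")
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default")
    encryption = cfg.get("encryption", "").upper()
    if encryption != "WPA2-PSK-AES":
        findings.append(f"encryption is {encryption or 'none'}, not WPA2-PSK (AES)")
    if not strong_passphrase(cfg.get("passphrase", "")):
        findings.append("passphrase is under 10 characters or lacks a character class")
    features = (("remote_management", "Remote Management"), ("upnp", "UPnP"), ("wps", "WPS"))
    for key, label in features:
        if cfg.get(key, "on").lower() != "off":  # a missing key counts as enabled
            findings.append(f"{label} is enabled")
    return findings

if __name__ == "__main__":
    for name, config in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(config) or "no findings")
```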

    Disabling the broadcasting of the network SSID is not recommended, and restricting access to your network using MAC filtering is not a serious security enhancement, as one can spoof a MAC address in seconds - see for example here: 7 Things Wi-Fi Hackers Hope You Don't Know.

    Make sure that after all these changes you can connect to your secured network. You'll need the network name (SSID), security key (passphrase), and security/encryption type information: View and connect to available wireless networks.
    It's recommended to record all basic wireless settings setup information. Many routers also have an option to back up the configuration to a file - so that in case of any problems, your configuration can be restored.

    Any questions or connectivity problems? Please take a look at BleepingComputer's Networking forum or Tech Support Forum's Networking Support forum.

    Additional reading:
    - Home routers under attack... (SpywareInfo Forum)
    - Home Wireless AP Hardening in 5 Steps
    - Wireless LAN security myths that won't die
    - Small Office/Home Office Router Security (PDF by US-CERT)
    - How to Setup a D-Link Router
    - What Wi-Fi Hackers can do on Unsecured Wi-Fi Networks

    Published: 21 May 2010
    Updated: 2 April 2012