How to secure your Wi-Fi network - the basic version

Here are the basics on how to protect your router and home network.

Router

In October 2016, criminals launched a distributed denial-of-service (DDoS) attack against Dyn's managed DNS infrastructure.

The assault messed with how the internet translates domains like the human-friendly www.grahamcluley.com into their actual numeric web addresses. As a result, Twitter, Spotify, and many other websites we know and love on the internet went down for several hours.

Dyn's researchers revealed that 100,000 Internet of Things (IoT) devices infected with the Mirai malware had constituted the bulk of the campaign's attack traffic. Lots of smart devices had snagged a piece of the pie, including baby monitors, cameras, and home routers.

Passwords

Seriously?!

Sigh... this isn't the first time a botnet has leveraged infected home routers to conduct attack campaigns. With that being said, I think all of us in security agree on one thing: it's time we put a stop to online criminals hijacking our routers for nefarious ends.

How? By learning what we can do to secure our routers and our Wi-Fi networks.

Common attacks against a router

Before we dive into how we can protect our home networks, it's important that we first understand some of the most common attacks that threaten our routers. These are as follows:

  • DDoS Campaigns: Routers and DDoS attacks have a multifaceted relationship. On the one hand, infected routers make for dutiful bots such as those employed by Mirai to target Dyn. On the other hand, actors can launch their own attacks against a router. If the traffic is sufficiently large, they can overpower the device's resources and thereby slow down the network.
  • Brute Force: An attacker attempts to gain unauthorized access to a router by guessing its username and password. This effort takes no time if the device still uses the default credentials with which it originally shipped out to retailers.
  • Packet Mistreating Attacks: Some actor abuses a vulnerability in the router to inject it with malicious code that prevents the device from handling its routing process correctly. As a result, the router can't process data packets, which causes denial of service conditions and network congestion.

The fun for an attacker need not stop with one of the scenarios above, either.

After successfully conducting a brute force campaign, for example, a nefarious individual can then conduct secondary attacks such as DNS hijacking, a method which points a router to a rogue server controlled by the attackers that can trick users into inadvertently visiting malicious websites.

091515 2139 attacksover6

An illustration of a DNS hijacking attack. (Source: The Infosec Institute)

The basics of network protection

Now that we know what types of attacks threaten our routers, we can now learn more about how to protect them. Here are the basics:

  1. Don't use a router supplied by your ISP: These devices are often less secure than commercially available routers. For instance, many of them enable remote support via the use of hardcoded credentials that are impossible to change. Depending on the vendor, they also might not receive patches on a regular basis.
  2. Change the default admin login credentials: Mirai and botnets like it work by scanning IoT products for default login credentials. If they find what they're looking for, the malware logs in and enlists the devices into their botnet. Don't let this happen! Set a unique username with a strong password. It's that simple.
  3. Choose a strong Wi-Fi password: Why stop there? When you set up your Wi-Fi network, make sure you set a strong password to deter remote attackers. It would be a good idea to couple that password with the use of WPA2 as your router's security protocol.
  4. Update your router's firmware on a regular basis: Once the credentials for your router and network are set, make sure you register your product so that you can receive firmware updates whenever they're released. You can and should implement those security fixes from the router's web interface.
  5. Be careful when logging into the router's web interface: Whenever you access the router from the web, make sure you do so in private mode so that the browser doesn't save any cookies. Also, make sure the browser doesn't save your router's username and password. You don't want those bits of information inadvertently falling into the wrong hands should someone obtain access to your computer!
  6. Don't enable services you don't need: Telnet, SSH, UPnP... few people need those services, but plenty activate them anyway. Don't be one of those people! There's no reason to expose yourself to additional risk if you have no use for those services.

Qsg telnet menu

More for next time...

We're just getting started with our tips for how to protect your router and home network. Want to get a little more complex? Read some advanced security tips and recommendations.

Tags: , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , ,

13 Responses

  1. Bob

    December 7, 2016 at 5:03 pm #

    You forgot one of the biggest ones… disable wireless WPS.

    Even if you activate WPA2 it's virtually useless if you've got wireless WPA enabled because it's easily cracked (in under 2 minutes!)

  2. Simon

    December 8, 2016 at 10:29 am #

    "Choose a strong Wi-Fi password:"

    This, along with hiding your SSID, using WPA2 and MAC filtering should be enough to deter Joe hacker.

    • Bob in reply to Simon.

      December 8, 2016 at 10:54 am #

      Hiding your SSID is inconvenient and offers no improvement in security as you can easily scan hiddden SSIDs. However changing its name from the default so as to obscure the brand of router is a good idea.

      MAC filtering offers no improvement as it's easy to scan the connected devices so that you can impersonate the MAC yourself.

      • Simon in reply to Bob.

        December 8, 2016 at 12:08 pm #

        Valid points, but at least it'll throw off less savvy neighbours trying to piggyback off your WiFI…

        • Bob in reply to Simon.

          December 8, 2016 at 1:01 pm #

          But so will a WiFi password to be fair Simon. If they're not tech savvy then they're not going to be able to crack your WiFi password.

          Changing your SSID makes it very inconvenient to join new devices to the network and it also makes it impossible for some badly programmed existing devices to connect (because they look for a visible SSID).

  3. Don

    December 8, 2016 at 7:45 pm #

    Should I replace my router if it is no longer supported by the manufacturer?

    • Bob in reply to Don.

      December 9, 2016 at 6:11 pm #

      Yes because it will no longer receive updates.

  4. John

    December 8, 2016 at 8:28 pm #

    In addition to setting a non-standard username/password, I'm creating my router username the same way that I am creating passwords: long in length and randomly generated by my password manager, just like I do on my passwords. And why wouldn't I ? :-) Doing so, there's a double whammy for those interested in brute-forcing my router. And I would not be interested in some simple/convenient username that is easy to remember (nor any password) anyway, since I keep it in a password manager (diligently used, too, of course). Not a 100% guarantee, but at least the brute-force attack will be extremely hard to perform. (And that's merely step 1)

    • Bob in reply to John.

      December 8, 2016 at 9:43 pm #

      Just remember to use the correct encryption option otherwise your super-complex password can be broken in a matter of minutes.

      You should also remember that if you're using an ISP-supplied router that there are normally built-in backdoors which allow access regardless of your complex password – e.g. the BT HomeHub* and others.

      That's why a 'proper' router is recommended, preferably running Tomato / DD-WRT.

      *http://www.bit-tech.net/news/hardware/2013/12/17/bt-back-door/1

      • John in reply to Bob.

        December 9, 2016 at 10:25 am #

        Hi Bob,

        Thanks for your reply.

        When you mention proper encryption option, I trust you mean the way that the Wifi signal is being encrypted, right? (My Wifi signal is only on WPA2, no WPS whatsoever, and also it's of course a long key that is different from the admin login which I was referring to.) You see, I'm not aware of being able to encrypt my admin login credentials. Perhaps it's done by default by hardware (built into the Asus RT-AC68U perhaps?) , or perhaps it is not. I really can't tell. Should you have knowledge on that, then please share!

        About the hardware setup: I am getting my internet signal through my cable company, over a coax line. They provided me with a "Ubee modem" that converts the coax line into several ethernet-lines and Wifi (if activated). Well, Wifi is totally disabled on this one. I've hooked my Asus router right onto / after this Ubee modem into one of the ethernet lines. And it is only from there, that this second Asus router is routing traffic, giving Wifi signal etc. (Mind you: things get tunneled over VPN of course :-)

        One might argue, that the Ubee modem still provides an attack vector. Correct, think it does. And perhaps there are backdoors in there as well. If you have any reference sites where I can find info on that, I'd much appreciate it.

        Thanks for the article, will read it diligently! :o)

        • Bob in reply to John.

          December 9, 2016 at 1:26 pm #

          Yes, in terms of encrypting the connection you should use WPA2 whenever possible.

          I don't know what you mean about encrypting your admin credentials.

          If you're talking about the connection then you should ideally connect your computer physically (with the cable) to the router to change the admin password and your WPA2 password. Once the changes have been made you're all good to use it wirelessly again. That stops any sniffing of the new password by somebody who had the old credentials.

          Make sure that WPS is fully disabled, not just that you don't use it. If your router supports WPS then turn the option off.

          Depending on where your VPN is installed depends on where can be hacked. Make sure you're using a modern VPN and not using legacy protocols like PPTP or L2TP / IPSec as these modes are trivially crackable.

          Regarding your over question take a look at this site. There are other resources out there too and a lot of the vulnerabilities work on different models of ASUS.

          http://www.routerpwn.com/Asus/

          It's all about securing your router as much as possible to make you a less attractive target.

          • John in reply to Bob.

            December 9, 2016 at 1:40 pm #

            Hi Bob, thanks for your very helpful information.

            I will check on my router at the site you pointed out. Thanks!

  5. coyote

    December 19, 2016 at 12:11 am #

    'Don't use a router supplied by your ISP'
    This isn't always possible though; you might not have a choice in the matter: use the ISP provided device or don't use the service. Is it worth it? It might very well be to some. I'm included and as frustrating as it is such is life.

    'Update your router's firmware on a regular basis'
    This is fine for devices not provided by your ISP but otherwise it's not going to work so well unless you're a little too trusting or your ISP is quite kind (however you wish to define 'kind').

    'Be careful when logging into the router's web interface'
    And while you're at it if you can log in to it wired. Not that that is the ultimate answer but then there isn't a single answer to the problem.

    And disable remote login while you're at it.

Leave a Reply