Home and small business routers have become an ideal target for attackers seeking to gain control over a user’s access to the Internet, according to the United States Computer Emergency Readiness Team (US-CERT).
Router misconfigurations (such as default credentials and interfaces open to the Internet) or the lack of security precautions (such as failure to apply updates and patches) can make users susceptible to exploitation. Once cyber attackers gain unauthorized access to a vulnerable router, they may be able to obtain sensitive information from a user’s computer or perform other attacks.
Why Secure a Router?
Routers facilitate connectivity to the Internet for home-based businesses, telework, schoolwork, personal financial management, social networking and entertainment.
Routers are directly accessible from the Internet, are easily discoverable, are usually continuously powered on, and are frequently vulnerable because of their default configuration.
A router comes configured with many vendor default settings. Many of these settings are public knowledge and make a router susceptible to cyber attacks. Remember to change your router default log-in password during your initial setup.
Most routers are preconfigured at the factory and are Internet-ready for immediate use. After installing routers, users often connect immediately to the Internet without performing additional configuration, regarding additional safeguards as too difficult or too time consuming. Unfortunately, the default configuration on some routers offers little security and leaves home and small business networks vulnerable to attack and a target for attackers seeking a user’s personal or business data. Wireless features incorporated into these devices add another vulnerable target.
Prevent Unauthorized Access
Take preventative steps to increase the security of your router and reduce the vulnerability of the internal network against attacks from external sources.
- Change the Default Username and Password. Default usernames and passwords are available in publications and are well known to attackers. Change them during the initial router installation. Use a “strong” password, consisting of upper and lower case letters, numbers and symbols totaling at least 14 characters. Change passwords at least every 90 days.
- Change the Default SSID. A service set identifier (SSID) is a unique name that identifies a particular wireless local area network (WLAN). Wireless devices on a WLAN use the same SSID to communicate with each other. Manufacturers set a default SSID at the factory, which typically identifies the manufacturer or the actual device. An attacker can use the default SSID to identify the device and exploit its known vulnerabilities. Users sometimes set the SSID to a name that reveals their location, organization or their name. This makes it easy for attackers. When choosing an SSID, make the SSID unique and not tied to your personal or business identity.
- Don’t Stay Logged In. Routers usually provide a website for users to configure and manage the router. As a defense against cross-site request forgery (CSRF) attacks, do not stay logged in to this website. A CSRF attack could transmit unauthorized commands from the attacker to the router’s management website.
- Configure Wi-Fi for Data Confidentiality. Some routers still use Wired Equivalent Privacy (WEP). If your router or device supports only WEP, and not other encryption standards, upgrade your network device. A newer standard, WPA2-AES, encrypts the communication between the wireless router and the wireless computing device, providing stronger authentication and authorization between the devices. WPA2 incorporates the Advanced Encryption Standard (AES) 128-bit encryption that is recommended by the National Institute of Standards and Technology. WPA2 with AES is a secure router configuration for home and small business use, according to security tips published by US-CERT.
- Immediately Disable WPS. Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure moderately-secure wireless networks. A design flaw in the WPS specification for the PIN authentication reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the PIN is correct. The lack of a proper lockout policy after a certain number of failed attempts to guess the PIN on some wireless routers makes a brute-force attack more likely to occur.
- Limit WLAN Signal Emissions. WLAN signals can broadcast beyond the perimeters of a home or business. This extended emission allows eavesdropping by intruders outside a network perimeter. Consider antenna placement, antenna type, and transmission power levels. Local area networks (LANs) are more secure than WLANs because they are protected by the physical structure in which they reside. Limit the broadcast coverage area when securing your WLAN. A centrally-located, omnidirectional antenna is most common. If possible, use a directional antenna to restrict WLAN coverage to only the areas needed. Experimenting with transmission levels and signal strength will allow you to better control WLAN coverage.
- Turn the Network Off. During travel or extended offline periods, turn devices off. The ultimate in wireless security measures–shutting down the network–will prevent outside attackers from being able to exploit your WLAN.
- Disable UPnP. Universal Plug and Play (UPnP) is a handy feature allowing networked devices to seamlessly discover and establish communication with each other on the network. While the UPnP feature eases initial network configuration, it also is a security hazard. Disable UPnP, unless you have a specific need for it.
- Upgrade Firmware. Just like software on your computer, the router firmware, the software that operates the router, must have current updates and patches. Many of the updates address security vulnerabilities that could affect the network. When considering a network, check the manufacturer’s website to see if the website provides updates to address security vulnerabilities.
- Disable Remote Management. Disable remote management to keep intruders from establishing a connection with the router and its configuration through the wide area network (WAN) interface.
- Monitor for Unknown Device Connections. Use your router’s management website to determine if any unauthorized devices have joined or attempted to join your network. If an unknown device is identified, a firewall or media access control (MAC) filtering rule can be applied on the router.
Source: US-CERT, Security Tip ST15-002. Release Date: December 16, 2015
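The checklist above can be applied mechanically to a snapshot of a router's settings. The following is an added example, not part of the US-CERT tip: the settings keys, the default-name lists and both sample snapshots are constructed for illustration, since routers share no common export format.

```python
import re

# Assumed examples of factory defaults; extend for your own hardware.
DEFAULT_USERS = {"admin", "root", "user"}
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "tp-link", "default")

def password_is_strong(pw):
    """Upper case, lower case, digit and symbol, at least 14 characters."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 14 and all(re.search(c, pw) for c in classes)

def audit_router(cfg, known_macs, identity_terms=()):
    """Return sorted finding codes for one settings snapshot (hypothetical keys)."""
    findings = set()
    if cfg["admin_user"].lower() in DEFAULT_USERS:
        findings.add("default-username")
    if not password_is_strong(cfg["admin_password"]):
        findings.add("weak-password")
    if cfg["password_age_days"] > 90:
        findings.add("password-older-than-90-days")
    ssid = cfg["ssid"].lower()
    if ssid.startswith(DEFAULT_SSID_PREFIXES):
        findings.add("default-ssid")
    if any(term.lower() in ssid for term in identity_terms):
        findings.add("ssid-reveals-identity")
    if cfg["wifi_security"].upper() != "WPA2-AES":  # the setting the tip recommends
        findings.add("wifi-not-wpa2-aes")
    for feature in ("wps", "upnp", "remote_management"):
        if cfg[feature]:
            findings.add(feature.replace("_", "-") + "-enabled")
    # Compare MAC addresses case-insensitively against the inventory.
    known = {m.lower() for m in known_macs}
    for mac in cfg["clients"]:
        if mac.lower() not in known:
            findings.add("unknown-device:" + mac.lower())
    return sorted(findings)

# Constructed sample snapshots: factory-fresh versus hardened.
KNOWN = {"AA:BB:CC:00:00:01"}
FACTORY = {"admin_user": "admin", "admin_password": "password",
           "password_age_days": 400, "ssid": "NETGEAR42", "wifi_security": "WEP",
           "wps": True, "upnp": True, "remote_management": True,
           "clients": ["AA:BB:CC:00:00:01", "DE:AD:BE:EF:00:99"]}
HARDENED = dict(FACTORY, admin_user="netops-7", admin_password="t7#Qm!vR2x&Lp9Zc",
                password_age_days=12, ssid="bluefern-5", wifi_security="WPA2-AES",
                wps=False, upnp=False, remote_management=False,
                clients=["aa:bb:cc:00:00:01"])

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit_router(cfg, KNOWN, identity_terms=("smith",)))
```
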