National Cyber Warfare Foundation (NCWF) Forums


A Basic Guide to Router and Wireless Security for Regular People


0 user ratings
2023-08-21 16:09:26
milo
Blue Team (CND)

 - archive -- 


Router and wireless security for the home/small network is often overlooked due to the limitations of consumer grade hardware and general lack of awareness of network security (NetSec).


As such, many users run home or small office networks that introduce a great amount of unnecessary risk.


This is a guide meant for "regular" users to improve their network security, cutting down unnecessary risk that may be invisible to users unfamiliar with (cyber)security.



Why you shouldn’t use your ISP’s router


Renting a router from your internet service provider (ISP) is not recommended. The ISP router is often subpar equipment, has limited to no flexibility in settings, and often does not allow maximum control over administration of your network.




yellow acronym ISP on black background


Frequently, routers and other networking equipment rented from the ISP is... subpar. You'll often get better Wi-Fi coverage and performance using a router you purchase yourself.


In many cases, the ISP router has default settings enabled that could compromise user security. For example, many ISP routers (and shipped instructions) do not prompt users to change the default credentials even after successfully setting up the wireless network.


Additionally, ISP initial set up instructions may not cover how to disable certain features that could undermine security - such as disabling automatic, public Wi-Fi hotspots broadcasting separately from the user's network.


ISP routers typically do not support changing settings which could ultimately benefit user privacy, such as setting custom DNS resolvers. They often do not support other features some users may want or need to properly administer their network, such as network segmentation, creating VLANs, or enabling parental controls.


Again on the privacy front, routers supplied by the ISP allow the ISP direct access to the router firmware. Typically this is used for providing timely security updates, but this could have privacy implications as well; in theory, your ISP could spy on your local network. Or, a third-party could gain access to this remote function of the router and perform privacy invasive action such as collecting sensitive data about you, your devices, and your network.


This is a little different than your ISP collecting information on your browsing history - which they can do regardless of whether you use your own router or theirs. Since 2017 and as of writing, ISPs are legally allowed to sell consumer data to third parties, including your browsing history. To mitigate this specifically, you can use a reputable virtual private network (VPN) provider. or the Tor browser (or another onion routing service, such as SafingIO's SPN).




photo of router on a surface


From a financial standpoint, renting the ISP’s router also costs you more in the long run. See this example:


Let’s say you sign up for a 1-year term contract for home internet service from ISP-1. Each month, your bill is $60 for 12 months.


You also elect to rent a router from ISP for $12 a month. So, in total for 1 year, you are paying $864 for service and equipment.


Over the course of 12 months, your total cost for renting ISP-1’s router is $144. In a lot of cases, you’ll have to return the router if/when you choose to terminate service with the ISP.


For that amount of cash, you could buy a capable home router that is under your control, allows meaningful customization, is more than likely higher quality hardware, and… you get to keep it for years (or until it reaches its end-of-life, where it no longer receives security updates.)


Change the default router password


If you do nothing else in this guide, you should absolutely change the default password for your home router - even if it’s your ISP’s router.


The default password to any device is the password that come as the default for administrator (privileged) access into a device/account. As a basic security rule, default passwords should always be changed as soon as possible.




blue login screen with administrator and hidden password characters


Default credentials are often exceedingly simple. They are incorporated in many brute-forcing and credential stuffing wordlists and constantly used in automated attacks.


Default credentials for many devices (including routers) are publicly available. They can frequently be found on device manufacturers' websites.


In fact, many router manufacturers post the default credentials for router models and sub-models on their websites. For example, the default interface passwords for NETGEAR routers for current models is admin and password .


The bottom line: Once receiving an internet connection (typically from a modem or a device acting as a modem) and assigned a public IP address from the ISP, your router is effectively discoverable from the outside world.


If you haven't changed the default credentials for the router, anyone can "discover" it and use the default credentials to login to the device.


From this point, your device can be recruited into a botnet or used as a residential proxy for cyber threat actors. Additionally, since the device is controlled by the threat actor, they could download additional malware, pivot to compromise the rest of the devices on your network, or spy/steal data from your network.


Change the default password to your router! Do not use variations of the default password or credentials. Set a truly strong password that is both lengthy and complex.


Turn off UPnP


Universal Plug and Play (UPnP) is a protocol designed to let users quickly connect devices to their networks without manual configuration on the devices themselves.


In most cases, UPnP does not use authentication for connected devices, operating with the assumption devices attempting to connect using UPnP are trustworthy and available via the local network; because the router is operating under the assumptions 1) the device connecting via UPnP is local and 2) the device is trustworthy, the router will permit the device to connect without "challenge."




usb cord plugged into red apple


While originally designed to be used on the local area network (LAN), router manufacturers have enabled UPnP by default on routers; UPnP can be available from the wireless area network (WAN), which means a broader audience can discover and connect to your router and network. A broader audience can include, well, an attacker.


Naturally, this undermines network security because UPnP enabled on the WAN allows devices from outside your physical LAN to request connection to your network - with zero challenge in most cases.


A malicious device controlled by an attacker could...


The post A Basic Guide to Router and Wireless Security for Regular People appeared first on Security Boulevard.



Avoid The Hack!

Source: Security Boulevard
Source Link: https://securityboulevard.com/2023/08/a-basic-guide-to-router-and-wireless-security-for-regular-people/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Blue Team (CND)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.