Pop Quiz
Question 1 - Who is the manufacturer of your router? (If you don't know, don't feel bad. You're not alone.)
Question 2 - What is your router’s “name”? (This one may be easier. Maybe it is “No Wi-Fi No Cry.”)
Question 3 - What is the admin login username to your router? (Is your answer, “See answer to Question 2?”)
Okay, okay. If you're like a lot of my recent test subjects (mostly against their will), you may not know the answers to those questions. That's okay. I'm sure you're still a good person. But, I thought I would take a minute to try to demystify how to ensure your home router is set up securely.
Let’s cover a little router terminology. (What a teaser, huh?)
How many of you have looked at the available Wi-Fi networks at your house and noticed the names of your neighbors’ Wi-Fi networks? Do any of them have the name of a local internet service provider?
It is not uncommon to see Wi-Fi networks with, for example, the local cable company’s name in it. The name that you are seeing is the service set identifier (“SSID”). You may have encountered new neighbors moving in, and when you look at the Wi-Fi networks available, you proclaim, “Honey, our new neighbors’ last name is Asus.”
I recommend that you absolutely change your SSID to a unique name. Take the cable company example. What if you call the local cable company and ask, “What kind of router are you going to provide me if I get to your service?” Many times, it is the same router that is given to every new customer at that time. If a hacker has this information, it may create a security vulnerability. If you are using the SSID that was provided by your internet service provider, a hacker may be able to learn this information and actually login to your router.
Let’s do an experiment. Find the brand and model of your router. Now, search the internet for “[router brand and model] username and password.” Most likely, you are going to get results from your router manufacturer’s website. For example, if you own a Netgear router, your Login IP is http://192.168.0.1 (the address you type in your internet browser to contact your router); the login username you enter is “admin”; and the password you enter is “password.” If I'm a hacker who knows your router manufacturer or the username and password combinations of the most popular brands of routers, and you have not changed the administrative password, it would take very little time to be able to access your router.
We hear a lot about ransomware, malware, viruses, etc., but there has also been recent news of router exploits,
including KRACK, In-the-wild, and VPNFilter. KRACK exploits a vulnerability in WPA2 encryption. In-the-wild exploits a vulnerability of those using DLink routers. And, VPNFilter is just another gift from Russia that may be collecting information on your web traffic, phoning home, and containing a kill switch to disable your router at some point in the future. I encourage you to search the internet to determine if your device may be infected.
What to do? Welcome to Routers Anonymous, my 7-step program to router recovery!
- Step 1 - Figure out how to access your router. Most have user interfaces designed for basic users to navigate. Although you may not be able to change the router’s username from admin, you should definitely change the administrative password. Make it LONG. If VPNFilter has taught us anything, making a long password makes it extremely difficult to brute-force crack your password. After several days, you may just notice that van in front of your house.
- Step 2 - Update your firmware. You should make sure your router has the latest firmware. Consult your documentation or conduct an internet search on how to upgrade. Most router manufacturers will release a firmware update to patch any known exploits. Once you've updated, reboot your router.
- Step 3 - Change your SSID (your router’s wireless “name”).
- Step 4 - Select the best security option. There are many: WEP, WPA, WPA2, TKIP, PSK, AES, ABBA. (Okay, maybe not ABBA, but you get the point.) More letters does not necessarily mean more secure. WPA2-PSK (AES) is the most secure option.
- Step 5 - Set up a Guest Network. Get a router that gives you an option to set up a guest network. This option will enable you to isolate your “home” devices that may contain sensitive data from all of the devices the neighborhood kids bring into your house to play Fortnite. A Guest Network can have its own SSID and strong password, but the devices on the Guest Network cannot access the devices on the main network. A Guest Network may also provide you additional security if you have any concerns about your smart devices [e.g., security cameras, wireless printers, smart TVs, vacuum robot (mine is named Steve), refrigerator, IP phones, etc.]You can allow these devices to connect to the internet via a Guest Network, which isolates them from your main network devices.
- Step 6 - Turn off Remote Management and Port Forwarding. Find these features and disable them. It gives you another layer of security to your router.
- Step 7 - If you're using a router that only offers WEP as a security option, it's time to go shopping. A router may be an out-of-sight, out-of-mind device for a lot of us, but if you're interested in making your wireless network more secure, consider investing in a new piece of hardware. The Wi-Fi Alliance has begun to certify new products that will support WPA3, which will replace WPA2 as the most secure option. If you want to set your router up once and forget it, look for one that will support WPA3.
Now, if you’ll excuse me, I have to go meet the Netgears, who just moved in next door.