How to secure your home or office broadband Wi-Fi router
The humble broadband router is a vital bit of equipment, granting access to the internet and providing home networking. But when it comes to security that anonymous blinking box in the corner is often overlooked. That can be a huge mistake.
A Wi-Fi hub is the gateway between your personal devices and the wider world and if it is not properly configured your private data and home network - along with everything attached to it - are at risk.
Most likely you use the Wi-Fi router supplied by an ISP. And if you don’t there’s a good chance it’s a consumer model from a popular brand like Netgear, D-Link, Belkin or Asus. This makes a hacker’s job much easier because a single security exploit could potentially be used to compromise millions of identical routers. Compounding this is the fact that many routers still use factory default settings, so accessing a router might be as simple as knowing the default password for that brand.
There are simple steps everyone can take to minimise the risks. Here’s a few ways you can bolster your home broadband router security.
Accessing the router’s administrative settings
To perform the following changes, access to the router’s settings is required. But as each make and model can have slightly different ways of getting to the administrative tools it’s impossible for us to give exact instructions for your particular setup.
Typically the management controls are viewed with a web browser using either a URL (some Netgear models use routerlogin.net, for example) or an IP address (i.e. https://192.168.1.1). You’ll then be prompted to enter a username and/or password. The default login details will either be printed on the router itself or in the manual. Some routers may offer a software utility, but this can be limited to a few of the most common controls for basic setup so it’s usually best to go through the web interface.
Note that the options themselves can also vary wildly. They may be labelled differently and not every router will offer the same choice of settings. If you get stuck consult the user manual or search online for a solution specific to your hardware.
Change the administrator login
The admin login gives access to all the router’s settings so this isn’t something you want falling into the wrong hands, especially as it can be used to access a router over the internet.
Because the default admin login is frequently the same for every router of that make or model it’s extremely important to change this to something unique. Do not give the password to anyone else without good reason.
Some routers will allow you to change both the username and password, but others may only permit the password to be modified. As always, it’s a good idea to use a password manager so you can have a long and complex code without having to write it down or remember it.
Disable remote administration
Many Wi-Fi routers offer a remote management function which permits access to the admin controls from outside the home. But this represents a risk as it can be exploited by viruses or used by hackers to get to your router controls (especially dangerous if you haven’t changed the admin password). Save yourself the trouble and disable it.
Whenever possible use HTTPS rather than HTTP to access your router’s web controls to prevent the traffic being monitored. This might be an option within your router, or you can try adding HTTPS to the router IP address when logging in.
Update the router firmware
Firmware is your router's operating system and keeping it up to date is vital for improving security. Manufacturers will deploy updates to patch security holes and provide new features so you should grab the latest version as soon as possible. This may require manually checking for an update as not all routers will alert the user of an update automatically.
Limit administrative access to wired connections
This is not something every router provides, but if available it’s a good idea to limit access to the router’s configuration settings to wired connections. This means that anyone who wanted to mess with your network hub would have to be plugged directly in with an ethernet cable, rather than being able to sit outside on the Wi-Fi.
Secure the Wi-Fi network
As well as updating the administrator password, another important step for the initial setup of any network is modifying the Wi-Fi settings. Out of the box the Wi-Fi network name and password will usually be printed on a sticker, which is obviously not very secure.
To avoid your broadband connection becoming a free-for-all for anyone who can read, change the Wi-Fi password to something only you know.
Also make sure it uses ‘WPA2’ encryption - and if you have the choice select "AES" instead of "TKIP". Do not use the outdated and insecure 'WPA' or 'WEP'.
The Wi-Fi network name can also be modified. It is important to do this if the current name gives away the make and model of the router. Otherwise an attacker could easily identify the hardware and attempt to use known vulnerabilities or default passwords.
Another option which can make things more difficult for bad guys is hiding the network name (or ‘SSID’). It does mean you’ll have to manually input the SSID each time a new device is connected, and it can still be found by anyone who knows what they're doing, but it renders the network invisible to casual viewers in the vicinity.
Wi-Fi Protected Setup (WPS) is a seemingly handy feature which allows new devices to be connected to the Wi-Fi by pressing a button or entering a PIN, rather than using a potentially long and complex password. But WPS is a flawed and insecure standard which can be exploited to hack Wi-Fi passwords.
For this reason it is best to disable the feature whenever possible. Some routers may not allow WPS to be switched off completely but might instead offer the option of disabling the PIN function. That does mitigate the risk of a remote hack but can still allow WPS to be activated with a button press.
Universal Plug n Play (UPnP) is a protocol designed to allow software and hardware to communicate over a network without user configuration. But it’s a security risk as it can be exploited by malware or used to access a router over the internet.
Many home broadband users can disable UPnP for greater security without negative impact, however others may find that certain applications such as Skype and online gaming no longer work and will require manual port forwarding.
If you don’t mind trading some security for convenience you might prefer to leave UPnP enabled. But if so use the ShieldsUP! scanner to check for common vulnerabilities; if this indicates that your connection is insecure due to UPnP it should be left disabled.
Disable PING responses
A simple fix, this one. Check your router is set not to respond to ‘PING’ requests over the internet. That means if someone on the internet is scanning for active devices by sending out a ‘PING’ your router will stay silent rather than making its presence known.
Monitor attached devices
It’s normal for routers to provide an overview of devices connected to the network. This will typically display the device name, connection type, internal IP address and MAC address. Check this regularly - if you notice an unknown device it may be a sign the network has been compromised. This can be particularly helpful if the broadband is running slower than normal and you suspect a neighbour has accessed your Wi-Fi.
Buy a better router
Switching to a higher end router can provide superior performance, security and features compared to ISP supplied hardware.
Even better is an entry level small business router from a manufacturer like Billion or DrayTek, which often have more rigorous security and come with vulnerable features like WPS disabled out of the box.
When buying a router take the time to check the manufacturer's history of firmware updates. Do they regularly issue patches, and continue to support older models for a reasonable amount of time? If not you could find that shiny new router is left exposed to newly discovered exploits.