In this guide
The humble broadband router is a vital bit of equipment, granting access to the internet and providing home networking. But when it comes to security that anonymous blinking box in the corner is often overlooked. Fear not, this guide will tell you how to secure your home or office Wi-Fi router.
A Wi-Fi hub is the gateway between your personal devices and the wider world and if it is not properly configured your private data and home network - along with everything attached to it - are at risk.
Most likely you use the Wi-Fi router supplied by an ISP. And if you don’t there’s a good chance it’s a consumer model from a popular brand like Netgear, D-Link, Belkin or Asus. This makes a hacker’s job much easier because a single security exploit could be used to compromise millions of identical routers. Compounding this is the fact that many routers still use factory default settings, so accessing a router might be as simple as knowing the default password for that brand.
But there are simple steps everyone can take to minimise the risks. Here’s a few ways you can bolster your home broadband router security.
- Accessing the router’s administrative settings
Access to the router’s settings is required to carry out changes to its settings. But as each make and model can have slightly different ways of getting to the administrative tools it’s impossible for us to give exact instructions for your particular setup.
Typically the management controls are viewed with a web browser using either a URL (some Netgear models use routerlogin.net, for example) or an IP address (i.e. https://192.168.1.1). You’ll then be prompted to enter a username and/or password.
The default login details will be printed on the router itself or in the manual.
Some routers may offer a software utility, but this can be limited to a few of the most common controls for basic setup so it’s usually best to go through the web interface.
Note that the options themselves can also vary wildly. They may be labelled differently and not every router will offer the same choice of settings. If you get stuck consult the user manual or search online for a solution specific to your hardware.
Change the administrator login
The admin login gives access to all the router’s settings so this isn’t something you want falling into the wrong hands, especially as it can be used to access a router over the internet.
Because the default admin login is often the same for every router of that make or model it’s extremely important to change this to something unique.
Some routers will allow you to change both the username and password, but others may only permit the password to be modified. As always, it’s a good idea to use a password manager so you can have a long and complex code without having to write it down or remember it.
Disable remote administration
Many Wi-Fi routers offer a remote management function which permits access to the admin controls from outside the home. But this represents a risk as it can be exploited by viruses or used by hackers to get to your router controls (especially dangerous if you haven’t changed the admin password). You're unlikely to have much cause to use this feature, so save yourself potential trouble and disable it.
Whenever possible use HTTPS rather than HTTP to access your router’s web controls to prevent the traffic being monitored. This might be an option within your router, or you can try adding HTTPS to the router IP address when logging in.
Update the router firmware
Firmware is your router's operating system and keeping it up to date is vital for improving security. Manufacturers will deploy updates to patch security holes and provide new features so you should grab the latest version as soon as possible. This may require manually checking for an update as not all routers will alert the user of an update automatically.
Limit administrative access to wired connections
This is not a feature every router offers, but if available it’s a good idea to limit access to the router’s configuration settings to wired connections. This means that anyone who wanted to mess with your network hub would have to be plugged directly in with an ethernet cable, rather than being able to sit outside on the Wi-Fi.
Secure the Wi-Fi network
As well as updating the administrator password, another important step for the initial setup of any network is modifying the Wi-Fi settings.
Out of the box the Wi-Fi network name and password will usually be printed on a sticker fixed to the router itself, which is obviously not very secure if you want to prevent kids or anyone else jumping on your Wi-Fi whenever they like.
To avoid your broadband connection becoming a free-for-all for anyone who can read, change the Wi-Fi password to something only you know.
When changing the password use at least 12 characters and make it random, don't use a dictionary word or phrase that could be easily guessed.
Also make sure the Wi-Fi uses ‘WPA2’ encryption - and if you have the choice select "AES" instead of "TKIP". Do not use the outdated and insecure 'WPA' or 'WEP'.
The Wi-Fi network name (or 'SSID') can also be modified. It is important to do this if the current name gives away the make and model of the router. Otherwise an attacker could easily identify the hardware and attempt to use known vulnerabilities or default passwords.
Wi-Fi Protected Setup (WPS) is a seemingly handy feature which allows new devices to be quickly connected to the Wi-Fi by pressing a button or entering a PIN. But WPS is a flawed and insecure standard which can be exploited to hack Wi-Fi passwords.
For this reason it is best to disable the feature whenever possible. Some routers may not allow WPS to be switched off completely, but might instead offer the option of disabling the PIN function. That does mitigate the risk of a remote hack but can still allow WPS to be activated with a button press.
Universal Plug n Play (UPnP) is a protocol designed to allow software and hardware to communicate over a network without user configuration. But it’s a security risk as it can be exploited by malware or used to access a router over the internet.
Many home broadband users can disable UPnP for greater security without negative impact, however you may find that certain applications such as Skype and online games no longer work and will require manual port forwarding.
If you don’t mind trading some security for convenience you might prefer to leave UPnP enabled. But if so use the ShieldsUP! scanner to check for common vulnerabilities; if this indicates that your connection is insecure due to UPnP it should be left disabled.
Disable PING responses
A simple fix, this one. Check your router is set not to respond to ‘PING’ requests over the internet. That means if someone on the internet is scanning for active devices by sending out a ‘PING’ your router will stay silent rather than making its presence known.
Change your DNS
When you enter a web address into a browser it's translated into the server IP address by a Domain Name System (DNS) server. DNS is the internet's address book, and if you ever find that you're unable to access web sites it may be due to problems with DNS servers.
Most routers allow you to change the DNS server and add additional servers for redundancy. As a bonus some DNS services provide web filtering to block harmful web sites. Changing the DNS will also prevent ISPs from hijacking DNS to insert adverts.
There are numerous free public DNS services. We would recommend the following:
Most routers support two different DNS servers, but some may allow three or four to be entered. Two is plenty, but it won't hurt to set up more if the option is available.
Enable a guest network
If the router has a guest network feature you can use this to provide isolated access to guests and internet-only devices. The guest network provides a broadband connection but blocks local connections to other hardware on your home network.
Guest networks have their own SSID and password so follow the rules above when setting this up.
Monitor attached devices
It’s normal for routers to provide an overview of devices connected to the network. This will typically display the device name, connection type, internal IP address and MAC address. Check this regularly - if you notice an unknown device it may be a sign the network has been compromised. This can be particularly helpful if the broadband is running slower than normal and you suspect a neighbour has accessed your Wi-Fi.
Buy a better router
Switching to a higher end router can provide superior performance, security and features compared to ISP supplied hardware.
But don't just look at consumer hardware. An entry level small business router from a manufacturer such as Billion or DrayTek can have more rigorous security and come with vulnerable features like WPS disabled out of the box.
When buying a router take the time to check the manufacturer's history of firmware updates. Do they regularly issue patches, and continue to support older models for a reasonable amount of time? If not you could find that shiny new router is left exposed to newly discovered exploits.