Many users don’t realize it, but their internet routers might be the most important electronic devices they have in their homes. Routers link most of their other devices together and to the outside world, so they have a highly privileged position that hackers often look to exploit.
Over the past several years, the number of botnets comprised of hacked routers has increased and those botnets have been used by both criminals and sophisticated state-sponsored attackers to launch attacks against businesses and organizations.
Unfortunately, many consumer and small-business routers come with insecure default configurations, have undocumented backdoor accounts, expose legacy services and have firmware that is riddled with basic flaws. Users can’t fix some of these problems, but they can take actions to at least protect these devices from large-scale, automated attacks.
Don’t let your router be a low-hanging fruit for hackers.
Avoid using routers supplied by ISPs
These routers are typically less secure than those sold by manufacturers to consumers. They often have hard-coded remote-support credentials or protocols — TR-069 — that users can’t change or disable. Patches for their custom firmware versions lag behind patches released by router manufacturers for their retail models.
If you are forced to use the modem supplied by your ISP to enable services like VoIP, it’s best to configure it in bridge mode and install your own router behind it to give you better control over your network and how your devices connect to the internet.
Change the default admin password
Many routers come with default administrator passwords, and attackers constantly try to break into devices using these publicly known credentials. After you connect to the router’s management interface for the first time through your browser — the address should be the router’s default IP address found on its bottom sticker or found in the set-up guide — make sure the first thing you do is change the password.
The router’s management interface should not be reachable from the internet
For most users, managing the router from outside the LAN (local area network) is not necessary. If remote management is needed, consider using a VPN (virtual private network) solution to establish a secure tunnel into the local network first and then access the router’s interface from within.
Inside the LAN, it’s also good to restrict which IP (Internet Protocol) addresses can manage the router. If this option is available, allow access from a single IP address that is not part of the pool of IP addresses assigned to computers via DHCP (Dynamic Host Configuration Protocol). For example, configure the router’s DHCP server to automatically assign IP addresses from 192.168.0.1 to 192.168.0.50 to clients and then configure the web interface to only allow access from 192.168.0.53. Your computer can be manually configured to use this address when you need to perform administrative tasks on the router.
Turn on HTTPS access to the router interface if available
Always log out when your management task is done. Use the browser in incognito or private mode when working with the router so that no session cookies get left behind and never allow the browser to save the router’s username and password.
Change the router’s default LAN IP address if possible
Routers are usually assigned the first address in a predefined netblock, for example 192.168.0.1. If offered the option, change this to 192.168.0.99 or something else that’s easy to remember and is not part of the DHCP pool. The entire netblock used by the router can also be changed to a non-default one — for example, 192.168.10.x instead of 192.168.0.x. Doing this protects against cross-site request forgery (CSRF) attacks that hijack users’ browsers when they visit malicious websites and use them to reach routers at the default IP addresses commonly assigned to such devices.
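The DHCP-pool and default-address advice above can be turned into a few mechanical checks. This is an added example (not from the article): it takes a proposed LAN layout and reports where it departs from the guidance; the list of common default netblocks is an assumption and only illustrative.

```python
"""Sanity checks for a home LAN addressing plan (added example, not from the article)."""
import ipaddress
from typing import List

# Netblocks routers commonly ship with; a CSRF page guessing the router's address
# will try these first. Assumption: this list is illustrative, not exhaustive.
COMMON_DEFAULT_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]


def check_lan_plan(network: str, router_ip: str, dhcp_start: str,
                   dhcp_end: str, mgmt_ip: str) -> List[str]:
    """Return a list of problems; an empty list means the plan follows the advice."""
    net = ipaddress.ip_network(network, strict=True)
    router, start, end, mgmt = (ipaddress.ip_address(a)
                                for a in (router_ip, dhcp_start, dhcp_end, mgmt_ip))
    problems = []
    # Non-default netblock: frustrates CSRF pages that assume 192.168.0.x / 192.168.1.x.
    if net in COMMON_DEFAULT_NETS:
        problems.append(f"{net} is a common default netblock; pick a non-default one")
    # Router should not sit at the first host address of the block.
    if router == next(net.hosts()):
        problems.append(f"router sits at the first host address {router}; move it elsewhere in {net}")
    # Everything must be on the same LAN, or the plan cannot work at all.
    if not all(a in net for a in (router, start, end, mgmt)):
        problems.append("router, management and DHCP addresses must all lie inside the LAN netblock")
    if start > end:
        problems.append("DHCP pool start is after its end")
    # The admin workstation address must be outside the pool so DHCP never hands it out.
    if start <= mgmt <= end:
        problems.append(f"management address {mgmt} is inside the DHCP pool {start}-{end}")
    return problems


if __name__ == "__main__":
    # Constructed input: a non-default block with the router away from .1
    for problem in check_lan_plan("192.168.10.0/24", "192.168.10.99",
                                  "192.168.10.100", "192.168.10.150", "192.168.10.53"):
        print(problem)
```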
Use a security-focused DNS service provider
By default, your router will be configured to forward Domain Name System (DNS) requests to your ISP, which means you have to trust your ISP to maintain a secure DNS lookup service. Since DNS acts as the internet’s phone book, locating the IP addresses of the websites you want to visit, hackers commonly target it to direct users to malicious websites in a way that’s typically hard to spot. Companies like Google, Cloudflare, OpenDNS (Cisco) and others offer publicly available DNS resolvers that are security-focused and even have encrypted versions.
Choose a complex Wi-Fi password and a strong security protocol
WPA2 (Wi-Fi Protected Access II) and the newer WPA3 should be the options of choice, as the older WPA and WEP versions are susceptible to brute-force attacks. If the router offers the option, create a guest wireless network, also protected with WPA2 or WPA3 and with a strong password. Use this isolated guest network for visitors and friends instead of your main one. These users might not have malicious intentions, but their devices might already be compromised or infected with malware before they visit your network.
Disable WPS (Wi-Fi Protected Setup)
This is a rarely used feature designed to help users set up Wi-Fi networks more easily, typically by using a PIN printed on a sticker. A serious vulnerability was found in many vendor implementations of WPS years ago that allows hackers to break into networks. Because it’s hard to determine which specific router models and firmware versions are vulnerable, it’s best to simply turn off this feature if possible. Instead, you can connect to the router’s web-based management interface to configure Wi-Fi with WPA2 and a custom password — no WPS needed.
Limit the number of services your router exposes to the internet
This is especially true if you haven’t enabled those services yourself and don’t know what they do. Services like Telnet, UPnP (Universal Plug and Play), SSH (Secure Shell), and HNAP (Home Network Administration Protocol) should not be reachable from the internet as they can pose serious security risks. They should also be turned off on the local network if they’re not needed. Online services like Shields UP by Gibson Research Corporation (GRC) can scan your router’s public IP address for open ports. Shields UP can also scan for UPnP separately. Free tools like Nmap can be used to scan the router’s LAN interface.
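The LAN-side check suggested above (what Nmap would tell you) can be scripted. This is an added example, not part of the article: it probes the router’s LAN address for a few of the services named here and sends a standard SSDP M-SEARCH to see whether UPnP answers on the local network. Assumptions: the default port numbers for Telnet, SSH and TR-069, and that 192.168.0.1 is the gateway.

```python
"""LAN-side exposure check for a home router (added example, not from the article)."""
import socket
from typing import Dict, List

# Services the article says to turn off when unused; ports are the usual defaults (assumption).
RISKY_TCP = {23: "Telnet", 22: "SSH", 7547: "TR-069 (CWMP)"}
SSDP_ADDR = ("239.255.255.250", 1900)
SSDP_MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                "MAN: \"ssdp:discover\"\r\nMX: 1\r\nST: upnp:rootdevice\r\n\r\n").encode()


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def upnp_answers(timeout: float = 2.0) -> List[str]:
    """Multicast an SSDP M-SEARCH and collect the LOCATION header of every responder."""
    locations: List[str] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(SSDP_MSEARCH, SSDP_ADDR)
        try:
            while True:  # keep reading until the socket times out
                data, _ = s.recvfrom(4096)
                for line in data.decode(errors="replace").split("\r\n"):
                    if line.lower().startswith("location:"):
                        locations.append(line.split(":", 1)[1].strip())
        except socket.timeout:
            pass
    return locations


def assess(open_tcp: Dict[int, bool], ssdp_locations: List[str]) -> List[str]:
    """Turn raw probe results into findings; pure so it can be tested offline."""
    findings = [f"{name} reachable on LAN port {port}: disable it if unused"
                for port, name in RISKY_TCP.items() if open_tcp.get(port)]
    if ssdp_locations:
        findings.append(f"UPnP/SSDP answered ({len(ssdp_locations)} responder(s)): consider disabling UPnP")
    return findings


def audit(gateway: str) -> List[str]:
    """Probe the router's LAN address for the services above and report findings."""
    return assess({port: tcp_open(gateway, port) for port in RISKY_TCP}, upnp_answers())


if __name__ == "__main__":
    for finding in audit("192.168.0.1") or ["No risky LAN-side services found"]:
        print(finding)
```

Run it from a machine on the LAN; an empty result only means these particular services did not answer, not that the router is otherwise secure.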
Keep your router’s firmware up to date
Some routers allow checking from the management interface whether firmware updates are available, and a few even offer automatic updates. However, these checks can break over time as the manufacturer changes its update servers. It’s a good idea to regularly check the vendor’s support website for updates for your router model. These updates need to be downloaded manually and then flashed through the router’s web-based management interface.
More complex router defenses
Use network segmentation to isolate risky devices
Some routers offer the option to set up VLANs (virtual local area networks), and you can use these to separate internet-of-things (IoT) devices from your computers, mobile phones and other privacy-sensitive machines. Over the years, researchers have shown that in their rush to be first to market, IoT makers are not designing devices with security in mind and this results in serious vulnerabilities that hackers can exploit to break into networks and target other IT assets. IoT devices are also often shipped with unprotected administrative protocols exposed to local networks which makes them vulnerable to attacks from malware-infected computers on the same network.
Using VLANs helps mitigate both scenarios and doesn’t limit functionality since most IoT devices are controlled through smartphone apps connected to cloud services. If they have internet access, most of these devices don’t need to communicate with mobile phones or computers directly over the local network after initial set-up.
Use MAC address filtering to keep rogue devices off your Wi-Fi network
Many routers allow users to restrict which devices are allowed on their Wi-Fi networks based on MAC address — a unique identifier of their physical network card. Enabling this feature can prevent attackers from connecting to a Wi-Fi network even if they know its password. The downside is that manually whitelisting legitimate devices can quickly become an administrative burden on larger networks.
Combine port forwarding with IP filtering
Services that run on a computer behind a router cannot be reached from the internet unless port forwarding rules are defined on the router. Many software programs attempt to open ports in the router automatically via UPnP, which is not always safe. If UPnP is disabled, rules can be added manually, and some routers offer the option to specify the source IP address or netblock that can connect on a specific port to reach a certain service inside the network. For example, if you want to access an FTP server on your home computer from work, you can create a port forwarding rule for port 21 (FTP) in your router, but only allow connections from your company’s IP netblock.
Custom firmware can be more secure than factory firmware
Several community-maintained firmware projects support a wide range of home routers. OpenWRT, DD-WRT and Asuswrt-Merlin (for Asus routers only) are some of the most popular. These Linux-based operating systems typically offer more advanced features and customizations than factory firmware, and their maintainers are quicker than router vendors to fix flaws once they are identified.
Because these firmware packages are aimed at enthusiasts, the number of devices that use them is much smaller than those that run vendor-supplied firmware. This makes widespread and automated attacks against custom firmware less likely, but this should not be treated as a security guarantee. It’s also important to keep in mind that loading — flashing — custom firmware on routers requires a fair amount of technical knowledge, will likely void warranties and, if done incorrectly, can render the devices unusable.
Extend your router’s shelf life
Unlike smartphones, routers are not something that people change every two years. However, router manufacturers are not always clear on the expected support life of their products or the frequency of firmware updates and users can easily fall into the trap of buying a model that’s already been on the market for a long time and is about to go out of support or already has. An out-of-support router is unlikely to receive any security patches, including for critical vulnerabilities.
One way to prevent that is, when making your purchase decision, to intentionally choose a router model that’s also supported by third-party firmware like OpenWRT. This ensures that when official manufacturer support ends, you at least have an alternative source of patches. There are also companies that sell routers pre-flashed with OpenWRT or other open-source firmware, so you could go that route from the beginning.
Another option is to choose a small business router instead of a consumer one as those are typically supported for a longer time, but they can also be more expensive.