Simply put, a poorly secured router can put all<\/em> devices on your network at the mercy of attackers. That is no hyperbole. The threats run the gamut, and a hacked router can:<\/p>\n\n\n\n And that is by no means an exhaustive list.<\/p>\n\n\n\n To harden your router and stay safe from hacker shenanigans, you need to access and properly configure the device\u2019s settings. This may seem to be a daunting task, but that may only be due to fear of the unknown. For most, basic remedies are not, by any means, an ordeal, and they\u2019re enough to greatly improve the security of your router.<\/p>\n\n\n\n Your router\u2019s admin settings can usually be accessed wirelessly by typing the router\u2019s IP address into any web browser\u2019s URL bar (the IP address is often 192.168.1.1 or 192.168.0.1, but check the label on your device or look up the address on Google). Arguably, a better way is to connect that long-forgotten thing, probably cloaked in a thick layer of dust, to your laptop via an Ethernet cable and only then type the IP address. In many cases, you can even reach the settings via a dedicated smartphone app.<\/p>\n\n\n\n There are a few sine quibus non<\/em><\/a> \u2013 beyond having a firewall turned on, of course \u2013 for a hardened router.<\/p>\n\n\n\n Here, we can safely pick up from where we left off last week<\/a>: Passwords invariably come into play when it comes to keeping your network safe and secure, doubly so when Wi-Fi connections are thrown into the mix. Out of all settings that come pre-configured for you from the manufacturer, the password to access the router\u2019s admin interface is the first thing you should replace with a strong and unique password or passphrase. Also, if possible, pick a non-generic username instead of the default one, which commonly in this case is one of these five options: \u2018admin\u2019, \u2018administrator\u2019, \u2018root\u2019, \u2018user\u2019, and no username at all.<\/p>\n\n\n\n Besides reducing cost for the manufacturers, these and some other default configurations are intended to ease set-up and remote troubleshooting. However, the convenience factor is apt to cause trouble in that, for example, the login details are often glaringly obvious and shared across router models, and even entire brands. Indeed, the logins are there for the taking for anybody who can spare a minute searching on Google, <\/em>or even less than that: suffice it to try one such absurdly easy-to-guess username\/password combination (in the vein of \u2018admin\/password\u2019) and it may very well work on a poorly configured router. In fact, ESET\u2019s test on 12,000 home routers<\/a> in 2016 found that one in seven such routers used \u201ccommon default usernames and passwords, as well as some frequently used combinations\u201d.<\/p>\n\n\n\n With routers that permit wireless connectivity (which is the case with pretty much all consumer routers these days), the brand and model may be given away by the default name of your wireless network. Change that name, aka Service Set Identifier (SSID), to something that doesn\u2019t identify you or your location. You can also stop the SSID from being broadcast, but be aware that a snoop with even a modicum of technical chops will be able to sniff it out easily anyway.<\/p>\n\n\n\n Also often enabled by default is a feature called Wi-Fi Protected Setup (WPS), which was originally intended to help bring new devices onto a network. However, due to a flaw in its implementation that relies on registrar PIN numbers and that makes the number easily crackable, WPS can be easily subverted<\/a>. Ultimately, this sets the stage for attacks at your wireless password, aka pre-shared key (PSK).<\/p>\n\n\n\n Another feature that is often enabled by default on routers and that poses a significant security risk is Universal Plug and Play (UPnP). Unless you\u2019re sure you need UPnP, which is intended to enable frictionless communication between networked devices but lacks any authentication mechanism, you should turn it off. Indeed, shut down any protocols and block any ports that aren\u2019t needed, as that will reduce the attack surface on your network.<\/p>\n\n\n\n When it comes to Wi-Fi passwords (and, thus, controlling who can actually access your wireless network), this is your chance to be creative. You can go up to 63 characters, but, in fairness, that shouldn\u2019t really be necessary. That said, make sure your password or passphrase is long and complex<\/a>, so that it can withstand brute-force attacks where ne\u2019ver-do-wells take countless stabs at a password in a bid to arrive at the right one. Of course, it must also be different from all your other login credentials, including the one you use to access the router\u2019s admin console.<\/p>\n\n\n\n You also need to specify a security protocol for your wireless connection. There\u2019s not much of a choice here, and the only option worth recommending is WPA2, short for \u2018Wi-Fi Protected Access 2\u2019. For homes, WPA2\u2019s best flavor is its personal mode (WPA2-Personal aka WPA2-PSK) and underpinned by AES encryption, which is, for all intents and purposes, uncrackable with today\u2019s computing resources. Robust over-the-air encryption scrambles all data as it travels between a Wi-Fi-connected device and a router, ensuring that a snoop cannot simply read it even if they somehow get their hands on the data.<\/p>\n\n\n\n There are two older Wi-Fi security modes that may still be available on your router \u2013 WPA\u2019s first iteration, simply called WPA, and the truly ancient Wired Equivalent Privacy (WEP). However, there\u2019s no reason to use either of them, especially the easily hackable WEP, as WPA2 has been mandatory on all Wi-Fi Alliance certified hardware since as far back as back 2006.<\/p>\n\n\n\n Of course, some of us are eagerly awaiting the arrival of WPA3-enabled<\/a> networking hardware on the market. Since this new security standard is set to usher in several major improvements for wireless security<\/a>, including better defense against password-guessing attacks, it really can\u2019t come soon enough.<\/p>\n\n\n\n At heart, routers are computers, so their operating systems, embedded as firmware, need to be updated for security vulnerabilities. Indeed, routers are notorious for being riddled with security loopholes mainly due to their running outdated firmware, which is commonly because we, the router owners, never install such updates. This makes things so much easier for attackers, as many incursions are facilitated by simple scans for routers with known security holes.<\/p>\n\n\n\n To check if your router\u2019s firmware is up-to-date, navigate to the device\u2019s admin panel. Unless you own a modern router that updates itself automatically or alerts you to new firmware versions, you will need to visit the vendor\u2019s website and check whether an update is available. If it is, well, you\u2019ll know what to do. This is not a one-time task, however, so be sure to check for new updates regularly, at least several times a year.<\/p>\n\n\n\n It\u2019s entirely possible that, because the router\u2019s maker has stopped issuing updates for your device, there may actually be no updates to be installed. This can happen especially with older routers, in which case you\u2019re best off simply buying a newer one.<\/p>\n\n\n\n At any rate, there\u2019s another reward for upgrading your firmware: Beyond updates to fix vulnerabilities, the new firmware version may also include performance improvements and new features, including those that have to do with its security mechanisms.<\/p>\n\n\n\n What else can you do, and with a minimal hassle factor, of course? Here are a few more quick tips:<\/p>\n\n\n\n Any router should enable you to create several networks, which is particularly handy with easily hackable Internet-of-Things (IoT) devices. If your home is \u2018smart\u2019, consider quarantining all that IoT tech in a segregated network, so that its vulnerabilities cannot be exploited to access the data on your computer, smartphone, or storage devices. You can also set up a separate network for your children and their gizmos.<\/p>\n\n\n\n Similarly, consider setting up a separate network for guests. That way, you only share your internet connection, not your network, and prevent the risk of malware from their devices jumping over to your digital assets in what is just one possible scenario how a guest can, however unknowingly, compromise your network.<\/p>\n\n\n\nDitch the defaults <\/strong><\/h2>\n\n\n\n
Keep snoopers at bay<\/strong><\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2019\/01\/NewYear_Snoopers.jpg\")
<\/a><\/figure><\/div>\n\n\n\nUpdate, update!<\/strong><\/h2>\n\n\n\n
Bonus tips<\/strong><\/h2>\n\n\n\n