Securing your router: keeping intruders out

routerset07

Your router is like your front door: leave it wide open, or just inadequately secured, and you can rest assured that one day you’ll have unwelcome visitors. With recent problems of passwords and other details being ‘stolen’ from many TalkTalk routers, it is essential that you now review the security of your (modem-)router. This article provides advice which should help you do that.

Watch the router’s logs

routerset01

Most people set their router up and leave it, assuming that it is configured correctly, remains secure, and does its job without bothering them any further. You may have been able to get away with that in the past, but now, more than ever, you need to keep a watchful eye.

The first place to check, at least once a day, is your router’s logs. You will see various attempts being made to find weaknesses in its configuration, but need to look closely at systems joining its local network (LAN), and any evidence of attacks. These logs are not stored on your Mac (so cannot be seen by Console), although some routers can be configured to send their logs by email if you wish. Details of how to access a router’s logs are given in its documentation, and almost invariably require you to point your browser at the router’s IP address, and enter its admin username and password.

I have put my router’s URL in Safari’s Favourites, and every day, in the early evening, I check its connection, speed, and logs. It takes but a minute or so, and gives me peace of mind.

Keep your router’s firmware up to date

routerset02

Even when new, many routers have firmware upgrades available. These may patch vulnerabilities, some of which are being actively exploited already. Using the router’s browser interface, check for updates and install them when they become available. Some routers automatically check for updates every week or so. If yours does not, perform a manual check every few weeks (at the least frequent).

Set a secure password

routerset03

Most routers ship with a default password which you are expected to change when you set it up, but most users leave it set to that default. Default passwords are often common to each model, or absurdly obvious such as password. When you set your router up, change its password to something that is unguessable, and different from those of your computer(s) and device(s). If there is any suggestion of compromise, change your password immediately – it costs nothing and can restore security if your information has been disclosed.

Disable remote management

routerset04

Many routers have an option which allows you to connect to them from the internet (WAN) and access their management features. Unless you have a really good reason not to, disable that, and ensure it remains turned off. If it is turned on by default, it will use a common and weak password, which makes it very easy for a remote hacker to attack. If it is turned off, it should make it very difficult for anyone outside your local network to attack.

Configure secure WiFi connections

routerset05

With almost all routers including WiFi support, check those settings very carefully. If you can, turn SSID broadcast off, as that advertises your WiFi network’s presence. In security options, use only WPA2, or WPA2 Enterprise if possible. The latter may be too restrictive if you want to offer visitors WiFi access, perhaps for their smartphones.

Never allow a guest network, or guest access

routerset06

Guest features are inherently less secure than the regular WiFi network. Unless it is absolutely essential, disable any guest access, and don’t turn it on. Ever.

Configure your firewall and other features properly

Even the cheapest routers now contain good firewalls, DHCP servers, and more. Ensure that those are properly set up, and not just left in their default configuration. Other articles here and elsewhere explain these in full detail.

Bundled routers

Some ISPs offer you inducements to use ‘their own’ routers, or even insist on them. Those are invariably commercial models made and sold under a different name, rebadged, and sometimes with firmware customisations. If they do not offer the features detailed above, they are not fit for purpose and you should insist that the ISP provides you with a router which does have the features.

In case of difficulty, insist that they provide you with a written indemnity to compensate you in full, in the event of any security breach. I suspect that a lot of TalkTalk customers are wishing that they did had done that before this latest breach.

routerset07

Manufacturers like to pretend that modern computer kit is ‘set and forget’, free of maintenance and any care. Routers are not. Ignore them, and one day you may well have a very nasty surprise. Once inside your network, intruders can do a lot of harm. Don’t let them.