By Matt Langlois, Director of Engineering at QA Cafe
Hackers are targeting home routers to gain access to the devices in your home, or worse. Now that many of us are working from home, security is even more important! What can you do to ensure that your home router is as secure as it can be?
Security is hard. This is something that a colleague has been telling me for years. Being secure takes intent, knowledge, and effort. Unfortunately, if you just take a router out of the box and hook it up, it may not be secure. Companies are getting better at this, but not always. Putting some effort into the router’s settings and getting a basic knowledge of how it is set up will help you keep your home network - and your home - more secure.
Here’s a simple guide for people who are not network nerds like me. This is the same guidance and advice that I give to family and friends.
The first step in securing your home Wi-Fi network is to figure out how to manage your Wi-Fi router. Don’t worry, this is not as scary as it may seem.
Most routers have a web management interface that can be easily accessed by browsing to a special page using a web browser on your PC, phone, or tablet. Others may rely on apps that must be installed on your phone or tablet.
If you still have the original packaging or quick start guide that shipped with your router, instructions for managing it should be provided there. If you do not have the original packaging or quick start guide, no worries! You can likely find it on the manufacturer’s website with a quick Google search.
If you have made it to your router’s log-in screen then you are halfway there. You will still need to figure out the username and password so you can access the router’s management interface. Now you feel like the hacker, right?
If you never changed the username and password they should be set to the manufacturer’s default values which should be in the quick start guide. Some manufacturers also put this information on a sticker that is placed somewhere on the router itself (usually on the bottom or back).
Many manufacturers use the same default username and password for all devices, which is a huge security risk that I’ll talk about later. As a result, you may be able to find the default username and password by doing a quick Google search for your make and model router.
If the default username and password do not work, or if you forgot what you set them to, you will have to do a factory reset. Be careful here though! Doing a factory reset will destroy any settings that you may have made and may prevent you from connecting to your Wi-Fi network or the internet. Check out my thoughts and guidance on factory resets later in this guide before going down this path.
Lastly, if you use an app or if you created an account online to manage your router, you may need to find and complete the password reset procedure if you’ve lost your password.
The programs that tell your router how to operate come in one big package, called “firmware”. It’s important to make sure that you have the latest firmware installed on your router. In addition to new features, firmware updates often contain numerous bug fixes and security patches. If you are running an older version of firmware, your router may be susceptible to security issues that have been patched by the manufacturer.
Most relatively new routers have an easy way of checking for new firmware updates and automatically applying them if available. Automatic update features like this are usually found in the Maintenance or Administration section of the router’s management interface.
If your router does not have an automatic update feature you should be able to download the latest firmware from the manufacturer’s website and update it manually through the management interface, from your computer.
If you are using a Wi-Fi router provided by your Internet Service Provider (ISP), you may not need to worry about firmware updates. Your ISP is likely doing them for you automatically! This is one of the benefits of paying your ISP to manage your Wi-Fi router - they handle the upgrades and ensure that you are always running the latest firmware.
If you’d rather purchase your own router, just remember that the responsibility of managing and maintaining the router falls on your shoulders! Get into the habit of logging in and checking for firmware updates on a regular basis. It’s good practice and easy to do. Once per month should be enough. If you notice that your router has not had any firmware updates in over a year, consider upgrading to a new router.
One of the most important things you can do to secure your home network is to disable a feature often referred to as remote administration or remote management. This feature, if available, is often located in the Maintenance or Administration section of the router’s management interface.
In a nutshell, this feature allows you to manage your router remotely from outside your local network. Think logging in to your home router’s management interface while enjoying a Latte at Starbucks.
While this may be extremely convenient in some situations, it is also extremely dangerous. If enabled, anyone that discovers your router’s remote management interface may be able to log in and modify your router’s configuration and/or compromise the security of your home network and the devices on your network.
Remote administration has very little real benefit for most people, so it is best avoided. Fortunately, most router manufacturers disable this feature by default; regardless, I recommend making sure that this feature, if present, is always disabled.
Along with disabling remote administration, changing the default username and/or password on your router is absolutely essential to ensuring that your home network is as secure as it can be.
Historically many Wi-Fi router manufacturers used the same default username and/or password for all routers or devices within a specific product line. Common username/password combinations are admin/admin, admin/password, or just admin with no password.
As you can imagine, this makes it very easy for almost anyone to log in and manage your router! Enabling remote administration with an easily guessed default username and password is a recipe for disaster, and basically guarantees that your router and your home network will be compromised at some point.
Recently router manufacturers and service providers have started to use default passwords that are unique to every router. In addition, some also require that you change the default password when you first log in. This is a huge step in the right direction.
My advice here is simple. Know your router’s username and password and make sure they are not set to trivial default values. If your router only allows you to change the default password, make sure it is long and strong. And don’t forget it, you’ll need it!
Now that you can log in to your router using a strong password, the first things to look at are your Wi-Fi settings. Remember that your Wi-Fi network can be seen by your neighbors and anyone else in close proximity to your router, which is why it is so important to make sure that your Wi-Fi is properly secured.
Most Wi-Fi settings are found in a section titled Wireless (or similar) in the router’s management interface. You may find a large list of different Wi-Fi security options to choose from, including: no security (i.e., open to anyone), WEP, WPA (sometimes referred to as WPA1), WPA2, and in the near future WPA3. There may be variations of each as well depending on how the manufacturer designed things.
All Wi-Fi networks that you have enabled should be using some type of security, the stronger the better. You should never run unsecured Wi-Fi networks or Wi-Fi networks with any form of WEP or WPA security. WEP and WPA are very weak (and old!) and can be easily cracked using free tools available online.
Currently the strongest and most widely supported wireless security protocol is WPA2, which comes in two flavors: WPA2-Personal and WPA2-Enterprise. WPA2-Personal is what I recommend using in most homes. WPA2-Enterprise is for corporate environments that have additional infrastructure and user management requirements.
When configuring WPA2-Personal be sure to select WPA2-Personal only and not a mixed mode that supports both WPA + WPA2. Set long and strong passwords for your Wi-Fi networks, and use different passwords for different networks. For example, if you have a separate guest network, make sure to use a different password than your primary Wi-Fi network.
While WPA2-Personal has been the standard for many years, it is not invincible and has been updated by WPA3. WPA3 is not yet widely supported in routers or on client devices like phones, printers, and PCs, which is why I currently recommend WPA2. However, as soon as WPA3 becomes more prevalent, I recommend switching to WPA3-Personal exclusively or a mixed mode that supports both WPA2+WPA3-Personal.
Your Wi-Fi router may have multiple radios (typically one 2.4 GHz and one 5 GHz radio). Both radios can be configured independently, so be sure to check the Wi-Fi security settings for all radios.
As always, longer and stronger passwords are much harder to crack. For Wi-Fi networks I often use a sentence that I can remember and that is easy to type with a few special characters mixed in. For example a password like “The c@t and d0g are so pleased” should be long and strong enough in most cases. Don’t use this password! Come up with your own and be creative or have some fun with it!
In addition to using WPA2-Personal or WPA3-Personal as your wireless security protocol, it’s also important to use the correct type of encryption. Encryption is what protects your data, so it is always best to use the strongest encryption method possible.
For WPA2-Personal there are two types of encryption available: AES (sometimes labeled AES-CCMP) and TKIP. AES should be used exclusively. TKIP is an older encryption method that is insecure and should be avoided whenever possible. Note that WPA3-Personal has dropped support for TKIP entirely for these reasons. Also be sure not to use a mixed mode that supports both AES and TKIP.
Note that some router manufacturers combine both the wireless security type and encryption algorithm into a single configuration option while others separate them into two different options. If a single option is provided, be sure to select WPA2-Personal with AES.
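The Wi-Fi rules above (no open, WEP or WPA networks, no mixed WPA+WPA2 mode, AES only, every radio checked, a different password per network) can be written down as a small check. This is an added example, not part of the original guide; the inventory layout, network names and passwords are constructed for illustration and are not a format any router exports.

```python
# Added example: the Wi-Fi rules from this guide as checks over an inventory
# you copy by hand from the router's Wireless page. Keys, names and passwords
# below are constructed for illustration; they are not a router export format.
WEAK_SECURITY = {"open", "wep", "wpa"}
OK_SECURITY = {"wpa2-personal", "wpa3-personal", "wpa2+wpa3-personal"}

SAMPLE = [  # constructed: one entry per network per radio
    {"ssid": "home", "radio": "2.4GHz", "security": "WPA+WPA2-Personal",
     "ciphers": ["AES", "TKIP"], "password": "constructed passphrase one"},
    {"ssid": "home", "radio": "5GHz", "security": "WPA2-Personal",
     "ciphers": ["AES"], "password": "constructed passphrase one"},
    {"ssid": "guest", "radio": "2.4GHz", "security": "WPA2-Personal",
     "ciphers": ["AES"], "password": "constructed passphrase one"},
    {"ssid": "iot", "radio": "2.4GHz", "security": "WEP",
     "ciphers": [], "password": "constructed passphrase two"},
]


def audit_wifi(networks):
    """Return a sorted list of (ssid, radio, finding), one per broken rule."""
    findings = []
    first_user = {}  # password -> first SSID seen using it
    for net in networks:
        ssid, radio = net["ssid"], net["radio"]
        security = net["security"].lower()
        ciphers = {c.lower() for c in net.get("ciphers", [])}

        if security in WEAK_SECURITY:
            findings.append((ssid, radio, f"insecure mode: {security}"))
        elif security == "wpa+wpa2-personal":
            findings.append((ssid, radio, "mixed WPA+WPA2 mode; select WPA2 only"))
        elif security not in OK_SECURITY:
            findings.append((ssid, radio, f"unrecognized mode: {security}"))

        # TKIP alone or next to AES: both break the "AES only" rule.
        if "tkip" in ciphers:
            findings.append((ssid, radio, "TKIP enabled; use AES only"))

        # The same SSID on two radios may share a password; two SSIDs may not.
        password = net.get("password")
        if password and first_user.setdefault(password, ssid) != ssid:
            findings.append(
                (ssid, radio, f"password shared with '{first_user[password]}'"))
    return sorted(findings)
```

On the constructed inventory, the 5 GHz radio passes while the 2.4 GHz radio of the same network does not, which is why each radio needs to be checked separately.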
UPnP is a feature that allows devices on your LAN to automatically open holes in the router’s firewall. It has historically been used by gaming consoles or PCs to support multi-player games.
UPnP is an easy target and the source of many router vulnerabilities. It should be disabled unless it is absolutely required. UPnP may be enabled by default, so it is best to verify how your router is currently configured and disable it if needed.
Isolate IoT or other untrusted devices
This is a slightly more advanced topic. Most people have a single Wi-Fi network in their house which is simple, easy to manage, and sufficient.
However, if you have lots of IoT (Internet of Things) devices like sensors, cameras, light bulbs, smart coffee pots, etc. connected to your Wi-Fi network, you may want to isolate them from your PCs, phone, etc. The reason for doing this is that many IoT devices connect to cloud services for management and have a poor track record when it comes to security and support.
In my mind I think of IoT devices as “untrusted”, whereas my PCs, tablets, and phones are “trusted”. You may want to lump the devices that your friends, family, and guests bring over and want to connect to your Wi-Fi network in the same untrusted category.
Creating separate and isolated Wi-Fi networks for trusted and untrusted devices (and perhaps even guests) ensures that if any untrusted device is compromised it will not impact or compromise your trusted devices.
Most modern routers support multiple Wi-Fi networks which makes it easy to create separate Wi-Fi networks for untrusted, trusted, and guest devices. Be sure to use a unique password (long and strong!) for each Wi-Fi network.
Get into the habit of logging in and looking at the activity logs and device lists provided by your router.
While some of the information here may not make sense, you should be able to figure out if there is any suspicious activity or if there are devices you do not know connecting to your network. The more familiar you are with your network the easier it will be to spot weird things.
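One way to review a device list is to compare it against a written inventory of what you own. This is an added example, not part of the original guide; the MAC addresses, host names and comma-separated layout are constructed, since every router presents its device list differently.

```python
# Added example: compares a device list copied from the router against the
# devices you know you own. All MAC addresses, names and the comma-separated
# layout are constructed; real routers present this list in their own formats.
import re

KNOWN = {  # constructed inventory: MAC address -> what the device is
    "3c:22:fb:10:20:30": "work laptop",
    "a4:83:e7:0a:0b:0c": "living-room TV",
}

ROUTER_LIST = """\
3C-22-FB-10-20-30,192.168.1.10,laptop
a4:83:e7:0a:0b:0c,192.168.1.11,tv
DA:A1:19:00:11:22,192.168.1.12,phone
00:1a:2b:3c:4d:5e,192.168.1.13,
"""


def normalize_mac(text):
    """Lower-case, colon-separated form so 3C-22-.. and 3c:22:.. compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_randomized(mac):
    """Locally administered bit set, as in phones' private Wi-Fi addresses."""
    return bool(int(mac[:2], 16) & 0x02)


def unknown_devices(router_list, known):
    """Return [(mac, ip, hostname, note)] for devices not in the inventory."""
    known_macs = {normalize_mac(m) for m in known}
    unknown = []
    for line in router_list.splitlines():
        if not line.strip():
            continue
        raw_mac, ip, host = (field.strip() for field in line.split(","))
        mac = normalize_mac(raw_mac)
        if mac in known_macs:
            continue
        note = ("randomized address, may be a known phone" if is_randomized(mac)
                else "fixed address not in inventory")
        unknown.append((mac, ip, host or "(no name)", note))
    return unknown
```

A randomized address is not proof of an intruder: many phones present a private address per network, so check the phone's own Wi-Fi settings before treating it as unknown.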
If you suspect your router has been compromised or if you’ve forgotten the username or password, you will have to perform a factory reset to restore its default settings.
Factory resets are typically performed by inserting something really small, like a bent paperclip or thumbtack, into a small hole on the bottom or back of the router and holding it for 10 seconds or until the lights all blink. This is known as a hard reset. Some devices also offer a factory reset option within the management interface, which is known as a soft reset.
Factory reset procedures do vary so you should find the official procedure for your make and model from the manufacturer’s website or via Google search to make sure that you are doing it correctly. Also, and I can’t stress this enough, make sure that you know all of your router’s default settings before pushing any buttons!
A factory reset will change your Wi-Fi network and password, so before doing a factory reset you need to know what the default values are, how to manage your router, and what the default username and password are. You’ll need all of this information so that you can reconnect to the Wi-Fi network and log in and restore your old configuration or configure the router from scratch.
You should be able to find the default Wi-Fi network name and password on the manufacturer’s website, in the quick start guide, or via a Google search. Sometimes this information is printed on a sticker that is on the back or bottom of the router. Again, make sure you know this information before doing a factory reset!
If you do find yourself in a bind and unable to connect via Wi-Fi after a factory reset, you will have to connect to one of the router’s Ethernet ports. To do this you’ll need an Ethernet cable and a PC with an Ethernet port, which is more and more rare these days. Your PC should connect automatically over Ethernet without any additional configuration. From here you should be able to open the router’s management interface and log in.
Lastly, be sure to follow the guidance in this document to secure your router and Wi-Fi network if you perform a factory reset.
When you have your router perfectly configured you should save the configuration so that you can quickly and easily reload it in the future.
This will save you lots of time and frustration if you ever have to perform a factory reset. Get into the habit of saving your router’s configuration whenever you make changes. Most routers make it very easy to save or backup the configuration and reload it.
Often a password is your first and only line of defense.
My advice is to treat all passwords, regardless of what they are for, like you would the password for your online bank account. Keep your passwords safe and make sure they are always long and strong.
If you have a hard time remembering or generating good passwords, you may want to consider a service like 1Password, LastPass, or even iCloud Keychain which is built into most Apple products.
Finally, old and unsupported Wi-Fi routers are an easy target. If you have an older Wi-Fi router that is no longer supported by the manufacturer or that hasn’t had firmware updates in a number of years, you may want to consider upgrading to something newer.
A new and fully supported Wi-Fi router will likely have many new features, increased performance, and better Wi-Fi coverage than your old model. I personally feel that the added security of using a modern and well supported Wi-Fi router is worth the cost associated with an upgrade every three to five years.
Buying from and supporting manufacturers with a track record of long term support and security updates is recommended. A good Wi-Fi router does not need to be expensive!