Home Wi-Fi Routers Lack Basic Security

Is your home Wi-Fi router a gateway to invasion by cyber-criminals?  According to recent findings by Consumer Reports, it very well could be.  They tested 29 popular home routers, and were only able to recommend 6 basic Wi-Fi routers, and 3 more expensive Wi-Fi mesh routers.  Mesh routers allow you to install several Wi-Fi access points that communicate with each other, allowing improved coverage for large interior or exterior spaces, or where there are structural or electromagnetic interference.

Some of the shortcomings are perennial problems, that are significant enough to have landed the manufacturers Asus and D-Link in trouble with the FTC.  Consumer Reports found:

  • 20 routers do not let you change the default administrative user name from “admin.”  The provides an attacker with half of the credential pair – user name and password.
  • 20 routers do not block multiple failed login attempts, which means an attacker can keep hammering away with automated password tools.
  • 11 routers let you set weak passwords of fewer than 8 characters, without complexity requirements.  With some routers, use of special characters is not supported.
  • 1 router did not require the user to change the default password of “password.”
  • 20 of the routers had UPnP or Universal Plug and Play turned on by default.  UPnP allows devices to connect easily to the wireless network automatically, and as such is a serious security risk.
  • 11 routers do not provide automatic software and firmware updates, which leaves the task to the owner.  In my experience, nobody updates these instruction sets, which leaves the routers vulnerable to new threats.

You can find the results at the Consumer Reports website, but you do need to be a paid member to see all the results.  CR did recommend the Synology RT2600ac and Netgear Nighthawk X10 AD7200 among traditional routers, and  the Netgear Orbi and Eero mesh routers.

No matter what wireless router you use, there are setting changes you can make to secure your wireless network.

  • Change the default user name (if possible) and password.  This allows you or anoyone else access to the router web application for configuration purposes and is different from the network passphrase used to log on to the network.
  • Use a strong password of at least 10 – 12 characters or more.
  • Disable remote management options, or if necessary, secure remote management with a strong password.
  • Disable Universal Plug and Play.
  • Enable the firewall, if your router has one.  Most do.
  • Enable automatic updates if you can
  • Manually update the software and firmware periodically if you can’t use automatic updates.  If you don’t feel qualified, hire a tech to do it for you.
  • Use WPA2 encryption.  This feature is enabled when you create a passphrase for your wireless network.  The Service Set Identifier (SSID or network name) and the passphrase combine to ensure that your radio communications between the Wi-Fi router and your laptop or other device is encrypted, and cannot be read if intercepted.
  • If your older router only supports WEP or WPA encryption, but not WPA2, it is time to buy a new router.
  • If this gear is owned and managed by your ISP, find out how to access the settings menu, or call their support line for help making the necessary configuration changes.

Wireless networks have become the go-to networking solution in a lot of places, replacing the somewhat more secure wired Ethernet networks.  It is important to make sure your router settings are protecting you and your information from bad actors and cyber-attackers.

More information:

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.