You probably don’t spend much time thinking
about your wireless router—until it stops working, that is. Our
inattention to routers has been a security problem for years,
most recently last week when
Brian Krebs reported that researchers at the
Fujitsu Security Operations Center had discovered hundreds of
routers were being used to spread a
financial fraud malware called Dyre.
The researchers speculated that the vulnerabilities were likely
due to users not changing the default credentials for their
routers, making them easily accessible to criminals. To be
clear, your wireless router password is different from your
wireless network password—the former protects administrative
access to the router, which allows you to configure its
settings, and the latter protects access to the wireless network
itself. But someone who has administrative access to your router
can completely compromise the machine—and not just any machine,
one that your devices most likely accept packets through every
day. That may mean transmitting malware, like Dyre, but
compromised routers can also affect pretty much every element of
your online experience—for instance, an attacker might
compromise your router in order to change your network’s domain
name system settings, so that you are misdirected to fraudulent
or malicious websites when you type in familiar URLs.
So it’s important to take your router password as seriously as
you would take your laptop or email credentials—not least
because some routers allow remote administration access by
default. That means even people who are not logged on to your
home network may be able to manage the router so long as they
can guess the password. Still, router security isn’t entirely
about passwords—it encompasses all the same concerns we worry
about with our personal computers, including weak credentials,
software vulnerabilities, and slow patching mechanisms. Despite
the near ubiquity of wireless routers, however, we very rarely
discuss, let alone understand, how to keep them secure.
Part of what makes router security hard—and important—is that
we’re constantly interacting with other people’s routers. You
may practice good security with your personal devices, but odds
are that at some point you’ll want to join a wireless network at
a coffee shop or airport or hotel, at which point you’ll be
dependent on how well they protect their networks. Hotels, in
particular, are notorious for having poor network security, and
in March, there were
reports of vulnerable wireless routers at hundreds of hotels
worldwide.
We don’t always have a lot of control over the security of the
networks we’re using. But even those routers that we do
control—the ones that sit in our living rooms, flashing little
green lights—aren’t a major focus for most people. When was the
last time you updated your router’s firmware? Have you ever
updated your router’s firmware?
Hacked home routers can be used to do more than just spread
malware. In January,
Krebs reported that insecure home routers were used
to launch a series of denial-of-service attacks—including
attacks on Sony’s and Microsoft’s gaming networks—perpetrated by
the Lizard Squad. Routers, after all, are just
computers—computers we tend to ignore, despite the fact that
we’re often relying on them to guide and direct our interactions
with the outside Internet.
In recent years, many computer security efforts have been
focused on trying to protect our endpoint devices—the laptops
and smartphones and tablets that we use on a daily basis and the
applications that run on them. You might not do everything
you’re supposed to do when it comes to securing your devices and
the applications that run on them, of course. But at least you
know that these tools and programs contain sensitive information
you’d be sorry to lose and that they serve important
functions you wouldn’t want interrupted.
There are
several straightforward measures you can take to
help secure your home router beyond changing the default
administrator credentials and using WPA encryption for your
Wi-Fi network. These include using an
OpenDNS server,
rather than the one maintained by your Internet service
provider; disabling remote administrative access (if it’s
allowed by default); making sure your network name, or SSID,
doesn’t include any clues about your router model or
manufacturer; and updating the manufacturer’s firmware. You can
even replace the firmware with a more secure
open-source option.
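
The measures above can be checked mechanically once a router's settings are written down. The following is an added example, not part of the original article: the settings schema, the default-credential list, and the vendor hints are constructed for illustration, and the two DNS addresses are OpenDNS's published public resolvers.

```python
import ipaddress

# OpenDNS public resolvers; any other configured resolver is flagged for review.
OPENDNS = {"208.67.222.222", "208.67.220.220"}
# Constructed, illustrative lists; extend them for your own equipment.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}
VENDOR_HINTS = ("linksys", "netgear", "d-link", "dlink", "tp-link", "asus", "belkin")


def version_tuple(version):
    # Compare firmware versions numerically so "1.0.10" sorts after "1.0.2".
    return tuple(int(part) for part in version.split("."))


def audit_router(cfg, latest_firmware):
    """Return findings for a router settings dict (hypothetical schema)."""
    findings = []
    if (cfg["admin_user"].lower(), cfg["admin_password"].lower()) in DEFAULT_CREDS:
        findings.append("default-admin-credentials")
    if cfg.get("remote_admin", False):
        findings.append("remote-admin-enabled")
    if not cfg.get("wifi_security", "").upper().startswith("WPA"):
        findings.append("wifi-not-wpa")
    ssid = cfg.get("ssid", "").lower()
    if any(hint in ssid for hint in VENDOR_HINTS):
        findings.append("ssid-reveals-vendor")
    # A resolver you did not choose is the symptom of the DNS-setting
    # tampering described earlier in the article.
    for server in cfg.get("dns_servers", []):
        if str(ipaddress.ip_address(server)) not in OPENDNS:
            findings.append(f"unexpected-dns:{server}")
    if version_tuple(cfg["firmware"]) < version_tuple(latest_firmware):
        findings.append("firmware-outdated")
    return findings


# Constructed sample settings: an out-of-the-box router and a hardened one.
WEAK = {"admin_user": "admin", "admin_password": "admin", "remote_admin": True,
        "wifi_security": "WEP", "ssid": "NETGEAR-5G",
        "dns_servers": ["203.0.113.53"], "firmware": "1.0.2"}
HARDENED = {"admin_user": "admin", "admin_password": "long-unique-passphrase-here",
            "remote_admin": False, "wifi_security": "WPA2", "ssid": "bluebird",
            "dns_servers": ["208.67.222.222", "208.67.220.220"], "firmware": "1.0.10"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_router(cfg, latest_firmware="1.0.10"))
```
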
We focus on securing endpoints and applications in part because
it’s easier to shield them from an insecure Internet than it is
to try to secure the Internet, or even to imagine what a secure
Internet would mean. That doesn’t mean we’ve ceded the fight for
network security, just that it’s a more complicated and
challenging set of issues to take on—a set of issues that an
individual vendor or application developer cannot easily address
on their own.
Routers exist in an interesting in-between space as the
gatekeepers that connect us to outside machines and networks.
Much of our online activity is mediated through routers, yet,
unlike our other devices, most of us hope to interact with or
think about our home routers as little as possible. That’s
understandable—but unfortunate.