Recently a security researcher discovered a backdoor in many D-Link routers, that lets anyone access the router without ever needing to know the username or password. This is not the first router security issue to arise and certainly won’t be the last.
To protect yourself, you need to make sure that your router is securely configured. This is more than simply enabling Wi-Fi encryption and/or not hosting a Wi Fi network that’s open. Here are 7 things you can do right now to secure your wireless router.
#1 Disable remote access
Routers provide a web interface that allows you to configure them via your browser. The router runs a web server and this web page is made available when you are on the local network of the router. But, most routers have remote access that lets you access the web interface from anywhere. Even when you create a username and password, if you have one of the D-Link routers that the vulnerability affects, it means that anyone can log in without having any credentials. However, if you have the remote access disabled, you would be safe from anyone being able to remotely access and tamper with your router.
To do this, you need to open the web interface for your router and find the Remote Management, Remote Access, or Remote Administration feature. Make sure that it is disabled. On most routers it is disabled by default but it still pays to check.
#2 Update the firmware
Just as our operating systems and every other piece of software isn’t perfect, router software also isn’t perfect. The router’s firmware, which is the software that runs on the router, could have security flaws. Router manufacturers sometimes release firmware updates designed to fix the security holes, although the support for most routers is quickly discontinued as they move on to the next model.
It is unfortunate that the majority of routers do not offer any auto-update features in the same way that web browsers or Windows do. This means you have to check the website of your router manufacturer for firmware updates and then manually install it using the router’s web interface. You should regularly check to be sure your router is running the most up to date firmware and if not then install it.
#3 Change the default login credentials
Many routers come with default login credentials and these that are fairly obvious, such as the ‘admin’ being the default password. If someone gains access to your router’s web interface through some sort of vulnerability or by simply logging onto your Wi-Fi network, it makes it easy to tamper with your router’s settings.
In order to avoid this, you need to change the router’s password to a password that is non-default and something an attacker would not be able to guess easily. Some of the routers even permit you to change the username used to log into your router.
#4 Lock down your Wi-Fi access
If someone does gain access to your Wi-Fi network, they can endeavor to tamper with your router, or they might do other bad things such as snooping on your local file shares or using your connection to download content that’s copyrighted, which can get you into trouble. When you run an open Wi-Fi network it can be dangerous. So, to stop this, always ensure your router’s Wi-Fi is secured. This is fairly straightforward. Set it to WPA2 encryption and make sure that you choose a reasonably secure password. Make sure you are not using WEP encryption and a weak password.
#5 Disable UPnP
Consumer routers have been found to have a variety of UPnP flaws. Millions upon millions of consumer routers respond to UPnP requests from the Internet, which creates a situation where attackers on the Internet are able to remotely configure your router. Flash applets in your browser might use UPnP to open ports, which will make your computer vulnerable. There are a variety of reasons UPnP can be vulnerable.
To avoid problems that are UPnP-based, you should disable UPnP on your router through the web interface. If you are using software requiring the forwarding of ports, such as a communications program, BitTorrent client, or game server, you will have to forward the ports on your router without depending on UPnP.
#6 When you are done configuring the router’s web interface, log out
In some routers, there have been flaws in the dross site scripting (XSS). A router that has an XSS flaw has the potential to be controlled by a malicious web page, which can permit the web page to be able to configure settings while you are logged in. If your router is using its default username and password, it would be easy for the malicious web page to gain access.
Even if you change the password on your router, in theory it would still be possible for a site to use your logged-in session to gain access to your router and then modify your settings.
If you want to prevent this, all you have to do is log out of your router when you are finished configuring it, and if you aren’t able to do that, then you will want to make sure that you clear out all of the browser cookies. While there is no reason for you to be paranoid, but when you log out of your router when you are finished is a quick and easy to protect yourself.
#7 Change the local IP address of the router
If you are totally paranoid, you might even be able to change the local IP address of your router. For example, let’s say that the default address is 192.168.0.1; then you could change it to 192.168.0.130. If your router was vulnerable and some malicious script in your web browser tried to utilize a cross site scripting vulnerability, which accesses known-vulnerable routers at their local IP address and tampers with them, but you had changed your IP address, then the attack would fail.
This step is not totally necessary, particularly since it would not guard against local attackers. If someone were on your network or there was software running on your PC, they could find out your router’s IP address and then connect to it.