ISE (Independent Security Evaluators) released a report recently about the security of SOHO (small office-home office) routers. They examined popular routers that ISPs supply their customers and that small offices and individuals often purchase. They found multiple vulnerabilities in these routers including some that could be compromised from the outside. Is your router on the list? The report lists some by name and omits a few names – presumably because they haven’t been patched yet.
In the report they list multiple suggestions for device administrators (that’s you if it’s at your house!). The overwhelming majority of these are not router-specific and are good security practice in general. In fact they’re covered – some in significant detail – in Learning Tree Course 468, System and Network Security. Because it’s an introductory course we focus on techniques that can be used not only by security professionals, but by even home network administrators to help secure their systems and networks.
While I urge you to read the report to get the whole benefit of their research, three of the mitigation steps they mention are covered in our class but deserve emphasis here due to the situation: first, keep your firmware updated. I know it’s easy to install a router and forget it. Isn’t that what “plug and play” is supposed to be all about? Well, some ongoing diligence is needed. You change the tires on your car, right? You change the filters in your air conditioner or furnace (or someone does it for you), and you install updates on your operating system, don’t you? Routers and other devices need updating, too, sometimes. The problem with routers is that they may need updating only once every few years so it is easy to forget. Be sure to check. Most routers (OK, all the ones I’ve seen in a long time) have some kind of button on the configuration screen to “update firmware” or something similar. Do it.
Disable services you don’t need. This is as important on a home router as on a corporate server. If you aren’t using a feature, turn it off. There is a possibility – no matter how slim – that there may be a security vulnerability in one of those unused services. Why take the chance?
Finally, pick a good password. I’ve written about this before, of course, but this is very important. At the very least change it to something other than the default. We discuss this in Course 468, of course, but you need to do this now, even if you haven’t taken the course. As an exercise, see how easily you can find the default password for your router using your favorite search engine.
When you comment below don’t tell us your new password, but do let us know whether you implemented the other changes suggested by the study.
To a safer Internet,