Router security problems - where should we start?!
The fact that in 2008 98% of network passwords of the largest UK supplier of
broadband services could be hacked within 3-10 minutes coupled with the
fact that most routers ship with well-known default login passwords means
that criminals may soon 'own you' - your router, PC and web interactions!
Most routers manufactured in the past 5 years (since 2005) provide a
significantly higher level of security (WPA, not WEP) but:
- In 2008, almost all broadband suppliers still shipped their wireless hardware
with the old security software in use; as a result,
only 60% of home wireless networks are high (WPA) security in 2010.
From my own crude observations - more than 20% of wireless networks
within range of the Stockport to Hale railway line had no security at all!
in 2008 whereas that is now less than 10%.
- Anyone who buys a router independently of their broadband provider is left on
their own to tackle a relatively complex task - and to get it right!
- Many don't bother because "it worked" so fear changing any setting.
- The use of default login passwords means that
criminals can change the router software to make your
nightmares come true - e.g. substituting their own web
sites for the ones that you think are secure!
This can be done without cracking the network password (see below) but is
an absolute certainty as soon as your network password gets compromised.
If you have a wireless router and any combination of the following
apply to you then your PCs and network are an open door to criminals:
- If it doesn't say (WPA) after the
security description in 'View All (Wireless) Networks'
- If you have not changed the login password of your router from the default
to something 'substantial', see below
- If your network password is any one of: the login password, blank or the
factory default (latter two are a disaster!) or if it is simple, short or only
contains lowercase letters and numbers - see How to manage passwords for guidance.
from the BBC if you want 'confirmation'.
Conclusion and recommendation
Use WPA and set different passwords for both the router and the
network that are 2 or 3 UNRELATED and unknown (to others) WORDS,
ACRONYMS, CODES or NUMBERS giving a length of at least 10 mixed characters
(see How to manage passwords for more rigorous suggestions) with at least one
of each: punctuation, numeric, upper case character as well as lower case.
This should give you adequate security for home use over the next 2-3 years
but as with all web-related matters - watch this space!
N.B. If you cannot login to your router with the default password
(see below) but you are sure that YOU haven't changed your login
password then you have almost certainly already been attacked!
Whether or not you use the wireless capability of your router - if it has one
then you had better make sure that it and the router are secure - or else!
There are TWO passwords that you need to worry about:
- The Network password scrambles all of the wireless communication
between the router and your PC(s). If this can be guessed or otherwise
obtained then you have a security breach that is only likely to get worse.
Immediately after gaining access a hacker would try to login to the router
with the default Login password (see below) which is unchanged by
50% of router owners because they don't know it is necessary.
- The Login password protects the router from anyone making changes
to the way in which you are routed through the Internet.
It also has access to all of the network traffic flowing from your PC(s)
to the Web and between PCs if you have them sharing resources.
The issue is that suppliers want to boast how easy and quick it is to
set-up their equipment and hence they provide default passwords, see:
Router password - defaults
ZDNet article - router hijacking using simple web pages
The latter does not depend upon getting the Network password
and is an attack that can be launched from anywhere in the world as it only
needs you to access a single web page if you have left your router without
a changed Login password - hence BOTH passwords are critical.
The basic problem with wireless networks is that criminals don't
need to actually break into your house to steal your assets - they can
therefore spend the time to not just cover their tracks but to introduce
covert monitoring of your PC and all of your web interactions.
Bear in mind that once they have 'broken in' then they can then run your
router by remote control from anywhere in the world so they only need to
make a brief visit to your neighbourhood to get all they need!
Over time, password(s) will then be stolen that allow them to install
programs onto your PC! because that gives them much more control and
capability to wreak havoc.
If you make financial transactions online then that is an obvious line of
attack but often they simply use your PC for fraud, spam and blackmail instead.
Is the threat realistic and could it happen to me?
The software to make these attacks very simple is already available
for free download. The slight breathing space was that the early versions
really need a laptop that can run Linux rather than Windows - that's
easy with dual boot but not something that a 'typical' amateur would have.
HOWEVER, NOW you can simply download what is referred to as a Live-CD
which can be booted on ANY LAPTOP to wreak havoc in neighbourhoods.
After the obvious prime targets are simply located by a slow tour of the
richest suburbs the hackers will be looking for the next tier of
households which don't have professional advice and support for their
PCs and networks despite their reliance upon their security.
Just like 'bagging' game, the criminals will want to claim territory and
'heads'. This may sound difficult but all they need to do is
simply: (1) set an ultra-secure login password at the router - no one who
uses the network will notice any change (2) enable remote management so they
don't have to bother leaving their home to manipulate your router!!!
Bear in mind that at this stage they MAY decide to sell your router etc. at an
Internet auction (criminal equivalent to eBay!) so that the really 'dirty work'
can be done in Russia, China etc. where the chances of extradition are very low.
What you can do and at what cost
If your router is less than 3 years old then you can probably switch from
low (or zero?!) security to a better one (WPA).
Even if you can't then the most basic protection is to change the password
on the router to something complex.
Backing up your configuration to a file on your PC prior to making such a
change is recommended as you can then restore all of the settings en-masse
after using the 'factory reset' button hidden at the back of the router.
Background and further reading
The link below is deeply technical at times but demonstrates the rigour
that has been applied to the thinking.
The references to the software downloads and the 'DIY videos' of people
using the software to hack into networks have been circulating the web
for a few months and it will only get easier and quicker.
A good read for anyone who understands the terminology and at least the
basics of the technology is
. It is rigorous and highlights that Bluetooth is even weaker than
WEP but the typical consequences are much lower risk value.
The security article is from a well known speaker (Steve Gibson - famous for
the tool to remotely check your basic level of web security -
http://www.grc.com/default.htm - Shields Up - halfway down the page).
The link to the article is:
, just over half way down you will find a long opening paragraph:
Steve: Well, we haven't talked about WEP for a long time.
Back on Episode 11, which was, what, 78 episodes ago, back in October of '05
was our coverage, the actual title was Bad WiFi Security.
And that was really the last time, although we've mentioned it in passing
many times since, but it was the last time we really gave strong coverage
to the problems with the original encryption for WiFi, which was called WEP,
which is an acronym, WEP, which stands for Wired Equivalent Privacy.
And the goal of WEP was, and the reason they named it Wired Equivalent Privacy,
was they wanted to create a level of privacy for radio WiFi that they felt was
as strong as if the communication was wired, as if it was wired equivalent.
Well, they really fell far short of that. And a couple weeks ago a new group, three German guys at a technical university in Germany, published a paper where they demonstrated how they had figured out that they could crack WEP, that is to say, determine the encryption key being used in under a minute.
Leo: Whoa, that’s not good. How long did it take before?
Steve: Well, it took much longer. In fact, it took on the order of five million packets captured...
Leo: That was the key, you had to have a certain amount of data before you could crack it.
Steve: Exactly. These guys have brought that down to about 40,000 packets from five million.
There is lots more at the link preceding this clip...
What can I do to make my Wireless network safer even if that won't stop anyone who WANTS to break in
To ensure that new and inexperienced customers have a good experience when
buying a Wireless router the makers ship them with less than zero security
in that their passwords are in the public domain or non-existent and the
network will be accessible to any PC within range as soon as you turn it on.
Here are some things you can do to protect your network, only numbered for
reference if you want to discuss them:
- Using the administration dialogue of your router in your browser -
see which one of these links works in your browser:
and less likely are:
- Change the login password of your router - sometimes referred to
as administrator or root.
Don't use the same password as any other site or PC and make it very, very
long and write it down in two places that visitors are unlikely to see.
If you can't even log into your router using the password provided
by the router provider (e.g. password, admin, blank etc.) then you MAY
have the problem that someone outside of your household has already done so!
To remedy this you need to reset the router (tiny hole at the back usually)
and you will most likely need to set-up your link to the Internet from your
router after such a reset.
- Use WPA encryption instead of WEP. WEP (Wired Equivalent Privacy)
encryption has well-known weaknesses that make it easy for a
determined user with a Laptop and a downloadable CD to crack the encryption
and access YOUR wireless network.
WPA (Wi-Fi Protected Access) provides much better protection
and is supported by Windows XP with SP2.
- If your router or PC WiFi devices are very old you may not have the WPA
option but at least use WEP as it is better than nothing.
With WEP you should not just choose long pass phrases but also change them
regularly - writing them down at least confines the risk to people INSIDE
- If your router has the 'Remote Administration' feature and you have a PC
which can be connected by wire (Ethernet / RJ45) when it is needed then you
can turn off Remote Administration completely - that SHOULD be the default
but you should check it just in case someone has already hacked your router.
Turning on the feature for devices which are attached by Wireless is an option
on SOME routers but again you really must use long passphrases and the network
password should be different from the Wireless password.
Allowing Internet users! to remotely manage your router is a really
bad idea unless you use an extremely good passphrase and the router login
uses a secure browser session.
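The checklist above and the password rule under 'Conclusion and recommendation' can be expressed as a small audit, shown here as an added example that is not part of the original page. The settings dictionary and its field names are hypothetical, the sample values are constructed, and the default-password list holds only the defaults named on this page.

```python
import string

# Factory defaults named on this page ("password, admin, blank etc.").
DEFAULT_LOGINS = {"password", "admin", ""}

def password_problems(pw):
    """Check a password against the page's rule: at least 10 characters with
    punctuation, a digit, an upper case and a lower case character."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    classes = {
        "punctuation": string.punctuation,
        "digit": string.digits,
        "upper case": string.ascii_uppercase,
        "lower case": string.ascii_lowercase,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in pw):
            problems.append("no " + name)
    return problems

def audit_router(cfg):
    """Return findings for a settings dict (hypothetical field names)."""
    findings = []
    enc = cfg["encryption"].upper()
    if enc == "NONE":
        findings.append("wireless: no encryption")
    elif enc == "WEP":
        findings.append("wireless: WEP in use, switch to WPA if the hardware allows")
    if cfg["login_password"].lower() in DEFAULT_LOGINS:
        findings.append("login password: factory default or blank")
    if cfg["login_password"] == cfg["network_password"]:
        findings.append("network password is the same as the login password")
    for label in ("login_password", "network_password"):
        for p in password_problems(cfg[label]):
            findings.append(label + ": " + p)
    if cfg["remote_admin"]:
        findings.append("remote administration is enabled")
    return findings

# Constructed sample settings, not taken from any real router.
AS_SHIPPED = {"encryption": "WEP", "login_password": "admin",
              "network_password": "admin", "remote_admin": True}
HARDENED = {"encryption": "WPA", "login_password": "Kettle!47Orchid",
            "network_password": "river9?Pylon-Moth", "remote_admin": False}

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(name, audit_router(cfg) or "no findings")
```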
Things that don't help a lot as long as you have done the above are:
- Using MAC filtering for access control as addresses can be "spoofed"
(imitated) by a knowledgeable person and if they have the technology to crack
your password then spoofing a MAC address isn't a problem to them.
- Not transmitting the name of your network (ESSID) - again - if you have at
least got WEP enabled with a good password then any intruder that can get past
that would have no problem whatsoever 'sniffing' your ESSID.
Even more reading if you feel the need or just for confirmation of the above:
What follows is an example of POOR ADVICE just so you can see what WAS said
This page © Business before Technology 2006 - see the respective sites of the owners for their copyright as well as terms and conditions
Links and other information last validated on 7th August 2007.