Home and small office routers are critical to the security of the small networks connected through broadband and yet until quite recently they were barely talked about as a possible security vulnerability. Beyond telling people to use Wi-Fi encryption they were ignored.

Turns out, there’s a lot more to it than that. Meanwhile, the number of attacks is growing. There’s now plenty of router security advice out there, not all of it easy to follow for the non-expert. We talked to Craig Young of Tripwire to try and disentangle not only the best advice but the thinking behind it. If it’s true you should turn off vulnerable services on your router to stop remote hacking are there any downsides in doing this?

Internet modem

All advice below is accessed through the management interface on any home router (usually by typing 192.168.1.0 in the web browser address bar) although the way individual settings are modified will vary by make and model. Tripwire's State of Security blog can be found here.

Techworld: So what is the core problem with home routers and their security?

Craig Young: SOHO router security is a problem of enormous proportions with the potential to wreak havoc on the Internet as we know it.  According to the US Census Bureau, in 2013 73.4 percent of households reported that they have a high-speed connection.  Our research has revealed that four out of five top-selling home routers are vulnerable to attack with nearly half of them being exploitable with publicly available reports.  My napkin math would indicate that 25-30 percent of US households use routers vulnerable to known/published exploits - far more households are using routers with easily discovered flaws.  The cumulative bandwidth of all these vulnerable devices could be harnessed to create a devastating DDoS attack against any target. Some threat actors such as Lizard Squad have already begun selling DDoS services using bandwidth from hijacked home routers.

Techworld: You recommend disabling remote management over the Internet. This used to be enabled by default on many home routers but more recent  routers reverse that setting – these days it has to be turned on rather than turned off.

Craig Young: Yes, in general remote management is not enabled by default on many current generation SOHO routers.  For as long as I have been working with router vendors and evangelising about router security, I have observed a common line of thinking that only someone on the local network can target HTTP based router vulnerabilities unless remote management has been enabled. This is a big misconception as cross-site attack vectors can be leveraged through phishing campaigns, malvertising, or other social engineering techniques.

Techworld: Do you think it’s worth turning off UPnP support too?

Craig Young: UPnP is one of the many features I would turn off.  Not only have popular UPnP libraries been shown to have numerous critical security failings, but also at its core Universal Plug and Play is a technology for gaining convenience at the expense of security.  Personally I think the idea of letting unauthenticated software or devices poke holes in the perimeter firewall is ludicrous.

Techworld: People are told not to use the default IP ranges such as 192.168.1.1. There’s a lot of confusion about private address ranges beyond this range. You recommend using 10.9.8.7 or suchlike to defend against Cross-Site Request Forgery (CSRF) attacks, but why is this so effective and are there any downsides for an SME or home user?

Craig Young: Private ranges are defined by the IETF in the 1996 publication of RFC1918.  This document specifies three Internet address ranges that will not be routed over the Internet so that they may be reserved for private IPv4 networks such as home LANs.  The biggest chunk of reserved addresses has the 10/8 prefix meaning that any of the more than 16 million addresses starting ’10.’ may be used for a private network.  All told there are nearly 18 million addresses available for private networks but only 4 or 5 tend to be used as default addresses for SOHO routers.

Cross-site request forgery (CSRF – ‘see-surf’) is an attack in which the victim’s web browser is abused to connect to services that are not exposed to the attacker either due to authentication or firewalling.  Traditionally CSRF is used to leverage the trust relationship between a web browser and a web application.  This generally means that the victim must be logged into the vulnerable application while accessing malicious content.  I have found however that several very popular routers contain authentication weakness issues making it possible to use CSRF to manipulate router settings or achieve code execution through simple web requests that can be sent from any system connected to the local network.  

In both cases attackers must know or correctly guess an address for the router.  With default router settings it is trivial for an attacking site to identify the router address.  This is because SOHO router vendors use only four or five of the nearly 18 million available private addresses.  Using one of these default addresses (e.g. 192.168.0.1, 192.168.1.1, 192.168.2.1, 10.0.0.1, etc.) drastically reduces the amount of guesswork needed for a CSRF attack to succeed. 

Unfortunately some router vendors go even further in facilitating CSRF by having a hardcoded DNS entry for all routers from that brand. (e.g. routerlogin.net, tplinklogin.net, dlinkrouter.local, etc).  Even with a non-standard IP address, these hostnames may still be useful for a CSRF attack.  It is possible however to avoid this hostname-based CSRF through configuration changes to devices on the network.  Basically the idea is to add a host record to any local computers so that they will never send a DNS request for the router’s hardcoded hostname (most operating systems have a ‘hosts’ file or something similar allowing hostname lookup to be performed locally rather than from DNS).

In my view, there is little downside for home users to change the IP scheme on their router.  The only concern would be if the device owner needs to access the router interface but cannot remember its new IP.  This is entirely avoided by writing down the router IP or resolved by viewing the network settings of any device on the network.

Next section: Encryption

Techworld: You also recommend turning on WPA Wi-Fi encryption and turning off WPS Wi-Fi setup used to connect new devices. Most people turn on WPA2 encryption for the Wi-Fi but ignore WPS feature whether they’ve used it or not. The attacker has to be nearby the router so why is it so risky?

Craig Young: These suggestions are aimed at preventing uninvited guests from accessing your private network or using your Internet connection for criminal activity.  This is particularly important in urban areas where many Wi-Fi networks are accessible from the privacy of one’s home.  While WPA2 with a strong passphrase is effective at keeping your neighbor off of your WLAN, WPS is designed to share the passphrase when a nearby device provides the correct 8 digit numeric pin. 

Due to design flaws in the protocol, an attacker doesn’t have to try all 100,000,000 combinations but rather at most 11,000 guesses.  To make matters worse, implementation specific flaws have been found on a variety of routers making it possible for an attacker to determine the WPS pin with just a single guess followed by calculations based on the received response.

Once an attacker is on your network, they may proceed to attack the router, local computers or other networked devices.  Another dreaded scenario of course is having law enforcement come break down your door because your home Internet connection was used to perpetrate a crime.  The bottom line is that there are instances where a nearby attacker may look to gain access to your network whether it is simply to get ‘free’ Internet or something more sinister, WPS is kind of like a calling card telling attackers ‘try me first’.

Techworld:  You recommend that people log out after con­figuring the router. Some routers don’t log out automatically but why does it matter so much?

Craig Young: This goes back to the problem of authenticated CSRF. After logging into any web site (including a router admin page), the browser must include authentication information on each request so the target server knows that it is an authenticated request.  Logging out of the system is intended to invalidate the authentication information and instruct the browser not to send it along with subsequent requests.  If this logout process does not happen (either automatically by the router or intentionally by the user) any web page can potentially issue requests to the router and have them processed as authenticated commands.  Authenticated CSRF is almost universal among SOHO routers and can commonly be used to perform actions like reconfiguring the router to perform domain name lookups from an attacker controlled DNS.

Next section: Passwords

Techworld: Passwords matter. But how strong should they be and would you recommend changing them regularly, along with the user name?

Craig Young: The top priority should be to change the password from the default.  When possible, changing the username as well can be helpful to thwart automated password attacks.  While I would definitely recommend that people change their password on some kind of regular basis, in most cases it should be sufficient to set a strong password once and leave it alone.  Changing passwords regularly does however become more important if remote management features are enabled.  First because remote management invites remote brute force password guessing and second because it is far more likely for a router password to be compromised when the router is being externally accessed.  Many devices do not use SSL and ones that do come with what’s known as a self-signed certificate.  This leaves the management connections exposed to passive sniffing as well as active man-in-the-middle attacks.

Techworld: It important to keep the router firmware up-to-date but that's easier said than done – many vendors never issue updates for their routers after the first year. Is this really a case of choosing a more expensive router brand or a high-end product designed for small business use?

Craig Young: It is unfortunate but true that vendors frequently leave end users out in the cold when it comes to firmware updates.  Many of the vendors in this space have a difficult time justifying additional engineering time to fix security flaws across existing product lines.  While this may be related to thin profit margins in some cases, our research did not reveal any strong correlation between the selling price of a router and its relative security.  Likewise in my experience paying more for a router does not mean the vendor will be any more responsive to vulnerability reports.  In fact while preparing for the DEF CON 22 SOHOpelessly Broken router hacking competition, I found that one of the less expensive routers received an update very promptly while the most expensive routers in the contest are still awaiting various fixes.

 If you want to pay for a more secure experience, ideally you want to skip the SOHO market entirely and jump right into enterprise gear.  Vendors selling real enterprise products generally have well resourced security teams to evaluate and respond to threats.  In the enterprise space there is far more concern placed on having a reputation for good security since the risks are typically much higher for business users.  Ironically with the increase of feature sets on home routers, the price difference between enterprise and SOHO is eroding.  Of course the problem with using enterprise IT equipment in the SOHO environment is that most SOHOs don’t have an enterprise IT team to configure and manage the network.

Techworld: What about alternative router firmware? If you’re running a home router do you think it is worth looking at something like DD-WRT or is that best left to techies? One of the best ways to avoid security flaws is to use software the attacker might not be as familiar with or that has more regular updates.

Craig Young: The use of alternative open firmware definitely can have its advantages for advanced users but it is not necessarily the case that it is any more secure or even more frequently updated than commercial router firmware.  Back in 2012 I submitted a report to DD-WRT while testing a D-Link device running DD-WRT v24-sp2.  The bug report is still open 2.5 years later.  The advantages for an advanced user include the ability to have enterprise style features on consumer hardware as well as to fix bugs for themselves, remove unwanted services, and truly lock down the router.  For the non-technical user however the benefits are far more limited and the difficulty to configure the system is far greater.

Techworld: Do you rate the fancy security features that are appearing on some expensive home routers? These often now include security features such as ‘router security assessments’, malicious site blocking and vulnerability protection. For example Asus has started using Trend Micro’s security inside its routers. Could the whole router misconfiguration issue be solved this way?

Craig Young: Web reputation engines can be powerful for detecting and thwarting Internet based attacks such as malvertising and exploit kits.  Technology like the Asus with embedded Trend Micro or the ITUS networks shield may even detect and block some attacks against the router or recognise insecure configurations.  I have yet to evaluate any SOHO products with these types of features, but I suspect that research will continue to demonstrate SOHO routers as a weak point in the security of the Internet.