Techworld: Passwords matter. But how strong should they be and would you recommend changing them regularly, along with the user name?
Craig Young: The top priority should be to change the password from the default. When possible, changing the username as well can be helpful to thwart automated password attacks. While I would definitely recommend that people change their password on some kind of regular basis, in most cases it should be sufficient to set a strong password once and leave it alone. Changing passwords regularly does, however, become more important if remote management features are enabled. First, because remote management invites remote brute-force password guessing, and second, because it is far more likely for a router password to be compromised when the router is being externally accessed. Many devices do not use SSL, and those that do come with what’s known as a self-signed certificate. This leaves the management connections exposed to passive sniffing as well as active man-in-the-middle attacks.
Techworld: It is important to keep the router firmware up-to-date, but that's easier said than done – many vendors never issue updates for their routers after the first year. Is this really a case of choosing a more expensive router brand or a high-end product designed for small business use?
Craig Young: It is unfortunate but true that vendors frequently leave end users out in the cold when it comes to firmware updates. Many of the vendors in this space have a difficult time justifying additional engineering time to fix security flaws across existing product lines. While this may be related to thin profit margins in some cases, our research did not reveal any strong correlation between the selling price of a router and its relative security. Likewise in my experience paying more for a router does not mean the vendor will be any more responsive to vulnerability reports. In fact while preparing for the DEF CON 22 SOHOpelessly Broken router hacking competition, I found that one of the less expensive routers received an update very promptly while the most expensive routers in the contest are still awaiting various fixes.
If you want to pay for a more secure experience, ideally you want to skip the SOHO market entirely and jump right into enterprise gear. Vendors selling real enterprise products generally have well resourced security teams to evaluate and respond to threats. In the enterprise space there is far more concern placed on having a reputation for good security since the risks are typically much higher for business users. Ironically with the increase of feature sets on home routers, the price difference between enterprise and SOHO is eroding. Of course the problem with using enterprise IT equipment in the SOHO environment is that most SOHOs don’t have an enterprise IT team to configure and manage the network.
Techworld: What about alternative router firmware? If you’re running a home router do you think it is worth looking at something like DD-WRT or is that best left to techies? One of the best ways to avoid security flaws is to use software the attacker might not be as familiar with or that has more regular updates.
Craig Young: The use of alternative open firmware definitely can have its advantages for advanced users, but it is not necessarily the case that it is any more secure or even more frequently updated than commercial router firmware. Back in 2012 I submitted a report to DD-WRT while testing a D-Link device running DD-WRT v24-sp2. The bug report is still open 2.5 years later. The advantages for an advanced user include the ability to have enterprise-style features on consumer hardware as well as to fix bugs for themselves, remove unwanted services, and truly lock down the router. For the non-technical user, however, the benefits are far more limited and the difficulty of configuring the system is far greater.
Techworld: Do you rate the fancy security features that are appearing on some expensive home routers? These often now include security features such as ‘router security assessments’, malicious site blocking and vulnerability protection. For example Asus has started using Trend Micro’s security inside its routers. Could the whole router misconfiguration issue be solved this way?
Craig Young: Web reputation engines can be powerful for detecting and thwarting Internet based attacks such as malvertising and exploit kits. Technology like the Asus with embedded Trend Micro or the ITUS networks shield may even detect and block some attacks against the router or recognise insecure configurations. I have yet to evaluate any SOHO products with these types of features, but I suspect that research will continue to demonstrate SOHO routers as a weak point in the security of the Internet.