Router: The First Line of Defense or the First Mistake?
- The default passwords most routers use are too simple and are usually generated with known algorithms. Also, the routers don't require (some only recommend) a password change. Not only can the default network access password be weak, but the router control panel password is usually left at its default as well.
- If the client wants to use the default password, he should be reminded to remove the sticker from the back of the router (that sticker that anyone, even the "cleaning lady" can read) that has the default password.
- The default setup allows wireless access to the main control panel. There is nothing wrong with this, and that option is needed (the problem is that some routers don't allow disabling of wireless access), but the client should be informed of the risks and the loosening of security that wireless access to the control panel brings. With that information, the client should make the decision of whether he wants to connect to the control panel only by cable or also by wireless.
- Most routers have WPS enabled by default. Usually, this is left on by default without proper configuration or even warning of the danger of having WPS enabled (when most of the time it is not even used). It's one thing if the client has a WPS button that requires physical access, but always having WPS on is different because having it on makes it easier for attackers to break in.
- Encryption: Luckily for us, the default encryption is WPA2. However, we still see lots of WEP-encrypted networks (because many people have no clue what that is, or because WEP is the default on old equipment) or networks with no encryption at all. Most normal users (non-tech savvy users) have no idea of the risks that WEP creates.
- Open ports are also a problem. Normally, users simply get the router working and start doing their normal routines (check email, Facebook, etc.), without even checking for open ports. Lots of routers expose SSH or Telnet services that allow an attacker to send remote commands. Some routers allow those services to be disabled, but some don't. When we can't disable services like that, it's a risk! Not only that, but on some routers, changing the control panel access password doesn't change the SSH/Telnet password, leaving it at the default. While the web form control panel blocks access after three to five wrong login attempts (blocks for about one minute), the SSH and Telnet services don't. That means the attacker can brute force the router credentials more easily through those open ports.
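Checking which management services a router actually exposes on the LAN side is a two-minute job, and it is the check the paragraph above says most users never do. The following script is an added example, not code from the original post: it probes a small set of standard management ports with a plain TCP connect and turns the result into findings a home user can act on (disable the service, or make sure its password was changed together with the web panel's). The port-to-service labels and the `local_demo()` listener are constructed for the example; `local_demo()` opens a throwaway socket on 127.0.0.1 that stands in for an exposed Telnet service so the script runs without touching a real router.

```python
import socket
from typing import Dict, Iterable, List

# Standard TCP ports for the management services a home router commonly
# exposes on the LAN side (IANA assignments; the labels are ours).
MANAGEMENT_PORTS: Dict[int, str] = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connect() to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable: all count as "not reachable from here".
        return False


def scan_management_ports(host: str, ports: Iterable[int] = MANAGEMENT_PORTS,
                          timeout: float = 1.0) -> Dict[int, bool]:
    """Probe each port once and map port -> reachable."""
    return {port: port_is_open(host, port, timeout) for port in ports}


def audit_findings(scan: Dict[int, bool],
                   labels: Dict[int, str] = MANAGEMENT_PORTS) -> List[str]:
    """Turn an open-port map into plain-language findings for the router owner."""
    findings: List[str] = []
    for port, is_open in sorted(scan.items()):
        if not is_open:
            continue
        service = labels.get(port, f"tcp/{port}")
        if service == "telnet":
            findings.append(f"tcp/{port} (telnet) is reachable: cleartext logins and no "
                            "lockout after failed attempts; disable it if the firmware allows")
        elif service == "ssh":
            findings.append(f"tcp/{port} (ssh) is reachable: confirm its password was changed "
                            "along with the web panel password, not left at the default")
        elif service in ("http", "https"):
            findings.append(f"tcp/{port} ({service}) is reachable: control panel is exposed; "
                            "make sure the default admin password was changed")
        else:
            findings.append(f"tcp/{port} is reachable: identify the service and decide if it is needed")
    return findings


def local_demo() -> Dict[str, object]:
    """Constructed demonstration that needs no router: a listening socket on
    127.0.0.1 plays the part of an exposed Telnet service, and a second port we
    bind and immediately release plays a disabled SSH service."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    labels = {open_port: "telnet", closed_port: "ssh"}
    try:
        scan = scan_management_ports("127.0.0.1", labels, timeout=0.5)
        findings = audit_findings(scan, labels)
    finally:
        listener.close()
    return {"scan": scan, "findings": findings,
            "open_port": open_port, "closed_port": closed_port}


if __name__ == "__main__":
    # Against a real router you would replace local_demo() with something like:
    #   audit_findings(scan_management_ports("192.168.1.1"))
    # (192.168.1.1 is a placeholder gateway address, not taken from the post).
    for line in local_demo()["findings"]:
        print(line)
```

A connect scan only tells you the service answers; it does not tell you whether its password is still the factory default, which is the second check the paragraph asks for and one you do by logging in yourself, not by probing.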
- Frequency conflicts aren't exactly a "security issue," but who likes slow Internet? Not only does our network slow down, but every network nearby also gets slowed down. Most ISP technicians install the router without even checking nearby networks to see if they could configure it to another channel that has less interference. If, like me, you live in a crowded building with lots of networks, then you can easily see that most routers are usually left on the same channel, and residents mostly complain about slow Internet (until they call the ISP and are instructed to reboot the router, which will make it "hop" to another less used channel). Good network management could prevent lots of these situations.
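The channel check the technician skips can be written down as a small scoring rule. This is an added example, not from the original post: given a survey of neighbouring networks (channel and received signal in dBm), it scores every 2.4 GHz channel by how much neighbouring signal power overlaps it and picks the least crowded one, preferring the non-overlapping channels 1, 6 and 11 on a tie. The overlap weight (full on the same channel, falling linearly to zero at five channels apart) is a deliberate simplification of the real spectral mask, and the survey data is constructed for the example.

```python
from typing import Dict, List, Tuple

# 2.4 GHz channels are 5 MHz apart but a 20 MHz transmission is about 22 MHz
# wide, so channels fewer than five apart overlap. 1, 6 and 11 are the usual
# non-overlapping set.
CHANNELS_24GHZ: List[int] = list(range(1, 14))
PREFERRED: Tuple[int, ...] = (1, 6, 11)

# Constructed survey: (channel, RSSI in dBm) for each neighbouring network,
# the kind of list a phone Wi-Fi analyser app shows.
SAMPLE_SURVEY: List[Tuple[int, float]] = [
    (6, -40.0),   # very strong neighbour on channel 6
    (6, -55.0),   # second network on channel 6
    (1, -70.0),   # faint network on channel 1
    (11, -45.0),  # strong network on channel 11
    (9, -60.0),   # network on an overlapping "in-between" channel
]


def overlap_fraction(delta: int) -> float:
    """Simplified overlap weight: 1.0 on the same channel, 0.0 at five apart."""
    return max(0.0, 1.0 - abs(delta) / 5.0)


def dbm_to_mw(dbm: float) -> float:
    """Convert a logarithmic dBm reading to linear milliwatts so signals add."""
    return 10 ** (dbm / 10.0)


def interference_scores(neighbours: List[Tuple[int, float]],
                        candidates: List[int] = CHANNELS_24GHZ) -> Dict[int, float]:
    """Sum of neighbouring signal power (mW) weighted by overlap, per candidate channel."""
    return {
        c: sum(overlap_fraction(c - ch) * dbm_to_mw(rssi) for ch, rssi in neighbours)
        for c in candidates
    }


def best_channel(neighbours: List[Tuple[int, float]],
                 candidates: List[int] = CHANNELS_24GHZ) -> int:
    """Least-interfered channel; ties go to 1/6/11, then to the lowest number."""
    scores = interference_scores(neighbours, candidates)
    return min(candidates, key=lambda c: (scores[c], 0 if c in PREFERRED else 1, c))


def worst_channel(neighbours: List[Tuple[int, float]],
                  candidates: List[int] = CHANNELS_24GHZ) -> int:
    """Most-interfered channel, useful to show the owner what to move away from."""
    scores = interference_scores(neighbours, candidates)
    return max(candidates, key=lambda c: scores[c])


if __name__ == "__main__":
    scores = interference_scores(SAMPLE_SURVEY)
    for channel in CHANNELS_24GHZ:
        print(f"channel {channel:2d}: {scores[channel]:.3e} mW-equivalent")
    print("recommended:", best_channel(SAMPLE_SURVEY))
    print("avoid:", worst_channel(SAMPLE_SURVEY))
```

Restricting `candidates` to `range(1, 12)` gives the North American channel plan; the survey itself is the only input, so the same routine works on whatever a site-survey tool exports.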
- Firmware is the least updated part of any domestic network. Most people don't have a clue that the router has to be updated, and they are not informed of that by the ISP. While the PCs and other devices have automatic updates, the router is usually left unprotected because of a lack of firmware updates. Not only that, but most companies don't even spend time making firmware updates to fix flaws of cheap domestic routers.
Final Thoughts
All of these vulnerabilities have to stop if we want data security. This type of mindset has to change! The ISPs have to understand the risks of "not caring" about the client's security, leaving everything to the client to know what is best or not. The clients should have security in mind, try to understand the equipment they want to use, and, especially important, they should test it! They should not just believe it's safe because the ISP says so.