What are the best ways to improve router network security? Our guide outlines the risks that come with poor security and how you can improve it.
Security on the World Wide Web cannot be limited to websites and clouds. It starts much earlier: with the router, the device that is your access point to the Internet. A security study shows how network security is underestimated. Read the terrifying results of the test, as well as tips to improve router network security.
WLAN router in the test
The Router Security Report 2020 speaks of “alarming results”. A total of 127 routers for private users from seven well-known manufacturers were tested. The study noted security deficiencies, “sometimes even very significant. These range from missing security updates to hard-coded passwords that are easy to decrypt and known vulnerabilities that should actually have been fixed long ago,” explains the study.
The shortcomings that the researchers discovered are serious: the evaluation showed that not a single router was without flaws. Some even had hundreds of known vulnerabilities. 46 routers had not received a security update in the past twelve months. In fact, there is even an extreme case that has not received a security update for 2,000 days – that is: more than 5 years!
Over 90 percent of the routers tested use Linux as the operating system, but often in outdated versions. The study clearly sees it as the router manufacturers' duty to improve router network security here: “Linux is constantly working on closing security gaps in its operating system and developing new functionalities. The manufacturers actually only have to install the latest software, but they don’t integrate it to the extent that they could and should.”
In addition to long-standing security gaps that the manufacturers could and should have eliminated long ago, the scientists were also amazed at the lax use of passwords: “Many routers have easy-to-crack or known passwords or hard-coded login data that cannot be changed by the user.”
At the time of testing, all devices were actively being advertised by the manufacturers. From this, the researchers concluded that all routers are new enough to actively receive updates. Overall, the researchers were able to determine that the manufacturer AVM “attached more importance to the security aspects than the other providers”, “even if AVM routers are also not without security deficiencies”. In the tests, ASUS and Netgear showed themselves to be “more reliable than D-Link, Linksys, TP-Link and Zyxel” in various points.
Network security: targeting vulnerabilities
To find the weak points, it was not necessary for the researchers to laboriously examine the router manually. It was sufficient to use the open source tool “Firmware Analysis and Comparison Tool” (FACT) to examine the router software for five security aspects:
- How much time has passed since the last firmware release for this device?
- In which version is the underlying operating system kernel?
- Are there any exploit protection measures in place?
- Do private crypto keys exist in the system?
- Are there preset passwords?
Specifically, 127 firmware images from the seven router manufacturers Asus, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel were examined automatically using the tool.
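Three of the five aspects listed above (kernel version, private crypto keys, preset passwords) can be checked on an already extracted firmware file system with a few Python functions. This is an added example, not FACT's code or the study's method; the function names and the sample tree with its placeholder key, hash and kernel version are constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# PEM header of an embedded private key (RSA, EC, DSA, OpenSSH, PKCS#8).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def find_private_keys(root):
    """Relative paths of regular files that contain a PEM private-key header."""
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*")
                  if p.is_file() and not p.is_symlink() and PEM_PRIVATE.search(p.read_bytes()))

def preset_accounts(root):
    """Accounts that ship with an empty password or a password hash."""
    found = {}
    for rel in ("etc/passwd", "etc/shadow"):
        path = Path(root, rel)
        if not path.is_file():
            continue
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            fields = line.split(":")
            if len(fields) < 2 or fields[1] == "x" or fields[1][:1] in ("*", "!"):
                continue  # malformed, deferred to shadow, or locked
            found[fields[0]] = "hash" if fields[1] else "empty"
    return found

def kernel_version(root):
    """Kernel version from the lib/modules/<version> directory name, or None."""
    mods = Path(root, "lib/modules")
    names = sorted(p.name for p in mods.iterdir()) if mods.is_dir() else []
    return names[0] if names else None

def make_sample_tree():
    """Constructed miniature root file system; every value is a made-up placeholder."""
    root = tempfile.mkdtemp(prefix="fw-sample-")
    files = {
        "etc/passwd": "root:x:0:0::/root:/bin/sh\nsupport::0:0::/:/bin/sh\nnobody:*:99:99::/:/bin/false\n",
        "etc/shadow": "root:$1$constructed$placeholderhash:0:0:99999:7:::\n",
        "etc/ssl/server.key": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n",
        "lib/modules/2.6.36/placeholder.ko": "",
    }
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    print(kernel_version(root), find_private_keys(root), preset_accounts(root))
```

Firmware age needs the vendor's release date and exploit protection needs ELF header inspection, so both are left out here.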
Security risks are increasing
The researchers downloaded the firmware images using FACT. The router operating systems were then extracted; as already mentioned, most of them use Linux. The next task was to check the software for the security aspects mentioned above. Indeed, the results that the tests showed can only be described as alarming:
22 of the routers were not provided with firmware updates at all in the past two years. Over a third of the routers tested are based on clearly outdated Linux kernel versions (no security update for at least 9 years). The sad record in this regard is held by a Linksys device based on an almost 18-year-old Linux kernel. According to the study, AVM is the only manufacturer that consistently uses newer kernel versions.
The researchers also noticed an average of around five private crypto keys per firmware image examined. Here, too, AVM is the notable exception: not a single key was found in the firmware.
In an incredible 50 of the 127 images tested, the FKIE found preset passwords; in 16 routers they were extremely easy to crack. Asus has the edge here: It is actually the only manufacturer that does without preset passwords.
The researchers' tool-based analysis was not in-depth but rather superficial, and even so it turned up many security gaps. Some of these findings may not necessarily turn out to be actual vulnerabilities. Nevertheless: The analysis shows that tangible security deficiencies are an integral part of routers even for home users, and there is a great need to improve router network security there as well as in business environments.
In fact, it is still impossible to report security holes to router manufacturers. Updates are either delayed or never arrive. There is no point in even trying to find out details about when which vulnerability might be closed. Even if the identified shortcomings are not actively exploited, it should be clear that the implementation of modern technologies could prevent attacks. Currently, some data can be read out that can also leave the encryption of communications in the affected network vulnerable.
Urgent need for action to improve router network security
One thing becomes clear through the test carried out by the researchers: there is an urgent need for action! Only when the manufacturers rely on efficient security measures for their devices will users be able to work towards more network security and improve router network security.
Manufacturers are responsible
As the researchers have found, Linux itself is always up to date; it is only the router manufacturers who do not use the current versions. Why? Somebody has to put the security updates together. They have to be tested so that another function of the router does not stop working. That costs money.
Another problem is that of the non-existent liability: If routers and thus the network are hijacked by third parties, the router manufacturers are not liable. That is why researchers like Weidenbach are calling for binding security guidelines that oblige manufacturers to implement updates and other security measures.
Of course, consumers can also take action: Don’t just have a router sent to you. Decide for yourself which one you want to use. According to the current study, updates are made once a year. Although this would also be completely inadequate, it is still better than nine-year-old systems, he explains. His ideal would be weekly updates that are carried out automatically without user intervention.
Ways to improve router network security
Unfortunately, you cannot rely on the manufacturers at the moment – as long as there are no binding guidelines, there is no reason for the manufacturer to change anything. However, you can always optimize your network security, for example with the following tips:
- Updates: Be smarter than the manufacturer of your router. Whenever an update is released, apply it quickly. Always keep the firmware as up-to-date as possible to avoid security loopholes being exploited.
- Router password: Avoid purchasing a router that does not allow you to change your password. If there is a preset password, please change it. To do this, combine at least eight characters made up of lowercase and uppercase letters, numbers and, if possible, special characters.
- WiFi password: Not only your router, but also your WiFi is usually password protected. Change the preset password here too. Ideally, this password consists of significantly more than eight characters; 20 are recommended.
- Network name: If your router allows this, also change the network name. Refrain from making references to your life by giving your name, your street or place of residence, the manufacturer’s name or even the type of device.
- WPS button: It’s really practical: new network devices can be wirelessly integrated into the network at the push of a button (WiFi Protected Setup, WPS). But is that also safe? It is advisable to deactivate the WPS button after integrating all clients. This gives you control over when new devices want to register on the network.
- Remote access: Almost every modern router offers the option of accessing the router’s web menu via any browser. This remote access can become a gateway for cyber criminals. For a home router that you only ever access from within your own four walls, you can deactivate this remote access. If you do not want to do without remote access or if you cannot do so, you must connect via HTTPS and/or VPN.
- Guest access: Most routers have guest access: If guests come, they can, for example, integrate their smartphone into the home network via this guest access. Take advantage of this opportunity! Because: As a rule, such a guest access is separated from the home network. Guests can surf the web free of charge, but have no access to the devices in the home network. It goes without saying that you set up an ID for guest access that differs from your password. Some routers allow you to automatically deactivate guest access after set intervals.
- WLAN in absence: If you are away from home for a while due to a vacation or a business trip, you can temporarily deactivate the WLAN on the router. In this way, you reduce the attack surface when you are away. However, if you have integrated surveillance or smart home devices into the network, this tip can sometimes be irrelevant.
- WLAN if required: Those who primarily surf the web with a cable and, for example, only use the TV wirelessly in the evening can switch the WLAN on only when required. Most routers offer time switch options: You could deactivate your WLAN between midnight and 6 p.m. and activate it in the evening to watch TV.
- MAC filter: Set up a MAC filter to restrict access rights to your network. Many manufacturers offer instructions for setting the so-called media access control address on their websites.
- Functionalities: Many routers bring a number of functionalities with them, tools and features that you do not necessarily all need. Deactivate all functions of your router that you do not need. This is how you reduce the attack surface.