You probably don’t spend much time thinking about your wireless router—until it stops working, that is. Our inattention to routers has been a security problem for years, most recently last week when Brian Krebs reported that researchers at the Fujitsu Security Operations Center had discovered hundreds of routers were being used to spread a financial fraud malware called Dyre.
The researchers speculated that the vulnerabilities were likely due to users not changing the default credentials for their routers, making them easily accessible to criminals. To be clear, your wireless router password is different from your wireless network password—the former protects administrative access to the router, which allows you to configure its settings, and the latter protects access to the wireless network itself. But someone who has administrative access to your router can completely compromise the machine—and not just any machine, one that your devices most likely accept packets through every day. That may mean transmitting malware, like Dyre, but compromised routers can also affect pretty much every element of your online experience—for instance, an attacker might compromise your router in order to change your network’s domain name system settings, so that you are misdirected to fraudulent or malicious websites when you type in familiar URLs.
So it’s important to take your router password as seriously as you would take your laptop or email credentials—not least because some routers allow remote administration access by default. That means even people who are not logged on to your home network may be able to manage the router so long as they can guess the password. Still, router security isn’t entirely about passwords—it encompasses all the same concerns we worry about with our personal computers, including weak credentials, software vulnerabilities, and slow patching mechanisms. Despite the near ubiquity of wireless routers, however, we very rarely discuss, let alone understand, how to keep them secure.
Part of what makes router security hard—and important—is that we’re constantly interacting with other people’s routers. You may practice good security with your personal devices, but odds are that at some point you’ll want to join a wireless network at a coffee shop or airport or hotel, at which point you’ll be dependent on how well they protect their networks. Hotels, in particular, are notorious for having poor network security, and in March, there were reports of vulnerable wireless routers at hundreds of hotels worldwide.
We don’t always have a lot of control over the security of the networks we’re using. But even those routers that we do control—the ones that sit in our living rooms, flashing little green lights—aren’t a major focus for most people. When was the last time you updated your router’s firmware? Have you ever updated your router’s firmware?
Hacked home routers can be used to do more than just spread malware. In January, Krebs reported that insecure home routers were used to launch a series of denial-of-service attacks—including attacks on Sony’s and Microsoft’s gaming networks—perpetrated by the Lizard Squad. Routers, after all, are just computers—computers we tend to ignore, despite the fact that we’re often relying on them to guide and direct our interactions with the outside Internet.
In recent years, many computer security efforts have been focused on trying to protect our endpoint devices—the laptops and smartphones and tablets that we use on a daily basis and the applications that run on them. You might not do everything you’re supposed to do when it comes to securing your devices and the applications that run on them, of course. But at least you know that these tools and programs contain sensitive information you’d be sorry to lose and that they serve important functions you wouldn’t want interrupted.
There are several straightforward measures you can take to help secure your home router beyond changing the default administrator credentials and using WPA encryption for your Wi-Fi network. These include using an OpenDNS server, rather than the one maintained by your Internet service provider; disabling remote administrative access (if it’s allowed by default); making sure your network name, or SSID, doesn’t include any clues about your router model or manufacturer; and updating the manufacturer’s firmware. You can even replace the firmware with a more secure open-source option.
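The checklist above can be turned into a repeatable audit. The sketch below is an added example, not part of the original article: it assumes you have copied your router's settings by hand into a dictionary (the field names, the default-login list, and the vendor list are hypothetical and constructed for illustration), and it flags each item the paragraph warns about, including DNS servers that are not the OpenDNS resolvers you expect.

```python
import ipaddress

OPENDNS = {"208.67.222.222", "208.67.220.220"}  # OpenDNS public resolvers
# Constructed, non-exhaustive sample lists for illustration.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}
VENDOR_HINTS = ("linksys", "netgear", "tp-link", "d-link", "asus", "belkin")

def _version(text):
    """Turn '1.0.9' into (1, 0, 9) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit_router(cfg, trusted_dns=OPENDNS):
    """Return sorted finding codes for a (hypothetical) router settings dict."""
    findings = set()
    if (cfg["admin_user"].lower(), cfg["admin_password"].lower()) in DEFAULT_LOGINS:
        findings.add("default-admin-credentials")
    if cfg["remote_admin"]:
        findings.add("remote-admin-enabled")
    if not cfg["wifi_security"].upper().startswith("WPA"):
        findings.add("wifi-not-wpa")
    if any(hint in cfg["ssid"].lower() for hint in VENDOR_HINTS):
        findings.add("ssid-reveals-vendor")
    if _version(cfg["firmware"]) < _version(cfg["latest_firmware"]):
        findings.add("firmware-outdated")
    for server in cfg["dns_servers"]:
        try:
            addr = str(ipaddress.ip_address(server.strip()))
        except ValueError:
            addr = None  # unparseable entries are reported too
        if addr not in trusted_dns:
            findings.add("dns-not-trusted:" + server.strip())
    return sorted(findings)

# Constructed sample settings: factory-state router vs. hardened one.
WEAK = {"admin_user": "admin", "admin_password": "admin", "remote_admin": True,
        "wifi_security": "WEP", "ssid": "NETGEAR-5G", "firmware": "1.0.2",
        "latest_firmware": "1.0.9", "dns_servers": ["203.0.113.53"]}
HARDENED = {"admin_user": "homeowner", "admin_password": "constructed-long-passphrase-7391",
            "remote_admin": False, "wifi_security": "WPA2", "ssid": "bluebird",
            "firmware": "1.0.9", "latest_firmware": "1.0.9",
            "dns_servers": ["208.67.222.222", "208.67.220.220"]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_router(cfg))
```

A DNS finding on a router you previously set to OpenDNS is worth treating as a sign that someone else has changed its settings.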
We focus on securing endpoints and applications in part because it’s easier to shield them from an insecure Internet than it is to try to secure the Internet, or even to imagine what a secure Internet would mean. That doesn’t mean we’ve ceded the fight for network security, just that it’s a more complicated and challenging set of issues to take on—a set of issues that an individual vendor or application developer cannot easily address on their own.
Routers exist in an interesting in-between space as the gatekeepers that connect us to outside machines and networks. Much of our online activity is mediated through routers, yet, unlike our other devices, most of us hope to interact with or think about our home routers as little as possible. That’s understandable—but unfortunate.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.