How to make Your Router More Secure on the Internet 4-15-2019

Many consumers are unaware of the critical importance of their routers in protecting them from Internet threats. A router prevents hackers and bots from being able to see your computer from the Internet. If a hacker can't see your computer, he can't hack your computer. Although router hacking is less common than computer hacking, it's prevalence is rising, because it is both harder to detect and harder to reverse.

Unfortunately, nearly all consumer-grade routers fail to do an adequate job of hiding your computer from hackers; thus, they are inherently insecure on the Internet. Andy Greenberg, a senior writer for WIRED magazine, covering security, privacy, and information freedom, wrote, "...home routers are notoriously prone to vulnerabilities that can allow remote hackers to take them over, ...". Michael Horowitz, a router security expert, wrote, "I think it is a mistake to use a consumer router. The big reason is that their security is not acceptable." Horowitz says that manufacturers of consumer-grade routers are concerned with making a profit, not with making secure routers. For a manufacturer, providing security updates year after year is not compatible with offering a low-priced router.

It is important to understand that private hackers are not the only ones who want to gain access to your computers. Government hackers are also active on the Internet. In fact, the US government's NSA also tampers with modems made in the United States, in order to spy on their owners, as Edward Snowden revealed for the first time in 2013. Your ISP also spies on you via the modem/router they provide to you when they set up your Internet service. They can do this, because the US government, under coercion from ISP industry lobbyists, passed a law in 2017 that allows ISP's to sell your private browsing history.

What makes Consumer-Grade Routers so Insecure?

There is a long list of reasons for not using consumer-grade routers. First, when manufacturers release new routers, their software (usually referred to as firmware, because it resides on a chip, rather than on a hard drive) is often full of bugs and security flaws, as a result of being rushed to market before the software is ready. Then, manufacturers update their router software as little as they can get away with, in order to maximize their profits. In fact, they really don't have an incentive to do anything at all to improve security until a widely-publicized security flaw is found. Very few routers update their software automatically, leaving it up to consumers to take care of this. But, manufacturers don't make much of an effort, if any, to inform consumers when they publish software updates. So, often consumers are completely unaware that their router software even needs to be updated, much less when it needs to be updated.

A major problem with routers provided by ISP's is that they usually include software and settings that make it easier for ISP's to watch where you're going on line. Unfortunately, software that makes it easier for your ISP to watch you often also makes it easier for everyone else to watch you, too. These settings and software are sometimes impossible for consumers to change or remove. This is because many consumer grade modem/routers are intentionally locked down to prevent consumers from undoing the IPS's modifications. Some routers will not even allow their owners to change passwords or select different DNS servers.

There are different routes you can take to improve your router security (pun intended).

The Optimal Router Security Solution

The best solution, according to Horowitz, is to buy and use your own modem and router. You should also buy a modem and router that are two separate pieces of hardware. And, the router should be of the commercial variety, not a consumer grade router. As Horowitz says, "When you buy a consumer router you are buying the hardware. The software is provided as cheaply as possible. When you buy a business class router you are buying the software."

Commercial router software is better than consumer router software, because commercial companies hire IT employees that understand network security. Knowledgeable customers make it much harder for manufacturers to unload substandard equipment on them. Manufacturers will manufacture and sell better products when they understand that their customers will go elsewhere to buy if they are being sold low-quality or inadequate products.

The Suboptimal Solution

Throwing away their cheap, ISP-supplied modem/routers and replacing them with more expensive equipment is simply not a reasonable option for many consumers. Add to this, the fact that commercial routers are harder to use, and it becomes apparent that not everyone will transition to the higher-security option. So, what can you do on a tight budget?

If you are on a limited budget and willing to learn, one thing you can do with some routers is to replace their software with open source software. Among the available open source router software are the three most popular: OpenWrt (now merged with LEDE), DD-WRT, and Tomato. OpenWrt supports the broadest base of hardware, but it can be difficult to configure. DD-WRT is more user-friendly and easier to install than OpenWrt. Tomato is very lightweight and has a more intuitive interface. You will have to do some homework here to decide which, if any of these, is right for you. If you are not at all technically inclined, replacing your router's software with open source software is not the way to go. Installing router software incorrectly can brick your router. So, do your research and think carefully before going this route.

At a Minimum, do This

If neither of the above options appeal to you, what can you do to get a higher level of security (however inadequate, as judged by the experts) out of your current router?

Easy Fixes:

If you can change the settings on your router, do this:

Settings to Change on Your Router

Change the administrative account user name and password.

Change the Wifi password, and if possible, make the SSID non-discoverable. For even more security, turn off WiFi completely and use a wired connection only.

If you decide not to turn off your WiFi, at least enable WPA2 WiFi encryption.

Turn off remote management, or remote administrative access.

Somewhat Harder Fixes:

If the router allows the following settings to be changed, do so:

Other Settings to Change

Disable PING, to prevent hackers from being able to easily discover the existence of your router.

Prevent hackers from easily communicating with your router by disabling the following: Telnet, SSH, UPnP, and HNAP.

To make it harder for your ISP to log the sites on the Internet that you visit, change the DNS server setting on your router to select a DNS server other than the one provided by your ISP.

Update your router's firmware to the most recent version.

Another thing you can do is to go to Steve Gibson's Shieldsup webpage to see what ports may be open on your router. Ports can be thought of as a mapping to computer memory locations where data is briefly stored during communication with other computers. For example, port 22 is used by the SSH communication protocol to talk with another computer that is talking to yours via SSH. If you are not playing multi-player games on the Internet and are not running a mail server or a web server on a computer connected to your router, then your router should probably not have any open ports. Close any currently open ports that don't need to be open.

Related Articles:

There's no Such Thing as a Secure Computer--How to be Relatively Secure

How to Avoid being Tracked and Spied-On while On Line

When Buying a Computer, More Knowledge Equals Lower Cost