This site focuses on the security of routers. Period. If you are interested in faster WiFi, look elsewhere. The site covers configuration changes to make a router more secure, and, picking a router that is more secure out of the box.
Why devote an entire site to router security?
I used to be like you. That is, I would buy a router, it would work fine and I would ignore it for years. However, after some huge router flaws,
affecting millions of routers, caught my attention, I started following
the topic more closely. As a Defensive Computing guy, I eventually realized that I needed to upgrade my own router security and get more up to speed on the topic. After all, if a router gets infected with malware, or re-configured in a malicious way, most people would never know. There is no anti-virus software for routers.
I am not alone in pointing out the sad state of router software/firmware.
Router security may be a dull and boring topic, but it's important. For proof, see what can happen if your router gets hacked.
For the latest on routers, see the Routers in the news page.
Non-techies can start at the Introduction to Routers page, which discusses what a router is conceptually, then describes
the hardware and the many ways to communicate with a router.
This site has NO ADS. If you see ads, either your browser, computer or router is infected with adware. It also does not use Google Analytics or any third party analytics. In fact, it doesn't use any third part scripts/software of any kind. The search feature uses DuckDuckGo, but does not load any scripts.
I spoke on Securing a Home Router at the
HOPE conference in July 2014. This website grew out of that presentation. A PDF of the presentation is available
at box.net (last updated Oct. 4, 2014). Audio is available
at x.hope.net (thanks to 2600). An article about the talk appeared in Toms Guide.
I spoke again about Router Security, at the O'Reilly Security Conference on
Nov. 1st, 2017. The talk was very different from the first one. See a PDF of the slides or watch the video.
Picking a Router
The first step towards a secure router is choosing the right router.
Many people use the device given them by their Internet Service Provider (ISP), which I think is the least secure option for a
number of reasons. Understandably, many non-techies prefer this because they can call their ISP when things go wrong.
Slightly more secure, would be a consumer router, but that is not the best option either. To bolster this opinion, see the page on
router bugs. It is not an exhaustive list of bugs, but it illustrates the poor state of software on consumer routers.
The most secure option is a business class device.
Which router do I recommend? The Pepwave Surf SOHO router from Peplink. It is a low-end business class router, not geared to consumers. Its cost has been a fairly consistent $200 which is a bargain for a business grade router, especially one that does Wi-Fi. The user interface is, in my opinion, simpler than that of other business oriented routers. You can see for yourself, by kicking the tires of a much higher end Peplink router here. My description of the router, with its pros and cons is quite long. The Surf SOHO may not be a fit for you, but after reading about it, you should have no doubt if it meets your needs or not. My only relationship with Peplink is that of a customer. Other routers that appear to be a step up in class are pfSense, the Turris Omnia and DrayTek. See more about them.
How secure can a router get? Only as secure as its included features allow. For a list of router security features see my Security Checklist. The most expert person in the world can only make a router as secure as the included features allow.
Buying a used router from a stranger (think eBay) can be dangerous, as the firmware may have been maliciously modified. To protect against that, download new firmware using a different router. If possible, switch the firmware entirely, that is, if it came with stock firmware, try switching to DD-WRT, OpenWRT or anything else. Asus owners can switch from Asus firmware to that offered by Merlin.
Do not buy a router based on anything you read at technogearlab.com/networking/routers. The site is a scam.
Secure Router Configuration - Start With This
This relatively short list of configuration tweaks can greatly increase the security of any router.
- Change the password used to access the router. Anything but the default should be OK, but don't use a word in the dictionary.
- Wi-Fi encryption should be WPA2 with AES and each Wi-Fi password should be at least 14 characters long.
- Turn off UPnP and, if your router supports it, NAT-PMP, to protect both yourself and the rest of the Internet.
- Be smart about choosing an SSID (network name)
- Use a password protected Guest Network whenever possible, not just for guests but for IoT devices too.
- Turn off WPS
- Remote Administration is probably off, but verify that it is disabled
- Test Your Router for open ports using some online testers
- Periodically check for new firmware. At some point you will go a year or two, or more, without any updates. Time for a new router.
Secure Router Configuration - the FULL list
For the techies amongst us, the list below is as comprehensive as I can make it. Perhaps a spy agency would be the only one to implement everything on the list. Pick and chose, and implement as many as you can.
- If the router is new, see my suggestions for setting up a new router. Basic plan: make the most obvious few changes with the router off-line, go online behind another router to get the latest firmware, then make the rest of the changes.
- Change the password used to access the router (this is not a WiFi password). Don't use a word in the dictionary. Two words and a number should be fine (7coldapples). For more, see my router password advice. This is often the hardest step as it requires knowing how to access the router.
- If the router lets you change the userid used to logon to the router, change it
- Check for new firmware. There are no standards here, every router has a different procedure. With most routers this will be an ongoing manual check, however, some are able to update themselves. Be aware of the risk; if something goes wrong you may lose Internet access. Best to do it at a time when your ISP has offices that are open, so the box can be exchanged, if necessary. For more, see the firmware updates page. Many routers no longer get firmware/software updates. If the last update for yours was a couple years ago, it is time for a new router.
- If any of your Wi-Fi networks (a router can create more than one) use a default SSID (network name) then change it. Do not pick a name that makes it obvious that the network belongs to you. More...
- For Wi-Fi encryption, use WPA2 with AES. If there is a choice to use TKIP rather than AES, stick to AES. There may also be an option to use both TKIP and AES - just use AES. Wi-Fi encryption will improve with WPA3 but WPA2 with AES is perfectly secure as long the password is long (next topic). If you see a reference to PSK that refers to the most common flavor of WPA2, which has a single password for the network. WPA2 Enterprise is the other flavor and it supports multiple users of a single network each with their own password.
- Wi-fi passwords: it is critical that passwords be long enough to fend off brute force attacks. This will not be an issue with WPA3. My best guess is that 14 characters should be sufficient, but 15 or 16 characters is better still. And, you really should not use a password anyone has ever used before. See more about Wi-Fi passwords.. Note: The Ubiquiti AmpliFi mesh router defaults to using the same password for Wi-Fi and administering the router. Never do this, each function should have its own password.
- Change the DNS servers that your router gives out to attached devices. ISP assigned DNS servers are usually the default, and worst, option. Why bother? To use a company that specializes in DNS, to get some extra security and to have easy to remember DNS IP addresses. Two suggested DNS servers are 18.104.22.168 (from Quad 9, backed up by 22.214.171.124) and 126.96.36.199 (from Cloudflare backed up by 188.8.131.52). I also like OpenDNS at 184.108.40.206 and 220.127.116.11. Another option is 18.104.22.168 (Google backed up by 22.214.171.124). Some companies offer child friendly DNS servers. After configuring your preferred DNS servers, test that they are actually being used.
- Turn off WPS
- Turn off UPnP. UPnP is a protocol that lets devices on a LAN punch holes in the firewall of the router. This exposes these devices to the Internet at large where, if they are vulnerable, they can be hacked. Technically, UPnP enables port forwarding without the router owner even knowing what port forwarding is. You are safer with UPnP disabled. That said, there is a chance that disabling UPnP will break some network communication used by a device on your network, most likely an IoT device. To see if your router is doing any Port Forwarding, you can login to the router. No forwarding of ports is the safe, secure state. It also means that disabling UPnP will not cause you any grief. See Do You Know Where Your UPnP Is?.
- UPnP was intended to only work on the LAN side of a router, but some routers are so miserably mis-configured that they expose UPnP on the WAN/Internet side too. This is a common, and huge, mistake, akin to a surgeon amputating the wrong leg. Fortunately, there is an online test, from Steve Gibson, that checks your router for the existence of UPnP exposed to the Internet. On the first page, of his ShieldsUP! service, click on the gray Proceed button. On the next page, click on the yellow/orange button for GRC's Instant UPnP Exposure Test. As of June 2018, he had found 54,000 routers exposing UPnP.
- Turning off features you are not using reduces the attack surface. Among other features that should probably be disabled are Remote Administration (aka Remote Management, Remote GUI or Web Access from WAN), SNMP, NAT-PMP and Telnet access to the router.
- Change the LAN side IP address of the router. Even better, change the entire LAN side subnet. See the page on IP Addresses for more. This helps prevent many router attacks. And, while you are at it, set up DHCP to allow for some static IP addresses.
- If you need Remote Administration, there are a number of ways to make it more secure. See the Security Checklist page for more.
- Many routers offer Remote Administration via a cloud service rather than the old fashioned way which required directly logging in to the router. If possible turn this off. With it active, you are trusting every employee of the router vendor.
- Guest networks are your best friend. Use them not only for visitors but also for IoT devices. They should be password protected. Guest networks are usually, but not always, isolated from the main network. Review all the configuration options your router offers for the Guest network to insure they are isolated. The Security Checklist page has a list of options you might find.
- Network Isolation/segmentation: Guest networks are merely an appetizer, using VLANs for network isolation is the main course. Devices that only need Internet access should be prevented from seeing and being seen by other devices on the LAN. This prevents a single hacked device from causing grief for other devices on your network. See the VLAN page for more.
- For routers with a web interface, lock down access to the router from the LAN side. The Security Checklist page offers a dozen possible options (see the Local Administration topic) such as changing the port number(s) and limiting access by IP or MAC address. For routers that use a mobile app for administration, think about locking down access to the mobile app. This may require signing out.
- Write down the critical information on a piece of paper and tape it to the router, face down. Include the Wi-Fi network names (SSIDs) and passwords, the router userid/password and the IP address of the router.
- Turn off Ping reply. Sadly, different routers use different terminology for this. To test it, have someone ping your public IP address from outside your network.
- Turn off wireless networks when not in use. Some routers let you schedule this, others have a physical Wi-Fi on/off button, others have a mobile app. In the worst case, you have to login in to the router web interface to disable the Wi-Fi. In that case, a browser bookmark can ease the pain.
- Test if your router supports HNAP. If so, it should be replaced.
- Your modem is a computer too. Your router may be able to block access to the modem from all devices on the LAN. I blogged about this. See part 1 and part 2.
- If your router supports outgoing firewall rules, block the ports used by Windows file sharing. You may also want to prevent any network printers from making any outbound connections. This way if a printer gets hacked, it can't phone home.
- If the router can send email when certain errors occur, configure this feature.
- Try to prevent your router from spying on you. If you own a Netgear router, be aware that they added "analytics" with firmware updates released in April 2017. If you don't want Netgear watching your network, you need to login to the router and disable these analytics. For more on this, see the Bugs page for July 2017. Likewise, Asus and other routers include anti-malware software that may also be watching you. For more on Asus and their partnership with Trend Micro see the Bugs page from May 2017 and look for "Privacy issues with Trend Micro software in Asus routers" Trend Micro software is in other routers too and other anti-virus companies are also partnering with router vendors.
- The Test Your Router page has many ways to kick the tires on your router. One thing to look for is open ports. At Steve Gibson's ShieldsUP! site (click the gray Proceed button), start with the Common Ports test and pay special attention to the SSH (22) and Telnet (23) ports as these services are frequently abused by bad guys. The only good status for any port is Stealth (assuming remote administration is disabled). Next, do the All Service Ports test and finally, do the Instant UPnP Exposure Test (orange button).
- Test your router with my Shodan Query My Router page. It generates both a Shodan query and a Censys.io query of your public IP address (added Feb. 21, 2018, modified Oct 12, 2018)
- The router tests mentioned above are only a partial solution. For the most thorough test, connect the WAN port of a router to be tested (inside router) to a LAN port on another router (outside router). Then, from a computer connected to the outside router, scan of the WAN side of the inside router using NMAP looking for open ports. This lets you test all 65,535 TCP ports and all 65,535 UDP ports.
- Routers that have a web interface are best administered with a clean web browser session. That is, start up a browser, work with the router and then shut down the browser when you are done. Better yet, use private browsing mode when working with the router. Even better, use a browser that has no (or very few) extensions or plugins installed.
- Eat your vegetables :-)
- When you are all done making configuration changes to a router, it is a good idea to back up the current settings. This way, should you ever have to reset the router, you can easily import/restore the last backed up state. Many routers can export the current settings to a file. However, the mesh routers that I have used can not. With my favorite router, the Pepwave Surf SOHO, settings are backed up with System ->
Configuration and click the Download button.
- Old school, techie-oriented routers have a ton of features. After making the changes above, its probably best to live with the router a while before changing some of the more obscure settings. Once you have a performance baseline, then consider enabling features like the detection and prevention of Denial of Service (DoS) attacks or SYN Flood attacks.
Peplink, for example, offers Intrusion Detection and DoS Prevention that protects against 9 types of attacks. DrayTek routers offer protection from over 15 types of attacks.
- If you do not use a VPN then you can turn off the VPN pass-through options.
The best possible over-the-air encryption is offered by WPA2 Enterprise. While all routers support WPA2 encryption, what this really is, is WPA2 Pre-Shared Key (WPA2 PSK). In English, this means there is one password for each SSID. A router using WPA2 PSK that creates three SSIDs will have one password for each SSID. WPA2 Enterprise gives each Wi-Fi user their own userid/password. Support for WPA2 Enterprise is typically found only on business class routers, none of the consumer-focused Mesh Router systems support it. The software used to maintain the list of userids/passwords for each SSID is called RADIUS. In a large organization a router running WPA2 Enterprise might be configured to talk to a RADIUS server on the LAN side that is maintained by the organization. I have used a LAN-resident Synology NAS as a RADIUS server for a Peplink router. The Synology routers are (I think) unique in that they can run a RADIUS server on the router itself. Then too, you can outsource the care and feeding of a RADIUS server.
One reason you might have to re-install the current configuration settings is if someone resets the router. All routers that I have seen come with a pinhole reset. Someone malicious, who can physically touch the router, may simply reset the router to factory defaults as a way to get around the security. To offer the best Wi-Fi performance a router needs to be out in the open which leaves it vulnerable to being reset. A business may try to physically restrict access to the router, but at home, this is probably not viable.
Finally, some thoughts on Google Wifi mesh routers, the Turris Omnia router, Apple routers and mesh routers in general.
ONGOING CARE and FEEDING and DEFENSE
- If the router does not self-update, then check for new firmware every month or two. Also, register it with the hardware manufacturer on the chance that they notify you of firmware updates. Netgear, for example, has a security newsletter that announces bug fixes. Even if the router does self-update, check every now and then that the self-updating system is actually working. More...
- Sometimes, when a router is hacked to run malware, the infection is permanent, but most of the time the infection is temporary. When it's temporary, the malware is removed by simply restarting the router. Malware on a router can easily go undetected, so, it can't hurt to reboot your router every now and then. Just for good luck. Maybe weekly. Maybe monthly. The VPNFilter malware, disclosed in May 2018, makes this all the more important.
- Every router can display a list of attached devices. Check this every now and then to be sure that you know what every device is. Better routers will let you assign names to each device (Susans iPad, Bobs laptop, Georges iPhone). Check that you are seeing all devices, not just those that are active at the moment or just those using DHCP. Some mobile apps for routers show you information about devices that have recently been on your network, even if they are not currently using it. If you have more than one SSID (you should) a good router will show you which SSID each wireless device is connected to. The Surf SOHO does this.
- A common attack against routers is to change the DNS servers. You need to know what the DNS servers should be (discussed above). Many websites report the currently used DNS servers. For example, www.perfect-privacy.com/dns-leaktest. Pick one or two and get in the habit of checking that your DNS servers have not changed. Consider making one of these sites your web browser home page to insure that you check it periodically. Yes, it is possible for a computer to be manually configured with DNS servers of its own and ignore the ones in the router. This would be a good thing to do on a laptop that you travel with and use on public Wi-Fi networks. It can insure you use known, trusted DNS servers. On the other hand, Peplink routers can force all attached devices to use the DNS servers in the router, even when the clients are configured to use other DNS servers. So, its complicated.
- If the router has any logging facilities, check the logs every now and then.
For other Router Security opinions, I maintain a list of articles. Many stink, the good ones are noted in bold.