This site focuses on the security of routers. Period. If you are interested in faster WiFi, look elsewhere.
See the recent updates to this site.
To be clear, this site is about ROUTER security, not ROUTING security. There is nothing here about MANRS (Mutually Agreed Norms for Routing Security).
Why Router Security
Why devote an entire site to router security?
I used to be like you. That is, I would buy a router, it would work fine and I would ignore it for years. However, after some huge router flaws,
affecting millions of routers, caught my attention, I started following
the topic more closely. As a Defensive Computing guy, I eventually realized that I needed to upgrade my own router security and get more up to speed on the topic. After all, if a router gets infected with malware, or re-configured in a malicious way, most people would never know. There is no anti-virus software for routers.
I am not alone in pointing out the sad state of router software/firmware.
Router security may be a dull and boring topic, but it's important. For proof, see what can happen if your router gets hacked.
For the latest on routers, see the Routers in the news page.
Non-techies can start at the Introduction to Routers page, which discusses what a router is conceptually, then describes
the hardware and the many ways to communicate with a router.
This site has NO ADS. If you see ads, either your browser, computer or router is infected with adware. It also does not use Google Analytics or any third party analytics. In fact, it doesn't use any third part scripts/software of any kind. The search feature uses DuckDuckGo, but does not load any scripts.
Secure Router Configuration - the SHORT list top
This relatively short list of configuration tweaks can greatly increase the security of any router.
- Change the password used to access the router. Anything but the default should be OK, but don't use a word in the dictionary. More
- If your Wi-Fi network(s) is using the default password, change it, even if it appears to be random. A Wi-Fi password should be at least 16 characters long.
- If you are using the default SSID (network name) change it. When choosing an SSID, don't identify yourself.
- Wi-Fi encryption should be WPA2 with AES or WPA3.
- Turn off WPS
- Turn off UPnP
- Use a password protected Guest Network whenever possible, not just for guests but for IoT devices too.
- If the router has a web interface, Remote Administration is probably off, but since this is so very dangerous, take the time to verify that it is disabled. If the router is administered with a mobile app and a cloud service, disabling remote access to the router is unchartered territory. Lotsa luck.
- Port forwarding is an opened door (technically an open TCP/IP port). Poke around the router configuration to make sure there is no port forwarding going on. There is a small chance that something on your network needs a port to be forwarded, but every forwarded port is a security risk.
- For years, turning off IPv6 (IP version 6) was on the long list below, but as of August 2021, I think it belongs here on the short list too. Very very few people need it and it was recently disclosed that there is a possible security issue with it.
- Periodically check for new firmware. At some point you will go a year or two, or more, without any updates. That's when it is time for a new router.
Secure Router Configuration - the FULL list top
For the techies amongst us, the list below is as comprehensive as I can make it. Perhaps a spy agency would be the only one to implement everything on the list. Pick and chose, and implement as many as you can.
- If the router is new, see my suggestions for setting up a new router. Basic plan: make the most obvious few changes with the router off-line, go online behind another router to get the latest firmware, then make the rest of the changes.
- Change the password used to access the router (this is not a WiFi password). Don't use a word in the dictionary. Two words and a number should be fine (7coldapples). For more, see my router password advice. This is often the hardest step as it requires knowing how to access the router.
- If the router lets you change the userid used to logon to the router, change it
- If any of your Wi-Fi networks (a router can create more than one) use a default SSID (network name) then change it. Do not pick a name that makes it obvious that the network belongs to you. More...
- For Wi-Fi encryption, use WPA2 with AES or WPA3. If there is a choice to use TKIP or AES, opt for AES. There may also be an option to use both TKIP and AES - just use AES. Wi-Fi encryption will improve with WPA3 but WPA2 with AES is perfectly secure as long the password is long (next topic). If you see a reference to PSK that refers to the most common flavor of WPA2, which has a single password for the network. WPA2 Enterprise is the other flavor and it supports multiple users of a single network each with their own password.
- Wi-Fi passwords: Never use the default Wi-Fi password, even if it is long and random. Always change it/them. WPA2 passwords have to be long enough to fend off brute force attacks. This will not be an issue with WPA3. My best guess is that 16 characters should be sufficient, but the German government recommends 20. And, you really should not use a password anyone has ever used before.
- Check for new firmware. There are no standards here, every router has a different procedure. With most routers this will be an ongoing manual check, however, some are able to update themselves. Be aware of the risk; if something goes wrong you may lose Internet access. Best to do it at a time when your ISP has offices that are open, so the box can be exchanged, if necessary. For more, see the firmware updates page. Many routers no longer get firmware/software updates. If the last update for yours was a couple years ago, it is time for a new router.
- Turn off WPS
- Turn off UPnP.
UPnP is a protocol that lets devices on a LAN punch holes in the firewall of the router. This exposes these devices to the Internet at large where, if they are vulnerable, they can be hacked. Technically, UPnP enables port forwarding without the router owner even knowing what port forwarding is. You are safer with UPnP disabled. To see if your router is doing any Port Forwarding, you can login to the router. No forwarding of ports is the safe, secure state. That said, there is a chance that disabling UPnP will break some network communication used by a device on your network, most likely an IoT device. This is why it is enabled by default on all consumer routers - to cut down on tech support calls.
But this is only half the story.
We also need to worry about UPnP on the WAN/Internet side of the router. UPnP was intended to only work on the LAN side of a router, but some routers are so miserably mis-configured that they expose UPnP on the WAN/Internet side too. This is a huge, mistake, akin to a surgeon amputating the wrong leg. Fortunately, there is an online test, from Steve Gibson, that checks the public side of a router for the existence of UPnP exposed to the Internet. On the first page, of his ShieldsUP! service, click on the gray Proceed button. On the next page, click on the yellow/orange button for GRC's Instant UPnP Exposure Test. As of June 2018, Gibson had found 54,000 routers exposing UPnP. For more, read about hacks via UPnP: Hacker Streaming PewDiePie Videos on Exposed Chromecast Devices (Jan. 2019) and for techies: Do You Know Where Your UPnP Is? (Oct. 2016).
- Guest networks are your best friend. Use them not only for visitors but also for IoT devices. They should be password protected. Guest networks are usually, but not always, isolated from the main network. Review all the configuration options your router offers for the Guest network to insure they are isolated. The Security Checklist page has a list of options you might find.
- Network Isolation/segmentation: Guest networks are merely an appetizer, using VLANs for network isolation is the main course. Devices that only need Internet access should be prevented from seeing and being seen by other devices on the LAN. This prevents a single hacked device from causing grief for other devices on your network. See the VLAN page for more.
- In the beginning, routers were administered via a web interface and a computer in your home/office. Now, many routers offer Remote Administration via a cloud service and a smartphone app. Management via a mobile app can be especially dangerous as it is likely to work from anywhere. Test this when away from home or by connecting your mobile device to the 4G/LTE network of your cellphone provider. If an app on your phone can get into the router remotely (when not connected to a Wi-Fi network from the router), then you are trusting every employee of the router vendor not to spy on you. Disable this if you can. This is a big issue to me, so much so, that I might replace a router if remote cloud/app access can not be disabled. My preferred router vendor, Peplink, has a cloud-based admin system called InControl2, however it can be easily disabled and the router can be completely administered locally.
- If the router has a web interface, turn off Remote Administration (aka Remote Management, Remote GUI or Web Access from WAN). It is normally OFF by default, but take the time to verify this.
If you need Remote Administration, there are a number of ways to make it more secure, such as using HTTPS on a non-standard port and limiting the source IP address. The Security Checklist page has more on this.
- Turning off features you are not using reduces your attack surface. Among the features that should probably be disabled are SNMP, NAT-PMP, IPv6, Telnet access to the router and Application Layer Gateways (ALG). A longer list is on the Turn off page.
- Change the LAN side IP address of the router. Even better, change the entire LAN side subnet. See the page on IP Addresses for more. This helps prevent many router attacks. And, while you are at it, set up DHCP to allow for some static IP addresses.
- Change the DNS servers that your router gives out to attached devices. ISP assigned DNS servers are usually the default, and worst, option. Why bother? To use a company that specializes in DNS, to get some extra security and to have easy to remember DNS IP addresses. Two suggested DNS servers are 220.127.116.11 (from Quad 9, backed up by 18.104.22.168) and 22.214.171.124 (from Cloudflare backed up by 126.96.36.199). I also like OpenDNS at 188.8.131.52 and 184.108.40.206. Another option is 220.127.116.11 (Google backed up by 18.104.22.168). Some companies offer child friendly DNS servers. After configuring your preferred DNS servers, test that they are actually being used.
- Write down the critical information on a piece of paper and tape it to the router, face down. Include the Wi-Fi network names (SSIDs) and passwords, the router userid/password and the IP address of the router.
- For routers with a web interface, lock down access to the router from the LAN side. The Security Checklist page offers a dozen possible options (see the Local Administration topic) such as changing the port number(s) and limiting access by IP or MAC address. For routers that use a mobile app for administration, think about locking down access to the mobile app (this may require signing out).
- Turn off Ping reply. Sadly, different routers use different terminology for this. To test it, have someone ping your public IP address from outside your network. Steve Gibson's ShieldsUP! service also tests this.
- Turn off wireless networks when not in use. Some routers let you schedule this, others have a physical Wi-Fi on/off button, others have a mobile app. In the worst case, you have to login in to the router web interface to disable the Wi-Fi. In that case, a browser bookmark can ease the pain.
- Test if your router supports HNAP. If so, it should be replaced.
- Your modem is a computer too. Your router may be able to block access to the modem from all devices on the LAN. I blogged about this. See part 1 and part 2.
- If your router supports outgoing firewall rules, block the ports used by Windows file sharing. You may also want to prevent any network printers from making any outbound connections. This way if a printer gets hacked, it can't phone home.
- If the router can send email when certain errors occur, configure this feature.
- Try to prevent your router from spying on you. If you own a Netgear router, be aware that they added "analytics" with firmware updates released in April 2017. If you don't want Netgear watching your network, you need to login to the router and disable these analytics. For more on this, see the Bugs page for July 2017. Likewise, Asus and other routers include anti-malware software that may also be watching you. For more on Asus and their partnership with Trend Micro see the Bugs page from May 2017 and look for "Privacy issues with Trend Micro software in Asus routers" Trend Micro software is in other routers too and other anti-virus companies are also partnering with router vendors.
- The Test Your Router page has many ways to kick the tires on your router. One thing to look for is open ports. At Steve Gibson's ShieldsUP! site (click the gray Proceed button), start with the Common Ports test and pay special attention to the SSH (22) and Telnet (23) ports as these services are frequently abused by bad guys. The only good status for any port is Stealth (assuming remote administration is disabled). Next, do the All Service Ports test and finally, do the Instant UPnP Exposure Test (orange button).
- Test your router with my Shodan Query My Router page. It generates a Shodan query, a Censys.io query and nine other queries of your public IP address. If your router has been doing bad things, hopefully one of the queried sites will have detected it.
- The router tests mentioned above are only a partial solution. For the most thorough test, connect the WAN port of a router to be tested (inside router) to a LAN port on another router (outside router). Then, from a computer connected to the outside router, scan the WAN side of the inside router using NMAP looking for open ports. This lets you test all 65,535 TCP ports and all 65,535 UDP ports. There should be no open ports. Remote administration will require an open port but it should, normally, be disabled.
- Speaking of nmap, it is also useful to run it on the LAN side of the router. There should be one port open for local administration, assuming the router has a web interface. The hard part will be getting the router manufacturer to explain any other open ports. One reason I like Peplink is that getting an answer to this sort of thing is easy. When someone found port 8183 open on the LAN side the company explained why. In 2019, I blogged about a Netgear router that was still somewhat operational for UPnP, even when UPnP was disabled. The smoking gun was two open LAN side ports. (added Sept 8, 2020)
- MAC Address Filtering: A MAC address is a unique identifier assigned to every network interface. A router typically has three, one for the WAN/Internet port, one for LAN side Ethernet and another for Wi-Fi. A laptop computer will have one MAC address for Wi-Fi and, if it has an Ethernet port, a different MAC address for Ethernet. This option can be used to limit the devices that can connect to a Wi-Fi network (or maybe all Wi-Fi networks depending on the router). You can either set up an INCLUDE list of allowed MAC addresses or an EXCLUDE list of banned ones. The bookkeeping involved in maintaining these lists can be a pain in the neck. Perhaps the most interesting aspect of this is how much it tells you about someone making a recommendation. People who do not understand the technology recommend using it, unaware of a flaw. People with an intimate understanding of how it works, say not to use it because of the flaw. MAC addresses are always broadcast unencrypted, so a bad guy can see the allowed ones and copy them. Should you use it? It depends. While the security is far from perfect, it should block unsophisticated attackers, even if they know the Wi-Fi password. And, if you only have a small number of Wi-Fi devices, then the bookkeeping is not that bad. But, it can be hard to learn the MAC address of a Wi-Fi device, especially an IoT device or one using an operating system that creates random private MAC addresses. The world changes. (added April 26, 2021)
- Someone who works from home should have an their own network that is isolated from all the other devices in their home. I wrote about this in a September 2020 blog, A second router can make working from home much more secure. Because this network will have a very small number of connected devices, there are router options that, normally rejected for a larger network, now make sense. Specifically: disable DHCP, enable MAC address filtering, do not broadcast the SSID, use only 5GHz Wi-Fi and lower the Wi-Fi radio signal strength. None of these features is a perfect barrier to entry, but since no one does this, bad guys without good technical skills should be tripped up. And, use Ethernet whenever possible (many printers support Ethernet and USB/Ethernet adapters are cheap). This makes the most sense when using two routers or a main router that supports VLANs. These options are not a good fit when there is only one consumer/ISP-supplied router.
- Many routers let you change the WAN MAC address. If you can, do so. This only applies when you have a stand-alone router, it should not be done on a combination modem/router device. A MAC address is 6 bytes long, the first 3 bytes identify the company that made the hardware. Making a router from company A appear to be manufactured by company B may offer some defense against a malicious ISP. Valid MAC Addresses can be found here. It would be great if we could change the WiFi MAC address(s), but I have not seen that option on any router. This is what the feature looks like on a router made by Asus, TP-Link, Linksys and Peplink. (added April 16, 2021)
- Your router may not be the only device creating a wireless network. Many HP printers (and probably other vendors too, but I tend to see this from HP)
create their own Wi-Fi network using a feature called Wi-Fi Direct that lets wireless devices connect to the printer directly without going through the router. The security of Wi-Fi Direct is poor, so you should either connect a printer to your network -or- use Wi-Fi Direct. Do not use both. Suggestion courtesy of Ryan Woodings, the founder of MetaGeek.
(added March 19, 2020)
- Routers that have a web interface are best administered with a clean web browser session. That is, start up a browser, work with the router, then logoff the router and shut down the browser.
Here is one reason why you should logoff (from Nov. 2020). Better yet, use private browsing mode when working with the router. Even better, use a browser that has no (or very few) extensions or plug-ins installed.
- Bad neighbors can not target a Wi-Fi network that they do not see. To weaken the Wi-Fi signal that leaks out of your home, turn down the transmission power of the router.
There are some other roadblocks that, while not foolproof, are nonetheless a barrier to be overcome. Details are on the Bad Neighbors page.
(added September 2019)
- Eat your vegetables :-)
Final Steps top
When you are all done making configuration changes to a router, it is a good idea to back up the current settings. This way, should you ever have to reset the router, you can easily import/restore the last backed up state. Many routers can export the current settings to a file. With my favorite router, the Pepwave Surf SOHO, settings are backed up with System -> Configuration and click the Download button. The mesh routers that I have used can not export the current configuration settings to a file. If that's the case for you, consider taking pictures of the configuration screens.
One reason you might have to re-install the current configuration settings is if someone resets the router. All routers come with a pinhole reset. Someone malicious, who can physically touch the router, may simply reset the router to factory defaults as a way to get around the security. A business may try to physically restrict access to the router, but at home, this is probably not viable. To offer the best Wi-Fi performance a router needs to be out in the open which leaves it vulnerable to being reset.
Old school, techie-oriented routers have a ton of features. After making the changes above, its probably best to live with the router a while before changing some of the more obscure settings. Once you have a performance baseline, then consider enabling features like the detection and prevention of Denial of Service (DoS) attacks or SYN Flood attacks. Peplink, for example, offers Intrusion Detection and DoS Prevention that protects against 9 types of attacks. DrayTek routers offer protection from over 15 types of attacks.
If you do not use a VPN then you can turn off the VPN pass-through options.
Some Additional Thoughts top
I also have write-ups on Synology routers, Google Wifi mesh routers, Eero, the Turris Omnia router, Apple routers. These are mostly, but not exclusively, focused on security.
Off Topic: When one router does not provide sufficient Wi-Fi coverage, two common options are to add an Access Point (or two) or a mesh router system. The other popular option is a Wi-Fi extender (aka Wi-Fi booster or repeater), a single device that wirelessly connects to the router. If shopping for a Wi-Fi extender, be aware of these differences. Some can extend the existing network using the existing SSID, others require you to create a new SSID (or two). Some have two radios (2.4GHz and 5GHz), some have three. Those with three, use one to talk to the router and the other two to talk to your devices. An extender with two radios will offer the best performance if one radio frequency band is dedicated to communicating with the router and the other is dedicated to communicating with your devices. Finally, some have Ethernet ports, most do not.
The term "modem" is often mis-used. See exactly what a modem is.
The best possible over-the-air encryption is offered by WPA2 Enterprise instead of the more popular WPA2 Personal. For more on this, see the WPA2 WPA3 encryption page.
In August 2021, I blogged about Hiding on a Wi-Fi network. This was about hiding your computer from other devices on the LAN. This is mostly an issue when connected to a public Wi-Fi network, but it is also an issue with dedicated IoT networks at home.
Ongoing Care and Feeding and Defense top
- If the router does not self-update, then check for new firmware every month or two. If the router does self-update, check every now and then that the self-updating system is actually working. More...
- Register the router with the hardware manufacturer on the chance that they notify you of firmware updates. Netgear, for example, has a security newsletter that announces bug fixes. In December 2021, Google sent owners of their OnHub routers a note about their being discontinued and a coupon for large discount on a new router.
- Sometimes, when a router is hacked to run malware, the infection is permanent, but most of the time the infection is temporary. When it's temporary, the malware is removed by simply restarting the router. Malware on a router can easily go undetected, so, it can't hurt to reboot your router every now and then. Just for good luck. Maybe weekly. Maybe monthly. The VPNFilter malware, disclosed in May 2018, makes this all the more important.
- Every router can display a list of attached devices. It is good to check this every now and then to insure that you know what every device is. Better routers will let you assign names to each device (Susans iPad, Bobs laptop, Georges iPhone). You may want to assign every device a name that begins with "**" for example. That way you can easily scan the list of devices (some households have quite a few Internet-using devices) for names that do not start with your favorite string of characters. Be aware that the list of devices may not include all devices connected to the router. Read the fine print. It may only be those that are active at the moment or only those using DHCP. Some mobile apps for routers show you information about devices that have recently been on your network, even if they are not currently using it. FYI: If you have more than one SSID (you should) a good router will show you which SSID each wireless device is connected to. The Surf SOHO does this.
- A common attack against routers is to change the DNS servers. You need to know what the DNS servers should be (discussed above). Many websites report the currently used DNS servers. For example, www.perfect-privacy.com/dns-leaktest. Pick one or two and get in the habit of checking that your DNS servers have not changed. Consider making one of these sites your web browser home page to insure that you check it periodically. Yes, it is possible for a computer to be manually configured with DNS servers of its own and ignore the ones in the router. This would be a good thing to do on a laptop that you travel with and use on public Wi-Fi networks. It can insure you use known, trusted DNS servers. On the other hand, Peplink routers can force all attached devices to use the DNS servers in the router, even when the clients are configured to use other DNS servers. So, its complicated.
- If the router has any logging facilities, check the logs every now and then.
- Electricity: If either a modem or router is damaged by an electric surge, then you lose Internet access, perhaps for quite a while. It is best to connect each device to either a Surge Protector or a UPS. If shopping for a UPS, get an on-line or line-interactive model. These will boost the power when its a bit low and trim it when its a bit high. This is in addition to being a big battery for when the power fails. Any UPS should also provide surge protection. A good place to start when shopping for a UPS is the Tripp Lite SmartPro 1300VA which sells for about $150. Specs: LCD 120V 720W Line-Interactive UPS, AVR, Tower, LCD, USB, 8 Outlets.
Picking a Secure Router top
This topic has been moved to its own page. In brief: I recommend the Pepwave Surf SOHO router.
Conference Presentations top
I spoke on Securing a Home Router at the
HOPE conference in July 2014. This website grew out of that presentation. A PDF of the presentation is available
at box.net (last updated Oct. 4, 2014). Audio is available
at x.hope.net (thanks to 2600). An article about the talk appeared in Toms Guide.
I spoke again about Router Security, at the O'Reilly Security Conference on
Nov. 1st, 2017. The talk was very different from the first one. See a PDF of the slides or watch the video.
For other Router Security opinions, I maintain a list of articles. Many stink, the good ones are noted in bold.
You Are Safe Here top
This site is as clean as clean gets. There are no ads. There are no trackers. It does not set any cookies. None of the links here are affiliate links, I do not
profit from this site in any way. No need to believe me. You can test for setting cookies at cookieserve.com.
You can also test at Blacklight a website privacy inspector from The Markup. Just click here to run a live Blacklight test of this site. If you see any ads here, something (your
computer, browser or router) has been hacked.
Page Created: January 30, 2015
Last Updated: December 29, 2021 5PM CT
Viewed 1,650,923 times
(648/day over 2,548 days)
Copyright 2015 - 2022