The most expert person in the world can only make a router as secure as the firmware (router OS) allows. The following list of security features lets you judge how secure a router can potentially get. This is not a list of things to do to make a router more secure, that's on the home page of this site. If you care about securing a router, look for it to have the features below. Sadly, reviews of routers never discuss any of this.
- WPS (updated March 30, 2017)
- Is WPS supported? WPS has been such a security disaster that I would not want to use any router that supports it.
Since WPS is required for WiFi certification, it is widely present in consumer routers. Yet another reason, not to use a consumer
- At the end of March 2017, I added a new WPS page to this site with everything you ever wanted to know about it, and more.
- If you are using a router that supports WPS, then check to see if it can be turned off. There are two aspects to this. When the security issues with WPS first came
to light at the end of 2011, some routers would not disable WPS even when told to do so - a bug. Then too, some routers do not
let you disable WPS.
- WPS status: To verify that WPS is disabled use a WiFi survey type application such as the excellent WiFi Analyzer on Android. On Windows, look into
WiFiInfoView from Nirsoft - it is free and portable.
- NO DEFAULT PASSWORDS
Default passwords are a huge problem for routers and should not be allowed. Even default passwords that look random are not. Eventually, someone figures out the
formula for creating that password and can often use that, combined with public information from the router, to derive the password. Thanks to Russ for this idea.
- When initially configured, does the router force you to provide new, non-default WiFi passwords for every Wi-Fi network?
- When initially configured, does the router force you to provide a new, non-default password for logging in to the router itself?
One router that does is the Synology RT1900ac (User Guide, screen shot). I have read that DD-WRT also does this.
A malicious person on your network is bad enough, but we need to prevent them from being able to modify the router. The web interface of a router also needs to be protected from malicious web pages that exploit CSRF bugs.
- Is HTTPS supported? In 2013, Independent Security Evaluators tested 13 consumer routers. Some supported HTTPS, some did not. Every router that supported it, however, had it disabled by default. According to this thread, Netgear does not support HTTPS on the LAN side and customers have been asking for it since 2016.
- If HTTPS is supported, can admin access be limited exclusively to HTTPS?
- Can the TCP/IP port used for the web interface be changed?
- Does the router allow very short passwords?
- Can access be restricted by LAN IP address? To really prevent local admin access, limit it to a single IP address that is both outside the DHCP range and not normally assigned.
- Can admin access be limited to Ethernet only?
- Can access be restricted by MAC address? The TP-Link Archer C7 supports this. See screenshot.
- Can router access be restricted by SSID and/or by VLAN? The Pepwave Surf SOHO can do both of these since it can
assign an SSID to a VLAN (screenshot).
- Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
- Is there some type of lockout after too many failed attempts to login to the web interface? Peplink added this in firmware 7.0.1, released June 2017.
- Is there a CAPTCHA option for logging in? (D-Link offers this)
- Does the router create an audit log every time someone tries to logon, whether the logon was successful or not?
- Users on a Guest Wi-Fi network should not be allowed to access the router's admin interface
- Can you logout of the web interface? You should be able to. I have seen Linksys and D-Link routers without a Logoff button.
- Does it time out? It should, and you should be able to set the timeout period. See Cisco example.
- Is it off by default? It should be. The Linksys AC1900 (EA6900) has Remote administration enabled by default.
- Can it be limited to HTTPS only? To me, this is an absolute must. The Netgear Nighthawk R700, despite great reviews, only supports remote
management over HTTP which means your password travels in the clear. I have seen this too with low end Asus routers, while their higher end models
do offer HTTPS.
- Can the port number be changed? (also a must)
- Can access be restricted by source IP address or source network?
Here is an example of this, from
a Pepwave Surf SOHO router running Firmware 6.2. The "Allowed source IP subnets" is where you can set multiple IP addresses (yes, its a bit confusing) and IP
subnets from which remote administration is allowed. In reference to the two previous issues, the security for remote administration can be HTTP only, HTTPS only,
or both. In the screenshot, it is HTTPS only. The "Web admin port" is the port used for remote administration, in the screenshot it is 12345. The "Web admin access"
can be set to LAN only or, as in the example, both LAN and WAN.
Most of us, at home, have a dynamic IP address from our ISP which at first glance would seem to rule out using this security feature (anyone who works in an
office with a static public IP address can, of course, use it). But, a couple VPN providers offer static IP addresses. One is Nord VPN, which lets an account be assigned a
static IP address. TorGuard, another VPN company, also offers a static IP address ($8/month as of April 2015). If you know of another, email me.
- Does it time out? (it should) That is, if you forget to logout from the router, eventually your session should time out, and, you should be able to set the time limit,
the shorter, the more secure.
- Does the router create an audit log every time someone tries to logon, whether the logon was successful or not?
- Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
- Is there some type of lockout after too many failed attempts to login to the web interface? Peplink added this in firmware 7.0.1, released June 2017.
No one can hack into a network that does not exist.
FIREWALL (updated Jan. 14, 2019)
- Can the wireless network(s) be scheduled to turn off at night and then back on in the morning? Three routers that offer this feature are my favorite, the Pepwave Surf SOHO, the Amped Wireless RTA1750 and the Synology RT1900ac.
- Is there a WiFi on/off button? The idea is to make it easier to disable WiFi when its not needed. When this is easily done, more people will do it. This is a somewhat rare feature. Worse, many routers that I have seen with a WiFi on/off button had a very small button that was hard to reach.
Some routers with Wi-Fi On/Off buttons are the TP-Link Archer C7, C9, D9 and C3150, the Asus RT-AC68U, RT-AC86U and ROG Rapture GT-AC5300 , the Netgear R6220, some FRITZ!Box routers, popular in Germany and Australia (closeup) and the Synology RT1900ac.
Two Netgear routers (maybe more?) have the button in an easy to locate position on the top of the router: the Nighthawk X4 R7500v2 and the NETGEAR R6400-100NAS.
The Synology RT2600ac has the button on the side where it should be easy to reach. Same for the Asus RT-AC1900P.
There are three aspects to the security of a router firewall.
- Inbound WAN: What ports are open on the WAN/Internet side? The most secure answer is none and you should expect any router not provided by an ISP to have no open ports on the Internet side. One exception is old school Remote Administration, which requires an open port. Every open port on the WAN side needs to be accounted for, especially if the router was provided by an ISP; they often leave themselves a back door. The
Test your router page links to many websites that offer firewall tests. That said, none of them will scan all 65,535 TCP ports or all 65,535 UDP ports. The best time to test this is before placing a new router into service. See the page on New Router Setup for more.
- Inbound LAN: What ports are open on the LAN side? Expect port 53 to be open for DNS (probably UDP, maybe TCP). If the router has a web interface, then that requires an open port. The classic/standard utility for testing the LAN side firewall is nmap. There are some instructions for using nmap on the New Router Setup page. As with the WAN side, every port that is open needs to be accounted for.
- Outbound: Can the router create outgoing firewall rules? To me, this is a huge consideration. There are all sorts of attacks that can be blocked with outgoing firewall rules. For example, a firewall rule can insure that a baby monitor stays within the home and never sends any data to anywhere on the Internet. Here is an example of a Peplink firewall rule that blocks access to a domain for all devices connected to the router. Generally, consumer routers do not offer outbound firewall rules while business class routers do. In addition to blocking, it would be nice if the blocks were logged for auditing purposes. Note however, that devices connected to Tor or a VPN will not obey the outbound firewall rules.
Although every router offers WPA2 encryption with Pre-Shared Key (PSK) there are still things to look for:
GUEST NETWORKS (updated Jan. 26, 2021)
- Verify that the router offers WPA2 exclusively. If the only option is a combination of WPA and WPA2, then it is not as secure as WPA2.
- After opting for WPA2 encryption, a better router will always use AES or CCMP (two terms for the same thing). Some routers offer TKIP as an option
with WPA2. TKIP is not as secure. Meraki is high end wireless vendor owned by Cisco. I have seen a network running their hardware offer WPA2 with TKIP. If there is no secondary option, then, after you select WPA2, then you will need to use a WiFi scanner app, such as WiFi Analyzer on Android, to see if it is using AES, CCMP or TKIP.
- Look for WPA2 Enterprise support. This will be too high a bar for most people, but it is more secure than normal WPA2 (which technically is WPA2-PSK where PSK means Pre-Shared Key, which really means one and only one password). The upside is that WPA2-Enterprise lets every Wi-Fi user have their own userid and password. The downside is that it requires a RADIUS server to handle these userids/passwords. See the WPA Encryption page for more.
A guest network is a good thing for security. If nothing else, it gives you a second SSID with a second password, so you don't need to give visitors to your home or office the password for the main network/SSID. I blogged on this December 2015: To share or not to share - a look at Guest
Wi-Fi networks. But, all guest networks are not the same, here are some features you may run across.
- The biggest security feature of a wireless guest network is that it can keep guests/visitors and IoT devices away from the main/private network. When this is working
properly, guest users will not be able to see anything that is Ethernet connected to the router, or, anything that is connected to a non-guest
wireless network from the same router. Some routers always offer this separation, others let you configure it. The feature is assigned different names in different browsers.
- Asus calls it "Access Intranet"
- Both Synology and TP-LINK call it "Allow Guests to access my local network" (see TP-LINK example)
- D-Link calls it "Internet access only" in the Guest Zone
- TRENDNET also calls it "Internet access only" and they explain that it "prevents guests from accessing the private LAN network".
- Eero and AmpliFi have no configuration option for this.
- Peplink does not offer Guest Wi-Fi networks, but any Peplink SSID can be isolated by assigning it to a VLAN that does not allow inter-VLAN routing. (more)
- With Google Wi-Fi, sharing between the Guest and main network is always enabled, but devices on the main network are only shared if you specifically share them in a Google app.
More here: How Google wants to re-invent the router (April 2017).
- Older Netgear routers had an option to "allow guests to access my local network". From a March 2015 article at How-To Geek. I am not
sure if this still exists.
You can test whether the Guest and main networks are isolated with a LAN scanner app such as Overlook Fing which runs on iOS, Android,
Windows and OS X. If run from a Guest device, the scan should not see any devices on the private network. Another option is, from a guest network, to try and access a NAS or
a network printer or any other LAN device exposing a web interface. Finally, there is the simple Ping command.
- If isolating Guest devices from the main network is step 1, isolating them from each other is step 2. This increases security because if one Guest device (probably IoT) is
malicious, the router can prevent it from seeing any other devices. Guest devices can be fooled into thinking they are the only device connected to the router. Put another way, Guest devices
can see the Internet and nothing but the Internet. A few routers let you configure this, most do not. What is the default behavior when there is no configuration option?
You will need to test for yourself as described above. While it is more secure to not let Guest/IoT devices see other devices on a Guest network, there are times when you want to do this. The solution there is to have more than one Guest network, one where devices can see each other and one where they can not. Peplink is the only company I know that allows this level
of configuration and it does this on each of the many wireless networks their routers can create. As for consumer routers:
- TP-LINK calls this "Allow Guests to See Each Other"
- TRENDNET calls this "Wireless Client Isolation" and they explain that it "isolates guests from each other"
- Synology (as of SRM 1.2.3) has no option for this. Guest users are isolated from each other by default
- According to a March 2015 article at
How-To Geek, older Netgear routers had an option to "enable wireless isolation" which prevented guest users from seeing each other. However, the Netgear Nighthawk X6
combined two options into a single option called "allow guests to see each other and access the local network." Not good. As the article says
"There are numerous, and perfectly valid, reasons for wanting to enable one and not the other (e.g. your kids want to play network games with
their friends on the guest network so network isolation must be disabled, but you don't want them to access your LAN)..."
- If there are multiple guest networks (often one on the 2.4GHz band and another on the 5GHz band with different SSIDs), then the question becomes whether guest users on one guest
network can see guest users on another guest network.
- Guest networks should offer the same over-the-air encryption options as other Wi-Fi networks. Specifically, WPA2 or WPA3 . It is unlikely that a Guest network will support the Enterprise version of WPA2 or WPA3 (Peplink does). Way back when, Belkin and Linksys Smart WiFi routers did not support WEP, WPA or WPA2 on
their Guest networks. Way back.
- Each Guest network should offer its own password. Linksys offers two Guest networks but they must share the same password. Ubiquiti AmpliFi routers default to not having a password on the Guest Network. You can add a password, but this is done on a different screen in the mobile admin app and thus easily missed.
- A Guest user should not be able to make administrative changes to the router. Better still, they should not be able to see, never mind logon, to the admin interface of the router.
I have never seen this discussed in relation to any consumer router so it is the sort of thing you will have to test for yourself. I have tested two, Peplink and Synology, both of which have a web interface. Synology routers do not allow Guest users to access the web interface of the router. It is not a configurable thing. With Peplink, this is configurable, you can limit router access to a single SSID or VLAN or to the untagged LAN. Routers that are administered with a mobile app are a
whole different thing. I have no idea if any of them limit router access by Guest devices.
- Some Guest networks are not normal, instead they are Captive Portals. This is the type of network typically seen in a hotel, where you have to first view a web page with details of
allowable behavior and acknowledge having seen it before being allowed Internet access. This is bad, mostly for usability; clients can appear to be connected, but they are not.
See this June 2015 article by Chris Hoffman Warning: Guest Mode on Many Wi-Fi Routers
Isn't Secure. I also blogged about this in June 2015: Linksys Smart Wi-Fi makes a stupid Guest network. Then, In January 2021, I wrote The Misery of a Linksys router which had more about their use of Captive Portals for Guest Wi-Fi.
- Some routers let you schedule the guest network(s). It would be great if you could turn it on for X hours and then have the router de-activate it.
Probably the worst thing about guest networks is leaving them on all the time. Synology and Peplink support this as does the Ubiquiti AmpliFi. So too does the Trendnet TEW-813DRU. The company has an online emulator from which I took a screen shot.
- No one can hack or use a network that does not exist. To that end, it should be as easy as possible to enable and disable a Guest Wi-Fi network. I would assume that a router administered with
a mobile app would involve fewer steps/clicks than one with a web interface. Another option is voice: Eero (owned by Amazon) can be told to start and stop the Guest Wi-Fi network with
Alexa commands. Likewise, at least one D-Link router can also be connected to Alexa and then told to start/stop the Guest Wi-Fi. On the other hand, this is not very secure, especially in a
home with children. Everything is a trade-off.
- Does the Guest network share the same subnet as the private network or use a different one? Different is better and is what I have usually seen.
- Nice to have: Some routers (Peplink, Ubiquiti AmpliFi and Synology for example) let you limit the total number of concurrent guest users. Synology screws this up
however as the two lowest options are 1 and 16. That is, you can not, for example, limit a Guest network to two or three users.
- Nice to have: Some routers let you limit the bandwidth of guest networks. In the TP-LINK example above, it is not clear if the limit
applies to the entire network as a whole or to each user individually.
- New Guest alert. It would be nice to be alerted every time a new Guest user/device logged on. The discontinued Norton Core router was the
only one I knew of that could alert you
when a new user joined the Guest Network. Eero does alerts of new users in its mobile app on the main network, I have not tested this on the Guest network. Peplink can log every
time a new device is assigned an IP address, but it does not offer passive alerts.
- FYI: On consumer routers, the Guest Wi-Fi network(s) use the same DNS servers as everyone else connected to the router. On higher end business/professional
routers, such as Peplink, Ubiquti UniFi, Cisco and Draytek, an SSID can be assigned to a VLAN and thus each SSID can use different DNS servers.
- FYI: Time limits. The discontinued Norton Core router could apply different time limits to each individual Guest device. Five minutes
before a users time was going to expire, the router could alert you, so that the time could be extended.
- FYI: Some routers do not let you chose the Guest network name. The Linksys Smart WiFi line, for example, always uses the SSID of the private network and appends
"-guest" at the end.
- FYI: Vouchers. The Ubiquiti UniFi system can run a Guest network based on vouchers. Users are forced to enter a voucher ID on a captive portal page. Vouchers can be single-use or multi-use. They last for a customizable amount of time and can also be linked to a bandwidth quota or bandwidth limits. You can print a sheet of codes, cut it up and give them out. The down side is that this requires Ubiquiti controller software. More
- FYI: Synology routers have Guest networks designed for businesses rather than consumers. One feature they offer is the ability to generate a new Guest Wi-Fi password every day.
Still, I would avoid Synology routers.
- FYI: Kick the tires on how an Asus router configures Guest networks and see documentation on guest networks from TP-LINK, Netgear and Linksys.
ROUTER ADMIN PASSWORD
- Can the userid for the web interface be changed? Every router lets you change the password, a few let you also change the userid. This is most
important when using Remote Administration. An
October 2016 study of 12,000 home routers by ESET found that "admin" was the userid "in most cases."
- Is there a read-only user? Most routers only allow for one userid, but some allow for two: one with full admin privileges and one that is only
allowed to view stuff but not make changes.
- Many users: this seems like overkill to me, but some routers let you define multiple userids. A Verizon DSL gateway, the D-Link 2750B lets you go so far as defining groups of users.
MAC ADDRESS FILTERING
- How long can the router password be? In one of my favorite stories, Brian Krebs ran across a router that only supported passwords up to 16 characters long. Quoting from
his article: "I helped someone set up a ... ASUS RT-N66U ... router, and ... made sure to change the default router credentials ...
... my password was fairly long. However, ASUSs stock firmware didnt tell me that it had truncated the password at 16 characters ....
when I went to log in to the device later it would not let me in ... Only by working backwards on the 25-character passphrase I'd chosen - eliminating
one letter at a time ... did I discover that the login page would give an "unauthorized" response if I entered anything more than that the first
16 characters of the password". I have also read of a D-Link router that limits passwords to 15 characters and also does not make this clear.
So, test if your router allows a 17 character password. It should.
- How short can the router password be? Very short passwords should not allowed.
- Are the password rules explained? When you change the router password, does the User Interface explain the rules about acceptable passwords?
That is, does it say anything about the length of the password or if any characters are not allowed?
- Does the router defend against brute force password guessing? After a certain number of wrong passwords it should do something to prevent further
I am well aware that MAC address filtering is far from perfect. That said, it does make it harder for bad guys to get on to
your network. Many people say not to bother with it, both because its a big administrative hassle, and, because it wil not block a skilled attacker. The administration hassle, however, is not the same on all routers.
UPnP (Revised Jan 12, 2019)
- The big question with MAC address filtering is whether this feature applies to all networks created by the router, or, to all networks on the
same frequency band (2.4GHz or 5GHz), or, in the best case, if there are separate MAC filtering lists for each individual network/SSID?
If a router supports independent filtering lists for each SSID, then MAC address filtering can be used for the main, private SSID and not used
on guest networks. This makes it a practical solution as the maintenance hassle is so low.
- Another aspect that can make this much easier to deal with is comments. That is, instead of just maintaining a list of black- or white-listed MAC
addresses, the router should also let you add a comment to each MAC address. This way you can easily check if computer X is already in the list or not.
And, when tablet Y is lost, it makes it easy to remove it from the list. Of the routers I have seen, only AirOS firmware running on a Ubiquity
AirRouter offered the ability to add a comment. It looked like this.
Universal Plug and Play (UPnP) can be a security problem in two ways. It was designed to be used on a LAN where it lets devices
poke a hole in the firewall. It is how IoT devices make themselves visible on the Internet, where many of them get hacked, either due to security flaws or the use of default passwords. UPnP was never meant to be used on the Internet, but some routers mistakenly enabled it there too. Most routers let you disable UPnP on
the LAN side.
- Is UPnP enabled on the LAN side? As a rule, consumer routers have UPnP enabled, while business routers have it disabled. Can you disable it? If not, throw out the router. The D-Link DIR-880L is the rare
router that does not let you disable UPnP. Early releases of Luma routers did not let you disable UPnP. As of a software update from August 2016, UPnP can be disabled.
- Is UPnP enabled on the WAN side? Steve Gibson's UPnP exposure test is the only way that I know of to test for UPnP being enabled on the WAN/Internet side of a router. Start at his ShieldsUP!, then click they gray "Proceed" button. On the next page click the big orange button
labeled "GRC's Instant UPnP Exposure Test". I would take any router that fails this test out of service.
- If you must use UPnP, then look for a router that offers detailed status information about the state of forwarded ports, such as the app that made the UPnP request and details on the currently active port forwarding rules. Some port forwarding rules come from UPnP and some don't. It is best to use a router that clearly shows which port forwarding rules came from UPnP requests. Synology routers display a UPnP client list. The TP-LINK Archer C7 has an online demo of the C7 user interface. Click on Forwarding, then UPnP to see its display of UPnP information, which includes a description of the application that initiated a UPnP request, the external port that the router opened for the application, the IP address of the LAN device that initiated the UPnP request, and more. Netgear KB article, How do I enable Universal Plug and Play on my NETGEAR router? describes a UPnP Portmap Table that displays the IP address of each UPnP device accessing the router, which ports that device opened and what type of port is open and whether that port is still active for each IP address.
- Disabling UPnP: Eero enables UPnP by default, but it can be disabled. The Ubiquiti AmpliFi mesh router has UPnP enabled by default, but it can be disabled. Google Wifi routers enable UPnP by default, but you can disable it. UPnP was abused in Jan. 2019 to play videos on exposed Chromecast devices. This article by Lawrence Abrams has instructions for disabling UPnP on routers from Netgear, Linksys, D-Link, Verizon FIOS, TP-Link, Google Wifi and Eero.
- An example of the router security enemy is the UPnP PortMapper program that can be used to "manage the port mappings (port forwarding) of a UPnP enabled internet gateway device (router) ... Port mappings can be configured using the web administration interface of a router, but using the UPnP PortMapper is much more convenient". Ugh.
- NAT-PMP is very similar to UPnP but most often found on Apple devices. If a router
supports NAT-PMP, check whether it can be disabled. According to Apple, NAT-PMP is included in OS X 10.4 or later, AirPort Extreme and AirPort
Express networking products, AirPort Time Capsule, and Bonjour for Windows.
- Disabling NAT-PMP: How to Turn Off NAT-PMP
on Airport Routers from iOS, How to Turn Off NAT-PMP on Airport
Routers from macOS
- The Pepwave Surf SOHO ships with both UPnP and NAT-PMP disabled. You can verify this in firmware 7.1.2 at the Advanced tab -> Port Forwarding. There are checkboxes for both UPnP and NAT-PMP.
- pfSense supports both UPnP and NAT-PMP but not only does it let you disable
them, it also has some extra security of its own.
- Can it be limited by source IP address and/or source IP subnet? The secure answer is yes. For example, both Real VNC and Apple Remote
Desktop listen for incoming connections on TCP port 5900. Without this feature, anyone in the world can connect to these programs on that port.
Bad guys scan the Internet to find devices that are listening on port 5900. With this feature, you can limit who is allowed to talk to the software
on port 5900. The official term for this, I believe, is IP Filtering.
- Can port forwarding be scheduled? If a techie uses Real VNC or Apple Remote Desktop to help a non-techie with their computer, but only does so in
the evening, then this feature lets the forwarding of port 5900 be disabled in the morning, afternoon and late night.
SELF-UPDATING FIRMWARE (added Sept 29, 2016, revised Feb 15, 2017)
- Can you be passively notified (typically via email) by either the router or the company that produced it, when there is new firmware?
Peplink does this. See an example from December 2015, announcing firmware version 6.3.
Most routers require you to seek out firmware updates on your own.
- For a new router: does it attempt to update the firmware as part of the initial setup process? Tests run by the Wall Street Journal in early 2016 found that 10 out of 20 routers did not.
- For an existing router: can it automatically update the firmware on its own? If so, see the next topic. While auto-updating may be appropriate for routers owned by non-techies, it is not always a good thing. Personally, I prefer to be in charge. This lets me install bug fix releases fairly quickly but delay new versions/releases.
- How easy is the upgrade process? Better routers can completely
handle a firmware update in the web user interface. Lesser routers force you to download a file, then upload it back to the router. This harder procedure
makes it less likely router owners will update the firmware. Also, being able to handle the update completely in the router web interface, means
that the firmware upgrade can be done by a remote user.
- The new firmware may reset some options. To protect against this, its a good idea to manually backup all the current settings before upgrading.
The Pepwave Surf SOHO always reminds you to do this. Does your router?
- If there is a function in the web interface to check for new firmware, does it actually work? I can personally attest that many routers do not. David Longenecker writes that "Asus is
notoriously inconsistent at keeping their auto-update servers up to date..." Tests run by the Wall Street Journal in early 2016 found 2 of 20
tested routers incorrectly reported their firmware was up to date.
- Is the firmware downloaded securely? (HTTPS, SFTP or FTPS) There are two parts to this question as the firmware may be downloaded
by the router itself or by you manually from the vendors website. Good luck answering this question.
- Is new firmware validated before it is installed? Good luck answering this too. If its not validated then a bad guy or spy agency might be able
to trick you or your router into installing maliciously modified firmware. In Feb. 2014 David Longenecker examined an ASUS RT-AC66R router in detail and found that it used no security at all in checking for, and downloading, new firmware.
- Does the router support multiple installed firmwares? This great feature lets you back out from a firmware update that causes problems and thus eliminates most of the risk that always exists when installing new software. The best company I have seen here is Peplink/Pepwave which lets you
easily reboot into the prior firmware. This can also help if a configuration change causes a problem.
The Linksys EA6200 can also restore a prior version of the firmware.
Routers that automatically update their firmware have their own issues. A list of self-updating routers is on the Resources page.
- Is there an audit log of each firmware update issued by the router vendor? Something along the lines of what Microsoft provides for Windows 10.
- Is there an audit log of each firmware update installed on your router? Only by comparing these two logs can you verify that the auto-update system is
working correctly. Also, if you experience network problems, it is vital to know when the last firmware was installed.
- How often does the router check for updates? Can you control this?
- Can you be notified of firmware updates beforehand? Afterwards? If so, what type of notification?
- If you are notified beforehand, can you schedule the firmware installation and the necessary reboots it entails?
- Even if you are not notified of available updates, can you set a schedule for when installation/reboots are allowed? That is, reboot at 3am but not at 3pm.
- Can you force the router to check for new firmware?
- Can you force the router to update to newly available firmware, or do you have to wait for its regular check-in?
- If you do nothing, how quickly will newly released firmware be installed? Eero promises to
install new firmware "within a few weeks"
- When the router phones home looking for updates does it do so securely with TLS?
- When the router downloads new firmware does it so securely with TLS?
- Is newly downloaded firmware validated in any way, such as being digitally signed?
- Does the router support multiple installed firmwares? (so you can fall back in case an update causes a problem) If not, then can you install old firmware if a new version caused a problem?
- Is there a manual over-ride mechanism for installing new firmware in case the auto-updating system fails?
- Does the vendor document the changes in each firmware update? If so, do they do it well?
- Can you tell what version of the firmware is now running? If its a multi-device mesh router/system, then the question applies to each device.
- How smart is the auto-updating system? Specifically, can it self-update within the same firmware version, but update when there is a major new firmware release? Synology offers this on their NAS boxes. You can configure the NAS to self-update from version 5.1 to 5.2 to 5.3, but not to automatically update to version 6.
- Can you backup the router settings to a file? Pretty much any router can do this, but with auto-updating I wonder if that feature still exists.
- In a mesh system involving multiple devices, do all the devices update their firmware at same time? If not, how is it handled?
- In a mesh, what happens if one device gets new firmware but another device does not? Can the system run if the three devices are not on the exact same firmware release?
As for answering these questions, someone from Linksys was kind enough to address these issues for their routers in Feb. 2017. I created a new page for
Self Updating Router Firmware and hopefully I can get answers from other router vendors too.
Is the router vulnerable to the Misfortune Cookie flaw? This is not something we can test for ourselves, nor
is there a full list of vulnerable routers anywhere. We need to have the router manufacturer issue a statement. So this is really a test of how the router
vendor handles security issues. Did they post anything on their website? If you ask them, will they intelligently respond? The bugs page on this site links to responses from Actiontec and Peplink that their routers are not vulnerable. I looked for a Netgear
response and could find nothing. ZyXEL patched some of their routers but not others. If a company is not forthright about this flaw, then you know
that they can't be trusted to make a secure product. And, even if they were vulnerable, but issued updated firmware, I would also be concerned as this
means they shipped extremely old software.
Can the router block access to a modem by IP address? See my blogs on this part one and part two. Put another way, does the router
offer outbound firewall rules.
LOGGING: (revised Nov. 23, 2015)
- Is there a log file (or files)? There should be, and hopefully, the data in the log is reasonably understandable and useful. I find the log created by Asus routers
all but worthless. An old Verizon DSL gateway, the D-Link 2750B, had both a System Log and a Security Log. The Pepwave Surf SOHO has a single log file. The D-Link 860L has three log files:
System, Firewall & Security and Router Status.
- Does it log unsolicited incoming connection attempts? I consider this particularly interesting as it helps to illustrate how dangerous the Internet is and why a
secure router is important. Its one thing to be preached to about how dangerous the Internet is, but quite another to see evidence of computers all over the world trying
to hack into your router. If you see computers from China trying to access certain ports on the router, you can research the ports, try to close them, or forward them
to a non-existing local IP address. This may be asking too much of a router, that is, it may require a NGF or UTM).
- Does it log failed logon attempts? Successful logons? Failed logons are obviously good to know about, but so too are successful logons, just in case the person in charge
of the router was not the one who successfully logged in. Hopefully, the logged information includes the source IP address.
- Is anything logged when a new device joins the LAN? It would make a great audit trail if the router logged the client MAC address every time a new device joined
the network. As of Firmware 6.3, released in Jan. 2016, Peplink can optionally log each time an IP address is given out by its DHCP server. There is no option, however,
to log the appearance of a new device with a static IP.
- Can it log all Internet access by a single device? In Nov. 2015 it came to light that a Vizio Smart TV was watching you
and phoning home screen shots, even when it was playing video from an external source (think Roku and DVD). This feature lets you keep a close watch any any such
"smart" device. It can be used to track children online. My favorite router company, Peplink, is due to roll out this feature in Firmware version 6.3 by the end of 2015.
- Does it log changes made to the router configuration? Peplink, does a poor job of this, their log typically just says "Changes have been applied" with no
indication of what was changed. On the other hand, the D-Link 860L logs nothing at all, not even the fact that something changed. The best I have read about are some
DrayTek routers that create an audit trail/log of all admin access/activity.
- Do the log files disappear when the router is powered down? If so, it makes it that much harder to spot trends or changes. The logs on the D-Link 860L are wiped
out when it is powered off. This is not true on the Pepwave Surf SOHO.
Can the router send an email message when something bad happens?
- If so, what types of errors can it email about? At the least, it should be able to send an alert if one of the log files fills up.
- This is particularly useful for multi-WAN routers, that is, routers that are connected to two or more ISPs. When one Internet connection fails, it can use another to send
an alert email. Peplink is great at this.
- Can messages be sent to only one recipient or to many?
- I have not seen a router that can send a text message, but there are services that convert emails into texts.
Not everyone needs DDNS, it is mostly used for remote administration. If you do need it, there are some options to look for.
MONITORING ATTACHED DEVICES
- Does the router phone home to the DDNS provider using HTTP or HTTPS? Good luck trying to figure this out. The DDNS provider may have a log file that you can check or use this as a test of technical support.
- How many DDNS providers are supported? The more the better. Also good, not being limited to Dyn.
Its nice to know who/what is connected to the router
Can you disable the file sharing of storage devices plugged into a USB port? This came up in May 2015 with the industry-wide NetUSB flaw. Some routers
let you disable the buggy file sharing, others did not. Netgear, for example, admitted there was no way to disable to flawed file sharing software.
NetUSB was the second file sharing flaw that I am aware of. Asus had a bug here that exposed
files plugged into a USB port to the Internet at large.
- A good router will offer, at a glance, a list of all the attached devices. Having them all shown on one screen makes it easy to spot anything out of the ordinary. This screen shot from a Pepwave Surf SOHO shows that it uses a space-saving single line per attached client.
- Along with this, a great feature to have, is the ability to give friendly names (i.e. Susans iPad, Joes laptop) to the attached devices. This too, should make it easier to spot new devices. The name column of the Surf SOHO display of attached clients is editable, allowing you to enter anything that makes sense to you. The Ubiquiti AmpliFi could not do this initially, but a later firmware update added this ability.
- I used to have a router that would only show devices with a DHCP assigned IP address. You never knew about any devices with static IPs, which stinks. In December 2014, Chris Hoffman
wrote "Many routers simply provide a list of devices connected via DHCP". Hopefully this gets phased out over time.
- Internet sessions/sockets: It can be very handy to see all the connections a LAN-resident device has to the Internet. For one, you can verify that a VPN is working the way it is supposed to, that all traffic flows over a single encrypted link to a VPN server. You can also use it to verify that an online banking app really has a secure connection to the bank. And, you can use it to check if a Smart TV is phoning home and reporting on your viewing habits. Among the routers that report on this level of detail are the D-Link DIR860L and my favorite, the Pepwave Surf SOHO.
- The item above refers to connections a device currently has. It would also be helpful if the router could produce an audit trail of every connection made by a single device. This crosses over into the topic of Outbound Firewall rules. (Added Jan 30, 2019)
- Non-security: If the router is creating multiple WiFi networks, it is nice to see which devices are connected to which network. The Pepwave Surf SOHO does this in the "Network name (SSID)" column.
- Non-security: Its nice to be able to see the signal strength, from the routers perspective, for each attached wireless device.
The Pepwave Surf SOHO does this in the "Signal" column.
- Non-security: Another nice monitoring feature is showing the current bandwidth used by each connected device. The Pepwave Surf SOHO does
this in the "Download" and "Upload" columns. It defaults to kbps but can be changed to Mbps.
- Non-security: Its nice to have a bandwidth history.
The Pepwave Surf SOHO offers a daily bandwidth summary showing total Upload and Download
Megabytes. From the daily summary, you can drill down to an hourly summary. From the
hourly summary, you can drill down to each specific device within that hour.
- Hiding on the LAN: Here is an oddball case that I ran across. A device may be able to hide from the router, if it only talks to devices on the LAN and
never makes a request out to the Internet. That is, if it only makes use of the switch in the router, but never the higher level functions of the device.
You can test this if you have a printer or a NAS with a static IP address. Reboot your router, then, from a computer on the LAN, send an HTTP request
to the device with the static IP address and get back a web page. Then check the router list of attached devices. Does the router show the
printer/NAS/whatever as being on the network? Maybe not. Yet, it communicated with a device on the LAN.
If you must use a router to share files, then look for one that offers a way to safely
disconnect the USB storage device. At least some Linksys routers have a Safely
Remove Disk button. TRENDnet labels their button Safely Remove USB Device.
And, just for good luck, avoid putting sensitive files on the storage device plugged into the router. My
suggestion, however, is to look for a low end Synology or QNAP NAS device. As of May 2015 the cheapest Synology NAS (model DS115j) is $100 without
a hard drive. QNAP seems to start around $120, also without a hard drive.
Access to the web interface of a router is typically done via IP address. But dealing with IP addresses may well be too much for non-techies. Thus, to make
things easier (almost always a security issue in the making) for people, some router companies offer fixed names. This lets someone on the LAN get into
the router with http://something.easy rather than http://126.96.36.199. Netgear uses www.routerlogin.com and www.routerlogin.net. TP-LINK
uses tplinklogin.net, Asus uses router.asus.com, Netis uses netis.cc, Edimax uses edimax.setup, Amped Wireless uses
setup.ampedwireless.com, Linksys uses
myrouter.local and linksyssmartwifi.com. According to
RouterCheck.com (the page is
both undated and un-credited) this is a security weakness. Even if you follow the advice offered on this site, and elsewhere, to use a non-standard local
subnet (such as 10.11.12.x) bad guys can still find your router (most likely via CSRF in a malicious web page) using these aliases. In addition, none
of the router vendor documentation indicates that any of these names support HTTPS, which should always be used when logging in to
SSID hiding: (added Nov. 11, 2015) Like MAC address filtering, this offers only a small increase in security and comes with a high hassle factor. It was not included here at first, because I had not run across a router that did not offer it. But, there may well be some. Some routers, like those from Google, are focused on ease of use for non-techies and thus throw many features overboard. They, and others, may well omit this feature. Not sure.
Smartphone apps: (updated Feb. 1, 2019)
Security when administering a router via a web browser is easily understood, but smartphone apps are different.
PRIVACY (Updated Jan. 17, 2019)
- Does the app talk directly to the router or does it talk to the hardware vendor?
- If the app works remotely, how?
- What permissions does the app need? Does it ask for more permissions than it needs?
- Can you log out of the app?
- Does the app communicate with Bluetooth or WiFi?
- If app uses WiFi, is it HTTP or HTTPS? See also, the section above on securing local admin access
- If app uses Bluetooth, how secure is it? I am not familiar with Bluetooth security. Eero and Luma both use Bluetooth.
- For routers that do not require a vendor account, we still have to ask: how much, if any, data does the router send back to the hardware manufacturer? I have tested this with my favorite router, the Pepwave Surf SOHO. The only outbound requests the router made were for the time of day. It did not send anything back to Peplink at all. Netgear swings both ways. While an account is not needed, in July 2017, they started collecting "analytics". For more on this see the Bugs page for July 2017, this article and What router analytics data is collected and how is the data being used by NETGEAR? (last updated Aug. 2018).
- Linksys is owned by Belkin, which in turn, is owned by Foxconn Interconnect Technology, a subsidiary of Foxconn, the Taiwanese company best known for making iPhones.
- Integrated security software: Some router vendors are integrating security software into the router firmware. One example is Netgear, which offers BitDefender software with some of their router firmware. This is sold to the public as good for security, but the flip side is that it is bad for privacy. Considering the EULA that Trend Micro requires router owners to agree to, it may be best to avoid routers that include Trend Micro software. The EULA notes that web page URLs and email message may be sent to Trend Micro. For more, see Review: ASUSWRT router firmware by Daniel Aleksandersen (May 2017) and The Asus RT-AC68U router - it's fast but it also secure? by John Dunn (July 2015).
NEW DEVICE NOTIFICATION (updated July 22, 2019)
As the administrator of a Local Area Network, I would like to be dinged every time a new device gets onto the network. The ding could be a text message, an email, perhaps even a beep sound. Something, to alert me about a device (really a MAC address) that has not been seen before. There are two ways this might go, either I have to approve the new device before it is allowed access or it is allowed by default, but I am notified and can disable it later.
RECENT DEVICES (added August 9, 2017)
- I have read that Gryphon will assign new devices to a Guest user profile and that the Guest profile can be blocked from the Internet. It is also said that their mobile app can ding you about new devices. Their website has no documentation on this that I could find.
- Eero routers will do this, but it seems to be an option to disable a new device after it has already been on the network, rather than a mandatory approval before being allowed on the network.
- A Fingbox is not a router, it is networking device that you add to your existing network. It can notify you both when devices join and leave the network. New devices can be blocked automatically. Notification is by an alert on a mobile device running the Fingbox app and/or by email. No texts. In the User Guide look for "alerts". For more about Fingbox, see the Add-on Security Devices section of the Resources page.
- A reader comment to this July 2019 review of Disney’s
Circle said that it can block all new devices, by default. Not sure how the notification works.
- The second generation Bitdender box says you can "receive notification in smart application when new device connected to your home network and control what that device is allowed to do."
- Luma says that their router "automatically recognizes any new devices in your home, and lets you grant or deny them access with a quick swipe." Again, I have not seen a review that mentioned this feature. A Nov. 2016 article on SmallNetBuilder said "If an unknown device is found on the network, Luma can send a notification through the app, alerting the owner of the unidentified device." The article, however, was a paid ad.
- The Aztech AIR-706P router is managed by the Aztech Smart Network mobile app. According to this Aug 9, 2017 article, it has a Wi-Fi Connect feature that can push a notification to a mobile device when something connects to the router.
- The Users Guide for the Amped Wireless ALLY routers says "ALLY notifies you of important events on your network ... for example when a new device joins your network." It is not clear if this includes a previously seen devices logging on again to the network.
- The User Guide for the Norton Core router says it can do this for the Guest Network but its not clear if it can also do it for the main network. The router has been discontinued as of early 2019.
- A company called SkyDog used to offer this feature, but they disappeared in July 2014 when Comcast bought the company.
It would be nice if a router displayed a list of devices that had recently been on the network. This makes it easier to audit for devices that should not be there. Eero and the Norton Core router do this. Peplink sort of does this. Its display of currently attached devices, includes devices that are not currently attached but were recently attached. I think devices are included in the display until the lease on their IP address expires. Peplink can also log to its Event Log every time its DHCP server gives out an IP address. The message includes the MAC address of the new device, so you can audit based on that.
FACTORY RESET (Added Nov 27, 2018)
A factory reset should put the router into a secure state, and, it should erase all personal data.
Is HNAP supported?
The correct answer is no and on recent routers the answer will be no.
The Home Network Administration Protocol has been the basis for multiple router flaws.
In April 2015 it was found to make a number of D-Link routers vulnerable.
In Feb 2014 is was used as part of an attack on Linksys
routers (see this for more). The Linksys firmware in their classic WRT-54G supported HNAP. In 2010 HNAP was used to hack D-Link routers.
As far as I know, there is no way to disable HNAP.
There are two ways to check for HNAP support. First, ask the router vendor. If nothing else, this can be a great test of technical
support. If the company can't or won't answer this question, their routers are best avoided. Peplink, my preferred router vendor, does not
support HNAP - I asked them. For a technical test, try to load HTTP://188.8.131.52/HNAP1/ where 184.108.40.206 is the IP address of your router.
This works from inside your network using the routers internal IP address. The real danger, however, is from the outside, so have someone try
it from the Internet using the public IP address of your router which you can find at many sites such as ipchicken.com or checkip.dyndns.com.
For good luck, also run this test on port 8080, which would look like HTTP://220.127.116.11:8080
Rare security features
It can be argued that VLAN support belongs in the list above and I may add it at some point. It's certainly a security feature and not all that
rare. VLANs (Virtual LANs) let you logically divide a single LAN into isolated sections. If attackers gain access to one section of the network, the VLAN prevents access to other areas of the same network. Sony Pictures would have been well advised to employ VLANs, it would have limited the damage from their breach. Security is also much improved by isolating IoT (Internet of Things) devices as much as possible. VLANs are not in the list above because many people get close enough to the VLAN experience with Guest networks. One difference, however, is that a VLAN is a separate subnet, a feature that Guest networks are not likely to include. I use a VLAN isolated wireless network at home for assorted devices that only need Internet access and do not need to see a network printer or a NAS box, let alone the computers on the LAN. The Pepwave Surf SOHO can even prevent this network from directly accessing the router. VLANs are not just for Wi-Fi, some routers, such as the Pepwave Surf SOHO and the Ubiquiti Edge Routers, can put each Ethernet LAN port into its own VLAN.
I know of two routers that can make multiple SSIDs and within each one, isolate devices so that they can not see each other: the Pepwave Surf SOHO and the Invizbox 2.
The Asus ROG Rapture GT-AC5300 can use Amazon Alexa voice commands to turn on the Guest network and/or pause the Internet. It can also use IFTTT to send an email when a specific device gets on the network. (source).
VPNs and Tor: a router that can function as a VPN server lets you connect to it securely when traveling. To me, no big deal. A router that can function as a VPN or Tor client can provide some security to multiple devices, even those that are unable to use a VPN or Tor on their own. The Resources page has a list of routers that can function as VPN and/or Tor clients.
The lifespan of a router is like that of a banana, but the real problem is that it does not turn brown when it goes bad. Router manufacturers, as a rule, are not up-front and honest about how long their devices will be updated with security patches. If you look for new firmware and see the latest release was 2 years ago, does that mean the router has been abandoned (probably), or, have their simply been no bugs in the last two years (unlikely). In November 2018 the German government released router security guidelines and the big gripe was that they said nothing about this.
The Portal router, which is expected to start shipping late Summer 2016 has an unusual take on Guest networks.
Exactly what it is, however, is not clear from their documentation which says: "You never need to give out your network password, and your guests never need to
remember it. Granting Guest Access is done using the Portal App, which uses Facebook credentials or email addresses. Guest Access is time and distance controlled, making it
very secure. Whenever a device that has been granted Guest Access is within range of your network, Portal automatically creates a guest network with random SSID and
credentials. This information is securely exchanged over Bluetooth. When the guest device leaves your network, Portal deletes the guest network and credentials."
Sounds interesting, I hope to fully understand it someday.
This may be asking too much, as I have not run across it anywhere: the ability to modify the Ethernet MAC address that is used as the base of
WiFi networks. This would allow a router of brand X to masquerade as brand Y. This is a common feature, but I have only seen it apply to the WAN port. It exists
because some ISPs use the MAC address as part of their security. I would also like it on the LAN WiFi side of things.
October 24, 2015: The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to this one, routers will be given points for features that increase security. See German Govt mulls security standards for SOHOpeless
routers. Three years later (November 2018), they released some security guidelines. See Germany proposes router security guidelines by Catalin Cimpanu of ZDNet and
Germany pushes router security rules, OpenWRT and CCC push back by Richard Chirgwin of The Register.
Many routers are sold as a set of devices, commonly referred to as a mesh. Examples are Google Wi-Fi, Netgear Orbi, Eero, Ubiquiti AmpliFi. This begs the question, for which I have no answer, how is the communication between the two or three devices in a router system protected? As a rule, the main router controls firmware updates on the satellite devices. How? Securely?
Some non-security features to look for
Wake-on-LAN. It's not a security issue, but it is nice to have. Grandmas out at a movie? Login to her router, turn on her computer remotely, install bug fixes for her and
then turn it off :-) Asus routers have done this for a long time. Peplink introduced WOL in firmware version 6.3 in December 2015.
Kick the kids off the Internet at bedtime. This can be done a few ways. Perhaps the best approach is to have a dedicated network/SSID for the kids to use,
keeping the passwords for other WiFi networks a secret from the children. Then, a router with scheduling ability, can disable the kiddy network at bedtime. This
can also be done using a single network/SSID but then you have to deal with identifying individual devices either by their MAC address or their IP address.
This takes a bit more technical skill, is a bit more of a hassle to setup and maintain and requires that a specific device is always used by the same person.
Speed tests: Some routers can run their own speed tests. To really know how fast your Internet connection is, requires an Ethernet connected device plugged
directly into the modem, no router at all. But, a router running its own tests should be good enough.
Current bandwidth: If the Internet seems slow, it can be helpful if the router shows the current bandwidth being used by each attached device. While some can do this, you have a great router if the list of attached devices can be sorted to show those using the most bandwidth at the top. The Surf SOHO does this.
CPU usage: It can be helpful to see CPU usage as it lets you gauge when its time for a new router. Check it at times when your router is the busiest and/or when streaming a video or two.
I prefer external antennas to internal ones as they are more flexible. I also prefer removable external antennas as they can be replaced if broken.
They can also be upgraded should the need arise.
Ethernet lights: When things go wrong, it can be handy to have Ethernet status lights. There are two aspects to this. The main body of some routers
have indicator lights for each LAN side Ethernet port. I prefer this, the more information provided, the better. Also, the Ethernet port itself, may have
two lights, indicating the link status/speed and activity. The lights on the Ethernet port often indicate the link speed (normally 100Mbps or 1,000Mbps)
and, when blinking, that data is being transmitted. Plus, just their being on at all, told us something about the link.
Some routers have done away with the
lights on top/front and/or the lights on the Ethernet ports. For example, the TP-LINK Archer D9 has a single Ethernet light on the front - beats me how
it indicates the status of multiple Ethernet ports. Still, it is a step up from the $300 D-Link DIR 890L/R, released in February 2015 that has no Ethernet lights at
all on the top. The Amped Wireless RTA1750 is
unusual in that its Ethernet status lights on the front are all white. And, if you don't like them, there is a switch that turns them all off. The Asus
RT-AC68U also has a button to turn off all the lights. I read that the upcoming Synology RT1900ac router (scheduled to be released some time in 2016) will let you schedule the status lights. Thus, you could have them on during the day, but off at night.
Context sensitive help. That is, rather than having to refer to a separate monolithic manual, that may or may not be kept in sync with the firmware,
it is best to have help directly available in the web interface (assuming there is a web interface).
Documentation: Find the User Guide for the router. Look at the first two pages. Is there a date that the manual was written? Does it show the
version/release the manual applies to? Is there a Last Update date? This offers a glimpse into the professionalism of the company that made the router.
If the manuals are missing basic information, such as a date and version number, the company is running a
second class amateur operation. Another give-away is the failure to update the User Guide to reflect changes in the firmware.
Apple fails this test. The latest setup guide that I could find for the
AirPort Extreme router
has no date and no version number. A check in June 2015 for AirPort manuals
turned up no manuals from 2014 or 2015. The AirPort Extreme manual was from June 2013, the AirPort Express was from June 2012.
Worse still, the only manuals Apple offers are short Setup Guides. They don't have a long User Guide.
Website blocking is arguably a security feature, but an optional one. In the old days, some routers would only block HTTP access to the site, but not block HTTPS. And, if you use this feature, you also need to be able to carve out exceptions which may mean learning the MAC address of privileged devices or giving them a static IP address or using DHCP reservations. And, if a router blocks sites by name, then chances are that direct IP address reference to the website will not be blocked. So, I left it out of the checklist above.