If you are part of the UMBC community and are reading this in the spring of 2020, then you are very likely working and/or teaching and/or learning from home over the Internet. In most cases, you have an Internet provider such as Comcast or Verizon and you have a router in your home to connect to them. The router is your gateway to the Internet. It is also the Internet’s gateway to you. (See links below for information about recently discovered vulnerabilities in home routers.)
The Basics
For most people, the home router does two things.
- It creates a small network that your devices can access either through WiFi or through a cable physically connected to the router.
- It also connects that little network to your provider and, through them, to the Internet.
Your router comes out of the box pretty much ready to go to work for you, but it’s not usually as secure as it could or should be. There are a number of settings, especially in older routers, that should be verified or changed to make sure that:
- No one joins your small home network without your knowledge and permission.
- No one out on the Internet can tell the router to behave in ways you don’t want it to.
How you view and change these settings will vary with the make and model of your router. There are some links at the end which may help you, but your best bet is to get the make and model of your router (usually printed on the back or the bottom) and search for them on Google, Bing, or some other search service. Include terms like “setup”, “manual” and “secure”. Try to use a site belonging to the router’s manufacturer. (You will probably be accessing your router through a web browser on your home network.)
Here is an initial to-do list:
- Secure your wireless connection
- This is the connection between your wireless devices (laptop, tablet, etc.) and your router on the “small network” in your house. Make sure encryption is enabled and set to WPA2 or WPA3. If there is an option for WPS encryption, disable it if possible. If not possible, consider getting a new router.
- Change the router’s administrative password
- There are two different passwords associated with your router. There’s your WiFi password that is entered in every device on your home WiFi network, and there’s that administrative password that you use to go into your router to view and change its settings. Modern routers often come with pre-set WiFi passwords.
- Update your router’s firmware
- If you’re a Windows user, you have dealt with software updates since you first booted the machine. This is much the same. Precisely how you update your router depends on its make and model. If your router has an auto-update feature, you should probably use it.
- MAC filtering
- This is not about Apple computers. Each wifi device, that connects with your router, no matter what kind of device it is, has a unique MAC address that you normally don’t see but can discover. This allows you to refuse access to all devices other than those whose MAC addresses you explicitly ‘whitelist’ (allow) in your router. If you’re comfortable doing this, consider implementing it.. WARNING: There’s a security vs. convenience trade-off here. You will have to whitelist every new device that you want to appear on your home network.
- If your router has a ‘remote management’ setting, turn it off.
Links for more information:
- https://www.wired.com/story/secure-your-wi-fi-router/
- https://lifehacker.com/how-to-make-your-wifi-router-as-secure-as-possible-1827695547
- https://www.consumer.ftc.gov/blog/2020/03/online-security-tips-working-home
- https://www.cisecurity.org/white-papers/cis-controls-telework-and-small-office-network-security-guide/
Links for more information about recently discovered vulnerabilities in home routers:
- https://arstechnica.com/information-technology/2020/03/new-attack-on-home-routers-sends-users-to-spoofed-sites-that-push-malware/
- https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/
- https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-to-spread-malicious-covid-19-apps/