paul_gillin
Technology Journalist

How to boost cybersecurity defenses using your router

analysis
Mar 11, 2022 · 5 mins
Networking, Security

If you work from home, the best cybersecurity protections may be inside a device you never think about: your home router.

COVID-19 has made us all more aware of the need to protect our computers at home from online evil. But when was the last time you pointed your browser at your router? The little box that connects your PC and all the other devices in your home to the internet has an array of security features that many people are unaware of.

After speaking to Derek Manky, chief of security insights and global threat alliances at Fortinet’s FortiGuard Labs, I logged into my Verizon FIOS router for the first time in years and discovered there were no fewer than 18 devices connected to it, including TVs, printers, thermostats and a half dozen Amazon Echoes. Each is a potential security vulnerability. “If you look at your home router, you’ll be surprised what you find there,” Manky said.

Security suites do a pretty good job of protecting against external threats, but the enemy is increasingly inside the network. “The most prominent threat we’re seeing right now is the Mirai botnet,” Manky explains. Fortinet defines that as “Linux malware that primarily targets IoT devices such as IP cameras and routers… [and] can mine cryptocurrencies, perform [distributed denial of service attacks], execute arbitrary commands, and scan the internet for other vulnerable devices to infect.”

The last part of that statement is what should catch your attention in particular. Most routers used in home networks assume that everything connected to them can be trusted. By default, they allow each device to see – and possibly connect to – every other device. A compromised camera or thermostat could thus be used by an attacker to navigate to a PC and install malware or a keylogger that captures keystrokes.

“Once attackers get command and control, they establish an active communication channel,” Manky says. “If you see your thermostat connecting to a bunch of weird servers, you should block it.”

Zero trust begins at home

Corporate IT departments apply sophisticated network segmentation controls to reduce this risk. Segmentation enables administrators to isolate sensitive devices into protected sandboxes that have their own policies. It’s part of zero trust security, an increasingly popular form of cyber protection that assumes that nothing and no one on the network can be trusted.

Manky likens the scenario to physical home security. “Most people lock up their valuable assets to protect against someone breaking into their home,” he says. “That’s segmentation and the same idea applies to cyberattacks. Segments make lateral movement much harder.”

Most home routers don’t support segmentation, though. The capability is available in software from Fortinet and others, but if you want to try it yourself, it will take some poking around. I spent the better part of an hour digging through my router’s menus and user manual and couldn’t find anything related to network segmentation. I did find a new service called Verizon Home Network Protection that tightens security at the device level but doesn’t appear to prevent devices from seeing each other. Comcast’s advanced network settings offer similar functionality. In both cases, they are disabled by default, and you have to turn them on.

Good router hygiene

Even if your router doesn’t support segmentation, there are a few basic measures Manky recommends that can improve protection.

  • Enable guest mode, which sets up an alternative access point for untrusted devices and blocks them from seeing anything on the main network. Connect all your smart devices via guest mode and be sure to use a different password for guest access.
  • Be sure your router uses WPA2 encryption. It’s better than the alternatives although not perfect by any means. If you upgrade to Wi-Fi 6, you can get the more recent WPA3.
  • You did change your router password when you first plugged it in, right? Older routers, in particular, often came with default passwords that were published in the user guide or even no password at all. A Comparitech study last year found that about one in 16 home Wi-Fi routers can be accessed using the default administrator password.
  • Check to be sure firmware is updated on all connected devices. While many automatically install the latest release, that may not be true of your thermostat or video doorbell. Check the manual.
  • Consider wireless MAC authentication. The Media Access Control address is a string of numbers that looks like this: d0:4:b3:20:9f:5c. Every device has a unique MAC address, and most routers can be set to prohibit connections from any device whose address isn’t known.
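
Before turning on MAC filtering it helps to inventory what is already connected and compare it with the devices you recognize. The sketch below is an added example, not from the article or any router vendor: it parses `arp -a`-style output (a constructed sample; macOS prints octets without leading zeros, as in the address above) and checks each address against a hypothetical allowlist.

```python
import re

# Constructed sample in the style of `arp -a` output (not from a real network).
SAMPLE_ARP = """\
? (192.168.1.10) at d0:4:b3:20:9f:5c on en0 ifscope [ethernet]
living-room-tv (192.168.1.23) at 3C:5A:B4:01:0e:7f on en0 ifscope [ethernet]
? (192.168.1.41) at a6:11:2:9c:44:d1 on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
"""

# Hypothetical allowlist: MACs you have identified as your own devices.
KNOWN = {"D0-04-B3-20-9F-5C": "office laptop", "3c:5a:b4:01:0e:7f": "TV"}

LINE_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:-]+)")

def normalize_mac(text):
    """Return 'aa:bb:cc:dd:ee:ff', or None if text is not a 6-octet MAC."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        return None
    return ":".join(p.lower().zfill(2) for p in parts)

def is_randomized(mac):
    """Locally administered bit set: typical of per-network private addresses."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(arp_text, known):
    """Return (ip, normalized_mac, status) for every resolved ARP entry."""
    allow = {normalize_mac(m): name for m, name in known.items()}
    findings = []
    for line in arp_text.splitlines():
        m = LINE_RE.search(line)
        mac = normalize_mac(m.group("mac")) if m else None
        if mac is None:  # skips '(incomplete)' and unparsable lines
            continue
        status = allow.get(mac)
        if status is None:
            status = "UNKNOWN (randomized)" if is_randomized(mac) else "UNKNOWN"
        findings.append((m.group("ip"), mac, status))
    return findings

if __name__ == "__main__":
    for ip, mac, status in audit(SAMPLE_ARP, KNOWN):
        print(f"{ip:15} {mac}  {status}")
```

Entries flagged as randomized are usually phones or laptops using a private Wi-Fi address, so an allowlist has to record the address each device presents on your network rather than the one printed on its label.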

If you want to get super geeky, you can configure an old laptop as a router and install Snort, a highly regarded open-source intrusion prevention system. However, your existing router probably has enough features to protect against the vast majority of threats. If it doesn’t, time to buy a new one.