How secure can your router get?

23 security features to look for in a router


Speed sells. Every router review is focused on speed. When they discuss signal strength, it's only because it increases the speed. There may be a brief mention of other features, but the undeniable focus is on speed.

Why migrate from WiFi G to N? Speed. Why upgrade from N to ac? More speed.

To a Defensive Computing blogger this is terribly wrong. The security of a router is far more important than its speed.

A hacked/compromised router is the worst thing that can happen to computer users.

Any computing device (smartphone, tablet, laptop, desktop, refrigerator) sitting behind a compromised router can be attacked in every known way.

Needless to say, a router can be used for spying, and not just on normally insecure communications. It's also a perfect host for man-in-the-middle attacks on supposedly secure communication (SSL/TLS/HTTPS).

Compromised routers can send victims to scam versions of websites, a great way to collect passwords. They can also slow down your net connection, especially if they are used for DDoS attacks or spamming. In August, Jeff Atwood wrote about two people whose routers were hacked. One router modified web pages to show extra ads, another tricked a victim into installing a hacked version of the Chrome browser. And, of course, a router can be used to install malware on computers too. Did your last Flash update really come from Adobe? How would you know?

To further illustrate the point, consider translators. If two heads of state, without a common language, are having a private meeting, they are at the mercy of their translators. We can only imagine what a pair of malicious translators could do. Likewise, your router is in the middle of every communication you have on the Internet. You are at its mercy.

Still not convinced? The NSA loves to hack routers.


To help people judge how secure any given router can possibly get, I created a Router Security Checklist on my website. If security is your priority, these are 23 features to look for.

To be clear, this is not a list of steps to increase the security of your router. That's a whole different thing, only part of which is now up on my still-to-be-completed website.


Since WPS (Wi-Fi Protected Setup) got me started on router security, it deserves a special mention. WPS is required for consumer routers to be certified, yet I would never use a router that supported it. WPS was developed by the group that gave us WEP (the Wi-Fi Alliance) and suffers from both design and programming flaws. It's intellectual pornography.

WPS is a complicated protocol supporting multiple modes of operation for multiple purposes. Only one mode of operation lets your neighbors hack into your wireless network. If routers let us keep the safe modes and disable the one with the security flaw, that would be great. None do (that I am aware of). That's yet another WPS flaw.

Router security starts at the very beginning - logging in to the router with a userid and password. Less secure routers always use the same userid, better ones let you change it. Bad routers only support short passwords, good routers support longer ones. At one point, Asus let you configure a 25-character router password, then it ignored all but the first 16 characters. You can't make this stuff up.
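The truncation behaviour described above can be modelled and measured. The following is an added example, not code from the article or from any router vendor: `TruncatingLogin`, `StrictLogin` and `effective_length` are hypothetical names, and the password is a constructed sample.

```python
import hashlib
import hmac
import os

STORED_LEN = 16  # characters kept by the flawed login, per the anecdote above


def _derive(password, salt):
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class TruncatingLogin:
    """Constructed model of the flaw: accepts any length, keeps 16 characters."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.digest = _derive(password[:STORED_LEN], self.salt)

    def verify(self, candidate):
        return hmac.compare_digest(self.digest, _derive(candidate[:STORED_LEN], self.salt))


class StrictLogin:
    """Hardened form: refuse what cannot be stored, compare every character."""

    def __init__(self, password, max_len=64):
        if len(password) > max_len:
            raise ValueError(f"password longer than {max_len} characters")
        self.salt = os.urandom(16)
        self.digest = _derive(password, self.salt)

    def verify(self, candidate):
        return hmac.compare_digest(self.digest, _derive(candidate, self.salt))


def effective_length(verify, password):
    """How many leading characters of your own known password are checked."""
    if not verify(password):
        raise ValueError("the known password was rejected")
    n = len(password)
    # Drop one trailing character at a time; stop at the first rejection.
    while n > 1 and verify(password[: n - 1]):
        n -= 1
    return n


PASSWORD = "correct-horse-battery-25c"  # constructed 25-character sample
```

Each call to `verify` corresponds to one login attempt, so on a device you own the check costs at most a handful of attempts with the password you already know.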

Along the same line, secure routers impose restrictions on access to their administrative interface. For example, some routers can be configured to only accept logons from Ethernet connected devices. Others can restrict access by IP address and/or MAC address. While some only support HTTP access, better routers can be configured to use HTTPS on an alternate port (something other than 443).

Good security always requires installing bug fixes, and the way router owners are notified about available updates varies drastically. Some routers make you manually hunt down firmware updates on the vendor's website. Other routers can check for new firmware on their own but require you to log on to the box, find that feature and click a button. Still others automatically indicate the availability of new firmware as soon as you log on to the router, assuming you ever do so. Google's new routers self-update their firmware, as do some Linksys models. I have yet to encounter a router vendor that emails customers when there is a firmware update as Synology does for their NAS boxes.

No doubt everyone knows to use WPA2 encryption. Better routers will always use AES for WPA2 encryption, others continue to offer the less secure TKIP option.
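The WPS and AES-versus-TKIP criteria above can be checked mechanically on a router whose wireless side is driven by hostapd. This is an added example, not part of the article or its checklist; it assumes a hostapd.conf-style file, both sample configurations are constructed, and the finding codes are hypothetical.

```python
WEAK_CONF = """\
# constructed sample: WPS on, WPA1 and TKIP still offered
ssid=ExampleNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wps_state=2
"""

HARDENED_CONF = """\
# constructed sample: WPA2 only, AES (CCMP) only, WPS off
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
"""


def parse_conf(text):
    """Parse key=value lines; hostapd treats lines starting with # as comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts


def audit(text):
    """Return (code, message) findings for the Wi-Fi criteria discussed above."""
    o = parse_conf(text)
    findings = []
    if o.get("wps_state", "0") != "0":  # 0 means WPS disabled
        findings.append(("wps-enabled", "WPS is turned on"))
    wpa = int(o.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2
    if wpa == 0:
        findings.append(("no-wpa", "no WPA/WPA2 protection configured"))
    if wpa & 1:
        findings.append(("wpa1-enabled", "original WPA is still accepted"))
    # hostapd.conf documents wpa_pairwise as defaulting to TKIP and
    # rsn_pairwise as defaulting to the wpa_pairwise value.
    wpa_pairwise = o.get("wpa_pairwise", "TKIP")
    rsn_pairwise = o.get("rsn_pairwise", wpa_pairwise).split()
    if wpa & 2 and "TKIP" in rsn_pairwise:
        findings.append(("tkip-offered", "WPA2 clients may negotiate TKIP"))
    return findings
```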

Remote access to a router (often called Remote Administration) is universally vilified as a security problem. It does not have to be. With the right options, described in my list, it can be done fairly securely.

MAC address filtering is touted as a good security feature by people that don't understand the technology and derided as easily bypassed by those that do. Both sides are wrong. Depending on how the feature is implemented in a router, it can indeed improve security, even with its limitations. My checklist details the differences between MAC address filtering done right and done wrong.

A wireless network that does not exist can't be compromised. Thus, a router is more secure if it can schedule the wireless network to be off at times when it won't be used. Another option is a button on the router to turn the wireless network on and off.

Guest networks can be a great security feature if implemented well. Some routers, however, do a miserable job of this. The checklist details what to look for.

Routers have more bugs than a forest. Measuring the quality of software is hard, but the Misfortune Cookie flaw gives us a window into how seriously a router vendor takes security. What was unique about this December 2014 flaw was that you couldn't reliably test for it. The only way to know if a given router was vulnerable was to be told by the vendor.

Actiontec and Peplink issued notices that their routers were not vulnerable. ZyXEL released updated firmware for 11 of their routers, but considered another 49 models end-of-life. Netgear never said anything about it.

Take a look at the security feature checklist and let me know what you think, either as a public comment below or a private email to routers --at-- 


While Americans may not focus on the security of their routers, Germans soon will. Many in Germany are now required to use a router from their ISP, a situation known as "router coercion" according to a Google translation of a German web page. This is expected to change in early 2016.

In preparation for this new-found freedom, the German Federal Office for Information Security (BSI) is planning a security rating system. Using a list similar to mine (I don't speak German so I can't specifically comment on their list) they will assign a numerical security rating to routers.

The next time you read about a new router, think about what's not said. Router reviews are like cigarette commercials: both leave out the most important issue. For cigarettes it's cancer, for routers it's security.
