I run an ad-free website devoted to router security called, appropriately enough, RouterSecurity.org. As such, I am always on the lookout for articles on the subject. The recent FTC action against Asus, for poor router security, got me poking around the FTC website, where I stumbled across some awful security advice.
The article, Securing Your Wireless Network, is dated September 2015. The author is anonymous, never a good sign. Here's what my government got wrong.
The very first sentence sets the tone. It says "Going wireless generally requires connecting an internet 'access point' – like a cable or DSL modem – to a wireless router ..."
Modems, of course, are not access points. Apples and oranges. Modems are wired, access points are wireless.
As for WPA2 encryption, the FTC says it "should protect you against most hackers."
This is a common mistake. WPA2 is only half the story, it needs to be combined with a long password. If the password is short, WPA2 offers no protection from brute force attacks.
The discussion of WEP, WPA and WPA2 also presents half the story. There was nothing about AES, CCMP or TKIP. Long story short, don't use TKIP.
The article says that "Your computer, router, and other equipment must use the same encryption" which is literally true, but also irrelevant. Devices automatically adjust themselves to the encryption offered by the router, this is not something we need to worry about.
As if we were time traveling, the FTC warns that "Wireless routers often come with the encryption feature turned off." This has not been true for a very long time.
You can usually stop reading as soon as someone suggests using MAC address filtering to limit the devices that can get on a network. It's an ancient security feature that newer routers don't even offer. It's also a big hassle and the protection it offers can be bypassed.
Another piece of advice, to "Change the name of your router from the default" had me stumped initially - routers don't have names. It turns out, the author decided to invent new terminology. He/she/it uses "router name" to mean SSID, the name of a wireless network.
Not being familiar with the terminology is a good clue that someone does not understand the technology.
While changing the default network name is good advice, the article assumes every router creates one and only one network. This too was true, many years ago.
For network names, the FTC suggests changing "the name to something unique that only you know." That's profoundly stupid. Not only don't network names have to be unique, how would you even know if one was? As to your being the only one to know your SSID, that's both impossible and not a security feature.
For a router's Administrative password, the article advises "at least 12 characters, with a mix of numbers, symbols, and upper and lower case letters." This is overkill, since router passwords are not normally subject to brute force attacks. A router password of "7tulips" is just as good as "kR4hx82WXklq5". In contrast, Wi-Fi passwords are always vulnerable to brute forcing and the article offers no advice about them.
Update: Feb. 29, 2016. Sander Smith of RouterCheck.com suggests that I am not sufficiently pessimistic. He argues that malware on a computer can try to brute force the routers Administrative password, since so few routers do anything to prevent multiple guesses. His self-described "rudimentary" testing found that a typical router could handle about a dozen login attempts per second which multiplies out to roughly 30 million/month. And, this is not theoretical, the Vicepass.a trojan attacks router passwords.
When it comes to firmware updates, the author seems to be living a fantasy. Readers are advised to "register your router with the manufacturer and sign up to get updates." Few router companies send emails or texts when firmware is updated. Heck, routers sometimes fail to report available updates even when you manually check. This was one of the many things the FTC dinged Asus for.
There were also errors of omission. Router security has to include guest networks, UPnP, WPS, testing the firewall, and more.
Then, there is this: How to lock down an insecure wireless network router, written by Zack Whittaker of ZDNet just a week ago.
The sixth suggestion, to disable guest access, almost knocked me off my chair. Whittaker writes.
Some routers provide guest access. While this function often separates out your home network and your guests who use the temporary access, some hackers have been able to tunnel through the security wall into other parts of the network. If you really want to keep out people who shouldn't be on your network, disable this feature.
To me, this is malpractice.
For starters, I keep abreast of router security flaws and have never heard of a flaw in the guest network of any router. But, bug or no bug, guest networks are an excellent security feature.
A router that fully supports guest network security (not all do of course) will let you totally isolate guest users. That is:
- Guest users can not see any Ethernet connected devices
- Guest users can not see devices connected to a different SSID created by the same router
- Guest users can not see other devices connected to the same guest network
- The Guest network runs in a different IP subnet. If the main network were, for example, 192.168.1.x, then devices on the guest network might use an IP
address in the 192.168.250.x range.
- Guest users can be locked out from the router itself. Of course they have to communicate with the router to get to the Internet, but Guest users can be restricted from ever seeing the login prompt. That is,if a guest user entered http://routeripaddress they would not be prompted for a userid/password.
Router security doesn't get any better than a guest network on a router offering all these features. Even a router that does not fully isolate guest users, still lets you keep the password to the main network a secret, and the guest network can be disabled when its not needed.
Whittaker also makes some of the same mistakes as the FTC. For example, he says to use WPA2 with no mention of AES, CCMP, TKIP or password length. And, he suggests MAC address filtering and not broadcasting the SSID.
Even a good suggestion, to use OpenDNS, is ruined by providing a wrong IP address (instead of 220.127.116.11, the article has 18.104.22.168).
Perhaps I should say it here more often: a big part of Defensive Computing is knowing who to trust.