Do I need a new router?

If you're using a cheap generic router, or worse the one provided by your internet service provider, then your network may already be exposed and your data at risk. If you're looking to introduce a network of smart home (internet of things) devices then you definitely need to consider securing your network to a much greater extent.

How is my network at risk?

Attacks on a network can be classified in many ways, but for the purposes of your personal router the security concerns fall into three distinct types:

  1. The ability to use built-in management features to compromise the network
  2. The ability to use weak security defaults to target your devices
  3. The ability to use less secure devices to target more secure devices

Remote Access

The biggest issue with the router provided by your ISP is that it is designed to be managed remotely by your ISP. A remote-management protocol, normally TR-069 (CWMP), lets the ISP change settings for you from a call centre and push firmware when they have updates to roll out. HNAP, the Home Network Administration Protocol, is a separate vendor management interface that many consumer routers also expose, and it has its own poor security track record. While the Wi-Fi passphrase on your router may be strong, the chances are that the credentials used to manage the device are generic, or at least drawn from a very short, widely shared list. This means that for a hacker to access your device remotely they might only need to get hold of this list, whether through social engineering, having worked for one of these companies, or breaching one of their servers. Add the fact that your ISP ships thousands if not millions of identical devices and you have a recipe for an easily assembled botnet, or worse.

Once compromised, your router can be used to eavesdrop on everything that crosses it, or to conduct a man-in-the-middle attack. Imagine that the next time you visit Amazon, eBay or another online shopping site your traffic is routed through someone else's server, allowing them to record as well as modify it. You select a product, enter your credit card details and wait patiently for delivery. The item arrives and you are none the wiser, but your card details and logins have been recorded for future use. HTTPS makes this harder than it sounds, since the attacker cannot read or alter traffic to the genuine site without triggering a certificate warning; in practice a hijacked router is used to tamper with DNS and send you to a look-alike site, to keep you on plain HTTP where a site still allows it, and to harvest whatever your devices still send unencrypted. If someone has control over your router, all of this is trivial.

Weak Security

Universal Plug and Play (UPnP) is the set of networking protocols that lets your PC, printer and television discover each other and communicate over your network. It also lets any device on your LAN ask the router to open (forward) a port from the internet to itself, with no authentication at all. UPnP should only ever be exposed on the LAN interface; unfortunately for a lot of routers this is not the case, and a router that answers UPnP requests on its internet-facing side lets an outsider punch holes in your firewall at will. Once an internal service such as Windows file sharing (SMB, TCP port 445) is reachable from the internet, exploits such as EternalBlue (against SMBv1 on Windows, developed by and then stolen from the NSA) and EternalRed (the nickname given to a 2017 flaw in Samba, the SMB implementation used on Linux and NAS devices) can be used to reach whatever is being shared inside your local network.

If your router is out of date, or if you have a device that has not been properly patched, anything your computer shares internally could end up reachable from outside.
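The check a practitioner would want at this point is to see what the router is actually forwarding. The following is an added example, not code from the original article: a small POSIX shell script that lists a UPnP/IGD router's current port mappings and flags the ones that expose file-sharing or remote-administration ports inside the LAN. It assumes the `upnpc` tool from miniupnpc for the live query and parses its `upnpc -l` listing format; the embedded sample listing is constructed for offline use, and the list of risky ports is a starting point rather than any standard.

```shell
#!/bin/sh
# Added example (not from the original article): list the port mappings a
# UPnP/IGD router is currently forwarding from the internet into the LAN
# and flag those that expose file-sharing or remote-admin ports.
#
# Live use needs `upnpc` from miniupnpc; the parser understands its
# `upnpc -l` listing, one mapping per line:
#    0 TCP 49152->192.168.1.20:445   'Windows file sharing' '' 0
# i.e. index, protocol, extPort->internalIP:internalPort, 'description',
# 'remote host', lease seconds. Lines that don't start with a number
# (headers, status text) are ignored.

# Internal ports that should not be reachable from the internet on a home
# network: FTP, SSH, telnet, web admin, NetBIOS/SMB, RDP, VNC, alt-HTTP.
# A starting point, not a standard; tune it for your own network.
RISKY_PORTS="21 22 23 80 135 137 138 139 443 445 3389 5900 8080"

# Constructed sample of `upnpc -l` output for offline use; the addresses
# and descriptions are made up.
sample_listing() {
  cat <<'EOF'
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  3074->192.168.1.30:3074  'Xbox Live' '' 0
 1 TCP 49152->192.168.1.20:445   'Windows file sharing' '' 0
 2 TCP  2222->192.168.1.40:22    'ssh' '' 3600
 3 TCP  8123->192.168.1.50:8123  'Home Assistant' '' 0
EOF
}

# Read a listing on stdin, print one verdict per mapping plus a summary,
# and return non-zero if any mapping forwards to a risky internal port.
audit_mappings() {
  total=0 risky=0
  while read -r idx proto map rest; do
    case "$idx" in ''|*[!0-9]*) continue ;; esac   # not a mapping line
    ext=${map%%"->"*}              # external (internet-facing) port
    dst=${map#*"->"}               # internalIP:internalPort
    ip=${dst%%:*}
    port=${dst##*:}
    desc=${rest#\'}; desc=${desc%%\'*}   # text between the first quotes
    total=$((total + 1))
    verdict=ok
    case " $RISKY_PORTS " in
      *" $port "*) verdict=RISKY; risky=$((risky + 1)) ;;
    esac
    printf '%-6s %s %s -> %s:%s (%s)\n' "$verdict" "$proto" "$ext" "$ip" "$port" "$desc"
  done
  printf '%d mapping(s), %d risky\n' "$total" "$risky"
  [ "$risky" -eq 0 ]
}

# Usage: sh upnp_audit.sh         audit the constructed sample
#        sh upnp_audit.sh live    query the real router with upnpc -l
if [ "${1:-}" = "live" ]; then
  command -v upnpc >/dev/null 2>&1 || { echo "upnpc (miniupnpc) not installed" >&2; exit 2; }
  upnpc -l | audit_mappings
else
  sample_listing | audit_mappings
fi
status=$?
[ "$status" -eq 0 ] || echo "Remove the RISKY mappings and disable UPnP on the router."
```

If the live run shows anything you did not knowingly set up, delete the mapping (for example with `upnpc -d 49152 TCP`) and then turn UPnP off on the router; the mapping will otherwise come straight back the next time the device asks for it.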

IoT Devices and Smart Homes

In much the same way that you trust the people you share a house with more than those in the street outside, so your devices trust those inside your network far more than devices outwith it. This is fine in theory; however, devices such as Philips Hue, Samsung SmartThings and the Wemo smart plug have all at some point in the past few years been hacked. If these expensive devices with huge brands behind them are subject to hacking, it raises the question of how secure a generic £10 smart plug can be.

Remember, each unique device represents a potential breach point.

The problem with a Wi-Fi based internet of things configuration is that each of these devices represents an individual point of possible failure within your security setup. A network with only two smart plugs from the same known brand can be treated as a single point of failure (if one is compromised, its identical twin almost certainly is too); by contrast, a network with a Zigbee hub, five different Wi-Fi smart plugs and Wi-Fi bulbs from four distinct manufacturers has ten possible points of entry. It might be helpful for your Google Home, your Philips Hue or your smart television to be able to talk to each other. However, they probably don't need the ability to talk to your laptop or your mobile phone.

If your router allows for the segmentation or firewalling of devices from each other, either through multiple SSIDs (service set identifiers) or the creation of VLANs (virtual local area networks), these devices can be walled off from your personal network. Compartmentalising devices this way isn't generally possible on an ISP-provided router, and unless you went high end on a router you bought yourself it's probably not possible out of the box either.

How can I improve my network security?

There are three ways you can reduce the likelihood of your network being compromised:

  1. Upgrade to a business-grade, or security-focused commercial, router
  2. Disable unused or un-needed interconnectivity
  3. Segment your private devices from your guests and smart devices

Buy a new router

If you're looking to buy a new router, consider an entry-level business-grade router: these typically omit insecure consumer conveniences such as WPS, are built to run unattended in a way that a consumer router simply isn't, and generally receive more regular firmware updates. If that's not in your price range, look for a security-conscious consumer router, or, if you're on a tight budget or have a consumer router lying around, look at installing custom firmware such as DD-WRT, which offers more security functionality. Then put the ISP-provided router into bridge (modem-only) mode, or at least connect your new router's WAN port to it, so that the device you control is the gateway and firewall for your network. Your devices then sit behind your own firewall rather than directly on the ISP device, so whatever ports it has left open, and whatever management access the ISP keeps on it, no longer reach them.

Segment your networks

Make use of either separate SSIDs or VLANs to isolate your personal devices (smartphones, laptops and tablets) from the IoT devices. Create a separate network for any guests' and kids' devices, which are probably not as regularly patched.
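To make the segmentation concrete, here is the kind of firewall script you would drop into a DD-WRT or other Linux-based router to enforce the zones described here and in the IoT section above: trusted devices may reach everything, IoT and guest devices get internet only, and neither may talk to the trusted LAN, to each other, or to the router's own admin interface. This is an added example and not code from the original article; the interface names br-lan, br-iot, br-guest and eth0 are assumptions for a router that already has its extra SSIDs or VLANs bridged onto those interfaces.

```shell
#!/bin/sh
# Added example: zone-based segmentation for a Linux home router
# (DD-WRT "firewall" script, OpenWrt, or any box running iptables).
# Not from the original article. Interface names are assumptions.
LAN=${LAN:-br-lan}       # trusted: laptops, phones, tablets
IOT=${IOT:-br-iot}       # smart plugs, bulbs, hubs, TVs
GUEST=${GUEST:-br-guest} # visitors' and kids' devices
WAN=${WAN:-eth0}         # uplink towards the ISP modem
IPT=${IPT:-iptables}     # IPT=echo prints the rules instead of applying

segment_rules() {
  # Use our own chains so the script is idempotent: flush and repopulate
  # them, then (re)insert a single jump at the top of FORWARD and INPUT.
  for chain in ZONE_FWD ZONE_IN; do
    $IPT -N "$chain" 2>/dev/null
    $IPT -F "$chain"
  done
  $IPT -D FORWARD -j ZONE_FWD 2>/dev/null
  $IPT -I FORWARD 1 -j ZONE_FWD
  $IPT -D INPUT -j ZONE_IN 2>/dev/null
  $IPT -I INPUT 1 -j ZONE_IN

  # --- Traffic routed between zones --------------------------------------
  # Replies to connections that were allowed are always fine.
  $IPT -A ZONE_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Trusted devices may initiate to anything: internet, IoT, guest.
  $IPT -A ZONE_FWD -i "$LAN" -j ACCEPT
  # IoT and guest devices may only initiate to the internet...
  $IPT -A ZONE_FWD -i "$IOT" -o "$WAN" -j ACCEPT
  $IPT -A ZONE_FWD -i "$GUEST" -o "$WAN" -j ACCEPT
  # ...anything else they try (reaching the trusted LAN or each other) is
  # logged at a limited rate and dropped.
  for zone in "$IOT" "$GUEST"; do
    $IPT -A ZONE_FWD -i "$zone" -m limit --limit 6/min -j LOG --log-prefix "zone-blocked: "
    $IPT -A ZONE_FWD -i "$zone" -j DROP
  done

  # --- Traffic to the router itself --------------------------------------
  # Untrusted zones need DHCP and DNS from the router and nothing else:
  # no web UI, no SSH, no UPnP or HNAP. Anything from the trusted LAN
  # falls through to the router's existing INPUT rules.
  $IPT -A ZONE_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for zone in "$IOT" "$GUEST"; do
    $IPT -A ZONE_IN -i "$zone" -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -A ZONE_IN -i "$zone" -p tcp --dport 53 -j ACCEPT
    $IPT -A ZONE_IN -i "$zone" -j DROP
  done
}

# Usage: sh segment.sh apply      install the rules (needs root)
#        sh segment.sh            print the rules without applying them
case "${1:-dry-run}" in
  apply)   segment_rules ;;
  dry-run) echo "# dry run, nothing applied; pass 'apply' to install:"
           (IPT=echo; segment_rules) ;;
  *)       echo "usage: $0 [apply|dry-run]"; exit 1 ;;
esac
```

Run it without arguments first to read the rules it would install. Note that discovery protocols such as mDNS and SSDP are link-local multicast and will not cross the zone boundary, so a phone app on the trusted network may need the IoT device's address entered by hand, or a discovery relay on the router; that is the price of the isolation, and the log lines prefixed `zone-blocked:` will show you which devices are trying to cross it.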

Route your browser traffic via a VPN

As an added bonus, those using security-focused or open-source routers can route all of their traffic through a VPN configured on the router itself, keeping their browsing habits private from their ISP. Be clear about what this does and does not buy you: the tunnel protects the leg between your router and the VPN provider, so a compromised ISP device or anyone else along that path can no longer read or alter your traffic, but it moves that trust to the VPN provider, and it does nothing against a device that has already been compromised inside your own network.