The Holiday Guide to Tech Support: Fixing and Hardening the Family Router

Bitdefender Internet Security Software

Planning to visit your elders for the Thanksgiving dinner? Chances are at least one device around the house needs some long-overdue servicing.

Take the family router, for example. Inexpensive, unpatched, end-of-life routers are everywhere. And some vendors never issue patches for certain commercial routers. Some manufacturers don’t even offer security updates for the devices they sell.

Bitdefender data shows that routers are the fourth-most-vulnerable device in smart homes. As a gateway to our digital lives, the router should be the most secure gizmo in the household – not among the weakest. Unfortunately, that’s rarely the case.

Worse, users don’t change the default credentials the router ships with, or choose weak credentials, opening the door to malicious guesswork and dictionary attacks. Users leave open ports when they shouldn’t and many people don’t bother to set up a guest network, allowing anyone to join the family network as if it were a public WiFi hot spot.

So, what should we do to ensure our family router is protected against intrusion?

Make sure the router is up to speed

As mentioned earlier, it’s not always certain that your vendor is on top of the latest vulnerabilities affecting your router model. This isn’t ideal since all of the household’s incoming and outgoing network traffic goes through the router. Search for your router model online and update to the latest firmware.

(If you’re switching ISPs, choose one that offers Router Protection with Live Virtual Patching, which basically acts as an auto-pilot for the security aspects of your router. The technology checks for commands on the router against known exploits to determine what vulnerabilities attackers could use against it, then it blocks these attacks.)

Change default credentials

This is as basic a router security tip as you’ll find. Many router models share the same default password. Even if it looks complex and hard to crack, these passwords are almost always searchable online.

Choose a unique alphanumerical password and change the username of your network while you’re at it, preferably into something that doesn’t identify the family. Be sure to choose a long password that includes all character types supported by the device and, if possible, set a custom username too.

Use WPA3 encryption

Wi-Fi Protected Access 3 (WPA3) is one of the most secure encryption options available. Even if someone is nearby to intercept your traffic, chances are they won’t be able to decipher the data. In addition to what its predecessor WPA2 offered, WPA3 features better encryption, security features and key exchange. If WPA3 is not available on your device, you can still stick to WPA2, but you should stay away from WPA or WEP at all times.

Disable WPS and UPnP

Wi-Fi Protected Setup (WPS) was created to enable easy pairing between the router and household devices. By requiring a passcode, it avoids the WPA password that most routers use. This exposes the device to brute force attacks where bad actors try various combinations of credentials until they guess their way in.

Universal Plug and Play (UPnP) is yet another protocol meant to allow devices to see themselves on the network or for apps to “escape” the restrictions set by firewalls. On the downside, it can let devices from other networks access exposed services on your network. Historically, it has enabled hackers to deploy malware and conduct DDoS attacks (Mirai Botnet). It’s best to disable it.

Set up a guest network

With friends and family members gathering for dinner, you may want to restrict access to your primary network where all your connected devices live.

Instead, set up a Guest network and give newcomers on the networka unique SSID and password. This way even if they have malware on their devices, your main network and your home devices are safe. You also limit their access to your personal data stored on NAS boxes or file shares exposed on the primary network.

Disable the web-based administrative interface

Granted, the administrative interface might have saved you a couple visits to your parents’ home in the past for troubleshooting, but it may allow attackers to reconfigure the device over the internet. Therefore it’s best to disable access to the interface, and turn off SSH or Telnet options for the router.

Use a VPN

Some router models allow owners to set-up a Virtual Private Network server that you can connect to from outside of the local network safely and effectively. Consider configuring an always-on VPN to conceal your IP address and get a second layer of encryption for the data you exchange over the Internet.

Get protection

Finally, the best way to ensure full protection for the entire home network is to get a trusted security solution like Bitdefender Total Security. For this year’s Cybersecurity Awareness Month, we’ve extended the free trial from 30 to 90 days. Check it out!

To help you get device care over with and get back to the dinner table, cyber-security experts at Bitdefender have prepared a maintenance checklist that you can download below:

Download the printable checklist here

Stay safe!