We present a series of practical tips to improve the security of your WiFi and router.
When the security of the WiFi router is compromised, both the personal information stored on devices connected to the local network and the data those devices send and receive are at risk. This happens more often than one might think, and some users may not realize it, at least until it is already too late. It is therefore important to know which aspects deserve real concern and which, on the other hand, should not be treated as an alarm bell at all.
For the security of your WiFi and your local network, the choice of router is obviously essential: buy a router designed and built by a reliable networking-equipment vendor that offers long-term support, above all in the form of new firmware updates. In another article we have explained when it is preferable to change routers: the end of support for the router, with the suspension of security updates (new firmware versions), and even more so the presence of known vulnerabilities, are among the main reasons that should lead you to set aside an old device (or, better still, to replace the original firmware with a “custom” version such as DD-WRT, provided that the router model is still supported, thus also helping to reduce WEEE waste…).
Remote management of the router, web interface and mobile applications
For some time now we have been seeing a trend that is increasingly establishing itself among router manufacturers, or rather, one that manufacturers are imposing on end users from above.
Historically, the router has always been managed and configured through the web administration interface exposed on the local network by the device itself. The web interface typically responds on port 80 (HTTP) or 443 (HTTPS) and can be reached by typing the router’s private IP address into the address bar of your favorite web browser.
In another article we saw how to change the WiFi password on the router: the procedure for logging into the router’s web interface, or administration interface, is as a rule exactly the one described there.
The fact is that for some years now more and more router manufacturers have been urging users to configure their routers through a mobile-device application. Under pressure from a new generation of users who generally lack patience and are not interested in using a computer, many networking vendors have developed and started distributing a mobile app for managing their routers, as an alternative or a supplement to the web interface. More recently the hand has been “forced”, and for some router models the mobile app tends to become the only available way to configure and manage the device.
The app relies on a cloud infrastructure made available by the router manufacturer and lets you manage the device from a smartphone or tablet, even remotely, without being connected to the network via WiFi. Since a server belonging to the router manufacturer acts as an intermediary, it is not necessary to open any port on the router and expose it to the Internet (WAN side).
The router thus becomes remotely administrable, and all configuration settings become immediately accessible, wherever you are, locally or remotely, through a compact and versatile graphical interface, that of the mobile app. Is that all good? In our opinion, absolutely not.
The router you buy is yours: you paid for it, and in some cases even handsomely. You should therefore be perfectly able to use it without any binding obligation to the supplier. Yet some router manufacturers, at least for certain models, push the mobile app very hard. Why? Because, while on the one hand it ensures the simplicity and convenience of managing the router from a mobile device, on the other it lets them gather information on how the device is used and potentially extract profitable data that profiles user habits and the activities they perform most frequently.
Using a mobile app that requires a login activated at the manufacturer implies that those using these solutions do not really own their network.
In addition to the obvious privacy implications, the question also matters a great deal for security. Who can rule out that the router manufacturer’s servers will be compromised? And when that happens, a third party could poke their nose into other people’s networks from a distance. It has already happened: a quick search on the net will turn up such cases, and similar incidents will probably happen again in the future.
Let’s clear up the misconceptions: mobile router management apps aren’t the “devil.” Indeed, they simplify the management of the router when a PC cannot be used. They pose no potential security or privacy problems, however, only if they connect to the router locally (that is, if they can only be used within the LAN and not remotely through an account created on the manufacturer’s servers…). Asus is one of the few vendors that provides an app (called Asus Router) which works locally without a login. It is an exception compared to other vendors, and a choice that we particularly appreciate.
Some manufacturers even tend to hide the possibility of accessing the web interface: in most cases it is still there and usable with the credentials printed on the label attached to the bottom or back of the router.
Most routers additionally offer so-called remote management, an optionally enabled function that lets you manage the device remotely, over the Internet, by connecting to the public IP address assigned to the router by the telecommunications operator. Remote management is one of those functions that should be kept disabled (unless you explicitly list the IP addresses entitled to connect remotely; those addresses must be static).
By enabling remote management on the router, one or more ports are opened and exposed on the WAN side: it is true that the router requires authentication for access, but there are countless cases of vulnerabilities that allow the login page to be bypassed without knowing the correct username and password.
A telling example is Netgear’s little-publicized decision, starting in 2021 with some firmware versions for its routers and WiFi mesh systems, to permanently and “officially” remove remote management on all units where the function was disabled at the time of the update. As can be seen in the firmware release notes: “Removes the remote management feature from the router web interface (if disabled at time of update) to improve router security”.
In general, therefore, it is better to prefer the router’s web management interface, unless the supplied mobile app can be used without external user accounts. It is also preferable to keep remote management of the router disabled.
Admin password and WiFi password
Each router ships with a default username and password for accessing the web interface. These credentials should always be changed to custom ones.
In any case, make sure that the router’s administrative password is difficult to guess and, above all, different from the WiFi password.
A WiFi network usually presents itself to nearby devices with a name, the SSID (Service Set IDentifier): this name need not be a secret. Anyone who tells you that hiding the SSID makes a WiFi network secure does not know the subject well: detecting the presence of a WiFi network that does not broadcast its SSID is trivial. Hiding the SSID cannot be considered a valid security measure.
When it comes to the WiFi password, what matters is keeping it secret. Some argue that security should not be associated with the complexity of the password used to protect a WiFi network. In reality this is not exactly true: Mathy Vanhoef is a well-known computer security researcher who discovered several vulnerabilities in WiFi protocols, including KRACK (Key Reinstallation Attack), Dragonblood and FragAttacks against the WPA2 and WPA3 security protocols. More recently, Vanhoef discovered a new flaw in the WiFi standards that allows network traffic to be hijacked.
Over the years, Vanhoef has recommended long and complex passwords as an important security measure for protecting WiFi networks. In particular, he pointed out that weak passwords are one of the most common ways for attackers to gain access to a WiFi network, and that using a strong, complex password makes it much harder for attackers to guess it and get into other people’s networks. Are strong passwords harder to type on printers, smart TVs and mobile devices? True, but using them really helps. And at least for smartphones and tablets there are QR codes, which make it easy to retrieve the network security key and quickly enter it on the various devices that need to connect to the WiFi.
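The two pieces of advice above, a long random WPA passphrase and a QR code to hand it to devices, can be combined in a few lines. The following is an added example, not code from the original article: it generates a random passphrase, estimates its entropy, and builds the text encoded in a standard WiFi QR code, correctly escaping the characters that would otherwise break the payload. The sample SSID and key are constructed values.

```python
import math
import secrets
import string

# Characters that the WIFI: QR payload format (the one read by Android and
# iOS camera apps) requires to be backslash-escaped inside SSID and password.
QR_SPECIAL_CHARS = '\\;,":'

# Alphabet for generated passphrases: letters and digits only, so the key can
# still be typed on a TV remote or printer keypad when QR scanning is not an option.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits


def escape_qr_field(value: str) -> str:
    """Backslash-escape the characters that delimit fields in a WIFI: payload."""
    return "".join("\\" + ch if ch in QR_SPECIAL_CHARS else ch for ch in value)


def wifi_qr_payload(ssid: str, password: str, auth: str = "WPA") -> str:
    """Build the text encoded in a WiFi QR code.

    auth is "WPA" (covers WPA2/WPA3-Personal), "WEP" or "nopass".
    The hidden-SSID flag (H:true) is deliberately not emitted: hiding the SSID
    is not a security measure, so there is no reason to complicate scanning.
    """
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("auth must be WPA, WEP or nopass")
    if auth == "nopass":
        return f"WIFI:T:nopass;S:{escape_qr_field(ssid)};;"
    return f"WIFI:T:{auth};S:{escape_qr_field(ssid)};P:{escape_qr_field(password)};;"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def generate_wifi_passphrase(length: int = 20) -> str:
    """Return a cryptographically random WPA passphrase (8 to 63 characters)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    key = generate_wifi_passphrase(20)   # constructed sample, not a real network key
    bits = entropy_bits(len(key), len(PASSPHRASE_ALPHABET))
    print(f"passphrase: {key}  (~{bits:.0f} bits of entropy)")
    print(wifi_qr_payload("Casa;Rossi", key))  # SSID with a ';' to show escaping
```

Feed the printed payload to any QR generator (for instance the `qrcode` Python package) and phones will join the network without anyone typing the 20-character key.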
What happens if an unauthorized user gains access to WiFi
If an unauthorized person somehow manages to connect to someone else’s WiFi network by passing the authentication procedure, they can potentially access the resources shared on the local network. First of all, they can see which devices are connected to the WiFi network or to the router (via Ethernet cable, for example), check which services are listening on the various ports of each host on the LAN, try to exploit security vulnerabilities in operating systems, services and applications to reach confidential information and sensitive data, and directly access shared resources on the local network that are unprotected or protected with weak algorithms. We have talked, for example, about pass-the-hash and pass-the-ticket attacks in the case of enterprise Active Directory deployments.
Enable the guest WiFi network
To separate the clients of occasional users who need temporary network access from the actual LAN, and therefore from your own infrastructure, it is important to use the guest WiFi networks that can be enabled on the router.
They can be given a WiFi password completely different from the one used on the main network. The important thing is to carefully verify that clients connected to the guest WiFi network are actually isolated from the main LAN.
In another article we saw that some guest WiFi networks are isolated only on paper and that, in practice, the clients connected to them can “see” the devices on the main network. Heaven help us!
Update the firmware promptly
Firmware is the software that runs on the router: it includes the operating system (often based on the Linux kernel) and governs the operation of the device, including how it manages the connection, its security, and the configuration of the network settings. The firmware is responsible for many of the router’s basic and advanced functions; for this reason it often receives…