There is an undervalued and critical piece of equipment in almost any home in any advanced country – an internet router. This thing is big business because every home and business needs one (although the ones for business are slightly different and better) to get online… AND most people are now online in most advanced countries.
So to recap, every home has a little piece of equipment that gives people access to the internet. As you can imagine, in this current world of hackers, the NSA and pervasive cyber security threats, the router is like a golden key. If you can exploit it, you basically can control what a person who is using it to browse on an iPad, play a game or watch Netflix…can do. You can do real damage to the security of a home if you can exploit the router.
The router itself tends to be basically a small Linux PC configured to get traffic to the internet for all your devices, wired or wireless. As such, it can become vulnerable to emerging security threats and viruses and, just like your PC, it needs to be occasionally updated and refreshed. So let me ask the internet: how many times do you think regular Joe and Jane Blow update their router? Well look, your guess is as good as mine, but basically I think it’s very little. In this case, the aphorism “out of sight, out of mind” pretty much applies. One of the first things I check when I go to the homes of family is whether their router has a default SSID, default password and default settings. And if it does, I change them.
This is because the defaults are toxic – anyone who is familiar with defaults can get in and subvert the internet access of your entire household. And trust me, all the default passwords are just a Google search away.
You know that old prayer…? “….God grant me the wisdom to know the difference.” Ordinary people will not be fussed with updating their routers. This is a simple back calculation from the fact that ordinary people don’t update their personal computers either (so much so that Microsoft and Apple try to just configure them to update themselves without intervention). So they will definitely not update something sitting in their basement room somewhere. But all these millions of routers collectively are the foundation of home internet use security. So what to do?
Just like OS and PC makers, router manufacturers need to take some responsibility for making their customers, and as a result the internet, secure by default. This is the only way. If you agree with this premise, we then need something like a set of rules that will govern this new (and logical) responsibility. A consumer router bill of rights, if you wish. I’ve basically divided these common sense rules into 2 categories – smart defaults and automatic updates.
Router bill of rights:
- Auto update – update firmware when available
  The microcode that drives the hardware of a router will occasionally need to be updated, either because of new wireless standards or to fix bugs in the hardware, such as in the implementation of wireless standards and other link layer protocols. A side effect of this capability is that a router can stay in service longer, because it scales to new standards for customers.
- Auto update – update the router OS automatically
  Most of the functionality in a router is in the software at this point. And this software just needs to be updated automatically to cover software vulnerabilities and updates. This update has to be seamless and automatic and require no user intervention.
- Auto update – auto security updates as often as needed
  Most operating systems have regular security updates. For example, Microsoft releases updates every Tuesday. Routers should have a similar automatic security update regime.
- Smart defaults – randomize admin passwords
  One of the biggest problems with routers is that customers don’t change the default router password. And these defaults are well documented on the internet. Access to the router usually means game over for the computers on your home network. The fix is simple – in the same way that WPS PINs are unique, router passwords should be unique by default. The user can then update the password. Or not. But the likelihood that they will be compromised will be much, much less.
- Smart defaults – no remote access
  Under no circumstances should an internet router have remote access over the internet enabled by default. Period.
- Smart defaults – no information leakage
  Information about the router should be obfuscated as much as possible – it should not return ping UDP packets. It should not expose router manufacturer and model information. Maybe even do some MAC address obfuscation…
- Smart defaults – best encryption, best wireless security by default
  Wireless security usually has 2 layers – the security protocol and the encryption regime. Routers should have the strongest on by default.
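The smart-default rules above can be written down as a provisioning step plus a settings check. This is an added example, not code from this post or from any router vendor; the settings keys, the ACME SSID prefix, the mode labels and the sample values are all constructed for illustration.

```python
import secrets

# Every name below (settings keys, sample values, the ACME prefix, the mode
# labels) is constructed for this example, not a vendor's schema.
# Look-alike characters (0/O, 1/l/I) are left out so a printed label can be typed.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
DOCUMENTED_DEFAULTS = {"", "admin", "password", "1234"}
VENDOR_SSID_PREFIXES = ("acme-",)  # hypothetical manufacturer
MODE_RANK = {"open": 0, "wep": 1, "wpa-tkip": 2, "wpa2-aes": 3, "wpa3-sae": 4}


def factory_password(length=16):
    """Unique admin password per device, drawn from the OS CSPRNG.

    Nothing is derived from the MAC address or serial number, which anyone
    near the device can observe.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit(settings, supported_modes):
    """Return the smart-default rules that one router's settings violate."""
    findings = []
    if settings["admin_password"].lower() in DOCUMENTED_DEFAULTS:
        findings.append("admin password is a documented default")
    if settings["remote_admin"]:
        findings.append("remote administration is enabled")
    if settings["ssid"].lower().startswith(VENDOR_SSID_PREFIXES):
        findings.append("SSID reveals the manufacturer")
    # Strongest mode the hardware offers, by the assumed ranking above.
    best = max(supported_modes, key=MODE_RANK.__getitem__)
    if settings["wifi_security"] != best:
        findings.append(f"wireless security is {settings['wifi_security']}, not {best}")
    return findings


# Constructed sample settings: one with toxic defaults, one provisioned well.
SUPPORTED = ["wep", "wpa-tkip", "wpa2-aes"]
AS_SHIPPED = {"admin_password": "admin", "remote_admin": True,
              "ssid": "ACME-1234", "wifi_security": "wep"}
PROVISIONED = {"admin_password": factory_password(), "remote_admin": False,
               "ssid": "home-" + secrets.token_hex(3), "wifi_security": "wpa2-aes"}

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("provisioned", PROVISIONED)):
        print(name, audit(cfg, SUPPORTED) or "ok")
```

With the default length of 16 characters from a 54-character alphabet, each password carries roughly 92 bits of entropy.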
There are probably a few more rules we can add to these, but these are the main ones. Can you think of any important ones that I missed? Send them to me at oji@udezue.com.