Oh Britain. Worried your routers will be hacked, but won't touch the admin settings

It doesn't surprise me that hackers are now going after home routers after all they are a much softer target.

It also doesn't surprise me that 53% of surveyed people haven't changed any settings on their router. These are the sort of people that just want to go onto the internet and are not bothered how it works just as long as it does.

Manufacturers need to held to account for the weak security on their routers and the quite frankly stupid default settings some of them use. Having said that the end users need to be educated as well.

I don't see why this is such a surprise.

For the vast majority of households, an ISP router is considered to be a consumer device just like a TV, stereo, or bedside alarm clock, there is no expectation that you should have to fiddle with its internal workings, it should just work and be secure.

It is only those of us who work in the IT world who take delight in replacing the ISP router with our own chosen brand, or making changes to settings, or investigate what devices are on the network.

The onus is on manufacturers or suppliers to configure the device to be secure as sent from the factory, whether by providing random passwords for each device, or other similar mechanisms.

53%

Fall into these categories:

What's a router?

My son takes care of those things.

Plug and Prayer's

People who don't read the news, fake or otherwise.

Automatic firmware updates?

Just an idea.

.

Alexa, make my local network secure.

It'll be the same people who decide it's alright to buy a house but won't change the locks because they think they have all the keys for it.

What a world we live in when people will be so worried about the possibility of their stuff being broken in to, yet won't take proactive steps to avoid it. Take responsibility for your own stuff, or don't use it. Simple.

This is the second story today on El Reg about products being shipped with insecure by default security. For devices that are intended for the consumer market, good security practices must be set as the default. Time and again, we read how consumers are not tech savy and don't know what to do (or can't be bothered) to keep themselves secure.

Default passwords etc

Personally I think 'default' passwords, admin and WiFi (and SSIDs) shouldn't even exist.

Part of the initial set up should be to force the user to log into the router/modem and put these details in themselves, with minimum standards on the complexity etc.

Even with an issue these days being that not everyone has an Ethernet enabled device, that could still be handled.

A possible option could be to have an initial, default but restricted Wifi SSID and password (and possibly a restricted Ethernet), restricted to a DMZ that only allows access to the routers admin page, and not the Internet itself.

So the user connect to new shiny router, with <any device with WiFi/Ethernet and a web browser>. And if via WiFi, uses the initial 'temp' SSID and password.

User is presented with a simple configuration web page (irrespective of what URL they typed in), that forces the user to set up a new admin password for the router, and then a new WiFi SSID and password (or to disable the WiFi if they don't want to use it).

The router doesn't enable Internet access until these steps have been completed.

If you only put in the new admin password, and don't change the WiFi SSID and password, then only Ethernet get Internet access, with any WiFi connections still being DMZ restricted to the router admin page.

Hopefully this is a good kick for the manufacturers of such kit to up their game for improved security and maintainability. Perhaps the devices should should go and fetch the latest firmware and auto-update say once a month / on each reboot. Obviously the devices would need double the flash storage to allow there to be two OS installs - one good install and one to roll forwards onto - like many other devices already do. This is not difficult to engineer in.

It sounds like there is a market today for local IT people to offer a service to improve people's home network security given that most just plug in kit and turn it on like any other device they buy on the high street Internet. This could be simple upgrades, change the passwords or more involved such as the use of open source firmware alternatives such as dd-wrt, OpenWrt or LEDE as a way of improving functionality and security at the same time.

In the near future, it will be much more difficult or impossible to use your own router.

Some telcos when installing fibre also move your telephones on it (yes, someone still uses landphones because there are good reasons for phones tied to a location instead of people...), and thereby install their router which also acts as a voice router - and you're bound to use it.

Of course you can always install a firewall and other separate devices (i.e. APs) to isolate your internal network from the router, but it's even more complex for most users.

Release the Hounds!

Why not provide some motivation.

Release a variant of Miria that allows the user to only access one site. That site tells them, that to regain internet access they must update their device and reset the admin password. Device's will continue to get infected until this is done.

Call it Miria the Hound and Release the Hounds!

Most consumer ISPs and providers of any turnkey service have a problem: A significant number of their customers are of limited financial means and buy based on the advertising of how cheap they can have broadband for. If you're on a contractor daily rate, you are quite possibly buying on quality rather than price and can afford a premium router. I have many friends on zero hour contracts who are struggling to get by and for whom buying an expensive router isn't an option.

For ISPs engaged in the race to provide "the cheapest broadband in Britain" there is obvious pressure to keep their subscriber base up and overheads down. They don't want the support overhead of large numbers of support calls. Some, such as IIRC Sky, make it a condition of service that the subscriber uses their supplied router because the remote admin capabilities speed up fault resolution which, for the most part, gives shorter support calls and happier average customers. In this competitive sector, you just don't want customers writing all over Mumsnet/Facebook/Twitter how difficult it was to get your broadband working.

I bought myself a Netgear R8000 router to replace my aged one and the new-user experience was one I wish would be replicated by all makers. The router was turned on and connected to my broadband. The first time I opened a web browser and accessed a non-https site, I was redirected to the router setup web app where it looked at the incoming network to check if it was behind another router and set itself up with sensible defaults for the environment. I was then forced to change the admin password. It then invited me to change my wireless SSIDs and passwords. It was so easy.

The R8000 is a premium router with a lot of flash to put software in. It has room for all this stuff as well as being a good candidate for open source firmware. With the pressure makers must be under to sell bargain-basement ISPs their devices in bulk at the cheapest possible price, I'm not holding my breath for the day they start shipping more capable devices rather than cutting costs for something that the average customer won't notice, unless they are made to build to a security standard by law.

Not just home users taking poor care with routers

I was visiting small software company recently (hence AC) - they had changed wifi password to one of their own choosing as you would expect

... however their visible wifi SSID began "buffalo" - i.e. it was using default router SSID which gave big hint to make / model of router allowing bad actor to search for known vulnerabilities for that device.

Someone really should have known better (I did express my surprise at default SSID in passing)

I consider myself to be tech savvy (been a sysadmin for almost 25 years) and yet I'm reluctant to update consumer-grade firmware for fear of bricking it, as the UI's on said devices appear to have been coded by someone for whom English is a 3rd language and only started coding after scanning through a programming book while on the loo last weekend.

Sounds about right. If I do a Wi-Fi scan in my flat mine is the only router that isn't Sky-XSDSD or TalkTalk-blah etc.

53% surprises me and it makes me question the reliability of the survey. I would have expected this number to be more like 90% if not higher than that. I bet I could knock on every house on my street and not one person would even know how to access their router even if they wanted to. I bet not one of them would have heard of Mirai or know what DDoS means.

It's up to the router manufacturers and ISPs (if they are managing the routers using tr069 or similar) to handle this, the consumers will most definitely not do it.

Lack of support from providers

I see little to no shock here.

The largest 6 broadband providers all ship their own devices. They do not provide any support for customer performing any configuration that is not default, i.e. factory reset or auto-configured from sources such that the providers TR069 solution.

Change a password, add a port forward rule, change the wireless channel or password, any hint that the shade of green the LED looks a little odd, it's suddenly an unsupported device and must be factory reset.

This sort of thing puts most people off even trying to make such changes. The providers don't equip the support teams with information that would even try to help customers make such changes. Why? Well that would cause call times to increase, and they really don't want you phoning to begin with.

Manufacturers need to do the right thing

How are next doors teenager going to get in without knowing the initial SSID and password?

SERIOUSLY??? If it is setup and uses the factory defaults, they will get in pretty damn easily. Mr Google will give you the default passwords for any WAP name that you enter into it's cavernous search jaws.

Most seem to be concerned about their Wi-Fi being freely used neighbours. Being a paranoid twat, I am more concerned with the likes of kiddie porn being downloaded through my Internet connection. It can be very difficult trying to prove that no, "I did not download those despicable files". Where I live, if it comes through your connection then you are guilty till you prove yourself innocent. Seems like a real good reason to change password and security key(s) to me. I have 63 characters in my WAP and I wish I could at least double that. See, told you I was a paranoid twat.

ISPs should find a way to block out routers that have the default password enabled and block the user until they change it.

It's been quite a few years since router manufacturers forced you on first usage to change the default password. So any of these older ones are unsupported by now and probably don't even have the latest firmware.

I was happy to see my new TP-Link Archer C2600 force me to not only change my password but also the default name [from "admin"].

Not always

The last two ISP's I used (eu countries), had obscure WAN passwords (ie I had to get the file out of the filing cabinet to enter it after a reset) and equally obscure wifi password, so its doable.

Non ISP routers have in the main easy peasy passwords and wifi with no crypto, however

the router from a well known asian company with a terracotta army has a really obscure password.

Most of the routers with easy peasy passwords seem from companies in the land of the free, but made of course in a large asian country. Lazy spring's to mind.

Home Router Security, and Any Router Security

When you first purchase your router the very first thing you do is change the main admin password. When turning on the WiFi section you also change the password for the WiFi access. You restart the router and log back in again under the new password. Now you can complete whatever setups necessary.

Most users use the default passwords from the time they buy their router. They figure since nobody knows their system exists along with the many millions of others there should not be an issue. It is true your system may not be discovered until one main exception. If you somehow install a malicious software from opening an attachment or visiting an infected web page, that malicious software may be the type that steels information for theft of information, and or to take over the user's network to use it for its own distribution or whatever.

Most of the time systems get a Trojan or malicious software because they let it in somehow. One of the most common ways is from opening unsolicited emails that contain executable code in its attachment or its main content (hidden code). Email programs are supposed to be protected against auto execution, but when the user opens a malicious attachment they are inadvertently allowing it to run. There is only so much capability the protection can offer. Common sense and understanding is a very important aspect of using a computer.

Downloading and installing infected programs is another common way malicious software gets in to systems. There is also visiting infected web pages, and especially clicking on the banners and links out of curiosity.