back to article Oh Britain. Worried your routers will be hacked, but won't touch the admin settings

Recent Mirai-style attacks against home broadband routers have had some effect but the majority of users have failed to act. A survey of 2,000 broadband users found the majority (53 per cent) have not changed the Wi-Fi password and other default settings, potentially opening themselves up to attack. The poll by ISP comparison …

  1. Paul Crawford Silver badge

    Why the surprise?

    If you said 53% of El Reg readers had done nothing, I would be shocked.

    To find out that the majority of Joe Public have little knowledge or interest in *how* they access the internet is really no big surprise. This is where the law should be hitting the suppliers of piss-poor security devices, but somehow they all get out on EULA style arguments.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why the surprise?

      Totally agree; roughly one person in six understanding the jargon of home router/access point interfaces sounds about right - surprisingly high if anything. And also with this from the article:

      it feels as if routers haven’t been designed with your average consumer in mind. Usability is generally poor, and changing something as simple as a Wi-Fi password can require you to go through multiple pages and acronyms.

    2. Simon Harris Silver badge

      Re: Why the surprise?

      Not guilty of not setting my own password, but guilty of forgetting the router reverts to the default after a factory reset (oops).

      Fixed now but it was running default settings for a few days. Need a red face icon!

  2. adam payne Silver badge

    It doesn't surprise me that hackers are now going after home routers after all they are a much softer target.

    It also doesn't surprise me that 53% of surveyed people haven't changed any settings on their router. These are the sort of people that just want to go onto the internet and are not bothered how it works just as long as it does.

    Manufacturers need to held to account for the weak security on their routers and the quite frankly stupid default settings some of them use. Having said that the end users need to be educated as well.

  3. Alister Silver badge

    I don't see why this is such a surprise.

    For the vast majority of households, an ISP router is considered to be a consumer device just like a TV, stereo, or bedside alarm clock, there is no expectation that you should have to fiddle with its internal workings, it should just work and be secure.

    It is only those of us who work in the IT world who take delight in replacing the ISP router with our own chosen brand, or making changes to settings, or investigate what devices are on the network.

    The onus is on manufacturers or suppliers to configure the device to be secure as sent from the factory, whether by providing random passwords for each device, or other similar mechanisms.

    1. Pete 2 Silver badge

      the cost of doing the right thing

      Yes, and it's not helped by the jargon-packed menus full of meaningless options and the fear of borking the whole, fragile, mess.

      And when your ISP threatens to charge you £60 to send and enginneer round, if the fault isn't on the line, you can see why people do nothing.

      Hmmm, "a possible £60 charge, or leave the thing with loopholes that I don't understand" you can see why it happens.

      Now if some watchdog or other could persuade the ISPs that buggy configurations and security lapses were their responsibility ... they'd probably lock them down so tight you couldn't get in with a pneumatic drill.

  4. chivo243 Silver badge

    53%

    Fall into these categories:

    What's a router?

    My son takes care of those things.

    Plug and Prayer's

    People who don't read the news, fake or otherwise.

  5. Anonymous Coward
    Anonymous Coward

    Automatic firmware updates?

    Just an idea.

    1. Anonymous Coward
      Anonymous Coward

      Re: Automatic firmware updates?

      Making something so critical automated would be asking for trouble. e.g. Requiring remote admin privileges (larger attack surface), possibility of power outage during the update, average non-tech savvy users annoyed at the random connectivity outage whilst it updates.

      1. Paul Crawford Silver badge

        Re: Automatic firmware updates?

        All are or have been solved. Signed updates? Yup, already done in all serious OS and no need for remote admin capabilities. Even Windows can do that.

        Avoid crashing mid-update? Can be done so long as you have enough disk/flash to store the system image twice - create new system in the 'spare' half and finally swap the entry point as an atomic operation, that way you either boot to new or to old, but never to something half-arsed.

        Or with less space have a simple boot loader that at least allows recovery from local file and is not updated so low risk of corruption.

  6. Anonymous Coward
    Anonymous Coward

    .

    Alexa, make my local network secure.

    1. LDS Silver badge

      Re: .

      "You cannot navigate outside Amazon now"

  7. Doctor_Wibble
    Holmes

    Plug'n'Play, sold like toasters...

    As per other remarks, routers are provided as plug-and-play boxes to make your internet go, not as a protection or control of any kind, so it's not surprising nobody bothers.

    People think they won't be a target, or they never open those emails or visit those sites, and maybe the rest of us are at fault for not nagging our non-technical friends to do that one password change.

    Never mind ISPs doing remote management with predictable passwords, not narrowing down the list of permitted addresses, etc...

  8. wolfetone Silver badge

    It'll be the same people who decide it's alright to buy a house but won't change the locks because they think they have all the keys for it.

    What a world we live in when people will be so worried about the possibility of their stuff being broken in to, yet won't take proactive steps to avoid it. Take responsibility for your own stuff, or don't use it. Simple.

  9. A Non e-mouse Silver badge

    This is the second story today on El Reg about products being shipped with insecure by default security. For devices that are intended for the consumer market, good security practices must be set as the default. Time and again, we read how consumers are not tech savy and don't know what to do (or can't be bothered) to keep themselves secure.

    1. Commswonk Silver badge

      Time and again, we read how consumers are not tech savy and don't know what to do

      By what means would the average consumer* realise that their router was insecure? By what line of reasoning is it realistic to conclude that consumers ought to know that they need to be tech savvy? If they were all that tech savvy then we wouldn't need IT experts.

      It's very difficult to blame the consumer without also blaming patients that they don't have the medical knowledge to do a proper self - diagnosis and write their own prescriptions.

      * I suspect the average consumer does not inhabit these pages...

      1. Alister Silver badge

        consumers are not tech savy

        I think you are quoting A Non e-mouse out of context here, I don't think he's blaming the consumer.

        What I understood him to be saying is that because consumers are not tech savy and don't know what to do, it is up to the ISP or device manufacturer to ensure that the device is secure by default.

        1. A Non e-mouse Silver badge

          Re: consumers are not tech savy

          @Alister - you are correct, that was my intention. Have an upvote.

  10. Boothy

    Default passwords etc

    Personally I think 'default' passwords, admin and WiFi (and SSIDs) shouldn't even exist.

    Part of the initial set up should be to force the user to log into the router/modem and put these details in themselves, with minimum standards on the complexity etc.

    Even with an issue these days being that not everyone has an Ethernet enabled device, that could still be handled.

    A possible option could be to have an initial, default but restricted Wifi SSID and password (and possibly a restricted Ethernet), restricted to a DMZ that only allows access to the routers admin page, and not the Internet itself.

    So the user connect to new shiny router, with <any device with WiFi/Ethernet and a web browser>. And if via WiFi, uses the initial 'temp' SSID and password.

    User is presented with a simple configuration web page (irrespective of what URL they typed in), that forces the user to set up a new admin password for the router, and then a new WiFi SSID and password (or to disable the WiFi if they don't want to use it).

    The router doesn't enable Internet access until these steps have been completed.

    If you only put in the new admin password, and don't change the WiFi SSID and password, then only Ethernet get Internet access, with any WiFi connections still being DMZ restricted to the router admin page.

    1. Commswonk Silver badge

      Re: Default passwords etc

      with any WiFi connections still being DMZ restricted to the router admin page.

      So that next door's teenager can set it up for you without your knowledge, I assume.

      1. Whiskers

        Re: Default passwords etc

        The 'next door teenager' aspect could be ameliorated by disabling the WiFi completely unless reconfigured via ethernet. That wouldn't apply to routers that have no ethernet connection available, of course, but then whoever gets to those first becomes the owner. A factory reset would give the person holding the device another chance to set it up themselves. Perhaps running the wifi at 'low power' and with a limit of 'one connected device only' until set up would give the purchaser a good chance of being the first one into the setup interface. Staff in shops selling the routers should be trained to be able to help innocent customers get started safely (I know that's unlikely to happen in reality).

        1. Anonymous Coward
          Anonymous Coward

          Re: Default passwords etc

          The 'next door teenager' aspect could be ameliorated by disabling the WiFi completely unless reconfigured via ethernet.

          Good thing all mobile phones, tablets and laptops feature Ethernet built-in then isn't it?

          Ohh.

      2. Boothy

        Re: Default passwords etc

        Quote: "So that next door's teenager can set it up for you without your knowledge, I assume."

        How are next doors teenager going to get in without knowing the initial SSID and password?

        1. Commswonk Silver badge

          Re: Default passwords etc

          The 'next door teenager' aspect could be ameliorated by disabling the WiFi completely unless reconfigured via ethernet. That wouldn't apply to routers that have no ethernet connection available, of course, but then whoever gets to those first becomes the owner. A factory reset would give the person holding the device another chance to set it up themselves. Perhaps running the wifi at 'low power' and with a limit of 'one connected device only' until set up would give the purchaser a good chance of being the first one into the setup interface. Staff in shops selling the routers should be trained to be able to help innocent customers get started safely

          I apologise for quoting the above more or less in full but it really does show a good way ahead. Personally I wouldn't touch a router that had no Ethernet connection; it is what I use at home and the first thing I look for if we are away in a holiday let with wifi; part of my "kit" includes a 5 metre Ethernet lead.

          That aside, my router has a couple of buttons used for occasional use for wifi setting up; for routers without Ethernet one of these could be configured to enable wifi set up when pressed (say twice) to prevent or at least minimise the risk of unauthorised intervention.

          While changing the admin password etc on my router is straightforward, there are some things that most certainly are not. The prime example is setting up the USB socket for shared memory on the rear; getting that working on this PC (XP) and my Win7 laptop (with or without Ethernet) was a monumental PITA; the "instructions" supplied with the router were no help whatsoever and the on - line "help" only marginally better. I did get there in the end but it was a profoundly unsatisfactory experience. Perhaps my router (no names no pack drill) is an exception but decent complete & accurate printed user instructions would be a major step in the right direction.

          How are next doors teenager going to get in without knowing the initial SSID and password?

          As the subject is "insecure by default routers" I think that is the answer; the same way as anyone else could hack it.

          And that's quite enough for now...

  11. Dwarf Silver badge

    Hopefully this is a good kick for the manufacturers of such kit to up their game for improved security and maintainability. Perhaps the devices should should go and fetch the latest firmware and auto-update say once a month / on each reboot. Obviously the devices would need double the flash storage to allow there to be two OS installs - one good install and one to roll forwards onto - like many other devices already do. This is not difficult to engineer in.

    It sounds like there is a market today for local IT people to offer a service to improve people's home network security given that most just plug in kit and turn it on like any other device they buy on the high street Internet. This could be simple upgrades, change the passwords or more involved such as the use of open source firmware alternatives such as dd-wrt, OpenWrt or LEDE as a way of improving functionality and security at the same time.

    1. Anonymous Coward
      Anonymous Coward

      It sounds like there is a market today for local IT people to offer a service to improve people's home network security

      If they CBA to change a router password, will the great unwashed understand advertising offering to "fix" their security, will they care enough to pick up the phone to arrange a visit, and will they then pay any reasonable tab?

      What's your basic cost to serve? Customer acqusition costs, travel and broken appointments are real killers, even if you could do the job (including social niceties) in half an hour. As a benchmark, gas fitters don't live lives of luxury, yet need to charge about £70-120 for forty minutes work that involves nothing more than a basic safety check and whip round the boiler with a hoover. I can't see many people paying that sort of money for an "internet security check".

      1. tiggity Silver badge

        The gas engineers I know are not poor e.g. one is (sole) owner of a light aircraft & he can afford the fuel to fly it regularly.

        Work to learn the skills initially (& then a smaller bit of ongoing effort keep up with changing tech & regs) but a nice earner once you have your certification.

        Cold snap emergency callout time of year can often lead to eye watering quotes for a visit as demand is really high as cold snaps are when heating issues often become apparent.

  12. LDS Silver badge

    In the near future, it will be much more difficult or impossible to use your own router.

    Some telcos when installing fibre also move your telephones on it (yes, someone still uses landphones because there are good reasons for phones tied to a location instead of people...), and thereby install their router which also acts as a voice router - and you're bound to use it.

    Of course you can always install a firewall and other separate devices (i.e. APs) to isolate your internal network from the router, but it's even more complex for most users.

  13. Mahhn

    Release the Hounds!

    Why not provide some motivation.

    Release a variant of Miria that allows the user to only access one site. That site tells them, that to regain internet access they must update their device and reset the admin password. Device's will continue to get infected until this is done.

    Call it Miria the Hound and Release the Hounds!

    1. Anonymous Coward
      Anonymous Coward

      Re: Release the Hounds!

      Because that's just as illegal as releasing the original malware, and would very likely land the developers in front of a judge.

  14. Paul Stimpson

    Most consumer ISPs and providers of any turnkey service have a problem: A significant number of their customers are of limited financial means and buy based on the advertising of how cheap they can have broadband for. If you're on a contractor daily rate, you are quite possibly buying on quality rather than price and can afford a premium router. I have many friends on zero hour contracts who are struggling to get by and for whom buying an expensive router isn't an option.

    For ISPs engaged in the race to provide "the cheapest broadband in Britain" there is obvious pressure to keep their subscriber base up and overheads down. They don't want the support overhead of large numbers of support calls. Some, such as IIRC Sky, make it a condition of service that the subscriber uses their supplied router because the remote admin capabilities speed up fault resolution which, for the most part, gives shorter support calls and happier average customers. In this competitive sector, you just don't want customers writing all over Mumsnet/Facebook/Twitter how difficult it was to get your broadband working.

    I bought myself a Netgear R8000 router to replace my aged one and the new-user experience was one I wish would be replicated by all makers. The router was turned on and connected to my broadband. The first time I opened a web browser and accessed a non-https site, I was redirected to the router setup web app where it looked at the incoming network to check if it was behind another router and set itself up with sensible defaults for the environment. I was then forced to change the admin password. It then invited me to change my wireless SSIDs and passwords. It was so easy.

    The R8000 is a premium router with a lot of flash to put software in. It has room for all this stuff as well as being a good candidate for open source firmware. With the pressure makers must be under to sell bargain-basement ISPs their devices in bulk at the cheapest possible price, I'm not holding my breath for the day they start shipping more capable devices rather than cutting costs for something that the average customer won't notice, unless they are made to build to a security standard by law.

  15. Anonymous Coward
    Anonymous Coward

    Not just home users taking poor care with routers

    I was visiting small software company recently (hence AC) - they had changed wifi password to one of their own choosing as you would expect

    ... however their visible wifi SSID began "buffalo" - i.e. it was using default router SSID which gave big hint to make / model of router allowing bad actor to search for known vulnerabilities for that device.

    Someone really should have known better (I did express my surprise at default SSID in passing)

    1. wyatt

      Re: Not just home users taking poor care with routers

      Changing the SSID doesn't achieve much, you can run the MAC address though the internet and it'll tell you the manufacturer.

  16. thomn8r

    I consider myself to be tech savvy (been a sysadmin for almost 25 years) and yet I'm reluctant to update consumer-grade firmware for fear of bricking it, as the UI's on said devices appear to have been coded by someone for whom English is a 3rd language and only started coding after scanning through a programming book while on the loo last weekend.

    1. Barry Rueger Silver badge

      A very important point. A lot of people have had a device borked by a bad upgrade - Anniversary anyone ? - and not unreasonably conclude that upgrades should be avoided as long hardware seems to work OK.

  17. Ol'Peculier

    Sounds about right. If I do a Wi-Fi scan in my flat mine is the only router that isn't Sky-XSDSD or TalkTalk-blah etc.

  18. Paul Hayes

    53% surprises me and it makes me question the reliability of the survey. I would have expected this number to be more like 90% if not higher than that. I bet I could knock on every house on my street and not one person would even know how to access their router even if they wanted to. I bet not one of them would have heard of Mirai or know what DDoS means.

    It's up to the router manufacturers and ISPs (if they are managing the routers using tr069 or similar) to handle this, the consumers will most definitely not do it.

    1. Commswonk Silver badge

      I bet I could knock on every house on my street and not one person would even know how to access their router even if they wanted to. I bet not one of them would have heard of Mirai or know what DDoS means.

      Any why should they exactly? I doubt if many doctors who asked their neighbours what ankylosing spondylitis was would find many who knew the answer without looking it up. I wouldn't expect my neighbours to know what an EEPROM is but it would reflect badly on me for expecting them to know, not badly on them for not knowing.

      As it happens I agree with your assertion that it should be up to the router manufacturers to produce properly secure equipment with sensible written instructions, but I'm not going to hold my breath.

  19. Anonymous Coward
    Anonymous Coward

    Lack of support from providers

    I see little to no shock here.

    The largest 6 broadband providers all ship their own devices. They do not provide any support for customer performing any configuration that is not default, i.e. factory reset or auto-configured from sources such that the providers TR069 solution.

    Change a password, add a port forward rule, change the wireless channel or password, any hint that the shade of green the LED looks a little odd, it's suddenly an unsupported device and must be factory reset.

    This sort of thing puts most people off even trying to make such changes. The providers don't equip the support teams with information that would even try to help customers make such changes. Why? Well that would cause call times to increase, and they really don't want you phoning to begin with.

  20. JJKing Bronze badge

    Manufacturers need to do the right thing

    How are next doors teenager going to get in without knowing the initial SSID and password?

    SERIOUSLY??? If it is setup and uses the factory defaults, they will get in pretty damn easily. Mr Google will give you the default passwords for any WAP name that you enter into it's cavernous search jaws.

    Most seem to be concerned about their Wi-Fi being freely used neighbours. Being a paranoid twat, I am more concerned with the likes of kiddie porn being downloaded through my Internet connection. It can be very difficult trying to prove that no, "I did not download those despicable files". Where I live, if it comes through your connection then you are guilty till you prove yourself innocent. Seems like a real good reason to change password and security key(s) to me. I have 63 characters in my WAP and I wish I could at least double that. See, told you I was a paranoid twat.

    1. TS15

      Re: Manufacturers need to do the right thing

      Initial details / factory defaults - most routers ship with some sort of randomly generated default wifi key / admin password that gets provided on a label stuck to the router.

      Simple for new users to handle for setup if you're right in front of the device. Not so simple if you're trying to "borrow" your neighbour's connection from next door.

    2. rh587

      Re: Manufacturers need to do the right thing

      SERIOUSLY??? If it is setup and uses the factory defaults, they will get in pretty damn easily. Mr Google will give you the default passwords for any WAP name that you enter into it's cavernous search jaws.

      Have you been living in a cave?

      Certainly in the UK all the big providers for the past few years have been randomising credentials at point of manufacture.

      For instance, I can see three BT networks from here (BTHub5-XXX; BTHub4-XXX).

      All three SSIDs are different, and googling them returns zero hits - much less the WPA keys!

      And I can guarantee the default WPA keys on the back of each of those routers will be different, as will be the default admin password provided.

      Happily, in the world of ISP-supplied routers, the days of admin:admin or admin:password defaults are largely gone (I'm sure some exceptions exist but I haven't seen any for a while now). Third party routers may be different, working on the assumption that if you're buying your own gear you're going to be going in and doing your own configuration and are sufficiently informed/motivated to change the defaults.

      What the gent was suggesting was a "setup" wifi network with such randomised credentials, which you connect to and are then required to name a private SSID/key in order to get internet access. But I'm not really sure how that's better than a randomised/strong set of default creds.

      The greater risk is the ISP leaving WAN ports open for TR-069 or some other management service without proper security, or otherwise not properly securing their network and doing proper ingress/egress control.

  21. Gis Bun

    ISPs should find a way to block out routers that have the default password enabled and block the user until they change it.

    It's been quite a few years since router manufacturers forced you on first usage to change the default password. So any of these older ones are unsupported by now and probably don't even have the latest firmware.

    I was happy to see my new TP-Link Archer C2600 force me to not only change my password but also the default name [from "admin"].

  22. Anonymous Coward
    Anonymous Coward

    Not always

    The last two ISP's I used (eu countries), had obscure WAN passwords (ie I had to get the file out of the filing cabinet to enter it after a reset) and equally obscure wifi password, so its doable.

    Non ISP routers have in the main easy peasy passwords and wifi with no crypto, however

    the router from a well known asian company with a terracotta army has a really obscure password.

    Most of the routers with easy peasy passwords seem from companies in the land of the free, but made of course in a large asian country. Lazy spring's to mind.

  23. Jerry G.

    Home Router Security, and Any Router Security

    When you first purchase your router the very first thing you do is change the main admin password. When turning on the WiFi section you also change the password for the WiFi access. You restart the router and log back in again under the new password. Now you can complete whatever setups necessary.

    Most users use the default passwords from the time they buy their router. They figure since nobody knows their system exists along with the many millions of others there should not be an issue. It is true your system may not be discovered until one main exception. If you somehow install a malicious software from opening an attachment or visiting an infected web page, that malicious software may be the type that steels information for theft of information, and or to take over the user's network to use it for its own distribution or whatever.

    Most of the time systems get a Trojan or malicious software because they let it in somehow. One of the most common ways is from opening unsolicited emails that contain executable code in its attachment or its main content (hidden code). Email programs are supposed to be protected against auto execution, but when the user opens a malicious attachment they are inadvertently allowing it to run. There is only so much capability the protection can offer. Common sense and understanding is a very important aspect of using a computer.

    Downloading and installing infected programs is another common way malicious software gets in to systems. There is also visiting infected web pages, and especially clicking on the banners and links out of curiosity.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019