That’s significant, because once a router uses DNS servers controlled by an attacker, that router can be used as a springboard for all manner of dirty deeds, ranging from malware
But what’s even more interesting is that the hack was successful only when the target router’s default administrative password had been left at the factory default setting. In other words, users were protected if they had simply changed their passwords, because the attack relied on the use of the device vendors’ default passwords, which are common knowledge.
There’s no telling just how many routers out there still use the default passwords, but it’s a safe bet it’s a lot. After all, many automated router setup wizards don’t prompt the user to change the default administrator password, and most routers bury this setting way down in the menu where casual users are unlikely to notice it.
This particular attack scenario illustrates how a seemingly minor and easily overlooked setting can still have profound security implications. Therefore, it seems like a good time to review some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
Change the Administrative Password
As outlined above, if your router’s password is “password,” “admin,” “1234” or any of the other default value, you’re just asking for trouble, so change it immediately.
Change the Default SSID
Just as many users neglect to change their router’s administrative password, many also keep the default wireless SSID
Turn off SSID Broadcast
Broadcasting your SSID makes it super-easy to connect new wireless devices to your network. But it also advertises your network to any passers-by, which isn’t an ideal situation. Turning this feature off won’t hide your network’s presence to determined interlopers with special software, but the fewer people that know about your network, the better. As long as you know your own SSID, you won’t have any trouble setting up new devices.
Use WPA, Not WEP
Even though the weaknesses of WEP
Bottom line — use WPA to encrypt your wireless network, and avoid buying or using any device that forces you to use WEP to accommodate it. In addition to greatly improved security, there are also usability benefits to using WPA, because unlike WEP you don’t need to choose between ASCII
Reduce Wireless Power
If your router supports it, turn down your wireless radio’s power setting to try and keep the signal within the confines of your home or office. This may take some trial and error and it’s not always possible to precisely control where the signal travels, but you may be able to minimize the amount of signal that spills out to the street or the neighbor’s yard.
Eliminate or Reduce the Use of DHCP
Another option is to leave DHCP on but reduce the size of it’s address pool. Most routers put almost every available address — more than 250 in all — into the pool, which is far more than just about anyone needs and leaves plenty for unauthorized users. Limiting the number of available DHCP addresses to the specific number of devices you have lets you use DHCP addresses while preventing wireless trespassers from obtaining them.
Turn On MAC Filtering
Although it shouldn’t be used in lieu of wireless encryption, MAC filtering can be a good complement to it. Most routers support this feature, which limits access only to those devices with the hard-coded MAC addresses that you specify. Configuring MAC filtering can sometimes be a pain in the neck, but some routers will let you easily add a connected device to a filtering list, which can save you the trouble of having to hunt down the MAC addresses for each of your devices.
Make Sure your DMZ is Turned Off
The router’s DMZ
Turn Off Ping Response
This setting allows your router to respond to ping
Avoid Using Remote Management
Most routers have this feature, which allows you to log in and manage the device from outside your network. There aren’t too many situations where this is useful, so you should avoid using it unless absolutely necessary. If you do use remote access, change the default port number (usually 8080 or 8888) to something less obvious.
To be sure, none of these steps are foolproof (security seldom is), but most are simple, all are free, and ultimately, every little bit helps.