Consumer Router Security
As the ‘tech-savvy’ person in my household, I was responsible for all things Internet related. As such, I have been a customer of many different ISPs in the UK and accrued a small collection of their routers in the process.
Until recently, I hadn’t paid much attention to my router’s security. Upon reading Michael Bazzell’s book Hiding from the Internet: 4th Edition (now outdated), I wanted to start using a VPN on my router as it allows every device connecting to it to benefit from an encrypted connection. I began digging through the settings of my British Telecom (BT) router to find out whether a setting existed that would allow me to set up a VPN. There wasn’t. This led me down a rabbit hole where I began examining the other routers I had lying around and the features they offered, which in turn began highlighting their privacy and security related shortcomings.
Comparison of Various ISP Issued Routers
The routers I chose to investigate are BT’s HomeHub 4, TalkTalk’s D-Link DSL3680 and OneStream’s Zyxel AMG1302-T11C. The specific model numbers are not entirely important; the main point is that they are all popular, standard-issue British ISP routers. If you do not own one of the mentioned models, you should not assume you are safe, since many different models of router share the same underlying firmware.
I have chosen eight reasonably important categories against which to evaluate the ISP routers in terms of privacy and security.
- When the latest firmware update was
- Is WPS on by default and can it be disabled
- Is WEP present and can it be disabled
- Is the web interface HTTP or HTTPS
- Can the router act as a VPN client
- Can the default username and password be changed
- Can the SSID be hidden
- Can the default DNS address be changed
I will also explain why these categories are important and what the repercussions are.
Firmware is the underlying computer code that runs on electronic devices, such as routers. Naturally, over time computer code becomes susceptible to security attacks as vulnerabilities are discovered and exploits are created. Note how apps on your smartphone will receive updates every few weeks; this is to fix security issues, add new features and generally keep the customer happy. This increases the likelihood of said customer making a purchase within the app if they are happy with its functionality and features. Contrast this with routers: since the customer has already made the purchase and has committed to, usually, a twelve month contract, they are essentially stuck with the router, and so the manufacturer has seemingly little incentive to produce security updates.
The OneStream router’s firmware had been untouched for 13 months, BT’s for 14 months and TalkTalk’s for a pretty outrageous 25 months. I’m not sure who is more at fault here, the router manufacturer for failing to maintain the product they produced or the ISPs who are knowingly accepting and passing on sub-par hardware to a significant portion of the British population.
Vulnerabilities are being found daily in all kinds of software, so it seems logical to assume a few have surfaced for these routers between now and the date they got their last firmware update.
Only on TalkTalk’s router was Wi-Fi Protected Setup (WPS) on by default. All 3 offered the option to disable it.
WPS is a technology allowing users a simplified method of connecting their end devices to a wireless router. Instead of having to enter their WPA/WPA2 password, WPS allows the password to be ‘entered’ by simply pushing a specific button on the router.
However, one of the underlying technologies used in WPS is susceptible to brute forcing attacks, meaning an attacker can gain access to the user’s WPA/WPA2 password.
The only way this can be mitigated is by disabling WPS, which is why it is so important that it should be off by default.
WEP was one of the early methods used to ‘secure’ a wireless communication channel between an access point and a user’s end device. It was introduced to the world in 1997, which in computing terms is a lifetime ago.
WEP’s keyspace is a relatively short 24 bits in length. This is what is used to add ‘randomness’ to the connection’s initialisation vector, with the goal of making it hard for an attacker to simply guess. Simply put, the same key will be used again in a short space of time. As it is sent in plain-text, i.e. not encrypted, an attacker can quickly decode even the strongest WEP key in about 24 hours. With that key they can access your wireless network, sniff traffic or even lock the victim out of their own network.
Fast forward 22 years and all of the routers I examined still had the option of enabling WEP. I should stress that WEP was not the default option, but it is still worrying that it remains an option. Assuming it is still kicking about for backwards compatibility reasons, you need to wonder if the average consumer actually has devices that old which require WEP. I’m willing to bet ‘no’.
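To put numbers on how quickly a 24-bit per-packet value repeats, here is an added worked example (not part of the original article) that treats the 24-bit value described above as WEP's initialisation vector (IV) and computes how soon two packets share one. The 500 packets per second rate is an assumed figure for a busy home network.

```python
import math
import random

IV_BITS = 24              # the 24-bit per-packet value discussed above
IV_SPACE = 2 ** IV_BITS   # 16,777,216 possible values

def collision_probability(packets, space=IV_SPACE):
    """Chance that at least two of `packets` randomly chosen IVs are equal."""
    if packets > space:
        return 1.0        # pigeonhole: a repeat is certain
    # Sum logs of (1 - i/space) instead of multiplying tiny factors.
    log_unique = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_unique)

def packets_for_probability(target, space=IV_SPACE):
    """Smallest packet count whose collision probability reaches `target`."""
    log_unique, packets = 0.0, 0
    while 1.0 - math.exp(log_unique) < target:
        if packets >= space:
            return space + 1          # every value used once: next one repeats
        log_unique += math.log1p(-packets / space)
        packets += 1
    return packets

def simulate_first_reuse(rng, space=IV_SPACE):
    """Draw random IVs until one repeats; return the packet count at that point."""
    seen = set()
    while True:
        iv = rng.randrange(space)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)

def hours_until_counter_wraps(packets_per_second, space=IV_SPACE):
    """A sequential IV counter must repeat once every value has been used."""
    return space / packets_per_second / 3600

if __name__ == "__main__":
    RATE = 500  # packets per second: assumed, not a figure from the article
    print("packets for a 50% chance of reuse:", packets_for_probability(0.5))
    print("chance of reuse after 10,000 packets: %.3f" % collision_probability(10_000))
    print("simulated first reuse (seeded run):", simulate_first_reuse(random.Random(1)))
    print("hours until a sequential counter wraps: %.1f" % hours_until_counter_wraps(RATE))
```

With randomly chosen values a repeat becomes likely after only a few thousand packets, and even a strictly sequential counter runs out within hours at the assumed rate.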
Neither the BT Home Hub nor the TalkTalk router uses the HTTPS protocol on its web interface.
HTTPS is the newer and more secure version of HTTP. Most web browsers communicate to their users that a site is HTTPS by displaying a 🔒 padlock somewhere around the URL bar. When a web site is HTTP and just displays static content, there isn’t really a security concern here. An HTTP website becomes a threat if it also asks for user input, such as input boxes where personal details can be entered.
The web interface of a router is the page you navigate to when configuring some of its settings. In some cases this page is http(s)://192.168.1.254 or http(s)://192.168.1.1. Since there is a lot of sensitive information being input by the user on this page, HTTPS should always be the preferred communication method.
Of the 3 routers I tested, only OneStream’s had the option of completely disabling HTTP, thus forcing HTTPS to be used when configuring the web interface. HTTPS was formally standardised in May 2000, so it isn’t exactly cutting edge. Nonetheless router manufacturers should have no excuse not to at least include an option to use HTTPS.
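The following added example (not from the original article) is one way to check how your own router's web interface is served: it requests the page over plain HTTP and over HTTPS and reports which of the two answer. The function names and the result labels are made up for this illustration; the two addresses are the ones mentioned above.

```python
import http.client
import ssl

def probe(host, port, use_tls, timeout=3.0):
    """GET / and return (status, Location header), or None if nothing answers."""
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # router certificates are usually
            ctx.verify_mode = ssl.CERT_NONE  # self-signed; we only test reachability
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", "/")
            resp = conn.getresponse()
            return resp.status, resp.getheader("Location") or ""
        finally:
            conn.close()
    except (OSError, http.client.HTTPException):
        return None

def classify(plain, tls):
    """Turn the two probe results into one finding about the admin interface."""
    if plain is None:
        return "https-only" if tls is not None else "unreachable"
    status, location = plain
    if 300 <= status < 400 and location.lower().startswith("https://"):
        return "http-redirects-to-https"
    if tls is None:
        return "http-only"
    return "http-and-https"   # HTTPS exists, but the plain HTTP page still answers

def check_admin_interface(host, http_port=80, https_port=443):
    """Probe both ports of one router address and summarise the result."""
    return classify(probe(host, http_port, False), probe(host, https_port, True))

if __name__ == "__main__":
    # The two common admin addresses given in the article.
    for address in ("192.168.1.254", "192.168.1.1"):
        print(address, check_admin_interface(address))
```

A result of `http-only` or `http-and-https` means the admin password can still cross the local network unencrypted.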
Router-level VPNs encrypt all of your connected devices’ data before it is sent out towards the Internet. This is a good way to ensure your data is not snooped on by any party between you and the website you are visiting. Wanting to do such a thing doesn’t mean you have anything nefarious to hide, but privacy is a basic human right. Governments and ISPs aren’t always flying the privacy flag, so it is up to you to ensure you are communicating privately. In the same way, if you pick up the phone to make a call, you speak freely assuming nobody is listening. Using a VPN when communicating on the Internet can almost guarantee this.
As a side note, you should not use free VPNs. They are a business after all and not a charity; think how they earn their money. Some do so by displaying adverts, some through ‘freemium’ pricing models and some by actually snooping on the very data you are entrusting them to protect!
I recommend the VPN company ‘Mullvad’. They collect no logs, are fairly priced, have very technically knowledgeable support staff and offer various privacy respecting ways to pay – such as cash by post and Bitcoin. Also included is a SOCKS5 proxy; essentially this allows you to configure your browser in such a way that if their VPN happens to go down, your traffic will not leak or ‘fallback’ to using your ISP’s default DNS.
In a nutshell, none of the routers I examined had VPN capabilities.
Username and Password
Britain’s National Cyber Security Centre (NCSC) published guidelines on how users can choose better passwords to better protect themselves. All of the routers I looked at managed to violate this guidance in at least one way.
For example, the NCSC recommends that a user should be able to input a password of any length, i.e. no maximum limit. Imposing a limit could stop a user from entering a longer, more secure, password if they wanted to. BT’s router imposes a 20 character limit, which, assuming the password consists of numbers and special characters, is reasonably secure. However, when entering the password in the user interface, it is displayed in cleartext, which is not good. Typically passwords are obfuscated with the use of asterisks to hide them from anyone who may be looking at your screen.
OneStream’s router fares better as it allows for a password of up to 30 characters, although strangely it rejected any special characters (e.g. £&^%$).
TalkTalk, again, rated poorly as it imposed a comparatively short limit of 15 characters. Even more worrying is the fact it allowed a user to enter a password of only 1 character in length, without displaying any sort of warning.
Only OneStream’s router had the ability to change the default username of admin to something else.
Passwords are one half of a login, the other half being the username. In this case 2 out of 3 routers have a default username of admin and this cannot be changed. Attackers can easily check publicly available information that shows what the default usernames of common routers are. Already they have ‘cracked’ half of the login. With all of the routers I looked at here imposing some sort of limit on password length, they are only reducing the time it would take an attacker to crack a password. None of the limits were particularly high either. In TalkTalk’s case there was no input validation, meaning a password of only 1 character was accepted. A password of this length could be ‘cracked’ in approximately 20 milliseconds.
The SSID is the name of a wireless network. A common example you may have seen is ‘BTWifi-with-FON’. It allows the user(s) of that wireless network to easily identify the network as theirs, to facilitate ease of connecting. SSIDs can be changed to something more meaningful than the default gibberish. To highlight a point, you may rename your SSID to ‘Jane’s WiFi’. From a privacy and security perspective this announces to anyone within range of your wireless network, who it may belong to. Potentially making you a target.
This is why I would advise that you a) don’t include any identifying information in the SSID or b) better still, disable the SSID from being broadcast. Whilst not a silver bullet strategy, this is a useful step that can tighten up your router’s security. The idea being, if it is hidden a malicious user cannot connect to it. Think security through obscurity. As with anything security related, there are ways attackers can bypass this and still see your hidden network. But the aim of the security game is: defense in depth!
My investigation revealed only 1 of the 3 routers – OneStream’s – had the ability to disable SSID broadcasting.
A useful privacy tip is to append “_nomap” to the end of your SSID, even if you have hidden it. This signals to Google that you choose not to have your router’s SSID submitted and included in their location services database. One strategy Google uses to accurately locate you and your smartphone when using Google Maps, for example, is through GPS. However, if a strong GPS signal doesn’t exist, Google can scan your surrounding WiFi networks (granted you have Wi-Fi enabled) to try and paint a picture of where you might be. This works as a lot of Wi-Fi SSIDs are uniquely named and most people do not use the “_nomap” option. Since SSIDs can be quite unique in name they could potentially locate you on a map.
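The SSID advice above can be checked mechanically. This added example (not from the original article) reviews a network name for identifying terms and a missing “_nomap” suffix, and appends the suffix while staying within the 32-byte SSID limit of IEEE 802.11. The function names and the sample names are constructed for illustration.

```python
SSID_MAX_BYTES = 32     # IEEE 802.11 limits an SSID to 32 octets
SUFFIX = "_nomap"

def with_nomap(ssid):
    """Return `ssid` ending in _nomap, shortened to fit the 32-byte limit."""
    base = ssid[:-len(SUFFIX)] if ssid.endswith(SUFFIX) else ssid
    budget = SSID_MAX_BYTES - len(SUFFIX.encode("utf-8"))
    # Cut on bytes, then drop any multi-byte character split by the cut.
    trimmed = base.encode("utf-8")[:budget].decode("utf-8", errors="ignore")
    return trimmed + SUFFIX

def review_ssid(ssid, personal_terms=()):
    """List the privacy problems described above for one SSID."""
    findings = []
    if len(ssid.encode("utf-8")) > SSID_MAX_BYTES:
        findings.append("longer than 32 bytes")
    if not ssid.endswith(SUFFIX):
        findings.append("no _nomap suffix")
    folded = ssid.casefold()
    for term in personal_terms:
        if term.casefold() in folded:
            findings.append("contains identifying term: " + term)
    return findings

if __name__ == "__main__":
    # Constructed sample names; "jane" stands in for a household member's name.
    for name in ("Jane's WiFi", "BTWifi-with-FON", "x" * 32, "HomeNet_nomap"):
        print(repr(name), review_ssid(name, ["jane"]), "->", repr(with_nomap(name)))
```

A name that is already close to 32 bytes is shortened before the suffix is added, so the result is always a valid SSID.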
The results were slightly more promising in this test. 2 of the 3 routers did have the ability to change the default ISP assigned DNS address to something of the user’s choosing. BT’s router being the one that could not.
Your DNS address is the address all your web queries are sent to, before being routed to the Internet and back to you. Usually the default DNS address used by your devices is the one which is assigned by your ISP automatically. 9 times out of 10 this address belongs to the ISP. In the UK, ISPs are required by law to store 12 months’ worth of each of their customers’ browsing history. This data includes your account number, source IP, destination IP and URL. This ‘basic’ data can be obtained without a warrant. With a warrant, needless to say, even more data about your online activities can be gleaned.
Having the ability to change your router’s DNS address is important as it allows you to opt-out of such data collection activities. There are plenty of DNS providers other than just your ISP. Just like there are unscrupulous VPN providers, the same goes for DNS providers. Some are motivated by profit and may not be solving the problem you are trying to fix. Some solid DNS providers that do not collect any identifying logs (or at least very minimal or temporary) are CloudFlare’s 1.1.1.1 and Quad9’s – wait for it – 9.9.9.9. The latter being a non-profit organisation.
My investigation highlighted many areas in which the firmware that ships with common British ISP routers could be improved.
Perhaps more interestingly though, it raises the question ‘why are they so insecure in the first place?’ Some will argue that cost is the main factor at play here. However, this is not always the case, as the cheapest router in this test (in terms of line rental / overall contract price) actually performed the best in terms of security, with the routers from the ISP heavyweights performing comparatively poorly. There are many open source firmware projects that ISPs could choose to implement for free that provide a greater wealth of features and improved security, such as: DD-WRT, Tomato and OpenWRT. These are also being actively maintained with security updates and patches.
My suggestion to any interested readers is to have a dig around in your own router’s settings and tighten up what can be tightened up and run a VPN on your end devices. Failing that, if possible buy a better router. The Asus DSL-AC56U ticks all of the above boxes and more. It can also be flashed with the open source firmware mentioned previously, for extra flexibility.
Brinkmann, M. (2014). Add _nomap to your router’s SSID to have it ignored by Google and Mozilla. [Online] gHacks. Available at: https://www.ghacks.net/2014/10/29/add-_nomap-to-your-routers-ssid-to-have-it-ignored-by-google-and-mozilla/. [Accessed 29 Oct. 2019].
O’Neill, P. (2017). Hotspot Shield accused of snooping on VPN users and selling data to advertisers. [Online] CyberScoop. Available at: https://www.cyberscoop.com/hotspot-shield-accused-of-snooping-on-vpn-users-and-selling-data-to-advertisers/. [Accessed 29 Oct. 2019].
Jackson, M. (2016). IPAct – Controversial New UK ISP Internet Snooping Bill Becoming LAW. [Online] ISPreview. Available at: https://www.ispreview.co.uk/index.php/2016/11/controversial-new-uk-internet-snooping-bill-approved-mps.html/. [Accessed 1 Nov. 2019].