By Brian X. Chen
The New York Times
From Our NYT Files: Your Wi-Fi Security Is Probably Weak. Here’s How to Fix That.
Chances are that when you bought a Wi-Fi router, you probably did not prioritize strong network security. After all, when we think about wireless connectivity in our homes, most of us generally care more about speed of data transmissions and how much range the router can cover. But it’s time to change our views. Network security needs to be high on our list of considerations because a Wi-Fi station is the gateway for devices to get on the internet. If your router is infected with malicious software, all your internet-connected devices become vulnerable, including your smartphone, computer, smart watch, television and Amazon Echo.
A recent cyberthreat underscores the need to take network security more seriously. Last month, Cisco’s threat research arm, Talos, in collaboration with the Federal Bureau of Investigation, discovered that a malware system with links to Russia had infected hundreds of thousands of Wi-Fi routers made by popular brands like Netgear, TP-Link and Linksys. This month, Talos revealed the problem was even worse than initially thought: Routers from other brands like Asus and D-Link had also been infected. That means base stations from every well-known router brand were a target for this malware, known as VPNFilter, which is capable of manipulating your web traffic. Attackers could use it to load a fake banking site on your computer browser that looks like the one you normally use and steal your credentials and clean out your bank accounts. They could also load spoof versions of an email site you use to steal your password and gain access to your communications.
Netgear, D-Link and Linksys said they advised people to install the latest security updates and to choose strong usernames and passwords. TP-Link and Asus did not respond to requests for comment. Our remedy? For starters, make sure your Wi-Fi station is always running the latest version of its “firmware,” or software system, just as you are supposed to keep operating systems up-to-date for your smartphone and computer. In a 2014 survey of I.T. professionals and employees who work remotely conducted by the security firm Tripwire, only 32 percent said they knew how to update their routers with the latest firmware. “Most consumers don’t know to patch these things,” said Matt Watchinski, a senior director of Cisco Talos, who helped research the VPNFilter malware. “They don’t treat it like they do their air-conditioner or refrigerator, where we all know we should change the filters.” Here’s a guide to some of the best practices you can embrace to ensure that your router — and, by extension, all your internet gadgets — is safe.
Routinely update the firmware
Even though a router lacks moving parts, it needs to be maintained with the latest security updates. Easier said than done, right? Here is a basic step-by-step for how to do that:
■ Consult the instruction manual for your router to get its IP address, a string of numbers that you will punch into a web browser for access to the router’s web dashboard. Jot down the number and store it somewhere safe like your filing cabinet.
■ After entering the router’s IP address into a web browser, log in to the base station with your username and password. In the router’s web dashboard, click on the firmware settings. Look for a button that lets you check for the latest firmware version.
■ If an update is available, choose to install it and let the router restart. Repeat this process every three to six months.
■ If you use a router provided by a broadband provider like Comcast or Verizon, call the customer service department and ask whether your equipment has been updated with the latest firmware.
Set a unique username and password
When you log in to your router, if your username and password are something like “admin” and “password,” you have a problem. Many Wi-Fi stations come with weak, generic passwords by default that manufacturers intend for you to change. The problem with having a weak username and password is that anybody within range of your router could log in to it and change its settings, potentially opening it up to the outside world, said Dave Fraser, chief executive of Devicescape, a company that helps make public Wi-Fi networks more reliable for mobile phone service. So while you are checking for firmware updates in your router’s web dashboard, make sure to also check your security settings and change the username and password to something strong and unique. Security experts recommend creating long, complex passwords consisting of nonsensical phrases and added numbers and special characters. (Examples: My fav0rite numb3r is Gr33n4782# or The cat ate the C0TT0n candy 224%.) Write down these credentials on the same piece of paper where you recorded your IP address.
Replace your router every few years
Even if your router still appears to work properly, the device has reached the end of its life when manufacturers stop supporting it with firmware updates, leaving it vulnerable to future cyberthreats. You can expect this to happen every three to five years. At that point, it is crucial to upgrade to a new piece of hardware. The best way to check is to look up your router on the manufacturer’s website and read notes about its firmware releases. If there hasn’t been a firmware update in the last year, the router has probably been discontinued. Among the routers affected by the VPNFilter malware, a significant portion of them were more than five years old, said Cisco’s Mr. Watchinski. How did we get here in the first place? Historically, manufacturers have designed routers by cobbling together open-source software platforms with commodity components to produce base stations as cheaply as possible — with little care for long-term security, Mr. Fraser said. “It is a miserable situation, and it has been from day one,” he said. But Mr. Fraser added that there were now “new world” routers with operating systems, tougher security and thoughtful features to make network management easy.
If it is time to update your router, rid yourself of some of these headaches by looking for a smarter router. Check for Wi-Fi systems that offer automatic updates to spare you the headache of having to check and download updates periodically. Many modern Wi-Fi systems include automatic updates as a feature. My favorite ones are Eero and Google Wifi, which can easily be set up through smartphone apps. The caveat is that smarter Wi-Fi systems tend to cost more than cheap routers that people are accustomed to. Eero’s base stations start at $199, and a Google Wifi station costs $119, compared with $50 for a cheap router. For both of these systems, you can also add base stations throughout the home to extend their wireless connections, creating a so-called mesh network. Another bonus? Mr. Fraser noted that more modern Wi-Fi systems should have longer life spans because the companies sometimes relied on different revenue streams, like selling subscriptions to network security services.