  • Should we trust our routers?

      • #2363429
        Susan Bradley
        Manager

        Michael Horowitz has a story about how the Asus GT-AC2900 router had THREE password bypass flaws…. https://twitter.com/defensivecomput/status/139076
        [See the full post at: Should we trust our routers?]

        Susan Bradley Patch Lady

      • #2363435
        anonymous
        Guest

        I have an asus router so I read this with interest and tried to see if my router was vulnerable.

        I think that Michael Horowitz’s interpretation that there are three “flaws” is a misreading. The Atredis post reference says that there are three different conditions needed to exploit the flaw, all three of which must be satisfied.

I was unable to exploit my RT-AC66U B1 by following the Atredis instructions, but my router is not on Asus’s list of routers supporting IFTTT.

        1 user thanked author for this post.
        b
      • #2363442
        techweenie
        AskWoody Lounger

        Most Asus routers support Asuswrt-Merlin firmware – https://www.asuswrt-merlin.net/.  It is based on stock firmware, but fixes all known bugs with frequent updates.  Some of their work has made it upstream to stock firmware.  I’ve been recommending consumer clients buy Asus routers compatible with that firmware.

        3 users thanked author for this post.
      • #2363457
        Alex5723
        AskWoody Plus

        Users shouldn’t trust any router out-of-the-box.

Users should check and change:

        Admin name
        Admin password
        Check and set encryption level
        Set wi-fi password
Hide SSID.

        https://www.computerworld.com/article/3093427/how-to-secure-your-router-and-home-network.html

        • #2363468
          JohnW
          AskWoody Plus

          Users should check and change : Admin name Admin password Check and set encryption level Set wi-fi password Hide SSID..

          I would think that if you have done the first 3 items in the list, that last one is probably not necessary.

          Hiding your SSID can cause issues, so YMMV with that one.

        • #2363485
          techweenie
          AskWoody Lounger

          Hiding your SSID is actually a security risk. Due to how wifi works, it actually gives hackers more information than they would otherwise have. There’s a very good video on YouTube explaining it in great detail.

          2 users thanked author for this post.
          • #2363549
            Michael432
            AskWoody_MVP

            How can hiding the SSID be a security risk?

It is not much of a security improvement, but a risk? I have seen mesh router systems create hidden SSIDs. It’s probably the rule rather than the exception with a mesh system.

            Get up to speed on router security at RouterSecurity.org

            • #2363552
              techweenie
              AskWoody Lounger

              Search for the video.  From my limited recollection, devices that know the hidden SSID send more information to connect than they would if the SSID were being broadcast.

              • #2363672
                Michael432
                AskWoody_MVP

You are correct, I did misread the blog. When listing the three conditions, the author did not say either “and” or “or”. I assumed it was any of the three conditions. So, it’s one bug not three.

                Get up to speed on router security at RouterSecurity.org

              • #2363674
                Michael432
                AskWoody_MVP

I found this video, which concluded there is no benefit to hiding the SSID. It did not conclude anything else.

                And, while the conclusion is true, it only applies to really good attackers that know their stuff, such as the guy that made the video. It may well not apply to script kiddies. So, while hiding the SSID will not stop all attacks, it could, maybe, stop some.

                And, this small benefit does need to be weighed against the hassle factor as the guy pointed out. If you only have one or two WiFi devices, the hassle is small. But if you have many, then the hassle is likely too high for the small benefit.

                Get up to speed on router security at RouterSecurity.org

              • #2363704
                b
                AskWoody MVP

                Microsoft recommends not hiding the SSID, because laptops/phones broadcast the name MORE OFTEN if it’s “hidden”:

                Why Non-broadcast Networks are not a Security Feature

                Windows 10 Pro version 21H1 build 19043.1052 + Microsoft 365 (group ASAP)

                2 users thanked author for this post.
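The point made in the two posts above (a client that knows a hidden network has to name it in its own probe requests, so the name moves from the access point's beacons to every client's probes) can be seen directly in the 802.11 management frame format. The following is an added example, not code from any post in this thread: it hand-builds four management frames (a normal beacon, a beacon from a hidden network, a wildcard probe request, and a probe request directed at the hidden network) and parses the SSID tag out of each. The MAC addresses and the network name "HomeNet" are constructed values.

```python
"""Show what hiding an SSID hides and what it does not, using constructed
802.11 management frames. Added example for this thread; nothing is captured
from the air, every frame below is built in code."""
import struct

# Management frames: frame control (2), duration (2), addr1/addr2/addr3 (6 each),
# sequence control (2) = 24-byte header, then the frame body.
HDR_LEN = 24
TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_BEACON = 8
TAG_SSID = 0
TAG_RATES = 1

BROADCAST = b"\xff" * 6
AP = bytes.fromhex("02aabbccdd01")      # constructed, locally administered address
CLIENT = bytes.fromhex("02aabbccdd02")  # constructed


def frame_type(frame):
    """Return (type, subtype) from the first frame-control byte."""
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF


def parse_tags(body):
    """Yield (tag_id, value) from a tagged-parameter area, stopping on truncation."""
    i = 0
    while i + 2 <= len(body):
        tag_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            break
        yield tag_id, value
        i += 2 + length


def ssid_from_frame(frame):
    """SSID carried by a beacon or probe request: '' for hidden/wildcard,
    None when the frame is not one of those two or carries no SSID tag."""
    ftype, subtype = frame_type(frame)
    if ftype != TYPE_MGMT:
        return None
    if subtype == SUBTYPE_BEACON:
        body = frame[HDR_LEN + 12:]  # skip timestamp(8) + interval(2) + capability(2)
    elif subtype == SUBTYPE_PROBE_REQ:
        body = frame[HDR_LEN:]
    else:
        return None
    for tag_id, value in parse_tags(body):
        if tag_id == TAG_SSID:
            # Hidden APs send a zero-length SSID or a run of NULs; both read as "".
            return value.rstrip(b"\x00").decode("utf-8", "replace")
    return None


def tag(tag_id, value):
    return bytes([tag_id, len(value)]) + value


def build_mgmt(subtype, src, dst, body):
    fc = struct.pack("<H", (subtype << 4) | (TYPE_MGMT << 2))
    header = fc + b"\x00\x00" + dst + src + dst + b"\x00\x00"  # addr3 = BSSID
    return header + body


def sample_frames():
    """Four constructed frames covering both sides of the hidden-SSID debate."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, beacon interval, capabilities
    rates = tag(TAG_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
    return {
        "beacon_visible": build_mgmt(SUBTYPE_BEACON, AP, BROADCAST, fixed + tag(TAG_SSID, b"HomeNet") + rates),
        "beacon_hidden": build_mgmt(SUBTYPE_BEACON, AP, BROADCAST, fixed + tag(TAG_SSID, b"") + rates),
        "probe_wildcard": build_mgmt(SUBTYPE_PROBE_REQ, CLIENT, BROADCAST, tag(TAG_SSID, b"") + rates),
        "probe_directed": build_mgmt(SUBTYPE_PROBE_REQ, CLIENT, BROADCAST, tag(TAG_SSID, b"HomeNet") + rates),
    }


def names_seen(frames):
    """Map each frame label to the SSID a passive listener on the channel reads from it."""
    return {label: ssid_from_frame(frame) for label, frame in frames.items()}


def exposed_names(frames):
    """Distinct non-empty network names learnable from the given frames."""
    return sorted({s for s in names_seen(frames).values() if s})


if __name__ == "__main__":
    frames = sample_frames()
    for label, ssid in names_seen(frames).items():
        print(f"{label:15s} -> {ssid!r}")
    print("names learnable from the hidden AP's beacon alone:",
          exposed_names({"beacon_hidden": frames["beacon_hidden"]}))
    print("names learnable once a client probes for it:", exposed_names(frames))
```

The hidden beacon parses to an empty name, so the access point itself gives nothing away; the directed probe request from a client that already knows the network carries the full name, which is the mechanism behind the "broadcast the name MORE OFTEN" remark. Whether a given client sends directed probes, and how often, is operating-system behaviour that this parser does not model.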
              • #2364161
                anonymous
                Guest

                That page was last updated 14 years ago. I would have to assume there have been changes since then.

              • #2364168
                b
                AskWoody MVP

                Such as?

                Windows 10 Pro version 21H1 build 19043.1052 + Microsoft 365 (group ASAP)

              • #2363926
                AlexEiffel
                AskWoody_MVP

                Michael,

I think we should focus on things that make a real difference in security like disabling UPnP, WPS, unsafe encryption and isolating networks from unsafe IoTs, although things like disabling UPnP create issues for some users who aren’t aware of its implications and who don’t realize the software they use offers an open port to the outside, while not being ready to find an alternative nor able to manually open the port.

                I don’t know if Windows still works the way it did before broadcasting the SSID more often if it was hidden, but Microsoft themselves said it was less secure to hide the SSID a long time ago.

                By the way, it would be really nice if you had RSS set up on your website so it is easy to get notified when you post something new on the “router security in the news” page and other pages, especially when it is time sensitive.

There should be a check list of what are the features of a safe router that could be an inspiration to manufacturers who want to target this security market (secure defaults, maybe auto updating if done properly, support for security for x years, etc). But unfortunately, I don’t see any manufacturer going into this non profitable nonexistent consumer business until consumer awareness is higher due to high profile issues, maybe, with luck.

Still, a lot of people will take their chances when ISPs provide the router for “free” instead of paying more for something they don’t understand and have to manually update while they don’t even understand how to configure it. Maybe with regulations for ISPs to ensure the support of a baseline of security, it would make a difference. I remember the biggest ISP in my country was still shipping WEP enabled devices years after it was known to be highly insecure.

One day, maybe, a business could offer support and routers, handling maintenance remotely for you and having phone support for issues, but it is going to be a hard sell if the threat perceived is not significant enough. So many people have lived with viruses on their computer and just shrug when you tell them. A lot of them just accept that they face something that they are not competent enough to avoid by themselves and they just hope for the best.

                1 user thanked author for this post.
              • #2364205
                Michael432
                AskWoody_MVP

                Alex,

                Agreed. Hiding an SSID is a minor point either way.

As for an RSS feed, I am halfway there. The home page of RouterSecurity.org has a link at the very top to see recent updates. As for a checklist of features, there is a page on the site with a checklist. See the site index.

                Secure routers have failed to gain traction. Both Symantec and F-Secure tried to sell secure routers but each failed in the marketplace. Speed. Speed. Speed. I like Peplink but security is a side effect of what they do, it is not their main focus. The only router focused on security is pcWRT and hardly anyone knows of it.

                As for consumer awareness, it may turn out that the hacked pipeline in the US was, in part, crippled because they did not segment their network. Seems likely. This might raise awareness of VLANs and Guest networks.

                There are routers that are dumbed-down and thus easy to configure and routers that self-update. But, when something goes wrong, who you gonna call? Not Ghostbusters. No doubt, knowing that your ISP is on the hook to fix anything, contributes to people using an ISP provided router.

                Get up to speed on router security at RouterSecurity.org

                1 user thanked author for this post.
              • #2366125
                dmt_3904
                AskWoody Plus

                I like Peplink but security is a side effect of what they do, it is not their main focus. The only router focused on security is pcWRT and hardly anyone knows of it.

                I have a Linksys WRT3200ACS.  It’s really way more technically-sophisticated than I can handle and it’s a few years old, last updated firmware 2/13/2020.  I don’t like how the guest network is implemented (open wifi – enter password, like a hotel) and although it’d be a challenge, I think I could set up a VLAN.  I think it’s time for a new router that has a proper guest network + good security, updated firmware.

                I tried finding a Peplink, but that proved a bit difficult, + I’m afraid it will also be a technical challenge for me.  Is there a good consumer router for people like me? It’s so confusing out there!  I want good security and a guest network so I can isolate IOT.  We’re not gaming or heavy internet users – though we do stream, we still have Satellite TV.  I do not want my ISPs router.  thanks.

              • #2366134
                dmt_3904
                AskWoody Plus

                I have an update to my post – I had looked for a Peplink about a year ago;  I don’t recall the details – but I had trouble trying to purchase one.  I see it now on Amazon.  It may be the best choice for me, as the consumer router market is pretty bad & finding non-biased reviews is even harder!

                One suggestion from AskWoody was to buy two routers and isolate.  If I’m going to do that, I might as well spend $200 on a Peplink.   I see a Surf SOHO MK3 for about $200.  I’ll read more on Routersecurity.org, here and online, but am leaning toward that.  Still open for any advice/suggestions.

              • #2366173
                Michael432
                AskWoody_MVP

Finding non-biased router reviews is indeed very hard. The Pepwave Surf SOHO has been $200 for a long, long time. MK3 means it’s the third hardware generation, which is the latest. Perhaps the biggest limitation of the Surf SOHO is the max speed of 120Mbps.

                Get up to speed on router security at RouterSecurity.org

              • #2366166
                Michael432
                AskWoody_MVP

Peplink routers are sold by Amazon and 5GStore in the US. Other outfits too. The routers are intended for techies, not consumers. That said, there are setup instructions here https://www.routersecurity.org/SurfSOHOinitialconfiguration.php so you can judge for yourself if it’s too much.

Consumer routers are judged solely on speed. It’s like judging a car by the tires. Eero is well liked and you can buy just one, no need for a whole mesh setup. Eero is very much dumbed down for consumers, there are very few configuration options. But, it’s from Amazon.

                Any router will do Guest networks better than Linksys. You had bad luck there.

                Get up to speed on router security at RouterSecurity.org

                2 users thanked author for this post.
      • #2363497
        Alex5723
        AskWoody Plus

        Users should check and change : Admin name Admin password Check and set encryption level Set wi-fi password Hide SSID..

        I would think that if you have done the first 3 items in the list, that last one is probably not necessary.

        Hiding your SSID can cause issues, so YMMV with that one.

        Hiding SSID is an added security level.

        Pros and Cons : Network cloaking

        • #2363584
          Paul T
          AskWoody MVP

          Hiding the SSID is obfuscation. Obfuscation is not security.
          Security is knowing a system exists but there is no way to access it without the correct credentials.

          cheers, Paul

          2 users thanked author for this post.
      • #2363501
        RexOfRome
        AskWoody Lounger

I have an AC2900 (RT-86U). I don’t know if it’s the same as the GT-AC2900. When I logged in the notification icon in the upper right was not flashing, which it has in the past when there was an update. I went to the administration section / firmware update and clicked the check button. It found an update and I installed it. It would sure be nice if we could register our routers with Asus and they would send an email notification when there is an update. Without logging into your router and checking, how would you know?

        Off topic:

        I love my Asus router, it works great. I recommend setting up the built-in VPN and using OpenVPN Connect on your phone or tablet. You can then access your network safely and know that if anyone is sniffing your remote WiFi connection they won’t be able to see your traffic.

        • #2363516
          opti1
          AskWoody Plus

          It would sure be nice if we could register our routers with Asus and they would send an email notification when there is an update. Without logging into your router and checking how would you know?

          This is where I go to stay on top of ASUS routers:

          https://www.snbforums.com/forums/asus-wireless.37/

          Lots of good people there, including ‘Merlin’. Excellent resource.

        • #2364177
          Michael432
          AskWoody_MVP

          Just yesterday I was working on an Asus RT-AC1900P router. The check for update feature in the web admin failed – it could not connect to the needed Asus server. Then, when checking the Asus website for an update, the most recent firmware was a beta from Feb 1, 2021. So, my choice was the beta or the version before it with known flaws.

          It would indeed be great if router vendors emailed you about updates but in my experience that is quite rare.

          Get up to speed on router security at RouterSecurity.org

      • #2363537
        anonymous
        Guest

        Dump the stock firmware and go with Merlin.


        • #2363551
          Michael432
          AskWoody_MVP

          What features does Merlin add that you have found useful?

          From what I understand (no expert) the Merlin software is focused on adding features, not on security. So, if Asus fixes a flaw in one router and not in their other models, Merlin software would not be a cure.

          Get up to speed on router security at RouterSecurity.org

          • #2363707
            Ascaris
            AskWoody MVP

            The problem you have with OEM firmware is that very often, the OEM will simply stop offering updates when the model is no longer in production, so any new issues discovered have no chance of being fixed. Aftermarket firmware doesn’t have that issue, and if the router still has significant popularity in the user base, the firmware updates will probably keep coming.

            There are no guarantees in life, but if you take my Netgear WNDR3700 as an example, it received its last official update in about 2010 (even though the WNDR3700 model remained active for many years after that… my hardware revision, v1, was out of production, so only the latest version got updates, until it was not the latest version anymore). With DD-WRT, another common aftermarket firmware, it’s still an actively updated model.

            The aftermarket router firmware devs update the kernel as a part of their process, so even if the only fix is by the Linux kernel guys, it still makes its way to the router.

            More likely, the Merlin people do concern themselves about security issues as well as features. I am not familiar with that particular software, but DD-WRT has a lot of fixes that are specifically for security, even though its main focus is the features too (it has pretty much everything).


            Group "L" (KDE Neon Linux 5.22.0 User Edition)

            1 user thanked author for this post.
          • #2366390
            anonymous
            Guest

            No, that’s not correct and you’d know that if you weren’t here to sell your stuff.  In fact, Merlin and Voxel are all about increasing performance, stability and security.  Features are secondary.  Really easy to find that info, start with github or smallnetbuilder.

      • #2366373
        Paul T
        AskWoody MVP

        I don’t like how the guest network is implemented (open wifi – enter password, like a hotel)

        Why do you care what the guest network security is like? It’s for guests, not your devices.

        You can add 3rd party firmware to fix the guest wifi and gain other things.
        Linksys WRT 3200 ACM router review | TechRadar

        cheers, Paul

        • #2366385
          dmt_3904
          AskWoody Plus

          I want to put my TV on there for isolation.   Now, the only devices on my network are IOS devices, laptop, printer and TV.  Not my toaster, refrigerator, stove, washer, dryer, generator, iron, 😁

          I’ve heard we need to separate these devices from the main network, though for me it’s only tv. How do you separate IOT devices and/or protect your network?

          • #2366434
            Michael432
            AskWoody_MVP

            High end routers can separate devices using VLANs. Consumer routers can do it with a Guest WiFi network or by using two routers.

            Get up to speed on router security at RouterSecurity.org

        • #2366386
          dmt_3904
          AskWoody Plus

          Also my router hasn’t had a firmware update since 2/13/20.

        • #2366433
          Michael432
          AskWoody_MVP

          A Guest WiFi network is an excellent place for not-well-trusted IoT devices.

          Get up to speed on router security at RouterSecurity.org
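The advice in the posts above (put IoT devices on a Guest WiFi network, a VLAN, or a second router) only helps if the isolation actually holds, and consumer firmware differs in what its "guest" checkbox really blocks. The script below is an added example, not from any post in this thread or from any router vendor: run it from a device that is connected to the guest network and it tries a plain TCP connection to each host on the main LAN. Anything that answers, even with a refusal, is reachable from the guest side and the isolation has failed. The addresses and ports are constructed placeholders to be replaced with the real hosts on your main network.

```python
"""Check that a guest/IoT network cannot reach the main LAN. Added example for
this thread; run it from a device on the guest network. Addresses below are
constructed placeholders."""
import socket

# Constructed placeholders: replace with hosts that live on your main LAN.
MAIN_LAN_HOSTS = [
    ("192.168.1.1", 80),     # router admin page as seen from the main LAN
    ("192.168.1.20", 9100),  # network printer
    ("192.168.1.30", 445),   # laptop with file sharing
]


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connect attempt.

    'reachable' : the connection completed.
    'refused'   : the host answered with a reset; the port is closed but the
                  host itself is reachable at the IP layer, so isolation failed.
    'blocked'   : timeout or no route; nothing on the main LAN answered.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "reachable"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes socket.timeout, EHOSTUNREACH, ENETUNREACH
        return "blocked"
    finally:
        sock.close()


def isolation_report(hosts, probe=probe_tcp):
    """Probe every (host, port) and list the ones that break isolation.

    `probe` is injectable so the decision logic can be exercised without a
    live network; the default performs real connection attempts.
    """
    results = {target: probe(*target) for target in hosts}
    leaks = [target for target, verdict in results.items() if verdict != "blocked"]
    return results, leaks


def main():
    results, leaks = isolation_report(MAIN_LAN_HOSTS)
    for (host, port), verdict in results.items():
        print(f"{host}:{port:<5} {verdict}")
    if leaks:
        print(f"ISOLATION FAILURE: {len(leaks)} main-LAN host(s) answer from the guest network")
    else:
        print("isolation OK: no main-LAN host answered")


if __name__ == "__main__":
    main()
```

Treating "refused" as a failure is the part worth noticing: a refused connection proves the packet reached the host and came back, which is exactly what a guest network is supposed to prevent. A clean result from this check is necessary but not sufficient, since it only covers IPv4 TCP to the hosts you listed; if the router offers a guest-to-LAN or "access intranet" toggle, this is the quickest way to confirm which way it is set.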

      • #2366389
        anonymous
        Guest

        Some of these posts are advertising and it continues.

        Use Merlin or Voxel.

        Or one of those really old above touted routers.

        If it really, really matters, you can actually buy one and don’t mind paying a lot, go commercial.

      • #2367812
        dmt_3904
        AskWoody Plus

I have been around the block searching for a new router!  I was looking for a new router bc I want better security. I thought my router wasn’t very secure + I do not like how Linksys has implemented the guest network – captive login via the internet. It seems to me most routers today are a nightmare when it comes to security, it’s really terrible that the industry can get away with this – most consumers have no idea (and don’t care, ignorance is bliss!) And many online reviews mention security as an aside, if at all.

I’d love to get a Peplink and be done with it, but I checked router.org on how to configure and, ugh – I know I’d mess it up!! I agree those routers are for techies.  I started researching ASUS bc I’d read they have “commercial-grade” security, great!! But, then I found out that there are some serious security issues (e.g. phoning home to Trend Micro with each and every site you visit to check it against a db). So, no thanks on that! Then I started researching Merlin, but found that my Linksys already supports opensource firmware, why switch to a new router?  But, like with the Peplink, when I read how to install/use the software, I found it to be highly technical and above my level.

I’ve come to the conclusion that my router isn’t terrible and I probably don’t need to replace it. It will be a problem if/when they stop updating the firmware – Linksys WRT3200ACM, last update 2/2020. I need a secure guest network. I looked at creating a VLAN, but that also seemed technically difficult. Is there a way for me to secure the guest network on this router so I can isolate my TV (and other iot devices)?  Any suggestions?

        If not, I may need to find a router with a good guest network (I was checking on this one NETGEAR – AX1800 Wi-Fi 6 Router). I would look for a router with WIFI6 & WPA3 – bc those are the new stds – though I’ve read that even WPA3 has security issues!!   It never ends!

        Hope everyone has a great holiday weekend!
