
Wi-Fi security: When the router is the weak link

While even the best models can have security flaws, there are ways to keep hackers at bay

Vincent Chang on 18 Jan 2017

The Straits Times



Routers are supposed to be the first line of defence against hackers and malware. But, sometimes, they turn out to be the weak link, and recent news headlines showed that even the latest routers can come with security flaws.


Earlier this year, the Federal Trade Commission (FTC) took network-equipment maker D-Link to court in the United States for failing to take reasonable steps to protect its routers and Web cameras from unauthorised access, an allegation denied by the firm.


Last year, Asus settled with the FTC over charges of security flaws in its routers. Last month, several popular Netgear routers were found to have a critical vulnerability that can be exploited by malicious websites.


Hackers have, in the past, seized on such vulnerabilities in routers, turning them into bots to be used in cyber attacks.


Infected routers, as well as Internet of Things (IoT) devices such as Webcams, were involved in two distributed denial-of-service (DDoS) attacks on StarHub's domain name servers last October, which affected the Internet connection of StarHub's home broadband subscribers.


Routers originating from Singapore were also used in global cyber attacks last year.


Trend Micro estimated that, from Q1 to Q3, there were around 150,000 attacks from almost 5,000 compromised routers in Singapore. Most cyber attacks came from routers in the United States (1.9 million attacks from 62,000 routers), China and South Korea, with Singapore in 11th place.


Mr Michael Lee, a security evangelist at RSA Asia-Pacific and Japan, said: "Routers are like miniature computers, with their own storage and operating system but, due to their smaller form factor, there is sometimes very little room to make future changes and updates."


Routers are used for years, often until a new wireless technology or standard is introduced.


On the other hand, manufacturers have little incentive to keep their products updated with security patches after a few years.




Even if the router manufacturer were to release a firmware update, users may be unaware of it or lack the skills to patch their routers.


"Fifty-six per cent of Singapore consumers do not know how to set up a secure home Wi-Fi network or router," said Mr Nick Savvides, a security advocate at Symantec.


Symantec's Norton Cyber Security Insights Report 2016 found that more than two in five consumers in Singapore are still using the default password issued by their provider when setting up their Wi-Fi.


Recent malware like Mirai targets IoT devices, including certain router models that are using default user names and passwords.


"By compromising one's router, hackers can spy on one's online activities, or trick the individual into clicking on malicious links," said Mr Ryan Flores, a senior manager at cyber-security outfit Trend Micro Asia Pacific.


Said Mr Robin Schmitt, general manager for Asia-Pacific at Neustar: "One way manufacturers can assist in addressing security vulnerabilities is by automating the deployment and installation of patches."


This approach is already used by new routers from Google and a number of network start-ups (Eero and Luma) that come with automatic update functionality.


Symantec is also planning to launch its first router, the Norton Core, in the US later this year. This router inspects packets for malware and other online threats. It also monitors your home network for vulnerable IoT devices and quarantines them.


But while routers may become clever enough to detect malware and auto-update themselves, they can still be compromised by careless users.


Source: The Straits Times © Singapore Press Holdings Limited. Reproduced with permission.

