Security Corner

Nov 25 2009   2:04AM GMT

Golden Rule #3: Omit This Setup Step and Your Router Can Be Easily Compromised

Ken Harthun

Golden Rule #2 stressed having a NAT router–or router/firewall–between your PC and the Internet as a first line of defense. This is without question the first, most important security step, but it can be useless unless you have it properly configured; in fact, omitting one crucial first step can leave you even more vulnerable to attack than you would be without the device.

All routers come with a default user name and password, often as simple as admin/admin (when I’m faced with a router I haven’t seen before, this is the first thing I try–and it often gets me in). Default settings are a good thing because if you ever forget your password, you can reset the router and take it back to square one. However, this is also a dangerous security risk–these defaults are well known and published on the Web. A couple of years ago, for example, three of the more widely used consumer routers, Linksys, D-Link, and Netgear, were vulnerable to a JavaScript web page attack. Go to the wrong site and if you haven’t changed the default password, the attacker can change your router’s settings to send you to malicious websites. For example, you’ll think you’re looking at your bank’s login page, but it will be a fake look-alike that steals your account information as soon as you log in.

While the manufacturers try to patch such vulnerabilities, users often don’t apply the patches, and even if they do, determined hackers often find other ways in. As recently as October 2009, a blogger who stumbled across a vulnerability in more than 65,000 Time Warner Cable customer routers said the routers were still vulnerable to remote attack, despite claims by the company that it had patched them. A report by Wired found that 45 percent of 2,729 publicly accessible Linksys routers still had a default password in place.

And that is precisely why you should put this on your list as Golden Rule #3: Always change the default user name and password of any configurable device you put on your home network.
