Advisory On Securing Your Routers
2 October 2023
Last Updated: 10 April 2026
Importance Of Router Security
Threat actors have targeted routers as an entry point into homes and offices. Routers are networking devices that connect your local network to the Internet, serving as a gateway for traffic between different devices and networks in your environment. A vulnerable router can expose connected devices to communications interception, credential theft, and other forms of attacks. It is therefore critical that routers are properly secured as they act as the first line of defence against external cyber threats.
Common Attack Vectors Targeting Routers
Routers can be compromised through various attack methods. Understanding these attack vectors is crucial to maintaining network security. Here are common ways in which your routers could be compromised:
Internet-Exposed Administration Interface: Exposing the administration control panel to the Internet or allowing remote management increases the attack surface by making router settings accessible to external threats.
Weak or Default Passwords: Many users do not change the default usernames and passwords to the administration control panel of their routers. Threat actors could exploit these default credentials to gain unauthorised access to the router’s settings and manipulate the network.
Brute-Force and Credential Stuffing Attacks: Threat actors may attempt to crack login credentials of the router's administration control panel through brute-force attacks. Increasingly, threat actors also use credential stuffing, where large sets of usernames and passwords leaked from previous data breaches are used to gain unauthorised access to routers whose login credentials have never been changed.
Known and Zero-Day Vulnerabilities: The majority of router compromises exploit known vulnerabilities in outdated firmware that have not been patched. Threat actors may also exploit previously unknown zero-day vulnerabilities that they discovered before manufacturers are able to release fixes. Keeping router firmware up-to-date is therefore one of the most effective defences against such exploitation.
What Threat Actors Can Do After Compromising Your Router
A successful router compromise may in turn compromise the confidentiality, integrity, and availability of your network. Specifically, threat actors may be able to perform the following actions:
Exfiltrate Data: As routers perform internet gateway functions, threat actors may use the compromised router as a pivot point to exfiltrate sensitive data from your environment.
Monitor Network Traffic: As routers manage the flow of data between the networks they connect, including traffic from those networks to the Internet, a threat actor who compromises the router can intercept and monitor all traffic that passes through it. This potentially allows the threat actor to capture usernames, passwords, and other sensitive information.
Manipulate Network Traffic: Threat actors who control the compromised router can potentially redirect network traffic, for example through Domain Name System (DNS) hijacking, towards malicious phishing websites to phish for sensitive information from users or trick users into downloading malware onto their devices.
Perform Lateral Movement: With an initial foothold established in a user's environment, threat actors can leverage the compromised router for network enumeration and vulnerability scanning, and subsequently move laterally to vulnerable devices.
Launch Attacks or Serve as Proxy Infrastructure: A compromised router may be enlisted into a botnet to launch Distributed Denial-of-Service (DDoS) attacks against internet services. Increasingly, compromised routers are also used by threat actors as proxy infrastructure to anonymise their malicious traffic, making it appear to originate from legitimate networks and complicating attribution and detection efforts.
Securing Your Router
Securing routers can be simple and fuss-free. At minimum, users and administrators are advised to implement the following essential controls for baseline security:
Never enable remote management access unless necessary. If required, restrict remote management to specific IP addresses.
Change the default admin credentials for your router and the Wi-Fi network password. Create a strong passphrase incorporating uppercase, lowercase, numbers and symbols.
Perform regular patching to ensure that the router is protected with the latest security updates. Check if your devices are still supported by the manufacturer and will continue receiving security updates. Priority should be placed on replacing any existing end-of-support devices as soon as possible.
Additional controls may be implemented to further secure your router:
Enable port forwarding only for services that require external access and limit the IP addresses that can connect through forwarded ports.
Disable any unnecessary router services and features that are not in use or needed. Never disable the router's in-built firewall.
Implement network segmentation by separating your devices into different virtual local area networks (VLANs).
Enable Multi-Factor Authentication (MFA) on all accounts and services, where supported. MFA adds an additional layer of authentication beyond passwords.
Set up a guest network with limited access rights to keep guest devices separate from your primary network. Additionally, isolate Internet of Things (IoT) devices such as smart home appliances and IP cameras from your primary network by creating a dedicated network segment, as these devices are frequently targeted and may be used as a stepping stone to compromise other devices on your network.
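The following is an added example, not part of this advisory, that audits a router configuration against the baseline and additional controls listed above. The configuration schema, the sample configuration and the list of factory credential pairs are assumptions for illustration; real routers use vendor-specific export formats.

```python
from datetime import date

# Constructed sample configuration (hypothetical schema, not a vendor export).
SAMPLE_CONFIG = {
    "admin_username": "admin",
    "admin_password": "admin",
    "remote_management": {"enabled": True, "allowed_ips": []},
    "firewall_enabled": False,
    "vendor_support_end": "2024-12-31",
    "port_forwards": [
        {"port": 443, "target": "192.168.1.10", "allowed_sources": []},
        {"port": 22, "target": "192.168.1.20", "allowed_sources": ["203.0.113.5"]},
    ],
    "guest_network_enabled": False,
    "iot_segment_enabled": True,
}

# Factory credential pairs to flag (illustrative list, not vendor-specific).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

def audit_router_config(cfg, today=date(2026, 4, 10)):
    """Return a list of findings; an empty list means every control above is met."""
    findings = []
    creds = (cfg["admin_username"], cfg["admin_password"])
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default admin credentials in use")
    elif len(cfg["admin_password"]) < 12:
        findings.append("admin password too short for a strong passphrase")
    rm = cfg["remote_management"]
    if rm["enabled"] and not rm["allowed_ips"]:
        findings.append("remote management enabled without source IP restriction")
    if not cfg["firewall_enabled"]:
        findings.append("in-built firewall disabled")
    if date.fromisoformat(cfg["vendor_support_end"]) < today:
        findings.append("device is end-of-support and no longer receives updates")
    for fwd in cfg["port_forwards"]:
        if not fwd["allowed_sources"]:
            findings.append(f"port forward {fwd['port']} -> {fwd['target']} open to any source")
    if not cfg["guest_network_enabled"]:
        findings.append("no guest network configured")
    if not cfg["iot_segment_enabled"]:
        findings.append("IoT devices not isolated on a dedicated segment")
    return findings

if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```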
Monitoring for Suspicious Activities
Monitor network devices and periodically review logs for any anomalous behaviour by comparing against expected configuration changes and patching plans. Some examples of anomalous behaviour include:
Unauthorised updating of firmware
Unauthorised reboots
Unauthorised modifications to the router configuration; for example, unfamiliar or unexpected DNS server addresses
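The following is an added example, not part of this advisory, that applies the review described above to router log lines: it flags firmware updates and reboots that fall outside an approved maintenance window, and DNS server changes that do not match the expected resolvers. The log format, the sample lines, the change window and the expected DNS addresses are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (hypothetical format, not real vendor output).
SAMPLE_LOGS = """\
2026-04-08T02:05:11 router kernel: system reboot requested by admin
2026-04-08T02:07:40 router fwupd: firmware upgraded 1.2.0 -> 1.3.0
2026-04-09T14:22:03 router config: dns servers set to 198.51.100.7,198.51.100.8
2026-04-09T23:41:55 router config: dns servers set to 203.0.113.66,203.0.113.67
2026-04-10T03:12:09 router kernel: system reboot requested by remote
2026-04-10T03:15:30 router fwupd: firmware upgraded 1.3.0 -> 1.3.0-custom
"""

# Approved maintenance window and expected resolver addresses (assumptions).
CHANGE_WINDOW = (datetime(2026, 4, 8, 2, 0), datetime(2026, 4, 8, 3, 0))
EXPECTED_DNS = {"198.51.100.7", "198.51.100.8"}

LINE_RE = re.compile(r"^(\S+) \S+ (\w+): (.*)$")
DNS_RE = re.compile(r"dns servers set to (\S+)")

def in_change_window(ts):
    """True if the event falls inside the approved maintenance window."""
    return CHANGE_WINDOW[0] <= ts <= CHANGE_WINDOW[1]

def find_anomalies(logs):
    """Return (timestamp, reason) pairs for events that deviate from the change plan."""
    anomalies = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, proc, msg = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if proc == "fwupd" and not in_change_window(ts):
            anomalies.append((m.group(1), f"firmware update outside change window: {msg}"))
        elif "reboot" in msg and not in_change_window(ts):
            anomalies.append((m.group(1), f"reboot outside change window: {msg}"))
        dns = DNS_RE.search(msg)
        if dns and set(dns.group(1).split(",")) != EXPECTED_DNS:
            anomalies.append((m.group(1), f"unexpected DNS servers: {dns.group(1)}"))
    return anomalies

if __name__ == "__main__":
    for when, reason in find_anomalies(SAMPLE_LOGS):
        print(when, reason)
```

Events inside the window that match the patching plan and DNS changes to the expected resolvers are not reported, so the output is limited to the three deviations a reviewer would need to investigate.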
Conclusion
Routers are a well-established initial access vector actively exploited by threat actors to gain a foothold into networks. Users and administrators should prioritise router security as a fundamental part of their cybersecurity posture. Failure to do so may place every connected device, account, and service at risk of compromise.
