Advisory On Securing Your Routers

A router is a networking tool that connects the devices in your local network to the internet. It serves as a gateway for traffic between different devices and networks in your environment. It is thus important to secure your routers as they are the first line of defence between your local network and external cyber threats. 

Importance Of Router Security

Key reasons to secure your routers:

• Protection from Unauthorised Access: An unsecured router could enable unauthorised users to connect to your network, which could result in potential data breaches or misuse of your internet connection. By securing your router, it restricts access to only authorised devices.
  

• Safeguard Privacy: An unsecured router could enable attackers to potentially monitor your online activities, including websites visited and communications conducted over the internet.
  

• Prevent Unauthorised Configuration Changes: An unsecured router could enable unauthorised users to make configuration changes to your router that disrupt your network's functionality or compromise its security. 
  

• Mitigate Network Attacks: An unsecured router is vulnerable to a wide array of network attacks, such as Distributed Denial of Service (DDoS) attacks and port scanning. Proper security measures can help prevent or mitigate these attacks.
  

Common Attack Vectors Targeting Routers

A router that is vulnerable to external cyber threats could be compromised in several ways. Understanding these attack vectors is crucial to maintaining network security. Here are common ways in which your routers could be compromised:

• Weak or Default Passwords: Many users do not change the default usernames and passwords that are configured on their routers. Attackers could exploit these default credentials to gain unauthorised access to the router's settings and manipulate the network.
  

• Brute-Force Attacks: Attackers could launch brute force attacks to crack the router's login credentials. Multiple combinations of usernames and passwords will be used until they find the correct ones.
  

• Zero-Day Vulnerabilities: Attackers may discover previously unknown vulnerabilities on routers and exploit them before manufacturers could release patches to fix them.
  

• Outdated Firmware: Router firmware that are outdated means known vulnerabilities are unpatched. Attackers could exploit these vulnerabilities to compromise the router's security.
  

What Threat Actors Can Do After Compromising Your Router

Successful compromise of a router by a threat actor may result in similar compromise to your network confidentiality, integrity and availability nexus. Specifically, threat actors may be able to perform the following actions:

• Exfiltrate Data: As routers perform internet gateway functions, threat actors may use the compromised router as a pivot point to steal sensitive data retrieved from your environment
  

• Monitor Network Traffic: As routers form networks and manage the flow of data among those networks, which includes the flow of data from those networks to the internet, compromising the router will enable the threat actor to intercept and monitor all traffic that passes through the router. This potentially allows the threat actor to capture sensitive data, including usernames, passwords, and other sensitive information.
  

• Manipulate Network Traffic: Threat actors who control the compromised router can potentially re-direct network traffic towards malicious websites to phish for sensitive information or download malware onto user devices.
  

• Perform Lateral Movement: With an initial foothold established in your environment, threat actors can leverage the compromised router for network enumeration, vulnerability scanning, and subsequently, perform lateral movement to vulnerable devices
  

• Launch Denial of Service (DDoS) Attacks: If the threat actor is able to compromise the router, it may become part of a botnet that can launch DDoS attacks on internet services for disruption purposes.
  

Detection & Mitigation Measures

While non-exhaustive, users and administrators are advised to implement the following detection and mitigation measures, where applicable, to better secure your router and reduce the risk of a threat actor compromising it:

Detection Measures:

• Monitor both inbound and outbound connections from network devices to both external and internal systems, including Secure Shell Protocol (SSH).
  

• Monitor network devices and periodically review logs for any anomalous behaviour by comparing against expected configuration changes and patching plans. Some examples of anomalous behaviour include:

• Unauthorised downloads of bootloaders and firmware images

• Unauthorised reboots

• Unauthorised operating system version changes or changes to the configuration

• Attempts to update firmware

• Unauthorised changes to the software stored and running on network devices.
  
  

Mitigation Measures:

• Perform regular patching to ensure that the router is protected with the latest security updates.

• Implement access lists or rule sets to block any unauthorised connections.
  

• Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. Priority should be placed on replacing any existing end-of-life and unsupported network equipment as soon as possible.
  

• Implement network segmentation by separating your devices into different virtual local area networks (VLANs).
  

• Periodically take snapshots of boot records and firmware and compare them against known good images.
  

• Change the default username and password for your router and implement a complex and unique password which includes a mix of upper and lower-case letters, numbers, and special characters.
  

• Disable remote management access unless necessary. If required, restrict it to specific IP addresses.
  

• Enable the built-in firewall and configure it to block inbound and outbound traffic that is not necessary for your network's operation.
  

• Enable port forwarding only for services that require external access and limit the IP addresses that can connect through forwarded ports.
  

• Disable any unnecessary router services and features that are not in use or needed.
  

• Set up a guest network with limited access rights to keep guest devices separate from your primary network.
  

Users and administrators should prioritise securing routers as they act as critical hubs for all network traffic. Neglecting their protection may eventually result in compromising your network.