Think of your home or office network as a walled city and your router as a border guard, overseeing the flow of internet traffic and keeping out online attackers who are constantly trying to make their way in.
Your router's defences
To be able to carry out their sentry duties, routers come equipped with built-in security features, such as:
- Firewall: This filters incoming and outgoing network traffic, blocking unauthorised access attempts based on a set of pre-defined rules. Only traffic that the rules permit is let in, while everything else gets blocked.
- Network Address Translation (NAT): NAT masks your devices' internal IP addresses, making them invisible to the outside world and preventing attackers from directly targeting them.
- Wi-Fi Protected Access (WPA2/3): This encryption protocol secures your Wi-Fi network with a password, preventing unauthorised users from hopping onto your connection and potentially snooping on your data.
What can attackers do?
An online attacker can target your router in different ways, including denial-of-service attacks, brute force attacks if your router has a weak password, or by exploiting software vulnerabilities. Once they break into your network, attackers may be able to gain remote access to your devices that are linked to your router – your CCTV cameras, your TV or even your garage door. If they have a record of your online activity history, they can target you with social engineering techniques.
Attackers can also use your router as a part of a botnet to run coordinated attacks across multiple networks (see box below).
Understanding botnets
A botnet is a network of compromised devices. If an attacker gains access to your router, they could use it to deploy coordinated attacks on other networks. Earlier this year, the NCSC was made aware of PRC-linked cyber actors who had compromised internet-connected devices including small office/home office (SOHO) routers, firewalls, and internet of things (IoT) devices. The NCSC and its international partners released an advisory to highlight and mitigate this threat.
Strengthening your router's defences
You can mitigate many of the risks your router faces with a few simple steps:
- Change the default credentials: Routers come with default usernames and passwords that can be guessed easily. Change these to strong, unique passwords to prevent unauthorised access.
- Update your firmware: When router manufacturers discover a security vulnerability, they regularly publish firmware updates to patch it. Installing these updates helps your router guard against attackers looking to exploit vulnerabilities.
- Enable WPA2/3 encryption: Always use the latest Wi-Fi encryption protocol (currently WPA3) and choose a strong password. This ensures only authorised devices can connect to your network. If your router uses an obsolete security protocol such as WEP or WPA, we recommend replacing it.
- Disable remote management: Most routers have a remote management facility that lets you access and manage your router from anywhere on the internet, but this also makes your router vulnerable to attacks. Disable this feature; if you must use it, make sure you use strong passwords and MFA on the remote access app or router account.
- Create a guest network: Most routers will let you set up a separate Wi-Fi network for guests with limited access to your internal network. This prevents them from accidentally or intentionally accessing your personal data.
Regularly monitor your network
Keep an eye on the devices connected to your network. You can do this on your router’s web interface. If you see an unfamiliar device connected to your network, investigate it and change your credentials to keep intruders out.
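The monitoring step above can also be done from a computer on the network. The script below is an added example, not part of the original article: it compares the output of `ip neigh show` on a Linux machine with a list of devices you own. The sample output, the `KNOWN_DEVICES` allowlist and all addresses in it are constructed for illustration.

```python
import re

# Constructed sample of `ip neigh show` output from a Linux host on the LAN.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3c:84:6a:11:22:33 REACHABLE
192.168.1.23 dev wlan0 lladdr A4:83:E7:AA:BB:CC STALE
192.168.1.57 dev wlan0 lladdr 9e:12:7f:00:45:d1 REACHABLE
192.168.1.88 dev wlan0 lladdr 00:1a:2b:3c:4d:5e DELAY
192.168.1.99 dev wlan0  FAILED
"""

# Hypothetical allowlist: MAC addresses of devices you own (constructed values).
KNOWN_DEVICES = {
    "3c:84:6a:11:22:33": "router",
    "a4-83-e7-aa-bb-cc": "laptop",
}

MAC_RE = re.compile(r"lladdr\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")

def normalise(mac):
    """Lower-case and use ':' separators so differently written MACs compare equal."""
    return mac.lower().replace("-", ":")

def is_randomised(mac):
    """True if the locally administered bit is set, as on per-network private MACs."""
    return bool(int(normalise(mac)[:2], 16) & 0x02)

def unfamiliar_devices(neigh_output, known):
    """Return [(ip, mac, note)] for neighbours whose MAC is not in the allowlist."""
    allowed = {normalise(m) for m in known}
    findings = []
    for line in neigh_output.splitlines():
        match = MAC_RE.search(line)
        if not match:  # FAILED/INCOMPLETE entries have no MAC to check
            continue
        mac = normalise(match.group(1))
        if mac not in allowed:
            note = "randomised MAC" if is_randomised(mac) else "fixed vendor MAC"
            findings.append((line.split()[0], mac, note))
    return findings

if __name__ == "__main__":
    for ip, mac, note in unfamiliar_devices(SAMPLE_NEIGH, KNOWN_DEVICES):
        print(f"unfamiliar device {ip} {mac} ({note})")
```

Many phones and laptops present a randomised MAC address per network, so an unfamiliar entry flagged as randomised may be one of your own devices; check it against the device's Wi-Fi settings before treating it as an intruder.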
Beyond the basics
For those wanting to go the extra mile, consider these advanced security measures:
- Use a Virtual Private Network (VPN): A VPN encrypts all your internet traffic, adding an extra layer of security, especially when using public Wi-Fi.
- MAC Address Filtering: This allows you to specify which devices are allowed to connect to your Wi-Fi based on their unique MAC address, so unfamiliar devices cannot jump on your network.