Security tips for using private and public WLAN

Configuring your router securely and using third-party WLANs with care

The router: the cornerstone of IT security in the home

Your router is the digital heart of your home network. It is the hub through which all internet-enabled devices communicate, be they computers, TVs or smart home technology for controlling blinds or heaters, and it connects these devices to one another and to the internet. This is why it is so important to ensure that your router is fully protected. Basic security lays the foundations for this comprehensive protection. The device configuration and the safe use of the WLAN network complete the package.

How do I configure my router securely?

If an attacker manages to access your router, there are a number of ways for them to damage your system:

  • The attacker may obtain access to your passwords, e-mails or other private data
  • The attacker may misuse your internet connection to execute attacks on other internet users, perhaps to send spam or to launch denial-of-service attacks
  • The attacker may misuse your telephone line to dial premium-rate numbers, or
  • The attacker may replace the firmware installed on the router, preventing it from working as it should

The BSI recommends the following actions:

  • Change your password.
    The operating interface of your router is protected with a password. Do not under any circumstances continue to use the password that the manufacturer provided with the device. Change the password to something that you don't use for any other accounts. See our tips on creating a secure password.
  • Disconnect from the internet when you're configuring the router.
    Don't surf the internet while you are making changes to your router. Even if you've chosen a secure password, there is a risk that an attacker could get into your system if you change the configuration of your router and browse websites at the same time. Finish configuring your router first, restart it (by switching it off and on again, for example) and then start surfing.
  • Use https.
    When configuring your router, ensure that the router configuration is accessed via https. You can check whether this is the case by looking in the address bar in your browser.
  • Keep your firmware up to date.
    Check that the router firmware is up to date on a regular basis. The firmware is the operating software of a device. Updates are released to equip the device with new functions or to correct errors, including eliminating any security vulnerabilities. If your router was given to you by your internet service provider, ask them whether they regularly update the firmware remotely. The router's configuration menu will usually also include an "Updates" option, where you can install updates automatically. Use this option.
  • Delete or replace the login banner.
    Some routers display detailed information on the model, including the manufacturer, device type and the firmware version number. This information could be useful to a potential attacker. Note down the information, but delete it from the device if possible. If necessary, ask the device manufacturer if you can replace or delete the login banner.
  • Set up the MAC filter.
    The MAC address (media access control address) is the hardware address assigned to each individual network adapter. It serves as the unique identifier for the device in a computer network. Apple also calls it the "ethernet ID", "airport ID" and "Wi-Fi address"; Microsoft uses the term "physical address". If your router offers the option of setting up a MAC filter, take advantage of this feature.
    With the filter enabled, only the network cards you have approved are granted access after their MAC addresses have been checked. See also: Determining your MAC address.
  • Deactivate any router functions that you don't need.
    Modern routers come equipped with a host of functions besides enabling you to access the internet. For example, you may be able to use your router as a media player. But these functions can also act as potential points of entry for attackers. Deactivate all router services that you don't need. Only activate the WLAN on your router when you intend to use it. Information on the services offered by your router and how to configure them can be found in your manual or on the router manufacturer's website.
  • Deactivate remote access to your router.
    Many routers allow themselves to be configured from outside the home network. Check whether your router offers this function and whether it is activated, and deactivate it if necessary.
  • Only change firewall settings if you know what you're doing.
    Many routers come with a built-in firewall. Only change the settings for this firewall if you understand the roles of the individual ports.
  • Additional tips for WLAN routers
    If your router is a WLAN (wireless local area network) router, please also read our Additional tips for WLAN routers.
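
As an illustration of the "Use https" and "Delete or replace the login banner" recommendations, the following added example (not BSI code) checks a response captured from your own router's configuration page. The sample response, the vendor and model strings, the address and the function names are all constructed for this example.

```python
import re

# Constructed sample: what a router admin page might return over plain HTTP.
# The vendor, model and version strings are made up for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleRouter-HTTPd/2.1 (Model XR-500; Firmware 1.04.7)\r\n"
    'WWW-Authenticate: Basic realm="ExampleCorp XR-500"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><title>XR-500 Login</title></html>"
)

VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")  # dotted version numbers
BANNER_HEADERS = ("server", "www-authenticate", "x-powered-by")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_admin_interface(url, raw_response):
    """Return a list of findings for the https and login-banner recommendations."""
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("config page not served over https")
    _, headers = parse_headers(raw_response)
    for name in BANNER_HEADERS:
        value = headers.get(name, "")
        versions = VERSION_RE.findall(value)
        if versions:
            findings.append(f"{name} header discloses version {', '.join(versions)}")
        elif name == "www-authenticate" and "realm=" in value:
            findings.append(f"{name} realm may name the device: {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_interface("http://192.168.0.1/", SAMPLE_RESPONSE):
        print("-", finding)
```

An empty result means the page was reached via https and none of the checked headers reveals a version number or a device name.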

Using public WLANs

Most internet-enabled mobile devices can be connected to WLANs. Users like to make use of this feature because mobile phone contracts often place limits on the data volumes that can be sent via the cellular network. What's more, the transfer speeds achieved via WLAN are usually still much faster than those of the mobile phone network.

But using a WLAN also comes with risks - particularly if you're connected to a third-party WLAN with an unknown operator and background. In these cases, your data could be accessed and malware could be installed on your device without your knowledge.

Security tips

  • Activate the WLAN function only when you need it.
    In public areas, the same premise applies as at home: If your WLAN is switched off, there is no way for attackers to get in.
  • Don't access confidential data while connected to a third-party WLAN.
    If you absolutely have to access confidential data while connected to a third-party WLAN, use an SSL connection (e.g. https) or a VPN (virtual private network) where possible. A VPN provides an encrypted connection to a trusted network for all transmitted data, which prevents unauthorised third parties connected to a non-trusted network - such as a public WLAN - from viewing your data. Many employers use VPNs to enable external employees to connect securely to their network. Many internet companies and specialist service providers offer solutions for home use.
  • Check the security level of the hotspot.
    Most hotspots do not use encryption. Read the description of the hotspot service or ask the owner of the network when connecting in places such as cafés.
  • Many hotspots have a fundamental weakness:
    To ensure that the connection process is smooth for the user, there is no encryption at the air interface. This means that the users themselves bear responsibility for the confidentiality of the data transmission. If you want to access your company or home network from a public network access point, do so via a VPN (virtual private network).
  • Deactivate file and directory sharing.
    Depending on the configuration of the hotspot, it is possible that your device will be visible to others on the network.
  • If possible, deactivate automatic connection to recognised hotspots.
    Operators are free to give their WLAN any name they choose. Attackers could easily give their WLANs names such as "Telekom" (posing as the German phone network) or "Free Wifi" and then simply wait for smartphones to connect. This would enable them to obtain the access data that your device has stored to access WLANs with this name. They would also be able to read all data traffic. As even encrypted connections can be faked, exercise caution when using public WLANs, even if you're browsing SSL-protected websites (https://...).