Can a virus attack a router?

6 steps to the optimally protected router

Michael Seemann

Hackers love inadequately secured WiFi routers. With our checklist you can make your router attack-proof.


A Windows computer has it good: you protect it against attacks with an access password and security software. But computers and notebooks are not the only devices in the home network that are connected to the Internet. Smartphones, tablets, networked streaming clients, smart TVs, smart home switches and loudspeakers are on the network as well. These devices usually lack protective functions of their own: they have to rely on the Internet router, which brings them online and is supposed to reliably fend off dangers from the Internet for the WLAN and the home network. However, this only works if the router itself has no security holes that attackers can exploit. And that is exactly what hackers are constantly looking for, as evidenced by many recent examples and perhaps even by your router's event log. The following tips will help you take the right precautions to fully protect your router.

1. Always install the latest firmware

The router's basic protection is based on its firmware. If the firmware is vulnerable or out of date, the router becomes more exposed to attack. Since the firmware is nothing other than the router's operating system, it contains bugs and errors just like Windows, MacOS or Android and should therefore be updated regularly. However, many manufacturers do not release updated firmware regularly, especially for somewhat older devices. Therefore, when you buy a router, you should check how reliably a given manufacturer supplies firmware updates.

Most routers now offer an automatic update function: it either installs new firmware immediately on request or notifies you of a new version, provided you regularly check the router menu. The popular Fritzbox router models have for many years been set at the factory so that the router installs newly available firmware updates on its own.

On a current Fritzbox with Fritz OS version 7 or later, the appropriate setting can be found in the menu under "System -› Update -› Auto-Update". If necessary, you can switch to one of the three specified update "levels". If you want to decide for yourself whether to install updates that are not relevant to security, you can switch here from the preset level 3 (III) recommended by AVM to level 2 (II). However, it is essential that you leave the check mark in front of the option “Updates to new FritzOS versions may be initiated from other devices in the home network without registering”. This lets you start an available firmware update directly from a Fritzfon connected to the AVM router without having to log into the router's web menu. Practical: a flashing signal on the DECT telephone informs you of the newly available firmware update. Alternatively, you can also be informed about new firmware updates by email.


2. Secure access to the router menu

The update "stage II" in the Fritzbox ensures that all security-relevant firmware updates are installed automatically. With other updates, you can decide for yourself whether you want to install them.

Surprisingly often, the router's menu offers hackers a large attack surface: many users do not protect it with an individual password but simply leave the factory setting, which is often "Password" or can be found quickly on the Internet. Manufacturers that assign an individual password at the factory and print it on the underside of the router housing or on an enclosed card do better. However, you should change this password as well. Owners of a Fritzbox should protect access to the router menu not just with a simple password but with a username-password combination. Make the corresponding setting in the menu under "System -› Fritzbox user -› Registration in the home network". Set the selection to "Login with Fritzbox user name and password". Also make sure that the check mark in front of "Confirm execution of certain settings and functions", directly under "Confirm", is set. This additional precaution prevents your Fritzbox from being tampered with remotely: after changing an important Fritzbox setting, you have to be on site to confirm it using a connected telephone or by pressing a button on the housing.

In addition to the "Log in with Fritzbox user name and password", you should also leave the "Confirm execution of certain settings and functions (always) additionally" enabled.

3. Adjust user rights for remote access

You should create a new user to access the Fritzbox menu from the local network. You grant this user account all permissions except for remote access. As soon as you have logged on to the Fritzbox as this new user for the first time, you should deactivate the “admin” user in the account settings. This increases security because attacks are very often aimed at admin user accounts.

If you also want to access the Fritzbox menu via the Internet, set up a separate user account with a particularly strong password. Then activate the option “Access from the Internet” only for this user account and also activate the “Confirmation via the Google Authenticator App”.

4. Provide a password for WLAN and guest access

The Fritzbox 7590 is one of the few WiFi-5 routers that already support the modern WPA3 encryption: it is best to set the so-called transition mode, which WPA2 devices also understand.

Although the WLAN of many home network routers is individually encrypted at the factory, you should still change the default WLAN password. The new password should be at least 20 characters long and consist not only of numbers but also of upper and lower case letters. Be sure to select WPA2 (-PSK) as the encryption method, not a hybrid form that also includes WPA-TKIP, as this is no longer considered secure. If you have a current Wi-Fi 6 router or an older model with new firmware, it may already offer the newer WPA3 method.

WLAN clients can be brought into the wireless network very conveniently at the push of a button using the WPS function. However, you should only activate this procedure when you need it and otherwise leave it deactivated because it has security gaps. In the Fritzbox you can switch WPS on and off under “WLAN -› Security -› WPS quick connection”.

As a matter of principle, you should only allow visitors to go online via the WLAN guest access. That way they can reach the Internet, but they cannot access devices in the home network. You set this up in the Fritzbox using the "WLAN -› Guest Access" menu. Use at least WPA2 encryption for the guest WLAN as well. You can easily connect your guests to the guest network with WPS from the Fritzbox menu. Or you can print out the QR code for guest access, which visitors scan with their smartphones to bring the phone into the WLAN. iPhone users read the access data stored in the QR code directly with the iPhone camera and thus establish a connection to the guest WiFi.


5. Use encrypted access to the router menu

The "Let's Encrypt" certificate is a good way to make the warning in the browser disappear when accessing the Fritzbox using HTTPS.