New Critical Password Warning—86% Of All Router Users Need To Act Now



    Update, Oct. 01, 2024: This story, originally published Sept. 30, now includes a new warning about two zero-day router security vulnerabilities listed by CISA, even more reason to update passwords and firmware.

    If you are reading this, you are almost certainly doing so without realizing you could be leaving the door open to hackers. New research has revealed that an astonishing 86% of broadband users have little idea about cybersecurity, or at least the security of the device they use to connect to the internet. That’s the number of people who have never changed their broadband router admin password from the factory default, and that’s a grave concern, security experts have warned. Here’s why and what you need to do about it right now.

    Broadband Genie Router Security Survey Discloses Critical Security Lapse

    The latest router security survey carried out on behalf of Broadband Genie has provided a chilling insight into the security habits of internet users. Or should that be insecurity habits? To see how router security attitudes had changed since the previous two surveys, completed in 2018 and 2022, the survey polled more than 3,000 users, asking the same questions as in previous years.

    The headline statistics from the report are that 52% of users had never delved into their router settings to configure the device differently from the factory default state in any way. An astonishing 86%, however, admitted to never having changed the factory-set default administrator password either. These figures are an increase on earlier survey results, suggesting that cybersecurity awareness is decreasing among the general router-using population.

    This is staggeringly depressing for someone like me who spends a large part of his working life trying to convey the basics of security hygiene to a non-technical audience. I have failed, that much is clear, as changing your router’s default admin password should be the first thing you do upon powering the device up.

    “Leaving the password as the default is the easiest way for someone to gain access to your router and, therefore, your network and connected devices,” Alex Toft, Broadband Genie’s resident broadband expert, warned. “It’s an open invitation to nefarious characters to snoop around and take what’s yours.” If you choose a suitably strong password, there’s no need to change it again unless it has been compromised.

    The change-it-now advice is less urgent if your router is a newer model that at least comes with a unique admin password rather than a standard default that is the same for all users. If this password is too short or easily guessable, however, then it still makes sense to delve into the admin settings and change it, in my never humble opinion. The survey revealed equally poor results when it came to changing the Wi-Fi password, something that 72% of users said they never do. Although there is an argument to be made that, for most people, most of the time, this is not a huge security issue, it remains something I always recommend doing as it’s good practice anyway. “Similar to the router admin password, default Wi-Fi passwords are well known,” Toft said, “and it would take seconds for a knowledgeable hacker to gain access.”

    Passwords Are Not The Only Low-Hanging Security Fruit

    Almost nine out of ten (89%) of those asked also said that they never updated their router firmware. In many ways, this is the most shocking revelation from a security perspective. Once again, it’s a (very) slight increase in the number from the 2022 survey, which suggests the security message isn’t being heard loudly enough. “Failing to update can leave routers vulnerable,” Toft warned, “which is why this result isn’t the one we wanted to see.” Of course, trying to update router firmware can be something of a Herculean task for most users, although newer routers are making it easier with some implementing automatic updates.

    “Cybercriminals take advantage of bugs and vulnerabilities in firmware, to gain access to your online information,” Oliver Devane, a senior security researcher at McAfee, said, “keeping the firmware up to date with the latest security patches will prevent this from happening.”

    Actions All Broadband Router Users Need To Take Now

    Broadband Genie researchers recommend that all internet router users do the following, using the vendor-provided instructions (a search of your router model or broadband provider on Google will usually come up trumps) or reaching out to your internet service provider if necessary:

    1. Disconnect your internet and perform a full factory reset of the router.
    2. Change your router admin password, Wi-Fi password and network name to something unique immediately.

    America’s Cyber Defense Agency Issues Router Zero-Day Exploit Warnings

    America’s Cyber Defense Agency, more formally known as the Cybersecurity and Infrastructure Security Agency, has issued an official directive requiring federal agencies to apply updates or mitigations for two security vulnerabilities known to be exploited in the wild by hackers attacking two different types of router. Although the CISA mandate legally applies only to federal agencies, the security agency warns that every organization should use the Known Exploited Vulnerabilities catalog to keep pace with threat activity and inform their vulnerability management frameworks.

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation by hackers and subject to a mandatory Binding Operational Directive, which requires Federal Civilian Executive Branch agencies to remediate the zero-days within a maximum period of 60 days and a lot less for critical-rated vulnerabilities.
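
    One way to use the catalog for vulnerability management, as an added example that is not from the article or from CISA: the Python below matches a device inventory against KEV-style records and sorts the hits by remaining time. The field names follow CISA's KEV JSON feed; the inventory, host names and both dates are constructed placeholders, and only the CVE IDs, vendors and models come from this article.

```python
import json
from datetime import date

# Constructed records using field names from CISA's KEV JSON feed. CVE IDs,
# vendors and models are from the article; both dates are placeholders.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2023-25280", "vendorProject": "D-Link", "product": "DIR-820 Router",
  "dateAdded": "2024-01-01", "dueDate": "2024-01-22"},
 {"cveID": "CVE-2020-15415", "vendorProject": "DrayTek",
  "product": "Vigor3900, Vigor2960, Vigor300B Routers",
  "dateAdded": "2024-01-01", "dueDate": "2024-01-22"}]}""")

# Constructed inventory; "eol" marks hardware the vendor no longer supports.
INVENTORY = [
    {"host": "gw-branch-1", "vendor": "D-Link", "model": "DIR-820", "eol": True},
    {"host": "gw-hq", "vendor": "Draytek", "model": "Vigor 2960", "eol": False},
    {"host": "gw-lab", "vendor": "DrayTek", "model": "Vigor2962", "eol": False},
]

def normalize(text):
    """Lower-case and drop punctuation so 'Vigor 2960' matches 'Vigor2960'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def triage(inventory, kev, today):
    """Return one finding per (device, KEV entry) match, most urgent first."""
    findings = []
    for dev in inventory:
        vendor, model = normalize(dev["vendor"]), normalize(dev["model"])
        for vuln in kev["vulnerabilities"]:
            if not model or vendor != normalize(vuln["vendorProject"]):
                continue
            if model not in normalize(vuln["product"]):
                continue
            due = date.fromisoformat(vuln["dueDate"])
            findings.append({
                "host": dev["host"], "cve": vuln["cveID"],
                # End-of-life hardware: the article's advice is replacement.
                "action": "replace" if dev["eol"] else "patch",
                "days_left": (due - today).days,
                "overdue": today > due,
            })
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for finding in triage(INVENTORY, KEV_SAMPLE, date(2024, 1, 10)):
        print(finding)
```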

    The vulnerabilities being exploited are related to two different router manufacturers, D-Link and DrayTek, but are both of the same general type: operating system command injections. These types of vulnerabilities “pose significant risks” and are “frequent attack vectors for malicious cyber actors,” according to CISA.

    CVE-2023-25280 is an OS command injection vulnerability in D-Link DIR-820 routers that could allow a remote and unauthenticated attacker to escalate their privileges to root level by the use of a maliciously-crafted payload. CISA said that the use of this exploit in ransomware attacks is currently unknown, and as the impacted router is end-of-life or end-of-service, discontinuation and replacement are recommended. Security advice is available from D-Link.

    CVE-2020-15415, meanwhile, impacts Vigor3900, Vigor2960, and Vigor300B routers from DrayTek. The vulnerability allows for remote code execution via shell metacharacters within a filename when a text/x-python-script content type is used. CISA recommends applying mitigations as instructed by the vendor. Further security advice is available from DrayTek.
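
    To show why shell metacharacters in a file name matter and how a developer closes the hole, here is an added Python example; it is not DrayTek's or D-Link's code. The function names, the allowlist pattern, the stand-in helper command and the sample file name are all hypothetical and constructed for illustration.

```python
import re
import subprocess
import sys

# Hypothetical allowlist for uploaded file names: no shell metacharacters, no
# path separators, no leading dot or dash, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Stand-in for whatever helper a device would run on the uploaded file.
HELPER = [sys.executable, "-c", "import sys; print('processing', sys.argv[1])"]

def process_vulnerable(filename):
    """'Before' form: the name is pasted into a string that a shell parses."""
    cmd = "echo processing " + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def process_argv_only(filename):
    """No shell involved: metacharacters reach the helper as plain text."""
    return subprocess.run(HELPER + [filename], capture_output=True, text=True).stdout

def process_hardened(filename):
    """'After' form: validate against the allowlist, then avoid the shell."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected file name: %r" % filename)
    return process_argv_only(filename)

if __name__ == "__main__":
    sample = "report.py; echo INJECTED"  # constructed, harmless input
    print(process_vulnerable(sample))   # the shell runs a second command
    print(process_argv_only(sample))    # one literal argument, nothing extra runs
    try:
        process_hardened(sample)
    except ValueError as err:
        print(err)
```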


