Hackers love inadequately secured WiFi routers. With our checklist you can make your router attack-proof.
Complete protection for your router
A Windows computer has it good: you protect it against attacks with an access password and security software. But computers and notebooks are not the only devices connected to the Internet in the home network. Smartphones, tablets, networked streaming clients, smart TVs, smart home switches and loudspeakers are on the network as well. These devices usually lack special protective functions: they have to rely on the Internet router, which brings them online and is supposed to reliably fend off dangers from the Internet for the WLAN and the home network. However, this only works if the router itself has no security gaps that attackers can exploit. Hackers look for such gaps all the time, as evidenced by many recent examples and perhaps even your router’s event log. The following tips will help you take the right precautions to fully protect your router.
1. Always install the latest firmware
The router’s basic protection is based on its firmware. If the firmware contains security gaps or is out of date, the router becomes more vulnerable to attack. Since the firmware is nothing other than the router’s operating system, it contains bugs and errors just like Windows, MacOS or Android and should therefore be updated regularly. However, many manufacturers do not release updated firmware regularly, especially for somewhat older devices. Therefore, when buying a router, you should check how reliably a given manufacturer supplies firmware updates.
Most routers now offer an automatic update function: this installs new firmware immediately on request or notifies you of a new version, provided you regularly check the router menu. The popular Fritzbox router models have been factory-set for many years so that the router installs newly available firmware updates on its own.
The appropriate setting can be found in the menu of a current Fritzbox from Fritz OS version 7 under “System -> Update -> Auto-Update”. If necessary, you can adapt this to one of the three specified update “levels”. If you want to decide for yourself when to install updates that are not relevant to security, you can switch from the preset level 3 (III) recommended by AVM to level 2 (II). Make sure you leave the checkmark in front of the option “Updates to new FritzOS versions may be initiated from other devices in the home network without registering”. In this way, you can start an available firmware update directly from a Fritzfon connected to the AVM router without having to log into the router’s web menu. Practical: A flashing signal on the DECT telephone informs you of the newly available firmware update. Alternatively, you can also be informed about new firmware updates by email.
2. Secure access to the router menu
The update “stage II” in the Fritzbox ensures that all security-relevant firmware updates are installed automatically. With other updates you can decide for yourself whether you want to install them.
Surprisingly often, the router’s menu offers hackers a large attack surface: many users do not protect it with an individual password and simply leave the factory setting, which is often “Password” or can be found out quickly on the Internet. Manufacturers who assign an individual password at the factory and note it on the underside of the router housing or on an enclosed card do it better. However, you should change this password as well. Owners of a Fritzbox should protect access to the router menu not just with a simple password, but with a username-password combination. Make the corresponding setting in the menu under “System -> Fritzbox user -> Registration in the home network”. Set the selection to “Login with Fritzbox user name and password”. In addition, make sure that the tick in front of “Confirm execution of certain settings and functions” directly under “Confirm” is set. With this additional safety precaution, you prevent your Fritzbox from being tampered with remotely: after changing an important Fritzbox setting you have to be on site, because you have to confirm the change via a connected telephone or by pressing a button on the housing.
In addition to the “Log in with Fritzbox user name and password”, you should also leave the “Confirm execution of certain settings and functions (always) additionally” enabled.
3. Adjust user rights for remote access
You should create a new user for access to the Fritzbox menu from the local network. You grant this user account all permissions except for remote access. As soon as you have logged on to the Fritzbox as this new user for the first time, you should deactivate the “admin” user in the account settings. This increases security, because attacks are very often aimed at admin user accounts.
If you also want to access the Fritzbox menu via the Internet, set up your own user account with a particularly strong password. Then activate the option “Access from the Internet” for this user account only and also activate the “Confirmation via the Google Authenticator App”.
4. Provide WLAN and guest access with a password
The Fritzbox 7590 is one of the few WiFi-5 routers that already support modern WPA3 encryption: It is best to set the so-called transition mode, which WPA2 devices also understand.
Although the WLAN of many home network routers is individually encrypted at the factory, you should still change the default WLAN password. The new password should have at least 20 characters and consist not only of numbers, but also of upper and lower case letters. Be sure to select WPA2 (-PSK) as the encryption method, not a hybrid form that also includes WPA-TKIP, as this is no longer considered secure. If you have a current Wi-Fi 6 router or an older model with new firmware, it may already offer the newer WPA3 method.
WLAN clients can be brought into the wireless network very conveniently with the push of a button using the WPS function. However, you should only activate this procedure when you need it and otherwise leave it deactivated because it has security gaps. In the Fritzbox you can switch WPS on and off under “WLAN -> Security -> WPS quick connection”.
As a rule, you should only allow visitors to go online using the WLAN guest access. This way they can access the Internet, but they cannot access devices in the home network. You set this up in the Fritzbox using the “WLAN -> Guest Access” menu. Use at least WPA2 encryption for the guest WLAN. You can easily connect your guests to the guest network via WPS from the Fritzbox menu. Or you can print out the QR code for guest access, which visitors can scan with their smartphones to bring the phone into the WLAN. iPhone users read the access data stored in the QR code directly via the iPhone camera and thus establish the connection to the guest WiFi.
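The rules from this section as an added Python example (not part of the original article and not AVM software): it generates a passphrase that meets the length and character rules above and audits a set of WLAN settings against this section. The settings keys and mode labels are hypothetical, the two sample configurations are constructed, and the 63-character upper limit is the maximum length of a WPA2 passphrase.

```python
import secrets
import string

# WPA2-PSK passphrases are 8 to 63 printable ASCII characters; the article asks for at least 20.
MIN_LEN, MAX_LEN = 20, 63
ALPHABET = string.ascii_letters + string.digits
# Hypothetical labels for the modes the article accepts (WPA2, WPA2/WPA3 transition mode, WPA3).
ACCEPTED_MODES = ("WPA2", "WPA2+WPA3", "WPA3")


def has_all_classes(passphrase):
    """True if the passphrase mixes digits, upper-case and lower-case letters."""
    return (any(c.isdigit() for c in passphrase)
            and any(c.isupper() for c in passphrase)
            and any(c.islower() for c in passphrase))


def generate_passphrase(length=24):
    """Draw from the OS CSPRNG and retry until all three character classes occur."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def audit_wlan(settings):
    """Return a list of findings for a settings dict (hypothetical key names)."""
    findings = []
    passphrase = settings.get("passphrase", "")
    if len(passphrase) < MIN_LEN:
        findings.append("passphrase shorter than 20 characters")
    if not has_all_classes(passphrase):
        findings.append("passphrase lacks digits, upper or lower case letters")
    if settings.get("encryption") not in ACCEPTED_MODES:
        findings.append("encryption mode includes WPA-TKIP or is not set")
    if settings.get("wps_enabled"):
        findings.append("WPS is permanently enabled")
    if settings.get("guest_encryption") not in ACCEPTED_MODES:
        findings.append("guest WLAN uses less than WPA2")
    return findings


# Constructed sample settings: a weak configuration beside a corrected one.
WEAK = {"passphrase": "12345678", "encryption": "WPA+WPA2",
        "wps_enabled": True, "guest_encryption": "none"}
HARDENED = {"passphrase": generate_passphrase(), "encryption": "WPA2+WPA3",
            "wps_enabled": False, "guest_encryption": "WPA2"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_wlan(cfg) or "no findings")
```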
5. Use encrypted access to the router menu
The “Let’s encrypt” certificate is a good option to make the warning message in the browser disappear when accessing the Fritzbox using https.
Even if you access your router from a client in the secure home network, it is better to choose the encrypted https connection instead of the unencrypted http protocol. Do not call up the Fritzbox menu via http://fritz.box, but via https://fritz.box. Your browser reports a possible security risk because the SSL certificate for this website was generated and signed by its own issuer, namely the Fritzbox. For this reason, your browser classifies your router as an “untrustworthy website provider”, which of course does not apply in this particular case. If you get a corresponding message, go to “Advanced” in Firefox and in the next step to “Accept risk and continue”. Alternatively, you can import the Fritzbox certificate into the certificate store of your PC or browser.
The https connection to your router ensures that your access data is encrypted when you log in to the menu and cannot be read by any other user in your home network without authorization.
If you have set up a Myfritz remote access in the Fritzbox under “Internet -> MyFritz account” and activate the option “Use certificate from letsencrypt.org”, you will receive a trustworthy SSL certificate. Your browser will then no longer complain when you access your Fritzbox remotely.
The Fritzbox allows device-related port releases: This is much more secure than the UPnP release for all devices, which is set in most routers at the factory.
6. Enable important push notifications
With the push services, a Fritzbox has an excellent information and warning function that draws your attention to security-relevant events. The Fritzbox notifies you when an unknown device logs into the home network or guest network, when the Fritzbox is accessed remotely, the telephone connection is interrupted or the router is restarted. The router will also notify you of a new Fritz OS version. To activate this function, go to “System -> Push Service -> Sender” in the Fritzbox menu. There you enter the access data of a valid e-mail account so that the Fritzbox can send e-mails via the SMTP server of this account. Then switch to the “Push Services” tab and select which events the Fritzbox should inform you about. For information on new (WLAN) clients in the home network, activate the options “WLAN guest access” and “Change notice”. In this way, the Fritzbox also notifies you of all security-relevant changes in your menu. You will also receive the notification e-mails if you change a setting yourself.
If you strive for the greatest possible security, it is best to leave all global filter settings activated in the Fritzbox.