People really don’t get home router security, who knew?
According to a recent survey by UK-based broadband watcher Broadband Genie we have a problem. OK, I guess none of the survey’s findings really come as a surprise, but still, it’s grounding to realise the extent of general home users’ lack of basic security awareness when it comes to their routers.
The router in a typical home is the link to the wider internet, and as such, is a major potential attack vecto. While it is easier to target vulnerabilities on user PCs and devices through their activity on the internet, a router exposure is both remotely exploitable, and of great value given that it provides an open door into the home network. This level of access exposes many more potential device vulnerabilities which would otherwise be cordoned off from the outside, and often ones which are less visible or manageable by the owners.
The survey asked a sample of a little over 2200 adult home user whether they had ever done a number of basic security tasks on their routers.
51% of those surveyed had performed precisely zero of the tasks, ever, while 69% had never changed their administrator password from the default. That’s a big one as the default router passwords are generally public knowledge, and can be easily exploited either through a remote admin login (if enabled) or by jumping in through another vulnerability inside the network.
Less surprising is the number of people who had not done a firmware update at 65%, given many routers do not make this obvious, or even indicate if one is available.
The results confirm that most people are completely unaware of these tasks or their importance. Indeed, many internet users simply accept that the box their ISP sent them is just an appliance needed to make the internet work, and that it’s innner working have nothing to do with them.
Ignorance is a key factor in these results, given the top reason provided by the respondents was “I don’t know why I would need to” at 48%. This is closely followed by number 2 with “I’m not sure how to do these things” coming in at 34%.
Addressing that knowledge gap is a challenge, most people simply have other things to worry about, and it if ain’t broke, why fix it? Explaining the risks of internet exposure in terms that matter to everyday folks is something the industry needs to continue to do, but a better fix is for router manufacturers and ISPs to take some responsibility to protect their customers better.
Higher end routers already do this effectively, by managing updates automatically, and providing easy app-based setup that guides the user through setting up strong passwords and WiFi settings, in addition to providing phone notifications of things that need attention. The problem is that ISPs are generally not interested in supplying decent routers, only cheap ones.
The irony, though, is that accessing home network devices through shoddy routers isn’t actually likely to harm the owner all that much directly, because the money shot for attackers is to infiltrate quietly and enlist any vulnerable devices into botnets. The growing threat of these ever larger botnets is a problem for us all. Perhaps it’s time governments took steps to hold manufacturers accountable for poor security.