A new survey of 2,205 UK internet users (conducted between 22nd February and 22nd March 2018) warns that 82% of respondents have never changed the default admin password for their broadband ISP router and 86% have never updated its firmware. This could make them more vulnerable to hackers.
The Broadband Genie survey also asked respondents for the main reason why they had not made any of these changes. In response, almost half (48%) said they didn’t know why they would need to modify settings on their router and 34% said they did not know how. This is hardly surprising since most consumers will have received their router in a very simple plug-and-play package as part of a broadband bundle from their ISP.
Gagan Singh, SVP & GM Mobile at Avast Software, said:
“The reality is that many smart devices can be compromised, including thermostats, streaming boxes, webcams and digital personal assistants all through the router – and consumers and small businesses are among the most vulnerable users. The first step is to ensure the gateway into the home, the router, is secure. Otherwise, it can offer cybercriminals an easy way to get into our homes and access our personal information.”
As usual there are a few caveats that the survey does not appear to have considered. Firstly, the majority of broadband routers supplied by ISPs tend to be set up so that they can be automatically and remotely updated by the provider, which means that in most cases end-users may never need to consider doing a manual update (unless it’s a third-party device).
Secondly, the bulk of modern routers sold today, whether bundled by an ISP or via a third-party retailer, tend to ship with a randomly generated admin password rather than a universal one. Admittedly some of those passwords aren’t particularly strong, but it does at least mean an attacker cannot simply log in with the password printed in every copy of the manual (most manufacturers seem to have become wise to the obvious risk of shipping hardware with a universal admin password), although you should still change it ASAP.
Some routers also give you the option of restricting administrative changes to only those made via wired (LAN) connections, which helps to remove some of the concern about remote WiFi (WLAN) access. Nevertheless we have in the past seen hackers exploit 0-day vulnerabilities to breach even ISP supplied routers, irrespective of such settings. As ever, there’s no such thing as 100% security.
One final point is on the issue of password strength. Many people still think that a good password is a short jumble of numbers, letters and symbols, which is very hard for a human to remember. In reality the cost of a brute-force attack grows exponentially with the length of the password, so each extra character (or extra word) does more for you than squeezing in another character class. A long password built from several random words is therefore a good trade-off: it can match or beat the search space of a short jumble while being far easier to remember.
For example, rather than something like “4352lkn2d9_B“, you might instead use a nonsensical sentence, such as: “discontent_trade_Rubber_coin_tremble_rough_7” (ideally picking the words at random rather than from a favourite quote, which an attacker can guess, and then building your own story around them so that they mean something to you and nobody else). Six words drawn at random from a 7,776-word list already give a search space comparable to a 12-character random jumble, and every additional word multiplies that search space by several thousand, whereas a short 8-character jumble is within reach of a well-resourced offline attacker.
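To put numbers on the above, here is an added example (my own code, not the article's) that estimates the brute-force search space of both styles of password in bits and the time needed to exhaust it at an assumed guess rate. It assumes the attacker knows how the password was constructed (a random string over the character classes used, or words from a 7,776-word list, which is the size of a Diceware/EFF long word list), which is the conservative thing to assume; the guess rates are assumed figures for illustration, not measurements, and the example passwords other than the article's two are constructed.

```python
import math
import re

# Assumptions (mine, not the article's): the attacker knows how the password was
# built and tries every candidate of that shape. For a character jumble that is every
# string over the character classes present; for a word passphrase it is every
# sequence of words from a published list. 7,776 words is the size of a Diceware/EFF
# long word list.
PRINTABLE_SYMBOLS = 33          # printable ASCII characters that are not letters or digits
WORDLIST_SIZE = 7776
SECONDS_PER_YEAR = 365.25 * 86400


def jumble_bits(password: str) -> float:
    """Search space, in bits, of a *uniformly random* string drawn from the character
    classes the given password uses: length * log2(alphabet). A human-chosen string
    such as "Passw0rd" is in every cracking wordlist, so for it this is a gross
    overestimate; the model only holds for genuinely random output."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += PRINTABLE_SYMBOLS
    return len(password) * math.log2(alphabet)


def passphrase_bits(passphrase: str, sep: str = "_") -> float:
    """Search space, in bits, of a passphrase of random words separated by `sep`.
    Each word contributes log2(WORDLIST_SIZE); a purely numeric token contributes
    log2(10) per digit. Capitalisation is ignored, so this is a lower bound."""
    bits = 0.0
    for token in passphrase.split(sep):
        if token.isdigit():
            bits += len(token) * math.log2(10)
        else:
            bits += math.log2(WORDLIST_SIZE)
    return bits


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given rate. On average a hit comes
    halfway through, so the expected time is half of this."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


# Assumed guess rates, for illustration only (not measured):
#   offline: a GPU rig hashing a leaked database protected by a fast hash
#   online:  guessing against a router's web login over the network with no lockout
RATES = {"offline (1e12/s)": 1e12, "online (10/s)": 10.0}


def compare(candidates: dict) -> dict:
    """candidates maps a label to (secret, is_passphrase). Returns label -> bits and
    prints a table with time-to-exhaust estimates for each assumed rate."""
    result = {}
    for label, (secret, is_passphrase) in candidates.items():
        bits = passphrase_bits(secret) if is_passphrase else jumble_bits(secret)
        result[label] = bits
        times = ", ".join(f"{name}: {years_to_exhaust(bits, rate):.3g} yrs"
                          for name, rate in RATES.items())
        print(f"{label:<22} {len(secret):>3} chars {bits:6.1f} bits  {times}")
    return result


if __name__ == "__main__":
    # The first three are constructed examples; the last two build on the article's own.
    compare({
        "8-char lowercase":     ("qwertyui", False),
        "8-char mixed (random)": ("Passw0rd", False),
        "12-char jumble":       ("4352lkn2d9_B", False),
        "6 words + digit":      ("discontent_trade_Rubber_coin_tremble_rough_7", True),
        "7 words + digit":      ("discontent_trade_Rubber_coin_tremble_rough_ladder_7", True),
    })
```

Run it and the two passwords from the article land within a couple of bits of each other (about 79 bits for the 12-character jumble, about 81 for the six-word passphrase), while the 8-character lowercase string falls in well under a second of offline guessing. The extra word adds roughly 13 bits, which is the whole point: growing a passphrase is cheap for you and expensive for the attacker. The online rate shows why a router that rate-limits or locks out login attempts matters as much as the password itself.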
Obviously none of this will help if you have a dumb device that limits password length to around 8-12 characters, which remains one of the most idiotic restrictions we’ve ever seen and is sadly still very common with a fair few online services.
Lloyds Bank: I couldn’t log in one day and their technical support forced me to shorten my 16-character password to 15 characters because they had changed something in their system that made 15 characters the most you could have.