

Ask HN: How do I know if my home router is secure? - andrewstuart


======
brudgers
Security is relative. No matter how your router is configured, a burglar can
walk off with your hardware and the data it contains. Sure you can put bars on
the windows, but it's not cost effective to protect against shaped charge wall
breaching. For a bit of security, I'd look at upgrading any consumer grade
router firmware to DD-WRT or OpenWrt to get rid of factory default service
accounts and obtain finer grained control of the device than typically ships
in the box.

From there it then just comes down to how much effort you enjoy putting into
security. For some people UPnP is a feature, for others it's a horror. And of
course if you really are concerned with security, don't use Wi-Fi because it
doesn't just leak information, it broadcasts it. Of course, wiring up the
house with Cat-x is a big job compared to typing in a WPA pass-phrase.

Secure against what? is what you need to decide. The neighbor's dog is one
thing, the NSA another.

Good luck.

------
PeekPoke
Turn it off. It's now secure. Turn it back on. It's now insecure (to some
level).

------
ryanmcdonough
You don't.

Lock it down as best you can:
http://www.tomsguide.com/us/home-router-security,news-19245.html

But as for the software being immune to vulnerabilities - no chance. Read
http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/ which
lists huge security issues and then D-Link putting out a patch which doesn't
even fix what they said it did.

------
eridal
I guess for "router" you meant your "internet modem", and how to be sure that
no one is accessing it from outside.

Well it's a risk, so you can spend a lot of money to minimize the risk, but
you can't get rid of it.

You can try to minimize the attack vectors on the WAN side:

- drop incoming connections from WAN, firewall

- no ICMP answers

- no admin interface, be it HTML, telnet, ssh (some routers bypass the
firewall on these services)

- no default password!

- no UPnP, so malware on the LAN cannot bypass your firewall (but they can still
phone home)

what else?
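
The WAN-side checklist in the comment above, turned into a check over `iptables-save -t filter` output; this is an added example, not something posted in the thread. It assumes a Linux-based router whose firewall is iptables, `eth0` as the WAN interface and `br-lan` as the LAN bridge, and it treats miniupnpd's `MINIUPNPD` chain as the sign that UPnP is active; both rulesets are constructed samples, and the default-password item cannot be read from a ruleset.

```python
import shlex

ADMIN_PORTS = {"22": "ssh", "23": "telnet", "80": "http", "443": "https"}

# Constructed sample rulesets (filter table only); eth0 = WAN, br-lan = LAN.
WEAK = """*filter
:INPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -i br-lan -j ACCEPT
COMMIT"""
HARDENED = """*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br-lan -j ACCEPT
COMMIT"""

def audit_wan(ruleset, wan_if):
    """Findings for WAN-facing INPUT rules in `iptables-save -t filter` output."""
    findings, policy, closed = [], "ACCEPT", False
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == ":INPUT":
            policy = tok[1]
        elif tok[0] == ":MINIUPNPD":
            findings.append("upnp: MINIUPNPD chain present")
        if tok[:2] != ["-A", "INPUT"] or closed:
            continue  # not an INPUT rule, or unreachable after a WAN drop
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opt.get("-i", wan_if) != wan_if:
            continue  # loopback/LAN rule, never matches WAN packets
        target, narrowed = opt.get("-j"), {"-p", "-s", "--ctstate"} & opt.keys()
        if target in ("DROP", "REJECT"):
            closed = not narrowed  # an unconditional drop ends the WAN path
        elif target != "ACCEPT" or "ESTABLISHED" in opt.get("--ctstate", ""):
            continue  # replies to outbound connections are expected
        elif opt.get("-p") == "icmp" and opt.get("--icmp-type") in ("8", "echo-request"):
            findings.append("icmp: echo-request answered on WAN")
        elif opt.get("--dport") in ADMIN_PORTS:
            findings.append(f"admin: {ADMIN_PORTS[opt['--dport']]} reachable from WAN")
        elif not narrowed:
            findings.append("input: rule accepts all WAN traffic")
            closed = True
    if policy == "ACCEPT" and not closed:
        findings.append("input: WAN traffic falls through to policy ACCEPT")
    return findings
```

`audit_wan(WEAK, "eth0")` returns four findings and `audit_wan(HARDENED, "eth0")` returns none. Negated matches (`!`) and jumps into user-defined chains are not followed, so a clean result covers only rules written directly in INPUT.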

------
chatmasta
Direct outbound traffic through a mitmproxy instance you control, and watch
what goes over the wire.

------
honest_joe
How do I know that the compiler that compiled my software was/is secure? Will
I ever find out?

------
db48x
It isn't.

