I imagine by now most households have at least one wireless router. Heck, my mom and dad have one and they are 70-year-olds in rural Wisconsin. While Wi-Fi greatly increases convenience in the modern world, consumers should be aware that setting up a wireless router (and other devices) straight out of the box using factory settings poses security risks.
In February of 2016, ASUS settled charges with the Federal Trade Commission (“FTC”) stemming from “critical security flaws in its routers [which] put the home networks of hundreds of thousands of consumers at risk.” ASUS touted its routers as “including numerous security features that the company claimed could ‘protect computers from any unauthorized access, hacking, and virus attacks’ and ‘protect [the] local network against attacks from hackers.’” Instead of providing the robust security measures advertised by ASUS, the routers allegedly let hackers exploit “pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge” and, more egregiously, the routers were manufactured with the “same default login credentials on every router: username ‘admin’ and password ‘admin’.”
On January 5, 2017, the FTC issued a release announcing it had filed charges against another prevalent wireless router manufacturer, D-Link, based on poor default security measures in its routers and webcams. According to the complaint, the security flaws exposed consumers to the hacking of confidential information and live video feeds. The primary security flaws alleged by the FTC include default “hard-coded” login credentials such as “guest”; public exposure of private key codes; and leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices.
The security flaws alleged against ASUS and D-Link are significant and, frankly, egregious. First, there is no way that, for example, these default login credentials constitute “reasonable” security, let alone “robust” security. Second, there is absolutely no reason that manufacturers cannot ship their products with more secure, randomly generated 12-14 digit login credentials. Why ASUS and D-Link (allegedly) did not defies comprehension.
Now, the common consumer reaction is that security is not all that important because “I won’t be hacked.” The first flaw in that reasoning is that the underlying premise is not true. There is no reason to think that you will not be hacked. As discussed in the FTC’s complaint, hacking a router provides hackers with multiple avenues of unauthorized use. For example, they can: (1) obtain documents and information from the router’s onboard storage; (2) redirect users to fraudulent websites; and (3) attack or compromise devices connected to the Wi-Fi network.
Secondly, hacks don’t always involve stealing passwords and identity theft. As demonstrated in 2016, hackers will infiltrate systems to commandeer connected devices as part of a larger agenda to attack specific targets. The unprecedented distributed denial of service (“DDoS”) attacks against the website of security analyst Brian Krebs and Internet performance management company Dyn in October 2016 were conducted by use of the Mirai botnet. In these attacks, Mirai enslaved hundreds of thousands of connected devices by scanning the Internet for devices with vulnerabilities and then infecting them with malware.
Thirdly, once a hacker gets into the consumer’s home network, they have an open door to come back any time they like. So, even if a hacker does not steal any consumer information the first time, that does not mean they won’t steal information the next time. Most consumers will be completely unaware that their network has been compromised.
Whether to protect their own information and privacy, or whether to avoid being used by a malefactor for other nefarious purposes, consumers must be aware of potential security flaws with their wireless routers, webcams, and other connected devices. At the very least, consumers should change all login credentials for routers and connected devices to secure, randomly generated 12-14 character usernames and passwords.