In the remote and hybrid work age, organisations are grappling with many challenges to secure their digital assets. One common problem that most IT and security teams face is the informational black hole that is the home router.
These devices, often overlooked, are increasingly becoming targets for malicious threat actors. The risks are manifold, ranging from unchanged default admin credentials to the false assumption that routers automatically update themselves to address known security threats.
The Threat Landscape
Here’s the bottom line: routers are much less secure than one might think. Two recent real-world examples: Trellix discovered a Remote Code Execution (RCE) vulnerability in DrayTek routers, which could allow attackers to execute arbitrary code on the device[^1^]. Similarly, hackers have been found to infect TP-Link router firmware to attack EU entities[^2^].
These are not isolated incidents; they are part of a growing trend targeting routers, and, most importantly, they (and many others) are in the public domain for anyone to take advantage of.
Why Routers?
The broad answer is, “Why not?” With ever-increasing numbers of threat actors (‘hackers’), everything becomes fair game for someone.
Routers are the gateway to your digital world. They connect your local network to the internet, making them a prime target for attackers. Gaining control of a router can give an attacker access to all the devices on a network, making it a lucrative target or just something to brag about, neither outcome being good!
The Informational Black Hole
The challenge for IT and security teams is that home routers are personal property, making them difficult to audit, assess, and keep records of. This is further exacerbated when employees work from public locations, where the routers are entirely out of the organisation’s control.
The Scale of the Problem
Imagine an organisation with hundreds or thousands of employees working remotely or in a hybrid environment. The sheer number of routers that IT and security teams need to keep track of is staggering. It’s a logistical nightmare that most organisations are ill-equipped to handle, even if they only have tens of people working remotely.
The Assumptions We Make
Many assume that their Internet Service Providers (ISPs) supply routers that are secure and automatically update themselves. This is often not the case. A 2019 Wired UK article highlighted that many routers have outdated firmware and security settings that make them vulnerable to attacks[^3^], and little has materially changed since then.
The False Sense of Security
The assumption that “it won’t happen to me” is dangerous. While routers supplied by ISPs may have some level of security, more is needed to protect against attacks, both sophisticated ones and publicly known exploits that succeed simply because the device has never been updated.
Playing Russian Roulette with Security
It’s a numbers game; the more devices that touch your network, the higher the risk. Each router is a potential entry point for an attacker, and the more you have, the more chances an attacker has to get lucky.
While it’s true that in the vast majority of cases, routers probably won’t get attacked, this is not a sound security strategy.
The adage “attackers only have to get lucky once; IT and security teams need to be lucky all the time” is particularly relevant here. With hundreds, if not thousands, of devices connecting to corporate systems daily, the odds are not in favour of the defenders.
The Real-World Impact
Proof-of-concept exploits have been released for vulnerabilities in Netgear Orbi routers[^4^], and TP-Link Archer WiFi routers have been exploited by Mirai malware[^5^]. These are not theoretical risks; they have real-world implications. The NCSC UK, NSA, and partners have even issued advisories about APT28 exploitation of Cisco routers[^6^]. A recent UK NCSC report highlighted the dangers of people connecting to company systems and data from their home routers[^7^] and the need to address these.
What Can Be Done?
- Education: The first line of defence is always the user. Educate your staff about the risks and how to mitigate them.
- Regular Audits: While it may be challenging, try to conduct regular audits of the devices that connect to your network, even if they are personal property.
- VPN: Ensure the use of VPNs when connecting to the corporate network. This adds an extra layer of security that can mitigate some of the risks.
- Multi-Factor Authentication (MFA): Implement MFA wherever possible to add an additional layer of security.
- Collaborate: Work with your staff to get them to use ISPs that provide secure and up-to-date routers as part of their service.
- Firmware Updates: Work with your staff to ensure their home routers run the latest firmware. This is the best way to fix known vulnerabilities.
- Network Separation: Create separate networks for work and personal devices so that if another device on a home or remote network is compromised, it doesn’t mean that work data is at risk.
The risks are real, and they are growing. It’s time for organisations to take the security of their remote employees’ home routers seriously, lest they become the weakest link in their cybersecurity chain.
Sources
[^1^]: Trellix – RCE in DrayTek Routers
[^2^]: Bleeping Computer – Hackers Infect TP-Link Router Firmware
[^3^]: Wired UK – Router WiFi Security Settings
[^4^]: Bleeping Computer – PoC Exploits for Netgear Orbi Router
[^5^]: Bleeping Computer – TP-Link Archer WiFi Router Flaw
[^6^]: NCSC UK, NSA – APT28 Exploitation of Cisco Routers
[^7^]: NCSC – Cyber Threat Report: UK Legal Sector