The abrupt transition to near-universal work from home that was brought on by the COVID-19 pandemic has vastly changed the security threat landscape. One of the greatest threats to the security of our networks is something that was barely even a consideration just a year ago: home Wi-Fi routers. And, while there is hope that things will get better with the rollout of COVID-19 vaccines, it will take time before we reach a semblance of life as we knew it. And, even then, many workers will likely continue to work remotely even in a post-pandemic world.
IT organizations, therefore, must be thinking not only about Wi-Fi router security vulnerabilities and what can be done to mitigate them, but also about what all of that looks like as we move through the year ahead.
There are any number of reasons why home Wi-Fi router security is an issue. For starters, the average person probably gives very little thought to the security of his or her home router. This is evidenced by the fact that many home Wi-Fi routers are accessed via the factory default administrative password. Likewise, most home users probably don’t even know that manufacturers periodically release firmware updates, or understand how and why those firmware updates should be applied.
Of course, the people looking to breach Wi-Fi router security know all of this only too well. As such, large-scale attacks against consumer-grade Wi-Fi routers have become quite common.
This poses a really interesting problem with regard to the security of the corporate network. Security-conscious organizations go to great lengths to detect attacks that occur within their own network. However, the mechanisms that are used internally are generally unable to detect a compromised router in someone’s home. After all, that router isn’t a part of the network. In fact, the router might not even have been tampered with. The compromise could be something as simple as an attacker using a default administrative password to gain access to the router for the purpose of traffic sniffing.
Regardless, if users connect to the corporate network through compromised routers, they are putting the business’s security at risk. And, as remote work goes from pandemic-induced contingency plan to the norm for many employees, organizations need to put more concrete plans in place for hardening home Wi-Fi router security to the best of their abilities.
Because so much of this is out of the IT organization’s hands, one of the most important priorities should be end-user education, covering both the dangers of having an insecure Wi-Fi router and the steps that should be taken to tighten Wi-Fi router security.
You might, for instance, publish a memo advising users to change their router passwords from the default and to install the latest firmware updates. I have even heard of some organizations going so far as to provide users with detailed instructions for hardening some of the more popular types of home routers.
Of course, this type of end-user education also has its disadvantages. Some users will inevitably require help, so you run the risk of overwhelming your helpdesk. Conversely, there will probably be some users who don’t want to be bothered with something that they see as being the IT department’s responsibility. You have to assume, therefore, that some of the Wi-Fi routers in users’ homes will always be insecure.
Because you have to assume some level of insecurity, it’s important to consider the level of access to your network that home users actually require. When the pandemic first set in, many organizations quite naturally gravitated toward providing network access to home users by way of a VPN. Even so, it’s entirely possible that not every user truly needs VPN access.
Suppose that a particular user needs access to his or her mailbox, videoconferencing and a couple of line-of-business applications. Rather than giving that user VPN access to your network, it may be better from a security standpoint to allow the user to directly connect to SaaS applications such as Zoom, Office 365 or Salesforce. This would allow the user to gain access just to the resources that he or she needs, but without gaining direct access to your network through an insecure Wi-Fi router.
Keep in mind that this approach does not completely mitigate all of the risks. If a user’s home Wi-Fi router is compromised, then the data that the user accesses may be at risk, regardless of how the user actually gets to that data. Even so, this approach helps to minimize the blast radius. If a user only has access to Office 365 data, for instance, then an attacker has no way of compromising other resources on your network because the user is not actually connecting to your network.
Wi-Fi router security has been a critical concern since the start of the pandemic and the resulting rise in remote work. With many organizations seemingly poised to continue to support the remote work model, it will be important for IT to extend and evolve the precautions they put in place and the education they provide to end users to help ensure that home Wi-Fi routers do not represent an easy entry point into the corporate network.