5

A strong password is always better than a weak password, but even after reading this answer I am confused why a device password is needed in addition to the Wifi network's security key.

Assuming that no remote access features are enabled, I believe an attacker would need to be joined to the network locally in order to access the router. An obscure SSID and strong security key should prevent that.

Am I thinking about this incorrectly?

Chris Ullyott
  • 53
  • 3

1 Answers1

2

I assume you're talking about a couple bsumer level router (router+switch) with a web GUI for configuring it.

All the traffic on your network passes through your router. This includes DNS queries

Eg. What is the IP for google.com

Is anyone on your network has malware on their device, that could connect to the router, and use a default password (or guess easy ones) to change your DNS setrings, port forwarding settings, etc.

This means they could set a malicious DNS server, which would respond to your query with a malicious IP, effectively rerouting your traffic through the attacker.

They can also modify your port forwarding settings to allow future intrusion, or to use your system as a command and conquer teol for a larger attack.

Default passwords on routers allow malware and attacks to spread through the rest of the network.

An even more advanced attack would be to modify your routers firmware by uploading a hacked copy that speed out spam, attacks other people, or just siphonss your data.

Daisetsu
  • 5,110
  • 1
  • 14
  • 24
  • 1
    I understand the dangers of an unsecured router, but my question is about why this matters if an attacker is not actually on the network in the first place. Even with remote access features turned off and a strong Wifi key, is it still feasible for an attacker (or war-driver) to get connected? – Chris Ullyott Oct 10 '18 at 20:20
  • 2
    If the attacker isn't on the network, and you have WPA2 with a strong password then I don't see any risk. With that said, I would remind you that security is about defense in layers. It's not a good idea to rely on just perimeter defense, because if an attacker gets inside they could do real damage. Do you trust every guest, every phone, etc. To never be compromised? Having a secure router helps limit the damage to other devices. – Daisetsu Oct 10 '18 at 20:24
  • 1
    Agreed. I'm thinking about it like this now—on a network, there are devices. The services run by those devices have (or should have) their own security protocols. For that reason, it does not make sense to leave the configuration settings for the router unprotected even if it's unlikely anyone will access them from the outside. It would be like using my laptop on a network but making my entire hard drive public for no real benefit. – Chris Ullyott Oct 11 '18 at 21:25