Week 5: Secure your home network from unauthorised access

06.02.2024 - The NCSC was recently notified of a case where hackers managed to break into a person's home network. After encrypting family photos and other personal data, they issued a ransom note demanding a substantial sum of money.

Modus operandi with a home router

Most people accessing the internet at home do so via a router, the box connecting their home network to the internet. This is typically supplied by the internet provider. Routers manage the internet traffic and data between devices in different networks and make it possible for several devices on the home network to use the same internet connection. This allows different household members to use the same internet connection for their own devices. If the router is in 'router mode', the network it creates is private, and any devices connected to it – PCs, tablets, mobile phones, etc. – cannot be directly accessed or even seen from the internet. The same goes for any connected NAS (Network Attached Storage) devices.

Unfortunately, some providers still supply routers in 'bridge mode'. This means there is no actual router functionality, so all devices running on the home network are directly connected to the internet and exposed to all kinds of cyberattacks. This is a situation you should avoid at all costs, so make sure your provider configures your router in router mode. The only exception is if you are using a second router between your main router and online devices, but this is really only recommended for experienced users.

Hacked NAS device

In this particular case, the victim's router was actually in the recommended router mode. So how and why was it still hacked? The answer lies in 'port forwarding', also known as Network Address Translation (NAT), depending on the device. With port forwarding, a device on the home network makes a particular service available outside the network. This is useful if, for example, you need to access a file server, surveillance camera or heating control system from outside your home network. Opening individual ports does not directly expose the entire network – only this specific service. However, if this service is not adequately secured (e.g. weak password) or is otherwise technically vulnerable, it may be accessed by unauthorised parties – with potentially disastrous consequences. This is what happened in this case. A vulnerability in the NAS device meant that hackers could take it over, access the home network and encrypt personal data, including family photos. As recommended by the NCSC, the victim refused to pay the ransom and filed a complaint with the cantonal police. Unfortunately, the photos remain encrypted.

When the router protects – and when it doesn't

A router in router mode can only protect its home network if it is updated with the latest security patches and no port forwarding is configured, i.e. no services can be accessed from outside.

In particular, the router admin panel must not be visible from the outside. Most standard devices nowadays support deactivation or are already deactivated by default.

However, it is important to note that a router does not protect against phishing or malware. In general, all connections to the outside (i.e. the internet) are permitted, and this is a feature abused in phishing and malware campaigns. So additional security measures must always be taken (e.g. anti-virus software).

Ways to secure your home network

Despite the warnings and the danger this entails, if you need to make an internal service visible from the internet, there are ways to minimise the risk.

Updates and strong passwords
First, make sure that all devices using your home network have the latest updates. Also, avoid passwords that are too short or easy to guess. The NCSC recommends that passwords for exposed services should be at least 12 digits long

Protect your accounts

Not everything on the same network
Ideally, services visible to the outside world should not be on the same part of the network (or network segment) as other home devices. Some home routers have this feature, known as a DMZ, which stands for 'demilitarised zone'. The idea is that even if the exposed device is compromised, the rest of the internal network will remain protected.

Restrict network access
Think carefully about whether you really need access to be possible from anywhere in the world. 'Geofencing' is a way of restricting access from certain countries only. Some router manufacturers include this option in their devices. Also, to prevent password lists from being tried out, some routers let you specify a maximum number of failed attempts before access is blocked.

Use a VPN
The NCSC recommends the use of a VPN (virtual private network). This gives you authenticated, encrypted access to your home network without having to expose any services directly. Most routers support at least one of the commonly used VPN protocols, such as IPSec, OpenVPN or WireGuard.

If possible, exposed services and VPN access should be secured with two-factor authentication (2FA).

If you are unsure about the security of your home network, we recommend you seek advice, for example from a specialist company or an experienced friend.

Last modification 06.02.2024

Top of page