Many Wireless Routers Lack Basic Security Protections, Consumer Reports' Testing Finds

Our router testing program looks at several factors, including security, privacy, and performance.

We evaluate routers in the lab on a long list of characteristics. For instance, we check whether a router protects against known security vulnerabilities and whether certain questionable networking protocols are turned off by default. We examine the routers’ privacy policies to see whether manufacturers explain how they handle consumer data.

Of course, we also measure how quickly routers transmit data over a variety of distances. After all, a safe and secure router won’t do you much good if it’s too slow to reliably stream Netflix. We also evaluate ease of setup and other characteristics.

Modern routers for the home come in two basic types, and we evaluate both.

For our current ratings, we tested 20 traditional routers, which create a WiFi network using a single device, and also evaluated nine mesh routers, which use multiple units to cover larger homes. Mesh routers tend to be more expensive because you typically buy multiple pieces of equipment in the same package.

Consumer Reports is now recommending nine routers: six traditional units and three mesh models.

Consumer Reports uses some sophisticated security tests to evaluate routers. But we also check for basic security practices, and our recent tests uncovered several shortcomings.

“Many of the problems we found were simple but meaningful—and they should be easy for manufacturers to fix,” Richter says.

For example, 20 routers let you change only the password, but not the username, of their web apps. The web apps are used for changing all kinds of settings on your router, including your WiFi password (which is separate from the router’s own password).

Twenty routers don’t protect against multiple failed login attempts, unlike your phone or email account. That means a determined hacker could use software that rapidly cycles through passwords over and over again until it breaks in.

We also found problems with the passwords themselves.

Eleven routers let you set very weak passwords. These may have fewer than eight characters or just lack any complexity (think “aaaaaaaa”). Further, a number of models don’t even let you create great passwords—you can't use long strings of characters, and special characters aren't always supported. And one router doesn’t require you to change the default login credentials of "admin" and "password."

Consumers can and should create unique, strong passwords if the router permits it. However, many people fail to do so. In a nationally representative survey of 1,006 American adults we conducted in May 2019, only 38 percent say they or someone in their household had changed their current router's default password.

Many routers, roughly two-thirds of them, had a networking protocol called Universal Plug and Play, or UPnP, turned on by default. Unless you have a device or some software that specifically asks for it, it’s smart to turn this off, because UPnP has a history of serious security vulnerabilities. But our recent survey found that most people who buy a router don’t adjust the settings, and even fewer may think to turn off UPnP.

Our ratings reward routers that arrive in people’s homes with the safest default settings turned on.

We also found important differences in how routers handled firmware updates, which are vital for your home network’s security: New malware and hacking techniques are always coming on the scene, and hardware makers need to put out firmware updates to fight them. Consumer Reports recommends that people protect themselves by turning on automatic updates for as many devices as they can, from phones to laptops to routers. But 11 routers don’t support automatic software updates.

In the May survey, two-fifths of Americans who own their own router said they're unsure when it was last updated. And 11 percent said their router has never had a firmware update. (See router security tips below.)

Similarly, just a few router companies explicitly state how long they will provide firmware updates, leaving consumers in the dark about how long the device will be safe to use.

CR's router testing includes the companies' privacy policies, because so much sensitive data flows through the devices.

Our privacy experts analyzed every router manufacturer’s documentation. We gave better scores to routers—including some models from Eero, Google, and Netgear—that spell out what information their manufacturers might collect from users, such as network speeds, the name of the internet service provider, and how much data you're transmitting to the web.

“As part of the Digital Lab, we’re scrutinizing as many products as we can with respect to their privacy practices,” Richter says. “We are finding similar results across product categories and, in fact, the entire tech industry.”

Today’s wireless routers vary a lot in how well they follow good security practices, but they are generally more consistent when it comes to pure performance.

Many of today’s traditional, one-unit routers do a good job of blanketing even big homes with fast internet access. Of the 20 traditional wireless routers in our ratings, 18 earned a score of Good or better for throughput over distances of around 28 feet, which we consider typical for many homes. (We also measure throughput at shorter and longer ranges.)

However, if you regularly deal with dead spots in your home, it may be worth paying more for a mesh router system, which comes with multiple units—you place them around your home, and they all talk to each other to distribute coverage.

All nine mesh routers we tested earned a Good score or higher for midrange throughput. Mesh routers also performed uniformly well for far-range throughput, at a distance of between 44 and 100 feet.

Only a few routers we tested did well across the board, on security, privacy, and performance.

Among traditional wireless routers, standouts include the Synology RT2600ac and Netgear Nighthawk X10 AD7200. For people who need a mesh router, both the Netgear Orbi and Eero were solid performers.

By contrast, a number of routers that did very well on performance suffered in our ratings because of lackluster scores on other measures. For instance, the TP-Link Archer C1900 and Archer C7 AC1750 were penalized for factors such as letting people set poor passwords.

In response to those findings, a TP-Link spokesperson said by email that the company “prefers to give its customers full control and freedom when it comes to their security settings. When you create a password for your router, it does indicate how secure it is—low, middle, high—in order to encourage customers to use stronger, more secure passwords.”

Other router manufacturers earned better security scores for some models than for others.

For instance, though the Netgear Nighthawk mentioned above got high scores across our of all tests, the Netgear Nighthawk AX8 RAX80 did well in terms of performance but lagged behind for security and privacy. And the Netgear AC1000 R6080, scored poorly on measures of both performance and security.

“We at Netgear are regularly updating our security features and requirements to improve the security of our products, [and] at any point of time you will find differences in product features depending on when the product was released and the last firmware update done,” Sandeep Harpalani, Netgear vice president of product management for connected home products, told us by email. “We roll out these new security features as part of firmware rollouts, but [the] exact time of rollout might vary by product.”

If you’re using an older router, you can take several steps to improve both performance and security, says Richard Fisco, who oversees electronics testing at Consumer Reports.

First, to boost coverage, try to place your router as close to the center of your home as possible. Then go into your router settings, using the router’s mobile app or web interface, and check the settings to protect your security.

Start by setting a strong password. Then take these steps:

Disable features you don’t use. These include Universal Plug and Play (UPnP), mentioned above. You should also turn off Remote Administration (also known as Remote Management or web access from WAN).

Turn on automatic updates. If that’s not an option, periodically check for new software yourself. (Older routers don't make that easy.) “If you find your router is no longer getting updates,” Fisco says, “it's too risky to keep using it.”

Security protocols for routers improve over time, which means the old ones get outdated. The newest protocol is called WPA3, but not many devices support it yet (though the Synology RT2600ac does). Its predecessor, WPA2, provides the best network security that’s widely available.

Make sure in your router settings that you have WPA2 turned on and an older protocol called WEP turned off. (Ten routers we tested still support WEP encryption as an option.) If you have a really old device, it may not support WPA2, but only WEP or WPA.

“In that case,” Richter says, “it’s time for a new router.”

Online privacy and security are huge issues facing a lot of people today. On the "Consumer 101" TV show, Consumer Reports expert Maria Rerecich explains why it's not just phones and computers that people should be concerned about.