Home Network Security Audit

ContextNavigate to router admin > Advanced > Firmware Update (exact path varies by brand and model). Note the version currently installed. Visit the manufacturer's support page and search your exact model for the current stable release. Firmware updates are the primary mechanism manufacturers use to patch security vulnerabilities — an unpatched router may have known, publicly disclosed vulnerabilities that automated scanners search for across the entire internet. Also check your manufacturer's security advisory page (search '[brand] security advisories') for any listed CVEs affecting your model specifically.

ContextMost routers allow you to update directly from the admin panel — click 'Check for Updates' or 'Update Firmware'. Alternatively, download the firmware file from the manufacturer's website and upload it manually. Do not interrupt power during the update; a failed flash can brick the router. The router will restart automatically after a successful update, taking 2–5 minutes. After reconnecting, navigate back to the firmware page and verify the new version number matches what you intended to install.

ContextAsus, Netgear Orbi, Eero, and Google Nest routers all offer automatic firmware updates in their settings. If yours does, enable it — auto-updates ensure critical security patches are applied promptly without requiring you to manually check. If your router does not support auto-updates, add a calendar reminder to check manually every 3 months, since manufacturers release security patches on unpredictable schedules.

ContextSearch '[your router model] end of support' on the manufacturer's website or look for a product lifecycle page. Router manufacturers typically support models for 3–5 years after release. Once a model reaches end-of-life, it stops receiving security patches — any vulnerability discovered afterward will never be fixed regardless of how thoroughly you complete this audit. If your router is end-of-life, plan replacement as a priority action, not an optional future step.

ContextIf you use a mesh Wi-Fi system (Eero, Netgear Orbi, TP-Link Deco, Google Nest), each node may need to be updated independently. Check the companion app or admin panel for all nodes — a single outdated satellite node creates a vulnerability that bypasses the security of an updated primary router. Most mesh systems update all nodes simultaneously through the companion app, but verify the version number on each node individually to confirm.

ContextGo to Wireless > Security settings. WPA3 is the current gold standard and prevents offline dictionary attacks against your Wi-Fi password — a class of attack that WPA2 is vulnerable to even with a strong passphrase. If all your devices were purchased in the last 4–5 years, WPA3-only is appropriate. For older devices that do not support WPA3, use WPA2/WPA3 mixed mode, which offers WPA3 to capable devices while maintaining compatibility. WPA2-AES is the acceptable minimum. WPA (TKIP) and WEP are cryptographically broken — if either is present, disable it immediately and do not use it as a fallback mode.

ContextUse a passphrase of 20 or more characters — a string of 4–5 unrelated words with separators is both strong and memorable (e.g., 'tangerine-orbit-shelf-morning'). Avoid passwords containing your street address, surname, router brand, or ISP name — these are among the first guesses in targeted local attacks. Store the new passphrase in your password manager before saving it to the router. You will need to reconnect every device in your home after this change, which takes 20–30 minutes in households with many devices — plan accordingly.

ContextDefault SSIDs like 'NETGEAR_5G_2847' or 'ASUS_RT-AX88U' immediately reveal your router's model number to anyone scanning nearby networks. With that information, an attacker can look up known vulnerabilities for your exact model in seconds. Change the SSID to a neutral name that does not identify your address, household name, or router brand. Avoid names that imply high-value contents ('HomeOffice', 'SecurityCameras') or include any address detail.

ContextWPS was designed to simplify device connections via an 8-digit PIN or physical button press. Its PIN implementation has a fundamental cryptographic flaw: the PIN is verified in two 4-digit halves, reducing possible combinations from 100 million to roughly 11,000. Tools like Reaver and Bully exploit this to determine the correct PIN via brute force in 4–10 hours, then derive your full Wi-Fi password — regardless of how strong it is. Disabling WPS in your wireless settings eliminates this attack vector entirely. You lose only the convenience of button-press pairing, which no device actually requires for normal operation.

ContextEach frequency band is a technically separate network with its own security settings — both (or all three, for Wi-Fi 6E routers) must use the same strong encryption mode and passphrase. Some routers silently default to weaker encryption on the 2.4 GHz band for backward compatibility. If your bands have different SSIDs, ensure each is inventoried in this audit. Verify that the password and security mode are consistent across every active band — a secured 5 GHz network does not protect you if the 2.4 GHz band runs WPA with a weak password.

ContextPMF protects Wi-Fi management frames — the low-level signals used to connect, disconnect, and authenticate devices — from being forged by an attacker. Without PMF, an attacker within radio range can send crafted deauthentication frames to forcibly disconnect your devices. PMF is required for WPA3 and optional for WPA2. Enable it if all your devices support it (most devices from 2015 onward do). If enabling PMF on 'Required' mode causes older devices to fail to reconnect, switch to 'Optional' mode, which still protects capable devices while allowing older ones to connect.

ContextTransmit power controls how far your Wi-Fi signal extends beyond your home. An unnecessarily high setting broadcasts your network into neighboring properties and public spaces, expanding the pool of people within range who can attempt connections or passively monitor traffic patterns. Find the setting under Wireless > Advanced (may be expressed as a percentage or dBm value). For most single-family homes, medium or 75% power is sufficient. In apartment buildings especially, this setting meaningfully reduces your network's exposure to adjacent units.

ContextA guest network connects visitor devices to the internet without giving them access to your main network, shared drives, NAS devices, printers, or other connected hardware. Enable it under Wireless > Guest Network and assign a distinct password separate from your main Wi-Fi. Set the guest network to 'Internet access only' and disable any option that allows guest devices to communicate with the main LAN. The practical benefit: a visitor's malware-infected laptop cannot reach your home server, shared storage, or other computers — it can only reach the internet.

ContextAP Isolation (also called Client Isolation or Device Isolation) prevents devices on the guest network from communicating directly with each other or reaching the main network. Without this, two devices on the guest network can communicate freely — and a compromised IoT device could use another guest network device as a stepping stone. This setting is typically under Wireless > Guest Network > Advanced. Verify it is explicitly enabled, not merely implied by the guest network being active — the two settings are independent.

ContextSmart TVs, video doorbells, security cameras, smart speakers, thermostats, smart bulbs, robot vacuums, gaming consoles, and connected appliances should all live on the guest or IoT network — never on the same segment as computers and phones holding sensitive data. IoT devices frequently have weak security architectures, infrequent firmware update cycles, and sometimes hard-coded credentials embedded in firmware. A compromised smart TV on an isolated network cannot communicate with your laptop or NAS; on a flat network, it can probe every other connected device freely. This single change has the highest security-to-effort ratio in this entire checklist.

ContextSome router firmware incorrectly allows guest network clients to access the admin panel. Test this explicitly: connect a device to your guest network and attempt to navigate to your router's admin URL (192.168.1.1 or similar). The admin panel should be completely inaccessible. If you can reach it from the guest network, your router has a firmware misconfiguration — search for an update that addresses this, or use a properly isolated VLAN for IoT devices instead of relying on the guest network feature.

ContextNavigate to router admin > Connected Devices, Device List, or DHCP Client List (label varies by brand). This shows every device with an active connection. Take a screenshot before making any changes — this is your audit baseline. Households with many smart home devices routinely see 30+ entries. Each entry shows at minimum a MAC address (a hardware identifier unique to each network interface) and usually a device name or hostname. If your router shows only MAC addresses with no names, you will need to cross-reference with each physical device's settings.

ContextMatch each listed device to a physical device you own. On Android, find your MAC address under Settings > About Phone > Status > Wi-Fi MAC Address. On iPhone, go to Settings > General > About > Wi-Fi Address. On Windows, run 'ipconfig /all' in Command Prompt and look for 'Physical Address'. On macOS, go to System Settings > Network > Wi-Fi > Details. Devices with generic hostnames like 'android-4f7a2c' or 'ESP_2A8F' are normal but require extra investigation — the 'ESP' prefix typically indicates a cheap smart home device using an Espressif microcontroller chip. Flag any device you cannot positively identify within 5 minutes.

ContextAn unrecognized device could be a neighbor connecting to your network (particularly if WPS was previously enabled), a device you forgot about, or an unauthorized user. The most reliable resolution: change your Wi-Fi password, which disconnects every device simultaneously, then reconnect only your known devices one by one — time-consuming but definitive. For a less disruptive approach, use MAC address filtering to block a specific device, though be aware that MAC addresses can be spoofed, making this a softer barrier than a password change.

ContextSome routers maintain a DHCP lease table showing devices that connected recently but are not currently active. Review this list for unfamiliar entries. A neighbor's device that connected once when WPS was enabled may appear here even if it is not currently online. This historical list gives a more complete picture than the active-only devices view and can surface devices that connect intermittently rather than continuously.

ContextMost modern routers display device hostnames alongside MAC addresses. If yours shows only MAC addresses, check router settings for options to enable mDNS or hostname resolution. Alternatively, a network scanning app (Fing for iOS/Android) can identify devices by manufacturer using MAC address prefix lookups — each manufacturer is assigned a unique OUI prefix, making it possible to determine that an unknown device is made by Belkin, Amazon, or Samsung without a readable hostname. Proper device naming makes every future audit significantly faster.

ContextFor computers, NAS drives, and printers, use DHCP reservation to assign a fixed local IP address — done in router admin > DHCP Settings > DHCP Reservation using each device's MAC address. Fixed IPs make firewall rules, port forwarding, and device monitoring far more reliable. A device that receives a different IP after a restart can silently break a firewall rule you created for it, leaving a security gap that looks correct on paper but has no effect in practice.

ContextGo to Security or Firewall in router admin. The Stateful Packet Inspection (SPI) firewall analyzes incoming traffic and blocks packets that are not part of an established, legitimate connection originating from inside your network. It should be enabled by default but verify explicitly — some configurations disable it for gaming performance, and firmware updates occasionally reset this setting. This is your primary barrier against unsolicited inbound connections from the internet, separate from software firewalls on individual devices.

ContextUPnP allows devices on your network to automatically open ports in your router's firewall without your knowledge or approval. It was designed for convenience with gaming consoles and media servers but is routinely abused by malware to create persistent backdoors that survive even after the infected device is cleaned — because the port forwarding rule remains in the router. Disable UPnP in Security or Advanced settings. If a gaming console or Plex server stops working, manually configure only the specific port forwarding rules that application needs rather than re-enabling UPnP globally.

ContextNavigate to router admin > NAT > Port Forwarding (or similar). List every active rule: the external port, protocol (TCP/UDP), and the internal device IP it points to. For each rule, confirm you understand why it exists and that the destination device still occupies that IP. Port forwarding rules create direct pathways from the public internet to specific devices inside your home network. An outdated rule pointing to a device that was replaced or assigned a new IP is an open door leading somewhere unpredictable.

ContextMost routers maintain a system log accessible under Administration > Log or System > Log. Look for patterns rather than individual entries: repeated failed login attempts to the admin panel, sustained connection attempts on closed ports from the same source IP, or unexpected outbound connections to unfamiliar external addresses at regular intervals. Blocked admin login attempts using default usernames are common background noise; dozens of attempts per hour from a single IP indicate active credential stuffing. Export the log and save it alongside your audit documentation.

ContextSome routers allow command-line administration via Telnet (completely unencrypted — credentials are visible in plaintext to any packet sniffer on your network) or SSH (encrypted). Unless you are actively using these for advanced administration, disable both in Advanced or Administration settings. An open Telnet port is a significant exposure: any device on your network can intercept Telnet session credentials without special privileges or tools.

ContextMany modern routers support running a VPN server (OpenVPN, WireGuard, PPTP). PPTP is cryptographically broken and should be disabled regardless of use. If you configured an OpenVPN or WireGuard server but no longer use it actively, disable it — an unused, potentially misconfigured VPN service is an attack surface that gains you nothing. If you actively use a home VPN server, verify it uses current certificates, strong pre-shared keys, and was not left on default configuration after initial setup.

ContextIf your ISP provides IPv6 connectivity, verify that your router's firewall applies equivalent rules to IPv6 traffic. Many home router firewall configurations were designed primarily for IPv4, and IPv6 traffic can sometimes bypass rules set up with only IPv4 in mind — giving IPv6-addressed devices unexpected direct internet exposure. Check your firewall settings explicitly for IPv6 coverage. If you do not use IPv6 and your ISP does not require it, disabling it in WAN settings simplifies your firewall configuration.

ContextYour ISP's default DNS servers log every domain lookup from your household — every website, app, and connected service any device contacts. This data is collected, retained, and in many jurisdictions shared with or sold to data brokers. Set DNS in router admin > WAN Settings > DNS to: Cloudflare (1.1.1.1 / 1.0.0.1) for speed and privacy; Quad9 (9.9.9.9 / 149.112.112.112) for privacy plus automatic blocking of known malicious and phishing domains; or Google (8.8.8.8 / 8.8.4.4) for maximum reliability. Quad9 is the best default for households with children — it silently blocks malware distribution and phishing domains before any device on your network can reach them.

ContextStandard DNS queries — even to privacy-respecting servers — travel unencrypted between your router and the resolver, meaning your ISP and any network eavesdropper can see every domain lookup in transit. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt these queries end-to-end so only the DNS resolver you chose can see the content. Check your router's WAN or DNS settings for DoH or DoT options — Asus routers support this natively, as do Eero and some TP-Link models. Both Cloudflare (1.1.1.1) and NextDNS support encrypted DNS resolution.

ContextNextDNS and Pi-hole block known malicious domains, phishing sites, ad networks, and trackers at the DNS level for every device on your network — before any connection is made. This protects devices that cannot run browser extensions: smart TVs, gaming consoles, IoT devices, and phones. NextDNS offers a free tier (300,000 queries per month, sufficient for most households) configured via a single URL pasted into your router's DNS settings. Pi-hole requires a dedicated device (Raspberry Pi or similar) but offers granular control over blocklists and per-device query logging.

ContextA factory reset — performed by holding the reset button for 10–30 seconds — erases all your configuration changes and restores default credentials in under a minute. This takes less time to perform than reading this sentence aloud. A router accessible to visitors, service workers, or children during gatherings is a router that can be reset and reconfigured by anyone with brief physical access. Place it in a utility room, home office, or enclosed cabinet.

ContextThe sticker on your router contains the model number, MAC address, serial number, and factory default credentials — everything required for a factory reset and fresh reconfiguration. Take a clear photograph and store it in your password manager as an attachment or in an encrypted notes app. Do not store this in an unsecured photo album or a cloud gallery that syncs automatically without encryption. This photograph becomes essential if you ever need to recover from a reset during a stressful outage.

ContextEven after disabling WPS in the software settings, many routers can have it temporarily re-enabled by pressing the physical button on the device. Check your firmware settings for an option specifically to disable the physical button's WPS function — this is a separate control from the software WPS toggle. Particularly relevant if your router is in a shared or accessible area where someone might press it without understanding what it does.

ContextWindows Defender Firewall and macOS Application Firewall (System Settings > Network > Firewall) should both be enabled. The router firewall protects against external inbound threats from the internet. Device-level firewalls protect against lateral attacks originating inside your own network — for example, a compromised smart home device probing your laptop's file sharing or RDP ports. Both layers serve distinct purposes and neither substitutes for the other.

ContextA fully secured router is undermined the moment a device with unpatched vulnerabilities connects to it. Enable automatic updates on Windows (Settings > Update & Security > Advanced Options), macOS (System Settings > General > Software Update > Automatic Updates), iOS (Settings > General > Software Update > Automatic Updates), and Android (Settings > Software Update). Security patches for critical vulnerabilities are often released within days of public disclosure — manual update cycles leave a window of exposure that automated attackers are calibrated to exploit.

ContextOpen the companion apps for Ring, Nest, Arlo, Philips Hue, SmartThings, Amazon Alexa, and any other smart home platform. Check device settings for firmware updates — these are separate from app updates and are rarely surfaced prominently. Smart home manufacturers do release security patches, but unlike smartphones, they do not notify users in an obvious way. Check each app manually at least twice per year. A compromised camera on your IoT network is still a camera inside your home with audio and video capture.

ContextEvery smart home hub, NAS drive, IP camera, network printer, and smart home controller has its own web admin interface — typically accessible via the device's local IP address found in your router's device list. Default credentials ('admin/admin', 'admin/1234', or printed on a sticker) are published in product manuals and searchable online in seconds. Access each device's admin panel and change the password to a unique credential stored in your password manager. A NAS drive with default credentials and file sharing enabled is functionally a public server accessible to every device on your network.

ContextCreate a dedicated entry in your password manager or an encrypted notes app — not a plain text file or sticky note. Record: firmware version number after the update, references to where each new credential is stored (not the credentials themselves in plain text), which devices were moved to the IoT or guest network, and any items flagged as 'Needs Attention' with planned resolution dates. This documentation is essential for the next audit and for any emergency where someone else needs to manage the router.

ContextCreate a single organized entry containing: router admin URL, admin username and password, main Wi-Fi SSID and passphrase, IoT or guest network SSID and passphrase, factory reset procedure for your specific router model, and the location of the router sticker photograph. At least one other trusted adult in your household should know this entry exists and how to access it. An internet outage that requires a factory reset should not escalate into a crisis because the credentials are inaccessible.

ContextSet a recurring calendar reminder for 12 months from today for a routine re-audit. Additionally, create separate reminders to run an immediate review if any of the following occur: acquiring a new router or mesh system, changing ISP or moving to a new home, adding a significant number of new smart home devices, a household member's device being infected with malware, your ISP reporting unusual outbound traffic from your IP address, or your router model appearing in a security advisory or news story about a vulnerability.