0

Are there any security benefits of shutting down a modem router when it is not in use?

It is now widely known that devices such as D-Link have been insecure. Assuming that this remained undisclosed, are there any added advantages of shutting down an insecure device when it is not in use?

If a device is known to be secure, e.g. configuration, firmware and the like, are there any benefits of shutting it down from a security perspective?

Motivated
  • 3
    Yes, of course. Attacking a modem that is switched off is very hard (requires physical access). Please elaborate why there would be any doubt about this. – Ljm Dullaart Oct 27 '19 at 21:42
  • @LjmDullaart - I am keen to understand the benefits of shutting down a modem versus the modem being switched on. For example, if the modem is already vulnerable, does shutting it down offer any additional advantage? Second, if the modem is being switched off at particular times, I would imagine that the timing at which the devices are switched off would shift the time at which attacks are carried out. – Motivated Oct 27 '19 at 21:50
  • @Motivated If you already understand the answer, why are you asking? Do you mean modem/router combo? Typically, standalone consumer modems can't be seen or reached directly from the internet. Of course, shutting down a device may decrease the probability of it being compromised, but it does not make it any less vulnerable. – multithr3at3d Oct 27 '19 at 22:22
  • @multithr3at3d - I am mindful of some of the advantages however I may not have considered all of the possible benefits or potentially the disadvantages or no change. For example, I am curious to understand why consumer grade modems cannot be reached or seen directly from the internet? Is the assumption that it isn't a gateway device? – Motivated Oct 27 '19 at 22:51
  • It would be helpful to understand why this question is considered to be broad since it is focused on the security risks and benefits of a connected and powered modem. – Motivated Oct 28 '19 at 00:00
  • @Motivated yes, if it is not a router, then it isn't likely exposed to the internet. It may have a local IP address it can be accessed with, and there will be protocols it can speak with the ISP. But unless the attack is using your ISP's internal comms or the attacker is able to do CSRF, I wouldn't say it's exposed. – multithr3at3d Oct 28 '19 at 00:03
  • @multithr3at3d - How does this compare to devices that are a combination of a modem and router? – Motivated Oct 28 '19 at 03:20

1 Answer

2

Disconnecting internal devices from the internet when no connection is desired has the benefit that these devices are no longer externally accessible and thus attackable. While on the surface this seems "more safe", your devices are not really vulnerable unless they are either in direct communication with something or you forwarded some ports.

The risk to regular consumer devices from attacks over the internet is very small these days, assuming no risky behaviour from the user (e.g. downloading "free_M$_offic_[no_virus_100%_gurarantee].exe").

The downside is obviously you can't connect to your devices if you don't turn your modem on. This might not be a downside for you, if this is not a functionality you use.


I'll elaborate a bit on the points brought up in the comments:

What does it mean for a device to be in direct communication or have ports forwarded?

In a normal home network, your devices are not directly reachable from the internet. Someone externally can connect to your home router (or router/modem/wifi-access point hybrid), but not directly to your home computer.

The router uses something called NAT, which basically means that your home computer can connect to a remote server and that server can reply, but once that communication is done, the remote server can't reach your home computer anymore. That's a gross oversimplification, but it illustrates the concept that others can only reply to you - they can't initiate a connection to your home PC.

In order for them to be able to do that, you need to configure port forwarding, which basically gives everyone a way to talk to your home computer (as long as that is turned on as well).

This means that if your computer does not have any active connections and no port forwarding is configured, it's essentially not reachable from the internet.

What is the risk to regular consumer devices these days?

This would be a full question in its own right, but I would wager that the average risk is rather small. A regular desktop PC, for instance, running a modern, up-to-date OS, will probably not have any publicly available exploits.

Even with other hardware you're likely to be safe, even if an attacker could remotely connect to them in some way. This includes smartphones, game consoles, smart watches, etc.

I'm not saying there is no way that these could have an exploit, because history has shown that there are plenty of exploits for modern operating systems. I'm saying the likelihood that an up-to-date product has a publicly available exploit is very low.

But what if the vendor does not care?

Usually, if a vendor really does not care, the security community likes to make them care. Imagine you buy a router from GreedyTech, who only cares about profit and not about security. Some security researcher sees that router, and knowing GreedyTech's reputation, he buys it to analyze it. A week later, he finds an exploit and - like a responsible security researcher - he contacts GreedyTech. GreedyTech is not interested in spending any money to secure their products, so they kindly tell him to go away.

The security researcher tries again, explaining at what high risk they put their customers. GreedyTech does not budge, and again tells the researcher in no uncertain terms to "go away".

The security researcher then publicizes the vulnerability, hoping that it becomes as publicly known as possible. Why so? The researcher does this in order to:

  1. Make customers of GreedyTech aware to buy a replacement as soon as possible.
  2. Gather attention from the media, hoping that the bad publicity will force GreedyTech to improve their product or suffer from a bad reputation (and thus less money).

So in a sense, even if a product is highly insecure, it'll probably not stay insecure for that long.

  • Can you elaborate on "your devices are not really vulnerable unless they are either in direct communication with something or you forwarded some ports"? Also I am interested in learning why you believe "The risk to regular consumer devices from attacks over the internet is very small these days" given that not every vendor e.g. DLink considers the security of the devices. – Motivated Oct 27 '19 at 21:48
  • @Motivated I edited my answer and I hope that answers your question. –  Oct 27 '19 at 22:14
  • Thanks for expanding on the answer. The update opens up a whole bunch of questions. The use of GreedyTech for example suggests that this isn't always the case. DLink is a good example of this. This suggests that whilst the devices remain vulnerable, the methods in which LAN devices connect to the internet are also at risk. If yes, does shutting down the device offer any real advantage? – Motivated Oct 27 '19 at 22:56
  • 1
    I don't understand why you use D-Link as an example for I assume bad security practices, but if you know (or have reason to assume) that D-Link's products are insecure, then you know not to buy D-Link. The system is working as intended. And if you assume your modem is compromised, shutting it down is not a feasible solution - replacing it completely is. –  Oct 28 '19 at 09:22
  • The example of D-Link is that the insecurity of the device was only recently published. Up to that point, it remained unknown. I would imagine that the vast majority of users remain unaware. In the scenario that a modem and/or router is potentially insecure, is there any added advantage of shutting it down? I am assuming no. – Motivated Oct 28 '19 at 17:43
  • After reading all of this, I'm still struggling with why you keep asking is there any added advantage of shutting it down? when the answer is obvious - you can't attack a device that is shut down. What exactly are you trying to ask? – dwizum Oct 28 '19 at 20:08
  • @Motivated What do you mean "advantage of shutting it down"? It's powered off, that's it. Once you power it on it's vulnerable again. –  Oct 28 '19 at 20:51
  • @dwizum - Given the confusion, I'll ask the question differently. Let's assume for the moment, I am unaware if the modem and router is vulnerable or open to attack. Are there security benefits or advantages in shutting down the device when it is not in use? The next use case is when a device is considered to be secure, are there security benefits in shutting it down? Other than it cannot be attacked remotely, should modem/routers be shutdown (on the understanding it isn't required to be running 24/7/365)? – Motivated Oct 29 '19 at 02:37
  • @MechMK1 - See my feedback to dwizum – Motivated Oct 29 '19 at 02:38
  • 1
    @Motivated The answer remains the same: If it's off, it can't be attacked, but it can't be used either. If it's on, it's vulnerable. –  Oct 29 '19 at 08:47
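
The NAT and port-forwarding behaviour described in the answer above, modelled as an added example (not part of the original answer or comments). The `Nat` class, the 120-second idle timeout, the documentation-range addresses and the rule that only the contacted server may reply are assumptions for illustration; real routers differ in how strictly they filter.

```python
from dataclasses import dataclass, field

MAPPING_TTL = 120  # seconds an idle mapping survives (constructed value)

@dataclass
class Nat:
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    mappings: dict = field(default_factory=dict)  # wan_port -> mapping state
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote, now):
        """A LAN host opens a connection; the router records a mapping."""
        for wan_port, m in self.mappings.items():
            if m["lan"] == (lan_ip, lan_port) and m["remote"] == remote:
                m["seen"] = now
                return wan_port
        wan_port = self.next_port
        self.next_port += 1
        self.mappings[wan_port] = {"lan": (lan_ip, lan_port),
                                   "remote": remote, "seen": now}
        return wan_port

    def inbound(self, remote, wan_port, now):
        """A packet arrives from the internet; return the LAN target or None (dropped)."""
        m = self.mappings.get(wan_port)
        if m and now - m["seen"] > MAPPING_TTL:
            del self.mappings[wan_port]     # communication is done: state expires
            m = None
        if m and m["remote"] == remote:     # only the contacted server may reply
            m["seen"] = now
            return m["lan"]
        return self.forwards.get(wan_port)  # static port forward: open to everyone

def demo():
    nat = Nat("203.0.113.7")                # all addresses are constructed samples
    pc = ("192.168.1.10", 51000)
    server = ("198.51.100.20", 443)
    stranger = ("192.0.2.99", 55555)
    port = nat.outbound(*pc, server, now=0)
    results = {
        "reply": nat.inbound(server, port, now=1),
        "stranger_same_port": nat.inbound(stranger, port, now=2),
        "unsolicited": nat.inbound(stranger, 12345, now=3),
        "reply_after_expiry": nat.inbound(server, port, now=2 + MAPPING_TTL),
    }
    nat.forwards[8080] = ("192.168.1.10", 80)   # the user configures a port forward
    results["forwarded"] = nat.inbound(stranger, 8080, now=500)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the reply and the forwarded port reach the LAN host; everything else stops at the router, which is itself the device that stays reachable while powered on.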