Hopefully, by making this kind of exploitation common knowledge for the more tech-oriented crowd, we will be able to bring about change in the companies that manufacture the devices. You're right that the vast majority of people do not realize why they need to secure their infrastructure and would not know how to do it if they did. For that kind of person, the default needs to change to something more secure.

This kind of "change through widespread knowledge of exploitation" strategy saw some success in changing the default encryption schemes of WiFi routers. So, we're already kind of in the same area.

> What can be done? Are we reduced to just securing our friends' and families' infrastructure, all the while standing by idly while others outside of our direct sphere of influence suffer the consequences of naïvety?

No. We can write articles similar to this one which, instead of clearly explaining step-by-step procedures for exploiting weaknesses, clearly explain step-by-step procedures for REPAIRING weaknesses.

I think you give way too much credit to the average person. It's easy to lose sight of how scary technical things are to normal people when you're in it day in and day out, but to ask the average person to change something in their router is kind of like asking me to replace a cylinder in my car.

There's a reason things like the Geek Squad are around and can charge as much as they do...

I think you are complementing your own technical prowess.

But the truth is, replacing a cylinder in a car is so much harder than reading and following these instructions, and even if you don't understand either task the car cylinder task takes longer, requires more tools, makes a mess, etc.

An average person who has no intuition for passwords could just turn their router off when they aren't using it.

I agree with Oxdeadbeefbabe; you are complementing your own 'technical' (computer-related) ability, and overstating the task of configuring a router. Also, not to be pedantic, 'to replace a cylinder' hardly describes a task that can be undertaken on a motor.

The variance in technical ability of the 'average person' nowadays is pretty wide. There are still pop-up clicking grandmothers on IE7 out there, but there are also plenty of baby-boomers with the ability to set the clock on their VCR's, which is a much more fair analogy to the task of router configuration.

I think the important thing is getting the message out that such configuration is much more important than having the clock on your VCR right, which is probably how important the average person thinks router configuration is. As you said in another comment, routers are effectively shipping to average people broken. I think if this were more commonly known, people would take the time to learn and configure their networks. Not ALL people, but more average people than do today. The real problem is not that people are not technically capable of doing the task, but they do not know that it is a task that is really necessary; it's not common knowledge that a brand new router is a security risk.

It is relatively easy to change a cylinder on a horizontally opposed air-cooled VW motor (think '60s beetle) or the Lycoming/Continental engines popular in light aircraft.

Writing simple instructions about how to configure the router safely will not produce a ready-made solution for EVERYONE, but it will certainly help for SOME PEOPLE. And the question was whether anything could be done to assist those "outside of our direct sphere of influence" (i.e. not friends and family). This clearly would help.

If a random stranger can remotely hack your router, I wouldn't be confident that any settings change will secure it. The router is garbage and needs to be replaced, which is easily within the understanding of an average person.

That view is a bit naive. If the problem with a router is that the router is shipped by default with a known back-door or with insecure settings, that does not mean that "the router is garbage". It points to a deplorable lack of wisdom on the part of the vendor, but does not necessarily imply that the only solution is the pay for a replacement.

I often wonder the same thing. Other things that require the same level of expertise typically tell you that you need to do something by actively breaking. I know I need to call my heating and cooling guy because my air conditioning stops working, but nothing breaks to tell you to change your router settings. Technically, it's already broken.

As usual there's actually one effective way: Education.

You could also try scaring people about the end of the Internet, their money stolen and their pets kidnapped if they don't secure their router, but that would still be education.