2018-09 Show Notes

Topic - Is your home wireless router safe?


The vulnerability is called KRACK (Key Reinstallation Attack). It is a flaw in the WPA2 4-way handshake itself rather than in one vendor's product, so it affects every implementation of WPA2, both the Personal (pre-shared key) and the Enterprise (802.1X) variants. An attacker within radio range replays a handshake message to make a device reinstall a key it is already using; that resets the packet counter, and traffic encrypted with the reused keystream can be decrypted and, in some configurations, forged. The attack does not reveal the Wi-Fi password, and the fix is a software patch. Because the weakness is mostly exploited on the client side of the handshake, patching phones, laptops and smart-home devices matters at least as much as patching the router.
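As an added illustration of why key reinstallation matters (this script is not part of the show notes or of the KRACK research, and its sample frames are constructed): WPA2's CCMP encrypts each frame with AES in counter mode, keyed by the session key and a packet number that restarts from zero whenever a key is installed. Replaying handshake message 3 makes the client reinstall the same key, so the packet number restarts and two frames get the same keystream; XORing the two ciphertexts cancels the keystream, and guessable content in one frame exposes the other. HMAC-SHA256 stands in for AES-CTR below (an assumption made so the script runs on a bare Python install; the algebra is the same), and the `patched` flag shows the fix: refuse to install a key that is already installed.

```python
import hashlib
import hmac

# Constructed sample traffic (not from the page): one frame with guessable
# content, one carrying a secret the eavesdropper wants.
KNOWN_PT = b"GET /index.html HTTP/1.1\r\nHost: router.lan\r\n"
SECRET_PT = b"POST /login pw=hunter2"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream. Real CCMP uses AES-CTR with the 48-bit packet
    number (PN) in the nonce; HMAC-SHA256 stands in for AES here (assumption,
    so the script needs no third-party library). The property that matters is
    identical: same key + same nonce => same keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce.to_bytes(6, "big") + counter.to_bytes(2, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Toy Wi-Fi client: tracks the installed key and the per-key packet number."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0

    def install_key(self, key: bytes) -> None:
        # Handshake message 3 arrives: install the pairwise key and reset the PN.
        # The KRACK fix is to ignore an attempt to install a key that is already
        # in use, so the PN keeps counting instead of restarting at zero.
        if self.patched and key == self.key:
            return
        self.key = key
        self.pn = 0

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (pn, ciphertext)."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))


def recover_secret(ct_known: bytes, known_pt: bytes, ct_secret: bytes) -> bytes:
    """Two ciphertexts under the same keystream: keystream = ct_known XOR known_pt,
    so ct_secret XOR keystream yields the secret, as far as the known text reaches."""
    ks = xor(ct_known, known_pt)
    return xor(ct_secret, ks)


def krack_demo(patched: bool) -> bytes:
    """Run the replay against a vulnerable or a patched station and return what
    the eavesdropper recovers from the second frame."""
    ptk = hashlib.sha256(b"constructed pairwise key for the demo").digest()
    sta = Station(patched)
    sta.install_key(ptk)              # genuine handshake message 3
    _, ct_known = sta.send(KNOWN_PT)  # frame with guessable content, PN = 1
    sta.install_key(ptk)              # attacker replays message 3
    _, ct_secret = sta.send(SECRET_PT)  # vulnerable: PN restarts at 1
    return recover_secret(ct_known, KNOWN_PT, ct_secret)


if __name__ == "__main__":
    print("vulnerable station leaks:", krack_demo(patched=False))
    print("patched station leaks:   ", krack_demo(patched=True))
```

The leaked field here is a plain-HTTP POST body. Had the same request been sent over HTTPS, the bytes inside the Wi-Fi frame would already be TLS ciphertext and the recovered "secret" would be useless, which is the reason the HTTPS item appears in the list below.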

Product Recommendations

https://www.tomsguide.com/us/best-wifi-routers,review-2498.html

Practice Recommendations

Easy Stuff

Don't use your ISP's wireless router. Routers supplied by ISPs are often older models that receive firmware updates late or not at all, and the ISP may keep control of their settings.

Always use websites over HTTPS. TLS encrypts traffic end to end between the browser and the site, so it stays protected even when the Wi-Fi layer is compromised, as KRACK allows.

Change the administrative credentials from the default username and password. They're the first things an attacker will try. Your router's instruction manual should show you how to do this; if it doesn't, then Google it.

Change the network name, or SSID, from "Netgear," "Linksys" or whatever the default is, to something unique — but don't give it a name that identifies you.

"If you live in an apartment building in apartment 3G, don't call your SSID 'Apartment 3G,'" Horowitz quipped. "Call it 'Apartment 5F.'"

Enable WPA2 wireless encryption, using AES (CCMP) rather than the older TKIP and a long passphrase, so that only authorized users can get on your network.

Disable Wi-Fi Protected Setup (WPS), if your router lets you. The WPS PIN method can be brute-forced in a matter of hours, and success hands the attacker the WPA2 passphrase no matter how strong it is.

Set up a guest Wi-Fi network and offer its use to visitors, if your router has such a feature. If possible, set the guest network to turn itself off after a set period of time.

Do not use cloud-based router management if your router's manufacturer offers it. Instead, figure out if you can turn that feature off.

Harder Stuff

Install new firmware when it becomes available; this is how router makers ship security patches. Log into your router's administrative interface routinely to check. With some brands, you may have to check the manufacturer's website for firmware upgrades. Newer routers, including most mesh routers, update their firmware automatically. Either way, keep a backup router on hand in case an update goes wrong.

Set your router to use the 5-GHz band for Wi-Fi instead of the more standard 2.4-GHz band, if possible — and if all your devices are compatible.

"The 5-GHz band does not travel as far as the 2.4-GHz band," Horowitz said. "So if there is some bad guy in your neighborhood a block or two away, he might see your 2.4-GHz network, but he might not see your 5-GHz network."

Disable remote administrative access, and disable administrative access over Wi-Fi. Administrators should connect to routers via wired Ethernet only. (Again, this won't be possible with many mesh routers.)

Use a personal VPN service on your devices. It encrypts traffic before it reaches the router, so the traffic stays protected on any Wi-Fi network, your own included.

Advanced tips for more tech-savvy users

Change the settings for the administrative Web interface, if your router permits it. Ideally, the interface should enforce HTTPS, so that the admin password is never sent across the LAN in clear text. Moving it to a non-standard port as well, so that the URL for administrative access becomes something like, to use Horowitz's example, "https://192.168.1.1:82" instead of the default "http://192.168.1.1" (plain HTTP on the internet-standard port 80), keeps it out of the way of automated scanners, but the port change by itself is obscurity, not a security control; HTTPS is the part that matters.

Disable Telnet, SSH, UPnP and HNAP, and turn off responses to PING, if possible. Telnet, SSH and HNAP are remote-administration channels (HNAP is a vendor management protocol found on some consumer routers); UPnP lets any device on the LAN ask the router to open ports to the internet; and PING (ICMP echo) merely confirms to an outside prober that a host is there. Instead of setting the relevant ports to "closed," set them to "stealth" so that no response at all is given to unsolicited external traffic, which is exactly what attackers probing your network are listening for.

"Every single router has an option not to respond to PING commands," Horowitz said. "It's absolutely something you want to turn on — a great security feature. It helps you hide. Of course, you're not going to hide from your ISP, but you're going to hide from some guy in Russia or China."

Finally, use Gibson Research Corp.'s Shields Up port-scanning service at https://www.grc.com/shieldsup. It probes your router from the internet side, reports each common service port as open, closed or stealth, and checks whether UPnP answers from the outside; anything reported open that you did not intend to expose can usually be fixed from the router's administrative interface.
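The same open/closed/stealth distinction can be checked from inside the LAN, which is the vantage point that matters for the "no administrative access over Wi-Fi" item. The script below is an added example, not code from the show notes, Tom's Guide or Shields Up; the port list is an assumption about a typical consumer router, the default target of 192.168.1.1 is an assumption, and UDP services such as UPnP/SSDP on port 1900 need a different probe and are not covered. Run it from a laptop on your Wi-Fi; what Shields Up sees from the internet is a separate question.

```python
import socket

# Ports that commonly carry router management services (assumption: a typical
# consumer router; adjust the list for yours).
ADMIN_PORTS = {
    22: "ssh",
    23: "telnet",
    80: "http admin",
    443: "https admin",
}


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect probe, classified the way Shields Up reports ports:
    'open'        - the handshake completed, something is listening
    'closed'      - a RST came back: the host is there but nothing listens
    'stealth'     - no answer within the timeout: silently dropped
    'unreachable' - no route or other network error before any probe went out
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def scan(host: str, ports=ADMIN_PORTS, timeout: float = 1.0) -> dict:
    """Probe every port in `ports` on `host`; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def findings(results: dict, ports=ADMIN_PORTS) -> list:
    """Turn scan results into the checklist items from the notes above."""
    out = []
    for port, state in results.items():
        if state != "open":
            continue
        name = ports.get(port, f"port {port}")
        if port in (22, 23):
            out.append(f"{name} ({port}) is open: disable remote shells on the router")
        elif port == 80:
            out.append("plain-HTTP admin (80) is open: switch the admin UI to HTTPS")
        else:
            out.append(f"{name} ({port}) is open: confirm this is intended")
    return out


def start_listener() -> tuple:
    """Open a throwaway listening socket on localhost so probe() can be exercised
    without touching a real router; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys

    # Assumption: 192.168.1.1 is the router; pass the real gateway as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    results = scan(target)
    for port, state in sorted(results.items()):
        print(f"{port:>5} {ADMIN_PORTS[port]:<12} {state}")
    for line in findings(results):
        print("!", line)
```

A router that answers "closed" on 23 still tells an outside prober it exists; "stealth" on every port is the state the notes recommend, and from the LAN side the only port you should expect to see "open" is the one carrying the HTTPS admin interface, if you allow admin over Wi-Fi at all.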

Links

https://www.krackattacks.com/

https://www.popsci.com/kracks-wifi-problem

https://www.tomsguide.com/us/home-router-security,news-19245.html

https://www.theverge.com/2017/10/16/16484824/krack-wifi-encryption-bug-vulnerability-install-patch

https://heimdalsecurity.com/blog/the-krack-wi-fi-vulnerability/

