NCSAM Tip #19: Secure Your Wireless Network!
Real World Consequences:
Let me set the scene: you are at home with your family, sitting on the couch watching TV, when all of a sudden a whole swarm of SWAT officers comes busting through your front door on a no-knock warrant. You and your family are separated, and you are forced to the ground at gunpoint with the officers screaming at you about your disgusting ways, shouting “We know WHAT YOU ARE, PEDOPHILE!”
But that will never happen to you, right? You don’t ever visit those types of websites; the very thought of such things turns your stomach. That is just what a resident of Buffalo, New York thought earlier this year, until it happened to him and his wife. Now as it turns out he was completely innocent, but that fact did not save him from having his door broken down or having a weapon held on him while he was being detained and his house searched by the FBI and the Buffalo Police. (And no, they did not pay to fix his door.)
What led to this case of mistaken identity? An unsecured or weakly secured Wi-Fi network that, unbeknownst to the residents, was being used by a man in a local apartment complex to download and distribute child pornography. You may think this is an isolated incident, but just in the last year similar stories have been repeated numerous times in the USA and throughout the world. I could go on about all the other threat actors out there that are looking to take advantage of unsecured wireless networks as well, but I think you have already gotten my point.
So, the question you need to ask now is, is your network unsecured or weakly secured? A significant percentage of home wireless networks are still fully open today and an even larger percentage are utilizing encryption technology that can easily be broken. Both situations can result in an unauthorized user gaining the ability to utilize your home internet connection as they see fit, leaving you holding the bag as it were.
Why Things Are The Way They Are:
There are a number of excuses that people use when it comes to securing their wireless networks. The first that come to mind are the claims that it is just too difficult, or “I don’t know how.” I’ve also had people tell me that it was just too inconvenient: they have friends over all the time who they want to let use their connection, and passing out long network passwords is just a pain. And of course there are those people who don’t even know what a Wi-Fi network is. In most of these cases I have found that the users who are making these statements have had a very bad experience in the past trying to get their devices to talk to their wireless router or access point, and in the end opted to go with the unsecured route because it was the only way they could get it to work. I have also found that almost 100% of those who have had such problems installed their equipment more than 3 years ago.
Fortunately for consumers, the makers of home gateways and access points have started to tackle the complexity issue and have made great strides towards making such devices easier to set up, and to do so securely. Additionally, a feature that is becoming very common is the ability to have a secondary or “guest” network that is also serviced by your device. In most cases this feature allows you to set a password that you can remember and pass out to your friends who come to visit and need access to your network. The guest network is also typically separated from the network that your private devices reside on, preventing curious eyes from potentially seeing anything sensitive that may be shared between your internal devices. These connections by your guests can generally be logged, so you have a record of where those guests may have visited. Most devices today also come with a very comprehensive setup utility that will guide you through properly configuring your device.
As mentioned earlier, another weak link in a significant number of home Wi-Fi deployments is the use of outdated encryption technology. And again, in a majority of cases, the primary culprits of this in the home are those users who managed to successfully set up their Wi-Fi networks 3 plus years ago. In most cases such networks have been working with a high degree of reliability. The home administrators of these networks also know that they have “secured” their wireless network, and as such see no need to ever re-evaluate their security posture. Unfortunately, networks secured utilizing Wired Equivalent Privacy (WEP) provide little protection from the real “bad guys” today. And while in most cases it is still sufficient to keep your non-tech-savvy adult neighbor from using your network, it is not sufficient to keep a teenager with access to Google and an hour of time on their hands from tapping in. The WEP encryption protocol is unequivocally broken, and can be cracked by a professional in less than 10 minutes in a majority of cases and as little as 1 in many.
It is Time to Upgrade:
If your personal wireless router or access point is more than 5 years old, it is probably time to invest in new hardware. If you have installed a device in the last 3 years or so, your router or access point probably already supports the newer wireless encryption standards, though it may be in desperate need of a firmware upgrade. In either case, if your network is currently Open or using WEP it is time to make some changes.
The Wi-Fi Protected Access (WPA) protocol was released as a replacement for WEP, implements a majority of the 802.11i standard, and should be supported on any hardware that has been produced since circa 2004. This upgrade to WEP was intended as a stopgap measure that could be implemented on most current hardware at the time. The protocol is often referred to as WPA-PSK, WPA-Personal, or WPA-TKIP; these refer to the Key Distribution Mode or Encryption method utilized by the protocol. Until 2010, WPA-PSK with TKIP was both an endorsed and cryptographically secure choice for most home networks. But as so often happens with encryption technology, a whole lot of very smart people have started to demonstrate the weaknesses of WPA. It is not yet considered as “broken” as WEP is, but it is starting to fall out of favor with many security professionals.
While the ball was rolling on WPA, the Wi-Fi Alliance continued to work on 802.11i, which was eventually ratified as 802.11i-2004, commonly referred to as WPA2. As of March 16th, 2006, all new products that carried the Wi-Fi Alliance Certified mark were required to support the WPA2 protocol. The WPA2 protocol is commonly referred to as WPA-AES, WPA2-Personal, or confusingly WPA-PSK or WPA-Personal. These last options are often used in conjunction with a secondary encryption option; when selected with the AES or CCMP encryption options, an access point or router will utilize WPA2. Today WPA2 is preferred over WPA when available; all hardware manufactured within the last 3 years should support WPA2.
What You Should Do:
The list below is a checklist of actions that you should take to secure your new or existing wireless network. Some of the items below reflect good security practice and are not directly related to the strength of the encryption that you are implementing for your network.
- Change the password on your router or Access Point!
  - Choose a password that cannot be easily guessed by an attacker. A good password will contain both upper and lower case characters and numbers. Surprisingly, a large number of personal routers and access points do not support the use of special characters such as !@#$%.
  - Don’t worry so much about losing your password; set it to something you can remember, or record it and store the password in a secure location. In just about every case your device will contain a hardware reset option that will allow you to reset the device to its factory defaults should you lose this information. It really is better to lose it than to have an easily guessable value.
- Utilize WPA2 or WPA-Personal with AES to protect your network
  - Use a GOOD passphrase. Just enabling WPA2 will not protect you from those who may be wishing to utilize your network. A secure encryption protocol with a weak password can quickly result in a compromised network.
  - If WPA2 or WPA-Personal with AES is not available on your device, choose WPA-TKIP or WPA-Personal with TKIP. If the only option you have is WEP, I’m sorry to say, but it is time to buy a new router or Access Point.
  - When choosing a passphrase, you should aim to utilize at least 20 characters; WPA passphrases may be up to 63 characters.
  - Your passphrase should include both upper and lower case characters, as well as numbers and special symbols. You may consider utilizing one of the many passphrase generators provided by reputable sites on the web to help you generate a unique value. The folks at whatsmyip.org have a pretty good selection of tools that can be used to generate passwords and passphrases. (The tools do all the work in your local browser, and no information is sent back to whatsmyip.org.) The password tool can be found here: passwordgen
- Change the Service Set Identifier (SSID or “Network Name”)
  - Your SSID can tell an attacker a lot about your network. If you leave the default value of, say, “Linksys”, “2WireXXX”, or “MotorolaXXX”, you have told your attacker what type of device you have and let them know what default password to try or where to begin their social engineering attack.
  - Use an SSID that is unique but not too descriptive of your location.
  - Do NOT disable your SSID broadcast. While this may seem counterintuitive, if your SSID is hidden and you commonly travel outside your home with a mobile device that utilizes your home Wi-Fi network, that device may be constantly broadcasting the networks it is willing to connect to everywhere you go. It is like shouting out to everyone you meet that you are willing to connect to their access point if they will only respond with the name you are asking for. Additionally, use of this practice in areas that have a number of Wi-Fi networks can result in channel congestion, as access points and automated configuration utilities cannot perform a proper evaluation of the surrounding networks to select the most appropriate channel. This can directly result in slow or unreliable wireless networks.
- Disable Remote Administration
  - By disabling remote administration you help reduce the potential attack surface of your router. This prevents a remote attacker from trying to brute force their way in by guessing your router’s password or leveraging a known vulnerability in the web administration interface of your device to gain access.
- Disable Wireless Administration
  - When you disable wireless administration you are ensuring that no client that is connected to your network via a Wi-Fi connection can access the administration interface of your Router or Access Point. This again reduces the potential attack surface and helps provide defense-in-depth protection, so that someone who gains access to your Wi-Fi network, either lawfully or unlawfully, cannot manipulate the settings on your device.
  - This can be a bit troublesome for those who utilize Wi-Fi exclusively and do not have easy access to a wired connection.
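The checklist above, expressed as an added example (not part of the original tip): a Python script that generates a passphrase from the operating system's random source and audits a dictionary of router settings against each item. The setting keys and mode labels (`mode`, `ssid_hidden`, `remote_admin`, `wireless_admin`, `wpa2-aes`) are hypothetical names chosen for this example, and the 8-character lower bound is the WPA minimum passphrase length.

```python
import re
import secrets
import string

# Default-SSID patterns built from the examples named in the checklist.
DEFAULT_SSID = re.compile(r"^(linksys|2wire|motorola)\w*$", re.IGNORECASE)
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def generate_secret(length=24, symbols=True):
    """Random secret from the OS CSPRNG. symbols=False suits router admin
    passwords on devices that reject special characters."""
    classes = CLASSES if symbols else CLASSES[:3]
    alphabet = "".join(classes)
    while True:  # redraw until every required character class appears
        s = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in s) for cls in classes):
            return s

def audit(cfg):
    """Return checklist findings for a dict of router settings."""
    out = []
    mode = cfg["mode"].lower()  # hypothetical labels: open, wep, wpa-tkip, wpa2-aes
    if mode in ("open", "wep"):
        out.append("encryption: open or WEP, move to WPA2 (AES)")
    else:
        if mode != "wpa2-aes":
            out.append("encryption: prefer WPA2 (AES) if the device offers it")
        pw = cfg.get("passphrase", "")
        if not 8 <= len(pw) <= 63:
            out.append("passphrase: WPA requires 8 to 63 characters")
        elif len(pw) < 20:
            out.append("passphrase: shorter than 20 characters")
        if not all(any(ch in cls for ch in pw) for cls in CLASSES):
            out.append("passphrase: missing a character class")
    if DEFAULT_SSID.match(cfg["ssid"]):
        out.append("ssid: default name reveals the device type")
    if cfg.get("ssid_hidden"):
        out.append("ssid: hidden, re-enable broadcast")
    for key in ("remote_admin", "wireless_admin"):
        if cfg.get(key):
            out.append(f"{key}: enabled, disable it")
    return out

# Constructed sample settings, not taken from any real device.
WEAK = {"mode": "WEP", "ssid": "linksys", "ssid_hidden": True,
        "remote_admin": True, "wireless_admin": True}
HARDENED = {"mode": "WPA2-AES", "ssid": "bluebird-7",
            "passphrase": generate_secret(24), "wireless_admin": False}
```

Calling `audit(WEAK)` returns one finding per failed checklist item, while `audit(HARDENED)` returns an empty list.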
There are a few additional steps below that can be taken for additional hardening of your network.