2

Much like the entropy 'myth' of '1337' speak passwords compared to overall password length, it seems that multiple modern 'PC advice' articles on the web still suggest hiding SSIDs and as MAC filtering.

Aside from those dubious points, they suggest using strong encryption (WPA2-PSK), changing the default router admin details (obviously) and the default router IP (to mitigate against drive-by internet exploits) but after reading - multiple - recent - answers, it seems every other bit of knowledge I previously had about router protection is completely wrong. It also seems that most of this knowledge has been known for over a decade...

I see plenty of answers explaining why these are bad, but few suggesting how to effectively remedy them.

What are the modern methods of protecting SOHO routers - from the technical to the social engineering point of view - against internet and wireless attacks?

Are there other methods of encryption that can be used on top of WPA2-PSK? Should NAS devices on such wireless networks be considered compromised? How can router firewalls be used to mitigate such attacks?

myol
  • 133
  • 4

3 Answers3

4

Things that you should do:

  • Update the firmware
  • Use a strong password and WPA2 for wireless connections. Don't use WEP.
  • Change the SSID of the router to something non-standard. This is because the SSID is used as a salt for the wireless password, and having a non-standard SSID protects against an attacker using rainbow tables generated for standard SSIDs.
  • Disable WPS - it is inherently insecure.
  • Disable remote administration. This includes access from any mobile apps - do you really need to remotely change settings on your router from an app?
  • Use a strong password for the router admin webpage, and if possible change the admin username. I use a long random password saved in a password manager.
  • Remember to log out of the admin webpage when finished.
  • If possible, enable HTTPS for admin webpage connections.
  • Disable uPnP. Review any other services that your router may be running (FTP, SMB, telnet, ssh) and disable if necessary.
  • Be very careful about opening up ports for incoming connections.

Things that you may consider:

  • Set up a guest network for visitors to keep them segregated from your main network. If your visitors can only access the internet and not any other machines on your network this should prevent them from infecting any of your devices with malware. This also means that you don't have to share your main WPA2 key.
  • Use a non-standard network range (i.e. not 192.168.0.x or 192.168.1.x). This may help against a scripted attack that uses a default network range and it will help in future if you ever need to set up VPN connections.
  • Turn on logging and review the logs.

Things that are a probably waste of time:

  • Hiding the SSID. This is security by obscurity, and finding a hidden SSID is an easy task
  • Use MAC filtering. A determined attacker can easily spoof a MAC address.
JonnyWizz
  • 1,961
  • 1
  • 15
  • 34
  • 2
    "update the firmware" is a joke with several vendors because the device is already out of support or they are unable to fix the bugs as fast as others find them. And of course they don't let you know if they have updates for you with critical fixes. That's why it is important to choose already a device from a vendor with a good security record. – Steffen Ullrich Nov 26 '15 at 15:16
  • @SteffenUllrich do you have an example of such a vendor/device? – JonnyWizz Nov 26 '15 at 16:46
  • For affected vendors and devices see http://www.computerworld.com/article/2930554/security/new-soho-router-security-audit-uncovers-more-than-60-flaws-in-22-models.html, https://nakedsecurity.sophos.com/2014/04/23/the-soho-router-backdoor-that-was-fixed-by-hiding-it-behind-another-backdoor/,.. or simple google for "soho router backdoor". See also http://www.routerpwn.com/ or just follow http://packetstormsecurity.com where there is no month without new vulnerable devices. It is actually very hard to find a vendor which cares about security and has long term support. – Steffen Ullrich Nov 26 '15 at 17:09
  • 1
    And for a good vendor: several large ISP's in germany include AVM Fritz!Box with their internet access, even if it is more costly than all the other boxes. But you get 5 year warranty from the vendor, firmware updates for lots of years which include even new features and an excellent security record. There was once a bigger bug but got quickly fixed and since a while the boxes default to automatically update the firmware. At the end it causes less problems and that's why the ISP probably include the seemingly more costly device. – Steffen Ullrich Nov 26 '15 at 18:32
  • Just a nitpick, but it's not just `192.168.1.x` and `192.168.0.x`. It's all of `192.168.0.0/16`. – forest Mar 13 '18 at 03:00
1

To deny local attackers access to the network use good encryption: WPA2-PSK is good while WEP is not. But, WPA2 might be cracked brute-force so use an adequate password. And since many vendors do not implement WPS properly better disable it.

To protect against accessing or changing the configuration of the device by either an attacker in the same network or by a remote attacker (using CSRF or similar or by accessing the device from the internet):

  • Choose a router model with a good security record. Google for exploits related to the device and vendor before you buy. Unfortunately there are only very few devices were the vendor actually cares about security. Don't expect security from the cheap devices.
  • Use a strong password to protect the administrative interface.
  • Make sure the device is not reachable from the internet, i.e. not by default, not by enabling it, not by adding a port forwarding and not through any of the known backdoors (see: choose a model with a good security record).
  • If possible enable auto-update of firmware. If your router does not offer this it might not be the best choice.
  • If you get guests make sure your router offers a guest WLAN with separate ESID, password and also separate network.
  • Changing the IP address of the device might help, but if there is a CSRF vulnerability or so it will not help much because the attacker can easily scan the local network from inside the browser.
Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
0

Most routers are insecure as they're made by hardware companies who don't care about keeping the router's software up to date, and given that a router is actually a small Linux-based computer wide open to the Internet, it's a pretty serious issue.

It doesn't matter if you secure the router by using a strong Wi-FI PSK, change the admin password to something strong, etc... if there's a vulnerable or backdoored SSH/telnet server that will happily give root privileges to anyone who connects, and from there you've already lost as the attacker can then reset the web interface admin password, or directly change the settings without touching the web interface as to not raise any suspicions, and even write to the flash memory device nodes as to persist resets or even firmware reinstalls (the bootloader itself can be overwritten, which means you can load malicious code as early as possible and thus thwart every software-based method of reinstalling the router, only physical rewriting of the memory chips using a known clean machine - thus not even executing the malicious bootloader - will save the router).

I recommend using an old desktop computer with a general-purpose Linux or *BSD distribution as a router and keeping that machine secure and updated just like you would with any other server.

André Borie
  • 12,736
  • 3
  • 40
  • 76