
Defending Your Wifi Network

In the previous post, I talked about setting up a wifi hacking environment. That setup is useful for this phase too: defending your own network. This explanation is broken into two parts: one for both laymen and tech-savvy users, and another for tech-savvy users only.

For Laymen and Tech-Savvy Users

  • Log into your router's admin page (usually routers are on http://192.168.0.1).
  • Make sure your router is using WPA2 instead of WEP because WEP is extremely vulnerable, and even a strong password [1] won't help you.
  • Choose a strong password for your router admin user. The default is admin/admin in the majority of routers, so it's a good idea to change the defaults. Even malware would try this combination to exploit your router.
  • Choose a strong password for your network.
  • Disable a feature called "WPS" in your router admin. This prevents an attack called "Reaver," named after the tool used to perform it. Reaver brute forces all PIN combinations of your Wi-Fi setup, which can eventually leak the network password, even if it is a strong password.
  • Monitor, from time to time, which devices are connected to your Wi-Fi. Usually, there is a page in your router's administration web interface that displays the MAC addresses connected to the network.
  • When not using your router, consider turning it off to save electricity and stay safe at the same time.

[1] A strong password is an uncommon word/phrase that won't be found in any dictionary. It should be made up of a mix of lowercase/uppercase letters, numbers, and special characters. Yes, those annoying special characters. You may even use the "space" character. It's extremely important to choose a strong password because breaking WPA2 basically boils down to password brute-forcing. The more likely a password is to appear in a wordlist (a file containing many common words or previously leaked passwords from site breaches), the easier it is to crack. Using only digits reduces the number of possible characters in a password, leading to a faster brute-force attack that tests all digit combinations. It can be done in a few hours. Unfortunately, as the minimum password length in WPA/WPA2 is 8 characters, which is the same length as a date (mmddyyyy), people tend to use a date in their passwords, which is not secure.
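The footnote's points (wordlist hits, digits-only passwords, 8-digit dates) can be checked before you set a passphrase. The following is an added example, not code from the original post; the mini wordlist and the guess rate are assumptions chosen for illustration.

```python
import string
from datetime import date

# Constructed mini wordlist; a real audit would load a leaked-password list.
SAMPLE_WORDLIST = {"password", "12345678", "qwertyui", "iloveyou"}
ASSUMED_GUESSES_PER_SEC = 10_000  # assumption for illustration, not a benchmark
DATE_CANDIDATES = 3 * 200 * 366   # upper bound: 3 layouts x years 1900-2099 x days

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def looks_like_date(pw):
    """True if pw is 8 digits forming a date as mmddyyyy, ddmmyyyy or yyyymmdd."""
    if len(pw) != 8 or not (pw.isascii() and pw.isdigit()):
        return False
    layouts = [(pw[4:], pw[:2], pw[2:4]),   # mmddyyyy -> (year, month, day)
               (pw[4:], pw[2:4], pw[:2]),   # ddmmyyyy
               (pw[:4], pw[4:6], pw[6:])]   # yyyymmdd
    for y, m, d in layouts:
        try:
            if 1900 <= int(y) <= 2099:
                date(int(y), int(m), int(d))  # raises ValueError if impossible
                return True
        except ValueError:
            continue
    return False


def audit(pw):
    """Return (findings, candidate_count, hours_to_exhaust) for a passphrase."""
    findings = []
    if not 8 <= len(pw) <= 63 or any(not 32 <= ord(c) <= 126 for c in pw):
        findings.append("not a valid WPA2 passphrase (8-63 printable ASCII)")
    if pw.lower() in SAMPLE_WORDLIST:
        findings.append("in wordlist")
    # Search space an exhaustive attack must cover for the character classes used.
    charset = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    candidates = charset ** len(pw)
    if looks_like_date(pw):
        findings.append("8-digit date")
        candidates = min(candidates, DATE_CANDIDATES)
    elif pw.isdigit():
        findings.append("digits only")
    return findings, candidates, candidates / ASSUMED_GUESSES_PER_SEC / 3600


if __name__ == "__main__":
    for sample in ("12345678", "07041999", "Blue tractor, 7 geese!"):  # constructed
        print(repr(sample), audit(sample))
```

At the assumed rate, the eight-digit space takes a few hours to exhaust, while a date collapses to seconds because only a few hundred thousand candidates exist.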

For Tech-Savvy Users Only

  • Your router may not allow you to disable WPS. In that case, check whether it has another control that is not commonly mentioned: throttling. Many routers nowadays detect brute-force attempts on the WPS PIN and block further attempts for a significant amount of time. Some routers may still be vulnerable if the attacker changes the MAC address, for example, or inserts some noise into the network. However, it's a test that you should do, and it's worth your time and security. If your router doesn't allow you to disable WPS and doesn't have a built-in throttle control mechanism, you should change your router. If it's borrowed from the ISP, call them and ask for a new router.
  • Leveraging what I posted in my previous article, I recommend trying to hack your own Wi-Fi and see if you are successful. It's always a good habit to test your own security before bad hackers do.
  • In case you want to make things harder, your router probably has a feature to configure a MAC Address whitelist that you can use to whitelist only your devices. This way, different MAC addresses will be blocked. It's one more step for the attacker to clone the MAC address. However, from an attacker's perspective, cloning a MAC address is trivial. Also, updating the MAC whitelist very often can be very annoying, so I don't really use it. But it's good to know that you have more tools available. To perform the clone, attackers keep listening to the network until they identify the stations connected to the network and capture their MAC addresses. For that, of course, the attacker must be nearby, and there must be a device connected to the network. Even if you are not there, if any device, e.g., a printer, is connected to your Wi-Fi, it's enough for an attacker to collect a MAC address.
  • You can use either aluminum or a special paint to keep the Wi-Fi signal from reaching beyond your house. This way, attempts to reach your Wi-Fi from outside would be physically denied. This is defense by design. Technically speaking, if no one can reach your network, even if your password is '12345678,' there would be no problem. Of course, you should not give an opportunity for bad things to happen, but that's the best defense.
  • Also, check from time to time if your router has a new firmware available that could potentially fix any security bugs that have been disclosed.
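Checking the router's connected-devices page against a list of devices you own can be scripted. The following is an added example, not code from the original post; the inventory, the listing text and its layout are constructed, and the MACs use the IANA documentation range. Because a cloned MAC looks exactly like the real device, this check only surfaces unknown addresses and a known address showing up on more than one IP.

```python
import re

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed inventory of devices you own (hypothetical names and MACs).
KNOWN_DEVICES = {
    "00:00:5e:00:53:01": "laptop",
    "00:00:5e:00:53:02": "printer",
}

# Constructed copy of a router's connected-devices listing.
SAMPLE_LISTING = """\
192.168.0.10  00-00-5E-00-53-01  laptop
192.168.0.11  00:00:5e:00:53:02  printer
192.168.0.23  d6:8f:0a:77:88:99  (no name)
192.168.0.27  00:00:5e:00:53:aa  (no name)
192.168.0.31  00:00:5E:00:53:02  printer
"""


def normalize(mac):
    """Lowercase, colon-separated form so comparisons are exact."""
    return mac.lower().replace("-", ":")


def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a software-set (often randomized) MAC."""
    return bool(int(mac[:2], 16) & 0x02)


def review(text, known=KNOWN_DEVICES):
    """Group the MACs in a listing into the categories worth a manual look."""
    ips_by_mac = {}
    for line in text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if mac:
            ips_by_mac.setdefault(normalize(mac.group(1)), set()).add(
                ip.group(1) if ip else None)
    report = {"unknown": [], "unknown_randomized": [], "known_on_several_ips": []}
    for mac, ips in sorted(ips_by_mac.items()):
        if mac not in known:
            key = "unknown_randomized" if is_locally_administered(mac) else "unknown"
            report[key].append(mac)
        elif len(ips) > 1:  # heuristic: stale lease or a second device using this MAC
            report["known_on_several_ips"].append(mac)
    return report


if __name__ == "__main__":
    print(review(SAMPLE_LISTING))
```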

Bonus

Even if your network is secure, you need to protect yourself from the devices within your network. If there is an infected PC, watch out, as it may try to infect other devices. Here is a real example. So, upgrade your own system from time to time, make sure your firewalls are up, and that's all I have for today.
