Portuguese English German

Defending Your Wifi Network

In the previous post I talked about setting up a wifi hacking environment. That will be useful even for this phase, defending your own network for the tech savvy users part. This explanation is broken into two steps: for laymen and tech savvy users and for tech savvy users only.

For Laymen and Tech Savvy Users

  • Log into your router admin page (usually routers are on http://192.168.0.1);
  • Make sure your router is using WPA2 instead of WEP, because WEP is extremely vulnerable and even a strong password [1] won't help you;
  • Choose a strong password for your router admin user. The default is admin/admin in the majority of routers, so it's a good idea to change the defaults. Even a malware would try this combination to exploit your router;
  • Choose a strong password for your network;
  • Disable a feature called "WPS" in your router admin. The purpose is to prevent an attack called "Reaver", which is the same name as the tool used to perform this attack, that brute forces all PIN combinations of your wifi setup that ends up leaking the network password. Even if it is a strong password;
  • Monitor, from time to time, which devices are connected to your wifi. Usually there is a page in your router administration web interface that tells the MAC addresses connected to the network;
  • When not using your router, consider turning it off to save electricity and stay safe at the same time.

[1] strong password is an uncommon word/phrase that won't be found in any dictionary, is made of a mix of lower case / upper case / numbers and special characters. Yes, that annoying special chars. You may even use the "space" character. It's extremely important to choose a strong password because break WPA2 basically boils down to password brute forcing, and guess what? It's costly and time consuming for attackers. The easier a password is to be found in a wordlist (a file containing many common words, or previous leaked passwords in site breaches), the easier it is cracked. Digits only reduces the number of possible characters in a password, leading to a fast brute force of the entire keyspace, that is, test all digits combinations. It can be done in a few hours. And, unfortunately, as the minimum password length in WPA/WPA2 is 8 chars, it has the same length as a date (mmddaaaa), so people tend to use a date in their passwords, which is not good.

For Tech Savvy Users Only

  • Your router may not enable you to disable WPS, so you can verify if it has another control not commonly mentioned: throttling control. Yes, many routers nowadays detect brute force attempts on WPS PIN and block further attempts for a significant amount of time. Some may still be vulnerable if the attacker change the MAC address for example, or insert some noise into the network, but it's a test that you should do and is worth your time and security. If your router doesn't allow you to disable WPS or whether it hasn't a built in throttle control mechanism, you should change your router. If it's borrowed from the ISP, call them and ask for a new router;
  • Leveraging what I posted on my previous article, I recommend you to try to hack your own wifi and see if you get success. It's always a good habit to hack yourself first before bad hackers do;
  • In case you want to make things harder, your router probably has a feature to configure a MAC Address whitelist that you can use to whitelist only your devices, so different MAC addresses will be blocked. It's one more step for the attacker to do, clone the MAC address. However it's trivial from an attacker perspective to clone. Also updating the MAC whitelist very often can be very annoying, so I don't really use it, but it's good to know that you have more tools available. To perform the clone, attackers keep listening to the network until they identify the stations connected to the network and capture their MAC address. For that, of course, the attacker must be near and something must be connected to the network. Even if you don't be there, if any device, e.g., a printer, be connected to your Wifi, it's enough for an attacker to collect a MAC address;
  • You can use either aluminum or a special paint to isolate the Wifi signal beyond your house, so attempts to reach your Wifi from outside would be physically denied. This is defense by design. Technically speaking, if no one reaches your network, even if your password be '12345678', there would be no problem. Of course you should not give opportunity for bad things to happen, but that's the best defense;
  • Also check from time to time if your router has a new firmware available that could fix eventually disclosed security bugs.

Bonus

Even if your network is secure, you need to protect yourself from the devices within your network. If there is an infected PC, watch out, it may try to infect the other devices. Here is a real example. So, upgrade your own system from time to time, make sure your firewalls are up and that's all I got for today.

If you enjoyed this post, please subscribe below :)

Share on Twitter Share on Facebook Share on Google Plus Share on LinkedIn Share on Hacker News

Popular Posts

Newsletter


Twitter