Wi-Fi security – the new ‘bulletproof’ router (and how to toughen yours)

A new project aims to protect homes and small businesses from the security failings of Wi-Fi routers, a problem which has repeatedly hit the headlines over the past year as security researchers and law enforcement warn of the Wi-Fi security problems posed by the devices – and by shared Wi-Fi networks in general.

The Open Wireless Router project, launched by the Electronic Frontier Foundation, aims to develop software which offers a higher level of Wi-Fi security than current router models – and also offer a safe way for users to share their networks with guests.

The firmware is not ready for use by home users, the EFF warns, and is aimed at “people prepared to deal with the bleeding edge.”

Wi-Fi security – a new solution?

The Inquirer reports that the organization has released source code for a secure, open router firmware, running on a popular Netgear model – and asked for help from the hacker and security researcher community.

“The software aims to do several things that existing routers don’t do well—or don’t do at all,” the organization says.

“Allow small business and home users to easily enable an open network, so guests and passers-by can get an Internet connection if they need one, while keeping a password-locked WPA2 network for themselves and their friends or coworkers.”

The project also aims to address problems with the security of common home routers – and the fact that their firmware is often updated slowly, or in some cases not at all. Some models even ship with known vulnerabilities - easy prey for attackers.

ESET Senior Research Fellow David Harley says that for many users, a few simple steps could enhance security – without having to grapple with complex software, or buy a new router. “Taking a few simple precautions  would enhance security for quite a lot of home WiFi users – though I don’t have any statistics to say how many networks are relatively insecure.”

“The EFF project isn’t a bad idea – it proposes some useful measures – but right now it addresses a very small part of the problem and a small subset of knowledgeable users. In particular, it’s currently focused on a single router model, which isn’t going to save the world, though it probably won’t do Netgear any harm.”

Wi-Fi security – steps you can take now

A We Live Security video guide offers basic tips on how to secure home routers - and offers a good starting point for ensuring a Wi-Fi network isn’t vulnerable to snoopers and other unwanted ‘guests’.

Harley says, “Firstly, ensure your firmware is kept updated.” Firmware is the code and data which allows routers to function – similar in some ways to a computer operating system, but with the crucial difference that updates (to protect against bugs) often have to be installed manually.

Many users may be unaware that this is something they have to do – and routers tend to be long-lived devices, which can compound the problem. To update, you’ll need to find the routers model number (usually marked on the unit), visit the manufacturer’s website, and see if there is a newer version. Download this to your PC or Mac, then access your router’s controls via its internal IP address (this is usually standard for each manufacturer, and available either in your manual, or via the manufacturer’s site).

Advanced users may want to try some of the existing replacements for router firmware.  ESET Malware Researcher Olivier Bilodeau says “For the relatively advanced consumer: install an alternative open source firmware on your router.” These are replacement versions of the official firmware – and often more secure. This is not for beginner PC users, but clear instructions can be found online as to how to install.

Check your settings again

Changing passwords is an essential first step – but it’s worth checking back that your router’s settings haven’t changed, as this can be a problem with some models.

Harley says that users should always, “Change default router administrator usernames and passwords, and change the default SSID.” The SSID is the name of the network – which is broadcast to anywhere within Wi-Fi range. Leaving it as a default can broadcast information that is useful to an attacker – such as the model of router you are using, or whether you are using one supplied by your ISP. When choosing a new network name, avoid any personally identifying information such as your name or house number.

It’s worth considering making yours a “hidden network” – disabling the broadcast of the SSID’s name. That way you’re less visible to attackers – and to connect new devices, simply type in your network’s name on the gadget.

Harley warns that these precautions can be wasted if your router’s software is updated – which can occasionally revert settings to the default. “After any update, check these settings have not reverted,” he says.

WEP is not your friend

If your family or business has had the same router for  a long time, you may be using WEP – an outdated form of encryption that can be cracked easily, even by unskilled hackers. Most new routers will use the more secure WPA2 standard – but if your router has been around for a while, it’s possible family members may have chosen WEP to connect older devices such as Nintendo’s first DS handheld. “Don’t use WEP encryption, if anyone still is,” Harley says. “If the router doesn’t allow anything else, time to change it. WPA2 is reasonably secure.”

Even if you’ve had trouble connecting mobile devices to a network, leaving it “open” is always a bad idea. Harley says, “ If you’re not using encryption at all, fix it.”

Know who is connecting to your network

Harley says that controlling which devices can connect to a network offers another layer of reassurance. “MAC filtering reduces the risk from intruder machines using your network,” he says.

Any PC or mobile computing device has a unique identifying number known as a MAC address. If you access your router’s settings, you can select which devices can and cannot connect to your network – meaning for instance, a neighbor couldn’t log in, or a teenage visitor could not access unsuitable sites via a smartphone.

Add the MAC addresses of all authorized devices in the home – iPhones, tablets, laptops etc. – to the router’s authorized list. No other device will then be allowed on the network. You can find the MAC addresses of mobile phones and other portable devices under their network settings, though this will vary for each device. Check with the manufacturer.

The organization hopes to develop a means to deliver updates to routers automatically, with firmware signatures fetched via the privacy-focused Tor service to prevent targeted attacks.

The project was launched by privacy and security group the Electronic Frontier Foundation, and is currently under test – the organization has invited hackers and researchers to “test, develop, improve and harden” the software, which will run on a popular Netgear Wi-Fi router.

Author Rob Waugh, We Live Security

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.