Router and Local Area Network Security
- 1 Introduction
- 2 The State of Router Insecurity
- 3 Suitable Hardware and Router Configurations
- 4 Accessing Router Settings
- 5 Recommended Router Settings
- 6 References
If Whonix-Gateway ™ is ever compromised, it can theoretically access any computer in the local area network (LAN).
Based on the threat posed by a Whonix-Gateway ™ compromise, users who have administrator control over the home network are strongly recommended to lock down the web interface of the home router and apply the strictest settings possible.
The State of Router Insecurity
Most routers provided by ISPs and those widely available in electronics stores are profoundly insecure, have outdated software and firmware, enable settings by default that open exploit opportunities, and remain vulnerable if users fail to take appropriate steps. 
Many experienced users who are concerned about computing security overlook these problems and instead focus on general operating system and networking solutions, rather than this weak endpoint frequently targeted by attackers, including state-level adversaries. Compromised routers can easily spy on a user's activities, conduct man-in-the-middle attacks, alter unencrypted data, or send the user to websites that masquerade as webmail or on-line banking portals. 
Suitable Hardware and Router Configurations
Experts routinely advise that low-grade routers should be avoided. Cheap models often fail to notify of firmware updates that patch security vulnerabilities, have limitations on password length for administrator access, and typically come as a less-secure, combined modem/router unit.
Users should consider upgrading to a commercial-grade router that is normally intended for small businesses as a sensible investment in security. Further, it is safer to have a personally owned routing device that connects to an ISP-provided modem/router in order to maximize administrative control over routing and wireless features of the home network.
Before purchase, check the router has firewall capabilities and that it supports Network Address Translation (NAT), so internal systems cannot be directly accessed from the Internet. Also check whether the router can be configured off-line, which is an advantage. Disconnect or turn-off routers/modems when they are not in use.  
Accessing Router Settings
To access and change router settings, the router's IP address must be typed into the web browser address bar. Next, enter the administrative login and password when prompted. If the default login credentials are unknown, check the following list and search by manufacturer and model.
Routers usually have a common address like:
192.168.1.1, but there are many variations depending on the make and model. Check the router manual to determine the correct address or alternatively research the manufacturer's website to discover it.  If it is still not possible to identify the relevant router address for access, terminal commands can be used to trace the IP route or various networking tools can be accessed to discover it.
On Linux operating systems, run the following command in a terminal. In Qubes-Whonix ™, this command is run in the NetVM terminal.
The output starting with "default via XXX.XXX.XXX.XXX" is the relevant router IP address for changing settings.
Another alternative is to utilize the network icon, which is available on most Linux desktops:
Right-click the network icon →
Select "Connection Information" or similar.
The IP address displayed next to "Default Route" or "Gateway" is the relevant address required. 
In a terminal, run. 
This command will show all the interfaces and their respective IP and MAC addresses.
Alternatively, look for the relevant network settings under:
System Preferences →
TCP/IP (hardwired) or
Wi-Fi (wireless) section. 
To find the router IP address in Windows, open a command prompt:
Search box →
In the terminal, run.
The output should reveal the relevant IP address next to the "Default Gateway."
Alternatively, look for the relevant network settings under:
Control Panel →
Network and Internet →
View network status and tasks →
Left-click on the appropriate connection →
Left-click on "Details".
The router's IP address is to the right of the IPv4 Default Gateway. Further network and router configuration information can be found here.
Recommended Router Settings
Many router models do not allow the user to change specific settings discussed in this section.
General Router Settings
The following settings are recommended to lock down the router.
Use the browser's incognito or private mode when accessing the administrative interface so the URL is not saved in the browser history. Avoid:
|Firmware||Keep router firmware up-to-date at all times for better security. Set the self-updating firmware option if it is available.|
|Logging||Set logging to on, if the feature is available. This allows for a record of unsolicited incoming connection attempts, attempted logins and so on.|
|Port Forwarding||If port forwarding is necessary, it should be limited to a source IP address and/or source IP address subnet.|
|Router Test||Use Gibson Research Corp.'s Shields Up port-scanning service to test the router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator.|
|SSID Service Set ID||Change the Service Set ID (SSID) which often leaks router information. Do not use personally identifying information like the apartment number you live in.|
|Username and Password||Change the default router username and password to something suitably long and random using a Diceware passphrase. |
|Web Interface||Disable the HTTP interface and enable the HTTPS interface instead, preferably on a non-standard port. For example: |
Wireless Network Router Settings
Contemporary research has discovered a number of faults with the WPA2 and WPA3 security protocols. For instance:
- This 2016 paper found faults with WPA2 encryption due to flawed 802.11 random number generation (generating insufficient entropy), downgrade attacks on group keys transmitted in the 4-way handshake (forcing usage of RC4 encryption), decryption of the 128-bit group key, and injection of group traffic into unicast traffic. This meant unicast wifi traffic could be decrypted. 
- The KRACK attack family of vulnerabilities demonstrated a fatal flaw in the way WPA2 handshakes were negotiated allowing an attacker to decrypt (but not modify) data on the Wi-Fi LAN. The efficacy of the fixes are platform dependent and were mitigated provided that the devices received updates after it was announced. Suggestions have been made to the Wi-Fi Alliance standard body to guard against it in the future.
- In 2019, five vulnerabilities were announced in the Wi-Fi WPA3 standard as well by the same researchers behind the KRACK attacks; two downgrade attacks, two-side channel information leaks and one denial of service attack. Consequently, adversaries in range of the user's network can discover the Wi-Fi passphrase for infiltration purposes. These attacks also work against the Extensible Authentication Protocol that is supported in the previous WPA / WPA2 Wi-Fi authentication standard.  
Although various countermeasures are reported and software is available which corrects these problems, they also require firmware updates from Wi-Fi product vendors which may be rare or impossible depending on the product in question. The researchers still view WPA3 as an improvement over WPA2, but criticize the opaqueness of the standardizing bodies in making flawed decisions that have been considered beforehand.
|Services/Daemons||Perhaps the most important implications of this is to assume availability of data transferred between devices on a Wi-Fi LAN to attackers. Most FLOSS services have a robust encryption option implemented in their settings which need to be toggled or used to ensure data security.|
|DHCP Leases||Limit the number of Dynamic Host Configuration Protocol (DHCP) leases (connects) to the Wi-Fi network to match the number of personal devices owned.|
|Guest Access||If the Wi-Fi network will be accessed by visitors, set up a guest network that turns itself off after a set period.|
|MAC Filtering||Enable MAC Filtering so only specific devices may connect to the network.|
|Network Availability||If possible, schedule Wi-Fi networks to turn off at night and then turn on in the morning.|
|SSID Broadcasting||Do not bother disabling SSID broadcasting since it is trivial to guess.|
|WAN Requests||Enable the "Block WAN Requests" option to conceal the network from other Internet users.|
|Wi-Fi Band||If possible, use the 5-GHz band for Wi-Fi instead of the standard 2.4GHz band -- the 5 GHz band does not travel as far.|
Strong consideration should be given to flashing the wired/wireless router with an open-source GNU/Linux distribution. Solutions such as OpenWrt and DD-WRT provide firmware that is suitable for a large variety of wired and wireless routers and embedded systems.
The strengths of this approach are openness, regularly updated firmware images, greater functionality (fully-featured), less bloat and more control over router behavior. The downside is that open-source firmware is not free of bugs; careful research is required before attempting this procedure. Check the online guides for instructions on how to proceed and whether the home router is compatible with the available firmware.
- It may be sensible to tape this on the router so it is not lost in the future.
We tested this attack against an Asus RT-AC51U and a laptop running Windows 7. The group key was obtained by exploiting the weak random number generator as discussed in Section 3.4.1. In order to successfully perform the ARP poisoning attack against Windows, we injected malicious ARP requests. First, we were able to successfully inject the ARP packets using the group key. This confirms that the group key can be used to inject unicast packets. Once we poisoned the ARP cache of both the victim and router, they transmitted all their packets towards the broadcast MAC address. At this point we were able to successfully decrypt these broadcast packets using the group key, and read out the unicast IP packets sent by both the victim and router.
Both the two downgrade attacks and two side-channel leaks exploit design flaws in the WPA3 standard's Dragonfly key exchange --the mechanism through which clients authenticate on a WPA3 router or access point.
In a downgrade attack, WiFi WPA3-capable networks can be tricked in using older and more insecure password negotiation schemes, allowing attackers to retrieve the network passwords using older flaws.
In a side-channel information leak attack, WiFi WPA3-capable networks can trick devices into using weaker algorithms that leak small amounts of information about the network password. With repeated attacks, the full password can eventually be recovered.
- Usually the WPA2 Personal standard is fine; the WPA2 Enterprise version is only required for businesses.
No user support in comments. See Support.
Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)