Last update: March 17, 2019. This website uses cookies. By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. More information

 Actions

Router and Local Area Network Security

Introduction[edit]


Based on the threat posed by a Whonix-Gateway ™ compromise, users who have administrator control over the home network are strongly recommended to lock down the web interface of the home router and apply the strictest settings possible.

The State of Router Insecurity[edit]

Most routers provided by ISPs and those widely available in electronics stores are profoundly insecure, have outdated software and firmware, enable settings by default that open exploit opportunities, and remain vulnerable if users fail to take appropriate steps. [1]

Many experienced users who are concerned about computing security overlook these problems and instead focus on general operating system and networking solutions, rather than this weak endpoint frequently targeted by attackers, including state-level adversaries. Compromised routers can easily spy on a user's activities, conduct man-in-the-middle attacks, alter unencrypted data, or send the user to websites that masquerade as webmail or on-line banking portals. [2]

Suitable Hardware and Router Configurations[edit]

Experts routinely advise that low-grade routers should be avoided. Cheap models often fail to notify of firmware updates that patch security vulnerabilities, have limitations on password length for administrator access, and typically come as a less-secure, combined modem/router unit.

Users should consider upgrading to a commercial-grade router that is normally intended for small businesses as a sensible investment in security. Further, it is safer to have a personally owned routing device that connects to an ISP-provided modem/router in order to maximize administrative control over routing and wireless features of the home network.

Before purchase, check the router has firewall capabilities and that it supports Network Address Translation (NAT), so internal systems cannot be directly accessed from the Internet. Also check whether the router can be configured off-line, which is an advantage. Disconnect or turn-off routers/modems when they are not in use. [2] [3]

Accessing Router Settings[edit]

To access and change router settings, the router's IP address must be typed into the web browser address bar. Next, enter the administrative login and password when prompted. If the default login credentials are unknown, check the following list and search by manufacturer and model.

Routers usually have a common address like: 192.168.1.1, but there are many variations depending on the make and model. Check the router manual to determine the correct address or alternatively research the manufacturer's website to discover it. [4] If it is still not possible to identify the relevant router address for access, terminal commands can be used to trace the IP route or various networking tools can be accessed to discover it.

Linux[edit]

On Linux operating systems, run the following command in a terminal. In Qubes-Whonix ™, this command is run in the NetVM terminal.

ip route

The output starting with "default via XXX.XXX.XXX.XXX" is the relevant router IP address for changing settings.

Another alternative is to utilize the network icon, which is available on most Linux desktops: Right-click the network iconSelect "Connection Information" or similar.

The IP address displayed next to "Default Route" or "Gateway" is the relevant address required. [5]

macOS[edit]

In a terminal, run. [6]

ifconfig

This command will show all the interfaces and their respective IP and MAC addresses.

Alternatively, look for the relevant network settings under: System PreferencesNetworkTCP/IP (hardwired) or Wi-Fi (wireless) section. [7]

Windows[edit]

To find the router IP address in Windows, open a command prompt: StartSearch boxType cmd

In the terminal, run.

ipconfig

The output should reveal the relevant IP address next to the "Default Gateway."

Alternatively, look for the relevant network settings under: Control PanelNetwork and InternetView network status and tasksLeft-click on the appropriate connectionLeft-click on "Details".

The router's IP address is to the right of the IPv4 Default Gateway. Further network and router configuration information can be found here.

Recommended Router Settings[edit]

General Router Settings[edit]

The following settings are recommended to lock down the router.

Table: Router Access, Configuration, Management and Service Recommendations [1] [2] [8]

Category Recommendations
Browser Access

Use the browser's incognito or private mode when accessing the administrative interface so the URL is not saved in the browser history. Avoid:

  • Administrating the router with a smartphone application.
  • Mesh router systems that deny local administrative access.
Firewall
  • Reconfigure the router firewall rules to drop all relevant incoming packets.
  • Firewall ports should be set to "stealth" rather than "closed". This way no response is given to unsolicited external communications from attackers probing the network.
Firmware Keep router firmware up-to-date at all times for better security. Set the self-updating firmware option if it is available.
Logging Set logging to on, if the feature is available. This allows for a record of unsolicited incoming connection attempts, attempted logins and so on.
Port Forwarding If port forwarding is necessary, it should be limited to a source IP address and/or source IP address subnet.
Remote Access
  • Disable remote administrative access and administrative access over Wi-Fi. Set administrator access only via wired ethernet connections (not possible with mesh routers).
  • Disable all other remote-access protocols like PING, Telnet and SSH.
  • If offered, disable cloud-based router management because trust is shifted to another person between the user and the router.
Router Test Use Gibson Research Corp.'s Shields Up port-scanning service to test the router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator.
Service Disabling
SSID Service Set ID Change the Service Set ID (SSID) which often leaks router information. Do not use personally identifying information like the apartment number you live in.
Username and Password Change the default router username and password to something suitably long and random using a Diceware passphrase. [9]
Web Interface Disable the HTTP interface and enable the HTTPS interface instead, preferably on a non-standard port. For example: https://192.168.1.1:82 instead of http://192.168.1.1

Wireless Network Router Settings[edit]

Wi-Fi Warning[edit]

Contemporary research has discovered a number of faults with the WPA2 and WPA3 security protocols. For instance:

  • This 2016 paper found faults with WPA2 encryption due to flawed 802.11 random number generation (generating insufficient entropy), downgrade attacks on group keys transmitted in the 4-way handshake (forcing usage of RC4 encryption), decryption of the 128-bit group key, and injection of group traffic into unicast traffic. This meant unicast wifi traffic could be decrypted. [10]
  • The KRACK attack family of vulnerabilities demonstrated a fatal flaw in the way WPA2 handshakes were negotiated allowing an attacker to decrypt (but not modify) data on the Wi-Fi LAN. The efficacy of the fixes are platform dependent and were mitigated provided that the devices received updates after it was announced. Suggestions have been made to the Wi-Fi Alliance standard body to guard against it in the future.
  • In 2019, five vulnerabilities were announced in the Wi-Fi WPA3 standard as well by the same researchers behind the KRACK attacks; two downgrade attacks, two-side channel information leaks and one denial of service attack. Consequently, adversaries in range of the user's network can discover the Wi-Fi passphrase for infiltration purposes. These attacks also work against the Extensible Authentication Protocol that is supported in the previous WPA / WPA2 Wi-Fi authentication standard. [11] [12]

Although various countermeasures are reported and software is available which corrects these problems, they also require firmware updates from Wi-Fi product vendors which may be rare or impossible depending on the product in question. The researchers still view WPA3 as an improvement over WPA2, but criticize the opaqueness of the standardizing bodies in making flawed decisions that have been considered beforehand.

Recommendations[edit]

Table: Wi-Fi Configuration, Services and Protocol Recommendations [2] [4] [8]

Category Recommendations
Services/Daemons Perhaps the most important implications of this is to assume availability of data transferred between devices on a Wi-Fi LAN to attackers. Most FLOSS services have a robust encryption option implemented in their settings which need to be toggled or used to ensure data security.
DHCP Leases Limit the number of Dynamic Host Configuration Protocol (DHCP) leases (connects) to the Wi-Fi network to match the number of personal devices owned.
Guest Access If the Wi-Fi network will be accessed by visitors, set up a guest network that turns itself off after a set period.
MAC Filtering Enable MAC Filtering so only specific devices may connect to the network.
Network Availability If possible, schedule Wi-Fi networks to turn off at night and then turn on in the morning.
Protocols
  • Disable Wi-Fi Protected Setup (WPS) because it allows any device to connect to the network with the relevant eight-digit PIN.
  • Do not rely on the WEP and WPA standards which are cryptographically weak and have known security weaknesses. Use the WPA2 standard so only authorized users can use the network. [13]
  • Use routers that exclusively use WPA2, preferably with the AES standard (CCMP) and not TKIP which is less secure.
SSID Broadcasting Do not bother disabling SSID broadcasting since it is trivial to guess.
WAN Requests Enable the "Block WAN Requests" option to conceal the network from other Internet users.
Wi-Fi Band If possible, use the 5-GHz band for Wi-Fi instead of the standard 2.4GHz band -- the 5 GHz band does not travel as far.

Router Firmware[edit]

Strong consideration should be given to flashing the wired/wireless router with an open-source GNU/Linux distribution. Solutions such as OpenWrt and DD-WRT provide firmware that is suitable for a large variety of wired and wireless routers and embedded systems.

The strengths of this approach are openness, regularly updated firmware images, greater functionality (fully-featured), less bloat and more control over router behavior. The downside is that open-source firmware is not free of bugs; careful research is required before attempting this procedure. Check the online guides for instructions on how to proceed and whether the home router is compatible with the available firmware.

References[edit]

  1. 1.0 1.1 https://www.defcon.org/images/defcon-18/dc-18-presentations/Heffner/DEFCON-18-Heffner-Routers.pdf
  2. 2.0 2.1 2.2 2.3 https://www.tomsguide.com/us/home-router-security,news-19245.html
  3. https://www.usar.army.mil/Portals/98/Documents/Slicksheet_BestPracticesForKeepingYourHomeNetworkSecure.pdf
  4. 4.0 4.1 https://www.pcworld.com/article/243290/how_to_lock_down_your_wireless_network.html
  5. https://www.howtogeek.com/233952/how-to-find-your-routers-ip-address-on-any-computer-smartphone-or-tablet/
  6. https://apple.stackexchange.com/questions/20547/how-do-i-find-my-ip-address-from-the-command-line
  7. http://osxdaily.com/2011/10/05/find-router-ip-address-mac/
  8. 8.0 8.1 http://routersecurity.org/checklist.php
  9. It may be sensible to tape this on the router so it is not lost in the future.
  10. We tested this attack against an Asus RT-AC51U and a laptop running Windows 7. The group key was obtained by exploiting the weak random number generator as discussed in Section 3.4.1. In order to successfully perform the ARP poisoning attack against Windows, we injected malicious ARP requests. First, we were able to successfully inject the ARP packets using the group key. This confirms that the group key can be used to inject unicast packets. Once we poisoned the ARP cache of both the victim and router, they transmitted all their packets towards the broadcast MAC address. At this point we were able to successfully decrypt these broadcast packets using the group key, and read out the unicast IP packets sent by both the victim and router.

  11. https://www.zdnet.com/article/dragonblood-vulnerabilities-disclosed-in-wifi-wpa3-standard/
  12. Both the two downgrade attacks and two side-channel leaks exploit design flaws in the WPA3 standard's Dragonfly key exchange --the mechanism through which clients authenticate on a WPA3 router or access point.

    In a downgrade attack, WiFi WPA3-capable networks can be tricked in using older and more insecure password negotiation schemes, allowing attackers to retrieve the network passwords using older flaws.

    In a side-channel information leak attack, WiFi WPA3-capable networks can trick devices into using weaker algorithms that leak small amounts of information about the network password. With repeated attacks, the full password can eventually be recovered.

  13. Usually the WPA2 Personal standard is fine; the WPA2 Enterprise version is only required for businesses.

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

Please help us to improve the Whonix Wikipedia Page. Also see the feedback thread.


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.