Router and Local Area Network Security
Based on the threat posed by a Whonix-Gateway ™ compromise, those who have administrator control over the home network are strongly recommended to lock down the web interface of the home router and apply the strictest settings possible.
The State of Router Insecurity
Most routers provided by ISPs and those widely available in electronics stores are profoundly insecure, have outdated software and firmware, enable settings by default that open exploit opportunities, and remain vulnerable if appropriate steps are not taken. 
Many experienced users who are concerned about computing security overlook these problems. Instead, they focus on general operating system and networking solutions, rather than this weak endpoint frequently targeted by attackers (including state-level adversaries). Compromised routers can easily spy on activities, conduct man-in-the-middle attacks, alter unencrypted data, or redirect connections to websites that masquerade as webmail or on-line banking portals. 
Suitable Hardware and Router Configurations
Experts routinely advise that low-grade routers should be avoided, since cheap models often come with these limitations:
- Notification failures regarding firmware updates that patch security vulnerabilities.
- Restrictions on password length for administrator access.
- The less-secure, combined modem/router devices are common.
As a sensible investment in security, give consideration to purchasing a commercial-grade router that is normally intended for small businesses. It is also safer to have a personally owned routing device that connects to an ISP-provided modem/router because this maximizes administrative control over routing and wireless features of the home network.
Before the final purchase, check the router has firewall capabilities and that it supports Network Address Translation (NAT), so internal systems cannot be directly accessed from the Internet. Also check whether the router can be configured off-line, which is an advantage. Disconnect or turn-off routers/modems when they are not in use.  
Accessing Router Settings
To access and change router settings, the router's IP address must be typed into the web browser address bar. Next, enter the administrative login and password when prompted. If the default login credentials are unknown, check the following list [archive] and search by manufacturer and model.
Routers usually have a common address like:
192.168.1.1, but there are many variations depending on the make and model. Check the router manual to determine the correct address or alternatively research the manufacturer's website to discover it.  If it is still not possible to identify the relevant router address for access, terminal commands can be used to trace the IP route or various networking tools can be accessed to discover it.
On Linux operating systems, run the following command in a terminal. In Qubes-Whonix ™, this command is run in the NetVM terminal.
The output starting with "default via XXX.XXX.XXX.XXX" is the relevant router IP address for changing settings.
Another alternative is to utilize the network icon, which is available on most Linux desktops:
Right-click the network icon →
Select "Connection Information" or similar.
The IP address displayed next to "Default Route" or "Gateway" is the relevant address required. 
In a terminal, run. 
This command will show all the interfaces and their respective IP and MAC addresses.
Alternatively, look for the relevant network settings under:
System Preferences →
TCP/IP (hardwired) or
Wi-Fi (wireless) section. 
To find the router IP address in Windows, open a command prompt:
Search box →
In the terminal, run.
The output should reveal the relevant IP address next to the "Default Gateway."
Alternatively, look for the relevant network settings under:
Control Panel →
Network and Internet →
View network status and tasks →
Left-click on the appropriate connection →
Left-click on "Details".
The router's IP address is to the right of the IPv4 Default Gateway.
Recommended Router Settings
General Router Settings
The following settings are recommended to lock down the router.
Use the browser's incognito or private mode when accessing the administrative interface so the URL is not saved in the browser history. Avoid:
|Firmware||Keep router firmware up-to-date at all times for better security. Set the self-updating firmware option if it is available.|
|Logging||Set logging to on, if the feature is available. This allows for a record of unsolicited incoming connection attempts, attempted logins and so on.|
|Port Forwarding||If port forwarding is necessary, it should be limited to a source IP address and/or source IP address subnet.|
|Router Test||Use Gibson Research Corp.'s Shields Up port-scanning service [archive] to test the router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator.|
|SSID Service Set ID||Change the Service Set ID (SSID) [archive] which often leaks router information. Do not use personally identifying information like the apartment number you live in.|
|Username and Password||Change the default router username and password to something suitably long and random using a Diceware passphrase. |
|Web Interface||Disable the HTTP interface and enable the HTTPS interface instead, preferably on a non-standard port. For example: |
Wireless Network Router Settings
Contemporary research has discovered a number of faults with the WPA2 and WPA3 security protocols. For instance:
- This 2016 paper [archive] found faults with WPA2 encryption due to flawed 802.11 random number generation (generating insufficient entropy), downgrade attacks on group keys transmitted in the 4-way handshake (forcing usage of RC4 encryption), decryption of the 128-bit group key, and injection of group traffic into unicast traffic. This meant unicast wifi traffic could be decrypted. 
- The KRACK attack [archive] family of vulnerabilities demonstrated a fatal flaw in the way WPA2 handshakes were negotiated allowing an attacker to decrypt (but not modify) data on the Wi-Fi LAN. The efficacy of the fixes are platform dependent and were mitigated provided that the devices received updates after it was announced. Suggestions have been made to the Wi-Fi Alliance standard body to guard against it in the future.
- In 2019, five vulnerabilities were announced in the Wi-Fi WPA3 standard [archive] as well by the same researchers behind the KRACK attacks; two downgrade attacks, two-side channel information leaks and one denial of service attack. Consequently, adversaries in range of the user's network can discover the Wi-Fi passphrase for infiltration purposes. These attacks also work against the Extensible Authentication Protocol that is supported in the previous WPA / WPA2 Wi-Fi authentication standard.  
Although various countermeasures are reported and software is available which corrects these problems, they also require firmware updates from Wi-Fi product vendors. These may be rare or impossible depending on the product in question. The researchers still view WPA3 as an improvement over WPA2, but criticize the opaqueness of the standardizing bodies in making flawed decisions that have been considered beforehand.
|DHCP Leases||Limit the number of Dynamic Host Configuration Protocol (DHCP) [archive] leases (connects) to the Wi-Fi network to match the number of personal devices owned.|
|Guest Access||If the Wi-Fi network will be accessed by visitors, set up a guest network that turns itself off after a set period.|
|MAC Filtering||Enable MAC Filtering so only specific devices may connect to the network.|
|Network Availability||If possible, schedule Wi-Fi networks to turn off at night and then turn on in the morning.|
|Services/Daemons||It is safest to assume data transferred between devices on a Wi-Fi LAN is available to attackers. Most FLOSS services have a robust encryption option implemented in their settings which needs to be toggled/used to ensure data security.|
|SSID Broadcasting||Do not bother disabling SSID broadcasting since it is trivial to guess.|
|WAN Requests||Enable the "Block WAN Requests" option to conceal the network from other Internet users.|
|Wi-Fi Band||If possible, use the 5-GHz band for Wi-Fi instead of the standard 2.4GHz band -- the 5 GHz band does not travel as far.|
Strong consideration should be given to flashing the wired/wireless router with an open-source GNU/Linux distribution. Solutions such as OpenWrt [archive] and DD-WRT [archive] provide firmware that is suitable for a large variety of wired and wireless routers and embedded systems.
The strengths of this approach are openness, regularly updated firmware images, greater functionality (fully-featured options), less bloat and more control over router behavior. The downside is that open-source firmware is not free of bugs; careful research is required before attempting this procedure. Check the online guides for instructions on how to proceed and whether the home router is compatible with the available firmware.
- https://www.defcon.org/images/defcon-18/dc-18-presentations/Heffner/DEFCON-18-Heffner-Routers.pdf [archive]
- https://www.tomsguide.com/us/home-router-security,news-19245.html [archive]
- https://www.usar.army.mil/Portals/98/Documents/Slicksheet_BestPracticesForKeepingYourHomeNetworkSecure.pdf [archive]
- https://www.pcworld.com/article/243290/how_to_lock_down_your_wireless_network.html [archive]
- https://www.howtogeek.com/233952/how-to-find-your-routers-ip-address-on-any-computer-smartphone-or-tablet/ [archive]
- https://apple.stackexchange.com/questions/20547/how-do-i-find-my-ip-address-from-the-command-line [archive]
- http://osxdaily.com/2011/10/05/find-router-ip-address-mac/ [archive]
- https://routersecurity.org/checklist.php [archive]
- It may be sensible to tape this on the router so it is not lost in the future.
We tested this attack against an Asus RT-AC51U and a laptop running Windows 7. The group key was obtained by exploiting the weak random number generator as discussed in Section 3.4.1. In order to successfully perform the ARP poisoning attack against Windows, we injected malicious ARP requests. First, we were able to successfully inject the ARP packets using the group key. This confirms that the group key can be used to inject unicast packets. Once we poisoned the ARP cache of both the victim and router, they transmitted all their packets towards the broadcast MAC address. At this point we were able to successfully decrypt these broadcast packets using the group key, and read out the unicast IP packets sent by both the victim and router.
- https://www.zdnet.com/article/dragonblood-vulnerabilities-disclosed-in-wifi-wpa3-standard/ [archive]
Both the two downgrade attacks and two side-channel leaks exploit design flaws in the WPA3 standard's Dragonfly key exchange --the mechanism through which clients authenticate on a WPA3 router or access point.
In a downgrade attack, WiFi WPA3-capable networks can be tricked in using older and more insecure password negotiation schemes, allowing attackers to retrieve the network passwords using older flaws.
In a side-channel information leak attack, WiFi WPA3-capable networks can trick devices into using weaker algorithms that leak small amounts of information about the network password. With repeated attacks, the full password can eventually be recovered.
- Usually the WPA2 Personal standard is fine; the WPA2 Enterprise version is only required for businesses.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)