Actions

Router and Local Area Network Security

From Whonix


Introduction[edit]

Ambox warning pn.svg.png If Whonix-Gateway ™ is ever compromised, it can theoretically access any computer in the local area network (LAN) [archive].

Based on the threat posed by a Whonix-Gateway ™ compromise, those who have administrator control over the home network are strongly recommended to lock down the web interface of the home router and apply the strictest settings possible.

The State of Router Insecurity[edit]

Most routers provided by ISPs and those widely available in electronics stores are profoundly insecure, have outdated software and firmware, enable settings by default that open exploit opportunities, and remain vulnerable if appropriate steps are not taken. [1]

Many experienced users who are concerned about computing security overlook these problems. Instead, they focus on general operating system and networking solutions, rather than this weak endpoint frequently targeted by attackers (including state-level adversaries). Compromised routers can easily spy on activities, conduct man-in-the-middle attacks, alter unencrypted data, or redirect connections to websites that masquerade as webmail or on-line banking portals. [2]

Suitable Hardware and Router Configurations[edit]

Experts routinely advise that low-grade routers should be avoided, since cheap models often come with these limitations:

  • Notification failures regarding firmware updates that patch security vulnerabilities.
  • Restrictions on password length for administrator access.
  • The less-secure, combined modem/router devices are common.

As a sensible investment in security, give consideration to purchasing a commercial-grade router that is normally intended for small businesses. It is also safer to have a personally owned routing device that connects to an ISP-provided modem/router because this maximizes administrative control over routing and wireless features of the home network.

Before the final purchase, check the router has firewall capabilities and that it supports Network Address Translation (NAT), so internal systems cannot be directly accessed from the Internet. Also check whether the router can be configured off-line, which is an advantage. Disconnect or turn-off routers/modems when they are not in use. [2] [3]

Accessing Router Settings[edit]

To access and change router settings, the router's IP address must be typed into the web browser address bar. Next, enter the administrative login and password when prompted. If the default login credentials are unknown, check the following list [archive] and search by manufacturer and model.

Routers usually have a common address like: 192.168.1.1, but there are many variations depending on the make and model. Check the router manual to determine the correct address or alternatively research the manufacturer's website to discover it. [4] If it is still not possible to identify the relevant router address for access, terminal commands can be used to trace the IP route or various networking tools can be accessed to discover it.

Linux[edit]

On Linux operating systems, run the following command in a terminal. In Qubes-Whonix ™, this command is run in the NetVM terminal.

ip route

The output starting with "default via XXX.XXX.XXX.XXX" is the relevant router IP address for changing settings.

Another alternative is to utilize the network icon, which is available on most Linux desktops: Right-click the network iconSelect "Connection Information" or similar.

The IP address displayed next to "Default Route" or "Gateway" is the relevant address required. [5]

macOS[edit]

In a terminal, run. [6]

ifconfig

This command will show all the interfaces and their respective IP and MAC addresses.

Alternatively, look for the relevant network settings under: System PreferencesNetworkTCP/IP (hardwired) or Wi-Fi (wireless) section. [7]

Windows[edit]

To find the router IP address in Windows, open a command prompt: StartSearch boxType cmd

In the terminal, run.

ipconfig

The output should reveal the relevant IP address next to the "Default Gateway."

Alternatively, look for the relevant network settings under: Control PanelNetwork and InternetView network status and tasksLeft-click on the appropriate connectionLeft-click on "Details".

The router's IP address is to the right of the IPv4 Default Gateway. Further network and router configuration information can be found here [archive].

Recommended Router Settings[edit]

Info Many router models do not allow changes to the specific settings discussed in this section.

General Router Settings[edit]

The following settings are recommended to lock down the router.

Table: Router Access, Configuration, Management and Service Recommendations [1] [2] [8]

Category Recommendations
Browser Access

Use the browser's incognito or private mode when accessing the administrative interface so the URL is not saved in the browser history. Avoid:

  • Administrating the router with a smartphone application.
  • Mesh router systems that deny local administrative access.
Firewall
  • Reconfigure the router firewall rules to drop all relevant incoming packets.
  • Firewall ports should be set to "stealth" rather than "closed". This way no response is given to unsolicited external communications from attackers probing the network.
Firmware Keep router firmware up-to-date at all times for better security. Set the self-updating firmware option if it is available.
Logging Set logging to on, if the feature is available. This allows for a record of unsolicited incoming connection attempts, attempted logins and so on.
Port Forwarding If port forwarding is necessary, it should be limited to a source IP address and/or source IP address subnet.
Remote Access
  • Disable remote administrative access and administrative access over Wi-Fi. Set administrator access only via wired ethernet connections (not possible with mesh routers).
  • Disable all other remote-access protocols like PING [archive], Telnet [archive] and SSH [archive].
  • If offered, disable cloud-based router management because trust is shifted to another person between the user and the router.
Router Test Use Gibson Research Corp.'s Shields Up port-scanning service [archive] to test the router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator.
Service Disabling
SSID Service Set ID Change the Service Set ID (SSID) [archive] which often leaks router information. Do not use personally identifying information like the apartment number you live in.
Username and Password Change the default router username and password to something suitably long and random using a Diceware passphrase. [9]
Web Interface Disable the HTTP interface and enable the HTTPS interface instead, preferably on a non-standard port. For example: https://192.168.1.1:82 [archive] instead of http://192.168.1.1 [archive]

Wireless Network Router Settings[edit]

Wi-Fi Warning[edit]

Contemporary research has discovered a number of faults with the WPA2 and WPA3 security protocols. For instance:

  • This 2016 paper [archive] found faults with WPA2 encryption due to flawed 802.11 random number generation (generating insufficient entropy), downgrade attacks on group keys transmitted in the 4-way handshake (forcing usage of RC4 encryption), decryption of the 128-bit group key, and injection of group traffic into unicast traffic. This meant unicast wifi traffic could be decrypted. [10]
  • The KRACK attack [archive] family of vulnerabilities demonstrated a fatal flaw in the way WPA2 handshakes were negotiated allowing an attacker to decrypt (but not modify) data on the Wi-Fi LAN. The efficacy of the fixes are platform dependent and were mitigated provided that the devices received updates after it was announced. Suggestions have been made to the Wi-Fi Alliance standard body to guard against it in the future.
  • In 2019, five vulnerabilities were announced in the Wi-Fi WPA3 standard [archive] as well by the same researchers behind the KRACK attacks; two downgrade attacks, two-side channel information leaks and one denial of service attack. Consequently, adversaries in range of the user's network can discover the Wi-Fi passphrase for infiltration purposes. These attacks also work against the Extensible Authentication Protocol that is supported in the previous WPA / WPA2 Wi-Fi authentication standard. [11] [12]

Although various countermeasures are reported and software is available which corrects these problems, they also require firmware updates from Wi-Fi product vendors. These may be rare or impossible depending on the product in question. The researchers still view WPA3 as an improvement over WPA2, but criticize the opaqueness of the standardizing bodies in making flawed decisions that have been considered beforehand.

Recommendations[edit]

Table: Wi-Fi Configuration, Services and Protocol Recommendations [2] [4] [8]

Category Recommendations
DHCP Leases Limit the number of Dynamic Host Configuration Protocol (DHCP) [archive] leases (connects) to the Wi-Fi network to match the number of personal devices owned.
Guest Access If the Wi-Fi network will be accessed by visitors, set up a guest network that turns itself off after a set period.
MAC Filtering Enable MAC Filtering so only specific devices may connect to the network.
Network Availability If possible, schedule Wi-Fi networks to turn off at night and then turn on in the morning.
Protocols
Services/Daemons It is safest to assume data transferred between devices on a Wi-Fi LAN is available to attackers. Most FLOSS services have a robust encryption option implemented in their settings which needs to be toggled/used to ensure data security.
SSID Broadcasting Do not bother disabling SSID broadcasting since it is trivial to guess.
WAN Requests Enable the "Block WAN Requests" option to conceal the network from other Internet users.
Wi-Fi Band If possible, use the 5-GHz band for Wi-Fi instead of the standard 2.4GHz band -- the 5 GHz band does not travel as far.

Router Firmware[edit]

Strong consideration should be given to flashing the wired/wireless router with an open-source GNU/Linux distribution. Solutions such as OpenWrt [archive] and DD-WRT [archive] provide firmware that is suitable for a large variety of wired and wireless routers and embedded systems.

The strengths of this approach are openness, regularly updated firmware images, greater functionality (fully-featured options), less bloat and more control over router behavior. The downside is that open-source firmware is not free of bugs; careful research is required before attempting this procedure. Check the online guides for instructions on how to proceed and whether the home router is compatible with the available firmware.

References[edit]

  1. 1.0 1.1 https://www.defcon.org/images/defcon-18/dc-18-presentations/Heffner/DEFCON-18-Heffner-Routers.pdf [archive]
  2. 2.0 2.1 2.2 2.3 https://www.tomsguide.com/us/home-router-security,news-19245.html [archive]
  3. https://www.usar.army.mil/Portals/98/Documents/Slicksheet_BestPracticesForKeepingYourHomeNetworkSecure.pdf [archive]
  4. 4.0 4.1 https://www.pcworld.com/article/243290/how_to_lock_down_your_wireless_network.html [archive]
  5. https://www.howtogeek.com/233952/how-to-find-your-routers-ip-address-on-any-computer-smartphone-or-tablet/ [archive]
  6. https://apple.stackexchange.com/questions/20547/how-do-i-find-my-ip-address-from-the-command-line [archive]
  7. http://osxdaily.com/2011/10/05/find-router-ip-address-mac/ [archive]
  8. 8.0 8.1 https://routersecurity.org/checklist.php [archive]
  9. It may be sensible to tape this on the router so it is not lost in the future.
  10. We tested this attack against an Asus RT-AC51U and a laptop running Windows 7. The group key was obtained by exploiting the weak random number generator as discussed in Section 3.4.1. In order to successfully perform the ARP poisoning attack against Windows, we injected malicious ARP requests. First, we were able to successfully inject the ARP packets using the group key. This confirms that the group key can be used to inject unicast packets. Once we poisoned the ARP cache of both the victim and router, they transmitted all their packets towards the broadcast MAC address. At this point we were able to successfully decrypt these broadcast packets using the group key, and read out the unicast IP packets sent by both the victim and router.

  11. https://www.zdnet.com/article/dragonblood-vulnerabilities-disclosed-in-wifi-wpa3-standard/ [archive]
  12. Both the two downgrade attacks and two side-channel leaks exploit design flaws in the WPA3 standard's Dragonfly key exchange --the mechanism through which clients authenticate on a WPA3 router or access point.

    In a downgrade attack, WiFi WPA3-capable networks can be tricked in using older and more insecure password negotiation schemes, allowing attackers to retrieve the network passwords using older flaws.

    In a side-channel information leak attack, WiFi WPA3-capable networks can trick devices into using weaker algorithms that leak small amounts of information about the network password. With repeated attacks, the full password can eventually be recovered.

  13. Usually the WPA2 Personal standard is fine; the WPA2 Enterprise version is only required for businesses.


Did you know that Whonix could provide protection against backdoors [archive]? See Verifiable Builds [archive]. Help is wanted and welcomed.

https [archive] | (forcing) onion [archive]
Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.

Monero donate whonix.png