Dec
6
Keeping Your Home Broadband Connection Secure
Filed Under Computers & Tech, Security on December 6, 2007 at 5:07 pm
Note: This articles was written for, and first published in, the NUI Maynooth student news paper The Maynooth Advocate.
With the recent Eircom controversy the security of our home networks has at last come to the attention of the press. That attention has focused mainly on one particular flaw in Eircom wireless routers but all broadband users could do with giving their broadband connection a quick security once-over.
Because wireless networks don’t respect property boundaries but instead permeate out onto the street and into your neighbours gardens and houses they are obviously more at risk than wired home networks. That’s why I’m going to mostly concentrate on wireless security in this article but before I do I just want to point out two simple security concerns that affect just about all broadband routers, wireless or not.
Firstly, most routers are configured via a web interface. You need to take steps to protect this interface from attack because it basically controls access to your home network. You need to make sure that this interface is not being served out to the world but instead restricted to access from just your home network. Different routers use different wording to describe this option but you want to be sure to disable anything called “remote administration” or which mentions allowing access to the configuration pages from the “WAN” interface, the “external” interface, or the “public internet” or similar. If you leave this on anyone on the planet can potentially access those pages and reconfigure your router for their own nefarious ends. Even if you have a password set you should still block this, there are ways to get by such passwords. If the interface is not accessible at all then it can’t be hacked!
Speaking of passwords, what ever you do make sure you have one set on your router and make sure it is not the default one that came with the router. If you can access the configuration pages for your router without entering a password then you have a problem. Some routers come with no password set, others with a simple default like all zeros or something equally insecure. If you leave this password as-is your router can be taken over EVEN IF REMOTE ADMINISTRATION IS TURNED OFF. This can be done in many ways but the most common method is to trick you into visiting a web page which contains malicious JavaScript code. This code will not be picked up by virus scanners because it is doing something JavaScript is designed to do, call a web page from within a web page (AJAX). This is generally not a problem but in the case of these attacks the web page that JavaScript is interacting with behind the scenes is your router configuration! If it has no password set then it’s trivially easy for such a JavaScript program to re-program your router to let attackers into your network. This would happen behind your back and without anything obvious happening on screen. What I’m describing here is not a hypothetical attack, incidents been reported out in the real world.
Finally, before we move on to talking about wireless security I also want to advise you to turn off a feature called Universal Plug and Play, or UPnP, if it is turned on in your router’s configuration. This lets programs on your home network silently and invisibly re-program your router behind your back without needing a password or any form of confirmation. This feature is an absolute God-send for any virus or other piece of nasty software that may make its way into your network. If you turn off UPnP you may have to manually configure port forwarding on your router for some games to work but you will be a lot safer for it. When it comes to deciding what to do about UPnP it’s a trade-off between security and ease of use for a limited number of games and programs. Most people don’t need UPnP yet many routers ship with it on by default.
OK, so now we come to wireless networks. I’ll cut straight to the core of the issue, it is absolutely vital that you encrypt the traffic that flows through your wireless network. If you don’t your neighbours or any passers-by can access your home network, intercept and read all your internet traffic, and steal your bandwidth. What’s worse, any criminal activity they might potentially get up to would be traced back to you, not them. Leaving your wireless network open is just asking for trouble.
Before discussing the different ways of encrypting your network I just want to squash a few urban legends. If you don’t know what these things mean ignore this paragraph. Firstly, MAC locking your network provides you no actual protection, it is trivial to bypass. Secondly, turning off SSID broadcasting is equally as pointless. Neither of these things provide any actual security and can be gotten around with even the most trivial hacking tools Google could point you to. These techniques should not be used in place of encryption, they are just pretend security, not actual security.
OK, so on to encryption. The way this works is that you choose an encryption scheme and then you set a key or a pass-phrase that all the computers that wish to use your wireless network will need to have. It is vitally important that this key be long and random. If it’s less than 30 characters long you’re wasting your time, short passwords can be easily cracked with freely available hacking tools. The simplest thing to do is to get a randomly generated password from a service on the web like the excellent one from GRC (http://www.grc.com/passwords) and then to save this password in a text file on a pendrive. When you want to add a machine to your network just insert this pendrive and copy and paste the key.
Having a strong password is only half the battle, your choice of encryption scheme makes a huge difference too. The first common form of wireless encryption used was called WEP which stands for ‘Wired Equivalent Privacy’. WEP is fundamentally flawed. It is broken. No matter how good your password it can be cracked in minutes using freely available tools. There are some devices which only support WEP. The most likely one you will have in your house is a Nintendo DS or a PC with a version of Windows before Windows XP. If you have devices which only support WEP then you have a hard choice to make, you can either have a secure network, or you can have these devices on your network, you can’t have both.
WEP was followed by WPA and later WPA2. WPA stands for ‘Wi-Fi Protected Access’ and comes in two different flavours, one for large corporate networks and one for small and home networks. The version of WPA or WPA2 which you want in your home is WPA-PSK, the PSK bit stands for ‘Pre-Shared Key’. WPA operates in the same way as WEP, you generate a key, add it to your router and then add it to each computer you want to connect to your network. If your router has WPA2 installed and all your computers support WPA2 then that is definitely your best choice. If not then WPA is still a very good choice. It is vulnerable to some attacks but if you use a long password you are still substantially safer than you would be using WEP. With WPA the length of your pass-phrase is really important, a network with a short key is about as insecure as a network running WEP.
So, in summary, no matter how you connect to the internet you need to make sure your router has remote administration disabled, that you’ve set a custom password on your router and that you’ve turned off UPnP if you don’t need it. If you have a wireless router you need to do all that as well as making sure you have wireless encryption enabled, are using a long and random passphrase and are using WPA2 or WPA if at all possible.
hey,im wondering how i could get one of these passwords?
Hi Ian, I’m not really sure what you mean. You generate your own passwords. If you like you can use services to generate them for you like http://www.grc.com/passwords
The way it works is that you set any password you like on the router and then you have to enter that same password on each machine connecting to your network.
Hope that helps, if not please feel free to ask a more specific question.
Bart.