Sensitive Data and your Work Computer
Author: Derek Burke, Technical Support Engineer, dburke@cubro.com
In the previous article, we discussed what we can do to protect sensitive data while working remotely as well as good practices to secure our computer systems against malware and exploits. In this section, we will take a look at what could be the most neglected piece of equipment in your home network: your router.
The truth is home networking equipment is designed for convenience rather than protecting the end-user. What we commonly refer to as home routers are multi-function devices that incorporate the roles of a router, firewall, switch, wireless access point, and sometimes even network storage, into a single device. The catch is that, in performing all these functions at a consumer-friendly price point, a comprehensive feature set and hardware capabilities are sacrificed, leaving the end-user with little control over how the device operates.
Fortunately, we can make some tweaks to drastically improve the network’s resilience to attack; let’s review the major issues and what we can do about them. The first step is to make sure your router is running the latest firmware. It’s probably not a stretch to say most home users have never updated the firmware on their router.
Only new firmware can fix vulnerabilities in the router itself, which means (and here’s the bad news) that the manufacturer’s firmware support is the ultimate limiting factor on how secure your home network can be. Go to your router manufacturer’s website, locate the support and/or downloads section and search for your router model (found on a sticker on the device).
Look for the most recent firmware release; if it is older than, say, six months this is a red flag, and if it is over a year old your router has effectively been abandoned by the manufacturer. If this is the case, you need to seriously consider replacing the device. Which router to buy is then a tricky problem, as no home router review is likely to discuss the issues we are talking about here, though some suggestions I will point out in the next article may be of help. In any case, get the latest firmware image and apply it to your router if it is newer than the version you currently have. The upgrade option can usually be found by logging in to your router and looking for a menu item titled ‘Firmware’ or ‘Firmware Upgrade’, which may be located under a broader menu such as ‘Administration’ or ‘System’. Specific instructions are probably available with a few internet searches or in a manufacturer manual that can be downloaded from the support site.
Now that we (hopefully) have a recent firmware image, we need to secure access to the router. Make sure that the administrator username is changed from the default and that the account is secured with a strong password (more on that later). Also, look for any settings related to administrative access. Disable any settings that allow login from the WAN (Wide-Area Network; the Internet) or over Wi-Fi. Though inconvenient, if you can limit access to a hardwired connection, you should do so (how often do you log in to your router anyway?). Look for a service called Telnet and, if it is enabled, disable it. You can even disable SSH, which should be found in the same place. To be clear, SSH is a secure protocol, but if you don’t plan on using it then having it enabled only serves to expand the potential attack surface.
The next “feature” we want to disable is WPS (Wi-Fi Protected Setup). This allows you to pair a device to Wi-Fi within a specific window of time by pushing a button on the router and using the corresponding connection option on the device. It also severely undermines the security of your wireless network. Even if you use a stunning 30+ character random password for your Wi-Fi, WPS reduces the barrier to entry to an 8-digit numeric PIN. A common hacker tool called Reaver will crack this PIN in a few hours or less and, from that, expose your Wi-Fi password, placing it in the attacker’s hands.
The next feature to disable, UPnP, may cause some controversy as it is likely to affect the connectivity of devices on your network. UPnP stands for Universal Plug and Play; this is entirely a convenience feature that allows any device or software on the inside of your network to open holes in the firewall and allow certain traffic in and out. It’s probably fairly obvious why this is a security risk: allowing any internal service to arbitrarily open and close ports (these are the “holes” that are mapped to specific types of traffic and services) makes it impossible to fully know what your firewall is allowing and what it is blocking. Additionally, vendors have a history of flawed implementations of the protocol, further exacerbating the issue. At the very least, this gives an outside attacker more opportunities for ingress into the network and, at its worst, gives malicious devices and software free rein over your firewall. Disabling UPnP is widely regarded as a security must but could also cause many devices, such as game consoles, to stop working as intended. To remedy this, you will need to create manual port forwards (UPnP is basically dynamic and automatic port forwarding).
I won’t get into port forwarding here but there are many walkthroughs online that will take you through the steps and, fear not, it really isn’t difficult. I should note here that routers supplied by your ISP will be even more limiting and probably lack transparency in settings. These devices are built more to serve the interests of the ISP than yours and, in my humble opinion, you would be far better off getting your own hardware. This could be a good time to even consider some of the more advanced options I will point out later.
Let’s take an aside for a moment and talk about why we are doing all of this. I’m sure the thought of “OK, but what am I protecting myself against; who is after me?” has already occurred. That’s a valid question and I’ll touch on it periodically throughout the following articles. While targeted attacks are very much a thing, and possibly part of your “threat model” depending on who you are, it’s important to understand that you aren’t necessarily being actively targeted. Attackers have created many avenues of automating exploitation.
There are multiple systems out there whose sole purpose is to continuously scan the internet for the presence of any known vulnerabilities and exploit them. If you have ever heard of shodan.io, it serves as a perfect example of just how many compromised and unsecured systems are on the internet; most of these are accessible because default credentials were never changed and the device was never properly firewalled. I invite you to create a free account and just browse the site; you may be very surprised at what you find. Someone who can gain access to your router essentially controls the border to your network. They can enumerate the devices inside your network and assess them for vulnerabilities. They can modify firewall rules to suit their needs.
An insidious and subtle attack is DNS Hijacking, in which they change your router’s DNS settings to point to a server they control. In doing so they place themselves between you and any site you try to access and can substitute a site of their own design for the legitimate one you think you are going to. This article from ZDnet shows that this is being actively exploited right now to redirect people searching for Covid-19 information to imposter sites that distribute malware. These are indeed very real threats and, in the case of DNS Hijacking, unless you are in the habit of verifying your DNS settings, you would never know. To bring an end to this installment, here is a good summary of steps to take in securing a home router: https://routersecurity.org/checklist.php.
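Since you would never notice a hijack unless you verify your DNS settings, here is an added example (my own, not from the article) of a small Python check that parses the resolvers a client was handed and flags any that are not on an allow-list; the router address 192.168.1.1, the public resolvers in the allow-list and the sample resolv.conf contents are all assumed or constructed.

```python
import ipaddress

# Assumed values: your router's LAN address (192.168.1.1 is a placeholder) and
# the public resolvers you configured yourself. Replace with your own.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# Address ranges normally found on a home LAN (RFC 1918 plus IPv6 ULA).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample of what a hijacked router might hand out via DHCP: the
# router itself plus a resolver nobody configured (198.51.100.0/24 is TEST-NET-2).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.7
options timeout:2
"""

def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def classify_resolver(addr, expected=EXPECTED_RESOLVERS):
    """Return 'ok', 'unexpected-lan', 'unexpected-public' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in expected:
        return "ok"
    if ip.is_loopback or any(ip in net for net in LAN_NETWORKS):
        return "unexpected-lan"     # e.g. a local stub or a rogue DHCP server
    return "unexpected-public"      # the classic router DNS-hijack signature

def audit_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Pair each resolver with its verdict; anything not 'ok' deserves a look."""
    return [(addr, classify_resolver(addr, expected)) for addr in servers]

if __name__ == "__main__":
    # Real use: feed it open("/etc/resolv.conf").read() instead of the sample.
    for addr, verdict in audit_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF)):
        print(f"{addr:18} {verdict}")
```

On systems running systemd-resolved, /etc/resolv.conf usually lists only the local stub 127.0.0.53, so check `resolvectl status` for the upstream servers instead. Either way, also compare the result with the DNS fields on the router’s own WAN and DHCP settings pages, since that is where a hijack is actually made.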
In the next section, we will discuss our wireless network and how we can better secure it against eavesdroppers whether it be a targeted attack or just the nosy would-be hacker kid next door.