Securing Your Router, Part 2
August 18, 2012
In an earlier post I addressed, in a very simple manner for non-technical users, the topic of securing your home router, or Wifi Access Point, against intruders. In this follow-on article, I attempt to elevate the discussion just a bit. While still aimed at the non-technical user, the target audience is presumed to have spent some time considering the issues raised in the previous article, spent some time playing with their router, and developed a little more of a comfort level with the topic. This article is still aimed very much at the non-technical user, but a non-technical user who now knows just a little more about this very technical topic, and wishes to expand their knowledge a bit further.
The previous article was intended to motivate the non-technical audience to do SOMETHING, ANYTHING to secure their wireless LAN. Many, if not all, routers come from the factory in a deplorable configuration from a security standpoint, and leaving them in that default state is very risky. The goal is to help even the most non-technical user understand how to secure their system over and above that default level. We hope to give the very slightly more advanced user a more complete prescription for keeping their network secure.
Before addressing the specifics of security let us indulge a bit of discussion as to the WHY of security. There is a school of thought that says a basic level of Wi-Fi access should be freely available. Many places of business offer free Wi-Fi as an enticement to bring in customers. Do you really care if someone parks in front of your house for a few minutes and checks their email? Obviously not, at a simplistic level, but there are good reasons to not permit such free and easy access.
- Perhaps your internet service places a usage cap on your service. AT&T for example has planned to set a 150 GB/Month cap on their broadband service. That sounds like a lot, but with the advent of video services such as Netflix, one can easily blow through such a level in a month. Someone casually checking their email is not likely to impact your cap, but if instead they take advantage of your hospitality to download a couple of pirated movies from some file sharing service the volume of data is obviously higher. If this happens every night while you are asleep, then the amount of excess data charged against your account can be significant. If you are on a satellite service, or other similarly metered service, excess data can become quite expensive indeed. An unsecured MiFi connection at $10 per GB can cost hundreds, if not thousands, of dollars in a short time.
- We live in an age of massive copyright violations. File-sharing sites such as Demonoid routinely host all manner of material of questionable legality. From time to time there are high-profile busts of downloaders who have been tracked, including cases where unsecured wireless connections have been used. Do you really want to risk having your door kicked in at 3AM because someone unknown to you downloaded questionable material over your connection from half a block away?
- Even if you do not care about others using your connection to the Internet, do you want some stranger connecting onto your LAN and scanning your own personal computer for vulnerabilities and sensitive data?
There are many more examples, but I think most people will agree that taking reasonable steps to secure one's Internet service is highly desirable. If you do in fact feel that some basic level of free access is a good idea, there are ways we can provide that without taking the risks that unfettered access allows. In a future article I will address that topic, but for now let us simply focus on keeping unwanted intruders out.
There are three terms to absorb if one wishes to discuss Wireless routers.
- The first is the “Pre-Shared Key” (PSK) often also referred to as the Network Key. This is the password that both the router and the computer connecting to it must know. It must be a minimum of eight, and a maximum of 64 characters. All too many users configure something short, trivial and easy to remember. Network Keys of “Secret”, “Password” and even “12345678” are common. Don't do this. In “Safe Computing #1” and “Safe Computing #2” I discussed how to make good passwords. Treat the Network Key as any other password, and use a good one.
- The “Cryptographic Key” is used to secure the actual wireless data. You do not supply this; the router and computer do, but they do so based on information you give them.
- The “Service Set Identification” (SSID) is the name that the router broadcasts to the world to announce its presence. Such broadcasts can be turned off, but out of the box all routers shout their SSID to the world on a regular basis. All routers come from the factory with a default SSID, and all too many users never bother to change it. You SHOULD change it. It is far more important than is obvious to the casual observer. It should be almost treated as a password, in that a good, unique, and long SSID should be used. The SSID can be a maximum of 32 characters, and longer is better. Unique is even better.
The first opportunity to secure your network lies in the choice of Network Name, or SSID. This seems an innocuous, even frivolous item. Countless routers simply broadcast the default factory ID, and many others broadcast names made famous by movies and popular culture. Countless network connections boast the name “Skynet” from the Terminator movies, to revisit one all too common case. If you must advertise your fandom, pick something related but randomized and unique, like “Skynet_FMTS_Node_792580935” for example.
Previously, I advised picking a name that is unique, but not too specific. I advised against using popular, or default names, but did not explain why a unique name is really desirable. Perhaps I should have been more forthcoming, but did not do so in the interest of not overloading the target audience.
The wireless data stream is encrypted against snooping. WPA2 encryption is quite secure, proof against most casual snooping. The cryptographic key is used to ensure that security, and without that key, one really cannot unlock the radio connection. However, that cryptographic key itself is often vulnerable. If one knows how it is constructed, one can make educated guesses as to the likely key, and given a little time can probably unravel the encryption. We want to make that as difficult as possible.
The user supplied element of the Cryptographic Key is of course the PSK, which is one reason why we need a good, strong password for this. However since users are notoriously ineffective in this area, often opting for simple words such as “Password”, we do not simply compute the Cryptographic Key from the PSK. “Key Stretching” is the technical term applied to the simple technique of using additional information to strengthen a cryptographic key. This additional information has to be something obviously known to both the router and the computer connecting to the router.
Clearly part of this additional information used to create the cryptographic key must in fact be the SSID itself, which is why it needs to be unique. You can be sure that if your router is a common one, and it is broadcasting the default or even merely a common SSID, interested parties have already computed the cryptographic keys for thousands and thousands of common Network Keys and these precomputed keys are widely shared. If your router is broadcasting an SSID of “LINKSYS” and you have set your Network Key to something simple like “Secret”, “Password” or “MyHouse”, it may as well be shouting to the world, “Come Take me, I'm yours!”.
The reason a unique SSID is desirable is the existence of something called “Rainbow Tables”. A Rainbow Table is simply a list of pre-computed cryptographic keys. Using a common SSID and a trivial Network Key makes your WPA2 encryption effectively an open book to anyone with the requisite dark skills. If you make the SSID something unique, something that is not likely to be in anyone's Rainbow Tables, then there is no handy list of pre-computed cryptographic keys for the dark lords to use in cracking your security. It could still be cracked, and if your Network Key is simple, it might well be. A good strong password for the Network Key will prevent that.
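As an added illustration (not code from the original article): WPA2-Personal derives its 256-bit key with PBKDF2-HMAC-SHA1, salted with the SSID and run for 4096 iterations, so the same Network Key produces unrelated keys under different SSIDs. The helper names `derive_pmk` and `audit` are hypothetical, and the two word lists are constructed samples built from names mentioned in this article.

```python
import hashlib

# Constructed sample lists, taken from names the article mentions (not exhaustive).
COMMON_SSIDS = {"linksys", "skynet"}
TRIVIAL_KEYS = {"secret", "password", "12345678", "myhouse"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal key derivation: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def audit(ssid: str, passphrase: str) -> list:
    """Return findings for an SSID / Network Key pair (empty list means OK)."""
    findings = []
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        findings.append("ssid-length")    # SSID must fit in 32 bytes
    if ssid.lower() in COMMON_SSIDS:
        findings.append("common-ssid")    # precomputed key tables likely exist
    if len(passphrase) < 8:
        findings.append("key-too-short")  # WPA2 requires at least 8 characters
    if passphrase.lower() in TRIVIAL_KEYS:
        findings.append("trivial-key")    # near the top of any word list
    return findings


if __name__ == "__main__":
    key = "Password"
    for ssid in ("LINKSYS", "Skynet_FMTS_Node_792580935"):
        # Same Network Key, different SSID: the derived keys are unrelated,
        # so a table precomputed for one SSID says nothing about the other.
        print(f"{ssid:28} {derive_pmk(key, ssid).hex()}  {audit(ssid, key)}")
```

A unique SSID only removes the precomputed shortcut; `audit` still flags the trivial Network Key, which is why both settings matter.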
My critics say I dropped the ball in Safe Computing #6 by advising the user to disable the SSID broadcast, or “Enable Hidden Wireless”. I did describe this as “Gilding the Lily” and did explain that at best it would only hide the network from a casual observer.
What I had failed to explain in the interest of simplicity is that when you have a client, a laptop or tablet configured to connect to a hidden SSID, when not connected it will beacon constantly to see if that SSID is available. This means that if you carry that laptop or tablet to a public location and leave WiFi on, it will tell the world what your “hidden SSID” is. Someone who passes by your home may not easily see your SSID, but the guy two seats over from you at the local McDonald's can easily find out what your home's hidden SSID is. Do not be under any illusion that by turning off your SSID broadcast you have materially enhanced your security. At best you have added one more very trivial obstacle in the path of an attacker, one that is easily side-stepped, at some inconvenience to yourself every time you need to configure a new device. The lack of any real security enhancement plus the inconvenience when connecting a new device argue that one should not bother to disable the SSID broadcast.
Disabling the SSID broadcast is almost worthless in protecting your network from attack; however, there is a slight advantage to making your network less visible to the casual passerby, so I do recommend it, with caveats. One must understand the limited security enhancement this brings, and not rely on it in any meaningful way.
There are numerous other techniques for enhancing the security of your installation, all of diminishing effectiveness, and increasing inconvenience. For example, there is a table in most routers whereby you can place a list of allowed hardware devices, effectively creating a “white list” of allowed devices on the LAN. This will in theory prevent outsiders from accessing your connection, at the inconvenience of making it more difficult to connect a new device of your own. Unfortunately such whitelists are tricky for the non-techie to set up and a knowledgeable practitioner of the black arts can fairly easily defeat them. There are more techniques, things called “honeypots” and additional authentication schemes such as something called Radius, and much more. For the moment I consider the complexity and inconvenience of these and other such techniques as beyond what one can reasonably expect a non-technical home user to employ. Perhaps a future article will address some of these advanced techniques, but for now rest assured that if you do three things, you will be protected from all but the most determined intruders. These are:
(a) Use a good password on the management interface as discussed in Safe Computing #6
(b) Use a unique, long SSID
(c) Use a good strong PSK / Network Key
Good security is not difficult. It requires no arcane technical knowledge. Just a few common sense steps, and you are well protected against 99.9% of real-world threats.


