Wifi Insecurity- Tips for Securing Home Wireless Networks

As seen on Alaska's KTUU Channel 2 News.

As a public service, members of the Digital Securus security team spent the day with Channel Two News Director, John Tracy. We showed him that in only a couple of hours we managed to locate over 1600 wireless networks, with over 1200 of them either completely open or easily compromised. With his permission we managed to locate John Tracy's residence, after which we proceeded to electronically enter and acquire numerous files from his wireless home network.

Digital Securus works with businesses to ensure the safety of their networks and information. Businesses who wish to discuss their specific Information Security needs are invited to contact us. For individual homeowners wishing to secure their home wireless network the answers are not as complex as in the business arena, however it can take time and effort on the part of the individual to implement. It is up to the individual to decide what is best for their home network and what level of security is best for them.

DISCLAIMER: The information presented here is only a guideline and is meant as a basis for individuals to educate themselves on the various tips and techniques available. Doing one or all of the suggestions will not ensure that your network is completely secure. All of the information, instructions, and recommendations on this web site are offered on a strictly "as is" basis. This material is offered as a free public resource, without any warranty, expressed or implied. Digital Securus shall not be held responsible for any direct, indirect, incidental or consequential damages that may result from anything that is presented here, or anything you do as a result thereof. It is up to the reader to determine the suitability of any directions or information viewed here. Furthermore, it is the responsibility of the reader to determine if any recommendations given regarding the information are appropriate based upon your particular situation. Digital Securus cannot be held accountable for decisions made based upon these free recommendations, which are offered for informational purposes only. The examples shown also assume a level of familiarity with computers, wireless devices, and the Windows Operating System on the part of the reader.

 

How secure do I want my home network to be?

One of the first decisions that a homeowner needs to make is: how secure do I want my home network to be? How valuable is my data? What would happen if my network was compromised, or destroyed?

Think of it in this way. If you have locks on your doors, do you have deadbolts? Do you have bars on your windows? Do you have a home security alarm? The homeowner needs to gauge the amount of time, effort and money they want to put into their home network security just as they put some thought into deciding how much physical home security they have.

For some homeowners, locks on their doors and windows are enough. Others might feel better with a more robust and complex solution.

 

The quickest, easiest, and least expensive solution:

Unplug/Remove the Wireless:

Did you install wireless networking for the simple fact that it makes web surfing and emailing from your computers more convenient? If so, you may consider unplugging your wireless router and foregoing wireless altogether. Remove the wireless connection and the bad guys simply cannot use it to steal your Internet or break into your home computers. That's not to say that there aren't other methods that attackers could use, but removing the wireless connection makes it much more difficult for the bad guys to break into your network.

 

Turn off the Wireless Portion of your Router:

Many people use wireless routers which have both wireless connections as well as multiple wired/Ethernet cabling connections. Most wireless routers allow the user to electronically turn the wireless portion off, thus leaving the wired/cabled computers connected to the network and/or the Internet. We cannot show you every step-by-step method for every wireless router available; however, here is how to turn off the wireless portion on one of the more popular wireless routers (the Linksys WRT54GS Wireless Broadband Router).

 

Turning off the Wireless Connection

To turn off the wireless connections in the Linksys WRT54GS Router, you must first log into the router.

Logging into the Wireless Router (WRT54GS):

Each wireless router has different methods of logging into it so that changes can be made. Some use web browsers such as Internet Explorer or Firefox. Others use FTP or even Telnet. For the method of changing your specific router settings, please refer to the owner's manual or contact the manufacturer. In our example, we go to a computer which is connected physically to the router (via Ethernet cable, NOT another wireless laptop or other device) and type the router's default Internet Protocol (IP) Address. In this case the default IP address is 192.168.1.1.

 

The default user name is "admin" and the password is "admin" (without the quotes).

 

For a list of the default passwords for your wireless router look here. If you don't know the default password or you forgot it, check with the manufacturer for details on how to reset your wireless router.

Once you have correctly entered the username and password, the wireless router will present you with a menu of options. The main menu for our Linksys WRT54GS router looks like this:

 

To turn off the wireless portion of this router select the "Wireless" menu and then click on the "Basic Wireless Settings". The menu should look similar to this:

 

Disabling the Wireless

To disable the wireless completely, select the pull-down menu named "Wireless Network Mode" and select "Disabled" as shown below:

To save this setting press the "Save Settings" button. Your wireless is now off and the rest of your wired router traffic should function without it.

 

Changing the Default Admin Password

If you decide that you still have to have a home wireless network there are several things you should consider. The first thing is to change some of the wireless network's settings. Changing these settings will make it more difficult for bad guys to gain entry (but not impossible).

You should immediately change the default admin/administrator password. If you do not change the default password, anyone with a little bit of knowledge can enter your wireless router and lock you out of your own network (or worse).

To change the default password on our sample router (Linksys WRT54GS), enter the router as shown above and from the main router menu select the "Administration" menu. Under "Management" there is a Local Router Access Password section.

Enter a new password and re-enter the same password to confirm. Press the Save Settings button near the bottom of the page to save the new router password. Please choose a password that is not easily guessable and yet is one that you will remember. You will need to enter the router's password every time you access the router to make changes.

 

Changing the Wireless Network Name, Channel, and the SSID

If you are still determined to have wireless networking in your home, here are several more items that you should implement in your home network. From the main menu, select the "Wireless" menu. The basic settings page will appear as seen below.

The default Wireless Network Name for Linksys Routers is, of all things, "linksys". Changing the name won't prevent bad guys from seeing your wireless network's name, but changing it can help. Enter a new name for your wireless network. Don't choose your family name, home address, your social security number, or anything else that would help an attacker figure out who the network belongs to (and in case you are wondering, we have seen home wifi networks named after their owners, their addresses, and their social security numbers!). Here we picked the name of "ipa2tfotusoa". We also set the "Wireless Channel" to something other than the default setting of channel 6. Changing the channel does not really help hide your wireless network, but it does help your network's efficiency if you aren't on the same channel as the rest of your neighbors' wifi networks.

We also turned off the Wireless SSID Broadcasting by selecting the "Disable" function. Turning off the SSID Broadcast means that your wireless network will no longer be broadcasting its existence to everyone within wireless range. Again it doesn't mean that a determined bad guy won't find you, but it will help hide you from most attackers. The downside of disabling the SSID broadcast is that you will have to manually enter the name of the wireless network (in this case "ipa2tfotusoa") in each of your wireless networking computers and/or devices. Press the "Save Settings" button to save these new settings.

 

Setting Up Wireless Encryption

Placing encryption on your wireless network is a very good thing to do. Encryption helps scramble the information between the wireless router and the wireless devices, thus making it difficult (but not impossible) to decipher. Setting up encryption seems to be difficult for many people, which is why most people don't bother. Like changing your Wireless SSID Broadcasting (see above), using encryption means that you have to manually set up each wireless computer or device, and again it's another reason that many people don't bother. The upside is that once you set up encryption, it will help deter most people from gaining wireless access.

Types of Encryption:

There are several flavors of encryption, and some are more popular than others. Each method has its own benefits and disadvantages. You need to weigh the risks and decide what type of encryption is best for your situation and budget.

WEP (Wired Equivalent Privacy): WEP encryption is the most popular form of encryption found in most wireless systems. It is a system based on a key which is entered on the wireless router and again on each computer or device. In a simplified explanation, WEP works when the WEP enabled devices connect to the WEP enabled router. The WEP keys are compared. If the key matches, the communication is allowed and the data is encrypted and deciphered between the two devices. If the keys do not match, no communication is allowed.

For the sake of this article, WEP key encryption comes in two flavors, 64 bit and 128 bit keys.

As one can imagine, 128 bit keys are longer and are more secure than the smaller, 64 bit keys.

A 128 bit hexadecimal key looks like this "039AE0144C61DA54B7499EA54C"

A 64 bit hexadecimal key looks like this "039AE0144C"

128 bit WEP encryption is more secure than 64 bit WEP; however, neither encryption method is as secure as the next form of encryption that we will discuss, which is WPA. If you use 128 bit WEP encryption, all of your wireless computers must be 128 bit capable. The same thing applies if you are using 64 bit WEP encryption. You may need to research the wireless cards in your various computers to determine which level of WEP encryption they are capable of using.

NOTE: We strongly suggest that the home user consider using WPA in all of your home computers and network devices. WPA (and the newer WPA2) are much more secure than either 64 or 128 bit WEP, however the same principle applies. All of your wireless devices, laptops, computers, routers, etc. must be capable of speaking WPA. You don't want to, or in most cases you can't, mix different encryption schemes (WPA with WEP 128 bit or WEP 64 bit). This may mean that in order to use encryption you may need to upgrade your equipment, including, but not limited to your router (or router software, called firmware), your wireless card, and/or all of your wireless devices.

WPA (Wifi Protected Access): WPA was developed to add a more robust form of encryption than WEP. The flavor of WPA that we see in most home wireless networks uses a temporal key integrity protocol (TKIP). TKIP encodes the keys using an algorithm and, by adding an integrity-checking feature, ensures that the keys haven't been tampered with. It is more secure than WEP; however, it too can be compromised given the right set of circumstances and level of sophistication by the bad guys.

Setting up 64bit WEP encryption on your wireless router:

To setup your wireless router to allow only 64 bit WEP encrypted traffic on your network, connect to your wireless router as shown above and select the "Wireless" menu. Next click on the "Wireless Security" submenu. You should see the menu as shown below.

To set up 64 bit WEP we would enter a pass phrase. The pass phrase could be anything, but in this case we entered the text "onesmallstepform". Press the "Generate" button and a series of 4 hexadecimal 64 bit keys is generated. You only need one. In this case we will use key 1: "A3106DE662".

 

Setting up 128 bit WEP encryption on your wireless router:

To set up a 128 bit WEP key we would again enter a pass phrase, but then we would select the "WEP Encryption" option and choose "128 bits 26 hex digits". Press the "Generate" button and a series of 4 hexadecimal 128 bit keys is generated. In this case we will use key 1: "A3106DE6620373B66F6209446".

 

Once you have selected your 64 bit or 128 bit key, click on the "Save Settings" button. Your wireless router should now only allow a WEP enabled wireless device with the correct key to access the wireless network.

 

Setting up the WEP key on your Windows XP computer:

To manually set up your wireless computer/laptop with the proper WEP key, you must be sure that your device is capable of using WEP. See your device's manual for further details or contact the manufacturer for assistance.

In our sample, the laptop we have has a wireless card that is capable of using WEP encryption. On the laptop we go to the XP control panel and select "Network Connections" (see below) by double-clicking on the network connections icon.

 

The Network Connections window should appear. Next we locate our laptop's wireless card (in this case, a Cisco Airocard 350). Your wireless card may be named differently. Right click on the wireless card you wish to set up and select the card's "Properties" from the menu (as shown below).

 

We are now presented with a dialog box entitled "Wireless network properties" as shown below.

 

This is where it is very important that you enter the information EXACTLY as you set it up in your wireless router. We must enter the network name, which in this case we set up earlier as "ipa2tfotusoa". This must match the name of our wireless network. If the network names do not match, the router and the computer will be unable to find each other.

Next select the "Network Authentication:" as Open.

Set your "Data encryption:" to WEP.

Enter either your 64 bit or 128 bit WEP key EXACTLY as you set it up in your router. You must then enter it again in the "Confirm network key:" box. Make sure the "Key Index (advanced):" is set to "1".

Press the OK button to save.

If you correctly entered everything your router and your laptop need, you should now be able to access your wireless network from your laptop using WEP encryption.

 

Setting up WPA encryption on your wireless router:

To setup your wireless router to allow only WPA encrypted traffic on your network, connect to your wireless router as shown above and select the "Wireless" menu. Next click on the "Wireless Security" submenu. Click on the "Security Mode" menu and select "WPA personal". Make sure you have the WPA Algorithms set to "TKIP". Use the random WPA Shared Key generated, or supply your own. NOTE: do not select a weak WPA Shared key such as your name, your favorite hobbies or any word found in a dictionary. Doing so would allow an attacker to figure out your WPA Shared Key using brute force and/or dictionary attacks. In this example we will use the supplied random key of "tmfcqs0iauahth2v".

NOTE: Your wireless router and all of your wireless devices (computers, laptops, etc.) must be capable of using WPA encryption. Check with your equipment manufacturer(s) for further details.

Click on the Save Settings button to save your selection:
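The router and each computer turn the WPA Shared Key and the network name into the actual 256 bit key, which is why both values must be entered exactly the same on every device. The following is an added example, not code from Digital Securus: it derives that key the way WPA-Personal specifies (PBKDF2-HMAC-SHA1) and checks a name/key pair for the weaknesses this page warns about. The small word list and the 60 bit threshold are assumptions.

```python
import hashlib
import math
import string

DEFAULT_NAMES = {"linksys"}   # factory network name mentioned on this page
# Constructed mini word list (assumption); a real check would use a far larger one.
COMMON_WORDS = {"password", "letmein", "baseball", "sunshine", "qwertyuiop"}
MIN_BITS = 60                 # assumed threshold, not a figure from this page


def check_format(passphrase):
    """WPA-Personal passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase, network_name):
    """PBKDF2-HMAC-SHA1 with the network name as salt, 4096 rounds, 32-byte result."""
    if not check_format(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               network_name.encode("utf-8"), 4096, 32)


def estimate_bits(passphrase):
    """Upper bound: length * log2(pool), valid only if characters were chosen at random."""
    pool = 0
    for group in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation + " "):
        if any(c in group for c in passphrase):
            pool += len(group)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_wpa(network_name, passphrase):
    """Return a list of problems; an empty list means none of these checks fired."""
    problems = []
    if not check_format(passphrase):
        problems.append("passphrase is not 8 to 63 printable ASCII characters")
    if passphrase.lower() in COMMON_WORDS:
        problems.append("passphrase is a common word")
    if network_name.lower() in DEFAULT_NAMES:
        problems.append("network name is still the factory default")
    if network_name and network_name.lower() in passphrase.lower():
        problems.append("passphrase contains the network name")
    if estimate_bits(passphrase) < MIN_BITS:
        problems.append("estimated strength is below %d bits" % MIN_BITS)
    return problems


if __name__ == "__main__":
    name, key = "ipa2tfotusoa", "tmfcqs0iauahth2v"   # values used on this page
    print("problems:", audit_wpa(name, key))
    print("derived key:", derive_psk(key, name).hex())
    # Same passphrase, different network name: a different derived key.
    print("other name :", derive_psk(key, "linksys").hex())
    print("weak setup :", audit_wpa("linksys", "password"))
```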

 

Setting up WPA on your Windows XP computer:

To manually set up your wireless computer/laptop with the proper WPA key, you must be sure that your device is capable of using WPA. See your device's manual for further details or contact the manufacturer for assistance.

In our sample, the laptop we have has a wireless card that is capable of using WPA encryption. On the laptop we go to the Windows XP control panel and select "Network Connections" (see below) by double-clicking on the network connections icon.

 

The Network Connections window should appear. Next we locate our laptop's wireless card (in this case, a Cisco Airocard 350). Your wireless card may be named differently. Right click on the wireless card you wish to set up and select the card's "Properties" from the menu (as shown below).

 

We are now presented with a dialog box entitled "Wireless network properties" as shown below.

 

This is where it is very important that you enter the information EXACTLY as you set it up in your wireless router. We must enter the network name, which in this case we set up earlier as "ipa2tfotusoa". This must match the name of our wireless network. If the network names do not match, the router and the computer will be unable to find each other.

Next select the "Network Authentication:" as WPA-PSK.

Set your "Data encryption:" to TKIP.

Enter your WPA shared key EXACTLY as you set it up in your router. We will enter the WPA key here as "tmfcqs0iauahth2v". You must then enter it again in the "Confirm network key:" box.

Press the OK button to save.

If you correctly entered everything your router and your laptop need, you should now be able to access your wireless network from your laptop using WPA encryption.

 

Other Wireless Security Options to consider:

By changing the router's default administrator password, changing the name of our wireless network to "ipa2tfotusoa", disabling the network name (SSID) broadcast, changing the wifi channel, and by implementing a form of wireless encryption (preferably WPA), we have made our home wireless network difficult for most bad guys to break into.

There are a couple of other options that the home user might consider implementing in their home network security plan. These additional items include MAC filtering and logging.

 

Mac Filtering:

MAC Filtering is a function that some wireless routers allow, depending on the manufacturer and the model of router. Every wireless card (and wired card, for that matter) comes with a built-in specific number that is unique to it. This number was put there by the manufacturer and is designed to allow the network to tell one wireless card from another. Think of it as a unique number for every card. The network can use this unique number, called a MAC address, to tell one card from another and thus one device or computer from another.

 

MAC Filtering allows a person to enter the unique MAC address for every device on the wireless network into the wireless router. This means that your router would then have a list of devices that it is allowed to talk to. If a device has a different MAC address and it is not on the approved list, it would in theory not be allowed on the network. Although there are ways that some attackers can get around MAC filtering, it is another option for home users to help protect their wireless networks from unauthorized access.

 

Logging:

Many wireless routers have the ability to log which computers are on the wireless network and when. Most wireless routers come with logging turned off. Depending on your system, one can turn on logging and manually look to see who is on the network at any given time. This usually requires that the user take the time to look at the logs routinely and to know what it is the logs are telling them. If you are comfortable with basic networking concepts and terms, checking your log files on a regular basis can give you an added edge in maintaining a secure home network.
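As an added example (not from Digital Securus), the routine log check described above can be combined with the MAC filter's approved list: the script below reads router log lines and reports every device that is not on the list. The log format, the addresses and the approved list are constructed for illustration; real router logs differ by manufacturer and model.

```python
import re
from collections import defaultdict

# Constructed approved list: the MAC addresses entered into the router's filter.
ALLOWED = {"00:0D:29:AA:10:01", "00-12-17-bb-20-02"}

# Constructed sample log in a hypothetical format; adapt LINE_RE to your router.
SAMPLE_LOG = """\
2005-11-02 18:04:11 WLAN assoc mac=00:0d:29:aa:10:01 ip=192.168.1.100
2005-11-02 18:09:40 WLAN assoc mac=00:12:17:BB:20:02 ip=192.168.1.101
2005-11-03 02:17:55 WLAN assoc mac=00:0F:66:CC:30:03 ip=192.168.1.102
2005-11-03 02:41:08 WLAN assoc mac=02:11:22:33:44:55 ip=192.168.1.103
2005-11-03 02:58:30 WLAN assoc mac=00:0F:66:CC:30:03 ip=192.168.1.102
this line is not a log record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WLAN assoc "
    r"mac=(?P<mac>[0-9A-Fa-f:.-]{12,17}) ip=(?P<ip>\S+)$"
)


def normalize_mac(text):
    """Return the MAC as 'aa:bb:cc:dd:ee:ff', or None if it is not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """Bit 0x02 of the first octet set means the address was not assigned by a manufacturer."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(log_text, allowed):
    """Return ({unknown_mac: details}, number_of_lines_that_could_not_be_parsed)."""
    allow = {normalize_mac(m) for m in allowed}
    unknown = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ips": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        mac = normalize_mac(m.group("mac")) if m else None
        if mac is None:
            skipped += 1          # keep count so silent parser failures are visible
            continue
        if mac in allow:
            continue
        rec = unknown[mac]
        rec["count"] += 1
        rec["first"] = rec["first"] or m.group("ts")
        rec["last"] = m.group("ts")
        rec["ips"].add(m.group("ip"))
        rec["locally_administered"] = is_locally_administered(mac)
    return dict(unknown), skipped


if __name__ == "__main__":
    findings, skipped = audit(SAMPLE_LOG, ALLOWED)
    for mac, rec in sorted(findings.items()):
        print(mac, rec["count"], "connections,", rec["first"], "to", rec["last"],
              "(locally administered)" if rec["locally_administered"] else "")
    print("unparsed lines:", skipped)
```

A device on the approved list is not reported, so this check complements MAC filtering rather than replacing encryption: an address seen in the log only shows what the device claimed to be.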

 

Conclusion:

As you can see in the examples above, creating a secure wireless home network is neither quick nor easy, which is why most people don't take the time. They simply "plug and pray" that everything is going to be alright. By taking the time and effort to secure your wireless network you make it much more difficult for most attackers to gain entry. If a bad guy has to work too hard or risk the possibility of being detected, they will most likely go on to other, more vulnerable targets.

We hope that you have learned something about securing your home wireless network and that you take the time and effort to secure your network from unauthorized access.

 

Digital Securus, LLC
Copyright 2005. All Rights Reserved.
info@digitalsecurus.com
907-762-6035