How to Secure a Home Wi-Fi
S. Roy

Acknowledgement
In preparing the presentation slides and the lab setup, I received help from
• Professor Simon Ou
• Professor Gurdip Singh
• Professor Eugene Vasserman
• Alex Bardas

What is a home Wi-Fi?
• Provides a wireless access point (AP) via which household machines (e.g. laptops, tablets and smart phones in an apartment) can connect to the Internet
• The access point is also known as the home router.

More about Home Wi-Fi
• The router (also called the AP) is connected to the Internet via a modem.
• Any wireless-capable computer or smartphone in the house communicates with the router.
• Note: typically, the same router also supports wired connections at home, as shown in the figure.
[Figure: the home router (AP) connected to the Internet through a modem, with wireless and wired computers attached]

Risks in a Home Wi-Fi
• An insecure home Wi-Fi has all the problems of using a free public Wi-Fi
  – A neighboring (e.g. next-door) attacker can launch the same attacks on the computers of a home Wi-Fi.
• And an additional concern: the admin responsibility
  – The intruder may use your network as a stepping stone for DoS attacks, spamming, downloading pirated music, and so on.
  – The home owner has to deal with law enforcement for any wrongdoing rooted at his/her network.
  – Well before the police arrive, the mobile intruder can flee, while the home owner stays.

Abusing a Home Wi-Fi network
1. The attacker M intrudes into your home network
2. M uses it as a stepping stone for bad activities
3.
You (the home owner) face the FBI
[Figure: a home Wi-Fi with a user (Alice) and an attacker; Mallory (M) goes through the AP to launch a DoS attack on a Pentagon server and to download pirated items from a P2P server on the Internet]

Securing a Home Wi-Fi: Task 1
Stop the intruder from joining the network
– The AP employs an access control mechanism to authenticate the legitimate computers
– Each legitimate computer may share the same key with the AP, while the intruder does NOT have the key
[Figure: a home Wi-Fi with two users; Alice sends "hello" and then proof of the key and is authenticated by the AP; Bob likewise; Mallory (M) is denied access]

Securing a Home Wi-Fi: Task 2
Stop the intruder from eavesdropping
– Encrypt the traffic (i.e. the communicated messages) between the AP and each legitimate computer
[Figure: Alice and Bob exchange encrypted messages with the AP; Mallory should NOT be able to decrypt the airborne traffic]

Outdated Algorithms for Wi-Fi Security
• The Wired Equivalent Privacy (WEP) algorithm has numerous flaws.
  – You should NOT use WEP in your home Wi-Fi. An attacker can easily break into the network.
  – Available attack/monitor tools: aircrack-ng, CommView
• The WPA (Wi-Fi Protected Access) algorithm is stronger than WEP
  – But WPA still has some serious weaknesses
  – So, you should avoid WPA

Current Standard for Wi-Fi Security: An overview
• The current standard, WPA2, has replaced WPA
• Its Pre-shared Key (PSK) mode (also known as Personal mode) is designed for home networks
• Caution: WPA and WPA2 remain vulnerable if users rely on a weak password or passphrase
  – An attacker who records the handshake between a computer and the AP can try candidate passphrases offline, with no further contact with the network; the only defense is a passphrase that cannot be guessed
  – Available attack/monitor tools: aircrack-ng, kismet
  – A randomly chosen passphrase longer than 13 characters is probably secure; a dictionary word or a well-known phrase of the same length is not

Wi-Fi Protected Setup (WPS)
• A standard that attempts to allow establishment of a secure (WPA/WPA2) Wi-Fi in an easy way
• But WPS has serious security flaws
  – We should not use WPS
• An attacker can recover the WPS PIN in a few hours
  – and thus the network's WPA/WPA2 pre-shared key.
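Why the passphrase, not the algorithm, is the weak point of WPA2-PSK: the pre-shared key is derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 256-bit output), and an attacker holding a recorded handshake can run that derivation on as many guesses as she likes, offline. The block below is an added example, not code from the slides: it derives the key exactly as the standard does, runs a small offline dictionary attack against a constructed wordlist and SSID (`HomeNet` and the wordlist are made up), and estimates how long exhaustive search of a random passphrase would take. The known test vector (passphrase `password`, SSID `IEEE`) from the 802.11i standard is used to check the derivation.

```python
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key of WPA/WPA2-PSK: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32 bytes (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(ssid: str, wordlist: Iterable[str], target_pmk: bytes) -> Optional[str]:
    """Attacker model: having recorded the 4-way handshake, she can test every candidate
    passphrase offline. A real cracker checks each candidate PMK against the handshake's
    MIC; comparing against the PMK directly costs the same per guess."""
    for candidate in wordlist:
        if hmac.compare_digest(wpa2_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


def random_passphrase(length: int = 16) -> str:
    """A passphrase the attacker cannot enumerate: every character is drawn uniformly."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def years_to_exhaust(length: int, alphabet_size: int = len(ALPHABET),
                     guesses_per_second: float = 1e6) -> float:
    """Worst-case time to try every passphrase of the given length at the given guess rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


# Constructed wordlist standing in for the dictionaries that attack tools ship with.
WORDLIST = ["password", "12345678", "sunshine1", "iloveyou", "letmein123", "HomeNet2014"]

if __name__ == "__main__":
    ssid = "HomeNet"                              # assumed SSID for the demonstration
    weak = wpa2_pmk("sunshine1", ssid)            # what a handshake capture lets the attacker test against
    strong = wpa2_pmk(random_passphrase(), ssid)
    print("weak passphrase recovered:", offline_guess(ssid, WORDLIST, weak))
    print("strong passphrase recovered:", offline_guess(ssid, WORDLIST, strong))
    print("years to exhaust 14 random characters at 1M guesses/s: %.1e" % years_to_exhaust(14))
```

The SSID acts as the salt, so the same passphrase yields different keys on different networks and pre-computed tables only help against default SSIDs; it does nothing against a short or dictionary passphrase, which the loop above recovers in milliseconds.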
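The algorithm an AP is running (WEP, WPA, WPA2) and whether WPS is switched on are both announced in the beacon frames every AP broadcasts, which is how scanners such as kismet and aircrack-ng's airodump fill in their "encryption" column and how you can verify, from a client, that a router really ended up on WPA2 with WPS off after configuring it. The following block is an added example, not part of the slides: it parses the information elements of a beacon (the RSN element for WPA2, the vendor element for WPA, the WPS vendor element, and the Privacy bit that alone signals WEP) and reports what the AP offers. The three beacon bodies at the bottom are constructed by hand, not real captures.

```python
import struct
from typing import Dict, List, Optional, Tuple

OUI_IEEE = b"\x00\x0f\xac"   # suite selector OUI used by the RSN (WPA2) element
OUI_MS = b"\x00\x50\xf2"     # OUI used by the older WPA vendor element and by WPS
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE"}
CAP_PRIVACY = 0x0010         # Privacy bit of the beacon capability field


def parse_ies(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the tagged-parameter area of a beacon into (element id, body) pairs."""
    ies, i = [], 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        ies.append((eid, body))
        i += 2 + length
    return ies


def _suite_list(body: bytes, offset: int, oui: bytes) -> Tuple[List[Optional[int]], int]:
    """Little-endian count followed by that many 4-byte OUI+type suite selectors."""
    (count,) = struct.unpack_from("<H", body, offset)
    offset += 2
    suites = []
    for _ in range(count):
        sel = body[offset:offset + 4]
        if len(sel) != 4:
            raise ValueError("truncated suite list")
        suites.append(sel[3] if sel[:3] == oui else None)   # None: vendor-specific suite
        offset += 4
    return suites, offset


def parse_security_ie(body: bytes, oui: bytes) -> Dict[str, object]:
    """Shared layout of the RSN and WPA elements: version(2) | group cipher(4) |
    pairwise count(2) + suites | AKM count(2) + suites."""
    (version,) = struct.unpack_from("<H", body, 0)
    group = body[2:6]
    pairwise, off = _suite_list(body, 6, oui)
    akms, _ = _suite_list(body, off, oui)
    return {"version": version, "group": group[3] if group[:3] == oui else None,
            "pairwise": pairwise, "akm": akms}


def classify_beacon(capability: int, ies_bytes: bytes) -> Dict[str, object]:
    """Report Open / WEP / WPA / WPA2 (with key management), the ciphers, WPS and findings."""
    rsn = wpa = None
    wps, ssid = False, None
    for eid, body in parse_ies(ies_bytes):
        if eid == 0:
            ssid = body.decode("utf-8", "replace") or "<hidden>"
        elif eid == 48:                                     # RSN element: WPA2
            rsn = parse_security_ie(body, OUI_IEEE)
        elif eid == 221 and body[:4] == OUI_MS + b"\x01":    # WPA vendor element
            wpa = parse_security_ie(body[4:], OUI_MS)
        elif eid == 221 and body[:4] == OUI_MS + b"\x04":    # WPS vendor element
            wps = True
    findings: List[str] = []
    if rsn is not None:                                     # mixed WPA/WPA2 mode: RSN wins
        security = "WPA2-" + "/".join(AKM_NAMES.get(a, "?") for a in rsn["akm"])
        ciphers = rsn["pairwise"]
    elif wpa is not None:
        security, ciphers = "WPA", wpa["pairwise"]
        findings.append("WPA is outdated; reconfigure the AP for WPA2-PSK")
    elif capability & CAP_PRIVACY:                          # encryption demanded, no RSN/WPA: WEP
        security, ciphers = "WEP", []
        findings.append("WEP is broken; reconfigure the AP for WPA2-PSK")
    else:
        security, ciphers = "Open", []
        findings.append("no encryption at all")
    if 2 in ciphers:
        findings.append("TKIP offered as a pairwise cipher; allow CCMP (AES) only")
    if wps:
        findings.append("WPS is enabled; its PIN can be brute-forced, disable it")
    return {"ssid": ssid, "security": security, "wps": wps, "findings": findings,
            "ciphers": [CIPHER_NAMES.get(c, "?") for c in ciphers]}


def _ie(eid: int, body: bytes) -> bytes:
    return bytes([eid, len(body)]) + body


# Constructed beacon contents (capability field plus information elements), not captures.
SSID_IE = _ie(0, b"HomeNet")
RSN_CCMP_PSK = _ie(48, b"\x01\x00" + OUI_IEEE + b"\x04" + b"\x01\x00" + OUI_IEEE + b"\x04"
                   + b"\x01\x00" + OUI_IEEE + b"\x02" + b"\x00\x00")
WPA_TKIP_PSK = _ie(221, OUI_MS + b"\x01" + b"\x01\x00" + OUI_MS + b"\x02"
                   + b"\x01\x00" + OUI_MS + b"\x02" + b"\x01\x00" + OUI_MS + b"\x02")
WPS_IE = _ie(221, OUI_MS + b"\x04" + b"\x10\x4a\x00\x01\x10" + b"\x10\x44\x00\x01\x02")
GOOD_AP = (CAP_PRIVACY, SSID_IE + RSN_CCMP_PSK)              # WPA2-PSK, CCMP, no WPS
WEAK_AP = (CAP_PRIVACY, SSID_IE + WPA_TKIP_PSK + WPS_IE)     # WPA/TKIP with WPS on
WEP_AP = (CAP_PRIVACY, SSID_IE)                              # Privacy bit, no RSN/WPA element

if __name__ == "__main__":
    for name, (cap, ies) in (("good", GOOD_AP), ("weak", WEAK_AP), ("wep", WEP_AP)):
        print(name, classify_beacon(cap, ies))
```

To run it on a real network, feed the capability field and the element area of a beacon captured in monitor mode; the findings list is the same checklist a practitioner walks after finishing the router setup.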
Acknowledgement: wikipedia.org

Configuring a Router (AP) with WPA2
• Walking through the setup procedure
1. Connect a computer to one of the LAN ports on the back of the router
2. Open a web browser and type http://router-IP-address (e.g. 192.168.0.1; it should be given in the router manual) to get the configuration page of the router. Then do the following.
3. Change the router's default administrative password
4. Choose an SSID name (otherwise, the default one will be used)
5. Select WPA2-PSK among the available security algorithms
6. Set a password/passphrase for the WPA2-PSK protocol to use
7. Give each user (each computer at home) the same passphrase
• Check / ensure that WPA2 is ON on the router at the end of the above steps.

Configuring a Computer

More on Router Configuration
• Enable the built-in NAT/firewall in the router
  – the router has two sides, i.e. the outside world (the Internet) and the inside network (home)
  – the outside world sees only the router's public address (a globally unique IP address)
  – the multiple computers inside your home get local addresses (e.g. an IP address like 192.168.1.3)
• The DMZ option
  – the router exposes one specific internal computer
  – the router forwards all incoming traffic to that host
  – this is an insecure option, so avoid DMZ

More on Router Configuration
• The router can be configured with a remote access option
  – this option allows you to reach your router's configuration page from the outside world
  – instead of the router's LAN IP address, you have to use the router's Internet IP address
• Remote access can cause security problems
  – disable remote access to the router as soon as it is installed

Case Study: A Linksys Router
• The E1200 is a wireless router
  – It also has 4 Ethernet ports
  – the default IP address is 192.168.1.1
  – the admin username and the default password are both "admin"
  – the default SSID of the E1200 is CiscoXXXXX
  – supports security protocols e.g.
WPA2, WPA, WEP
  – WPS is Enabled by default; disable it
Acknowledgement: Linksys E1200 manual

A Hands-On Activity: Configure a Router

A few additional security measures: Tradeoff b/w usability and security
1. Disable the SSID broadcast
   – SSID broadcast attracts the attacker
   – But disabling it means each of your computers needs to remember the SSID
2. Assign static IP addresses to all computers at home; turn off DHCP
   – If the DHCP (dynamic addressing) option is ON, the attacker may get a valid IP address from the AP
   – Turn off DHCP; configure each connected device with a unique static IP
   – Use a private IP address range (like 192.168.x.x or 10.0.0.x) to prevent computers at home from being directly reached from the Internet
3. Use access control for any computers offering files and services
   – Note: measures 1 and 2 only slow a determined attacker; a sniffer learns the SSID from the frames of computers joining the network and the addresses in use from their traffic, so they supplement, but never replace, WPA2 with a strong passphrase

Wireless Intrusion Detection Tools
We should monitor our home Wi-Fi network whenever possible. The available tools are:
– Wireshark: captures all of the wireless network's communications and analyzes the traffic to detect possible intrusion attempts
– AirSnare: monitors for unfriendly MAC addresses and alerts us; also monitors DHCP requests from clients

Case Study: The AT&T Wireless Router
• Discuss why this is an advanced router

Summary
• We discussed common security threats of an open Wi-Fi at home
• We presented a few standard countermeasures to mitigate the risks
• Reminder:
  – the next homework is due before the next class (1pm on February 21)
  – the next class will be held in Room 128
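The check AirSnare performs (an unfamiliar MAC address asking the router for an address) can also be done from the router's own DHCP log, which on many home routers is written by dnsmasq. The block below is an added example illustrating the "Wireless Intrusion Detection Tools" slide; it is not AirSnare's code or the slides'. It assumes dnsmasq's log line format, keeps a list of known MAC addresses, and reports every other device that requested a lease, with the address and hostname it obtained. The log lines and MAC addresses are constructed for the demonstration.

```python
import re
from typing import Dict

# Constructed sample of dnsmasq DHCP log lines (not a real capture; MACs are made up).
SAMPLE_LOG = """\
Feb 20 18:02:11 router dnsmasq-dhcp[412]: DHCPDISCOVER(br0) 08:00:27:5a:1e:01
Feb 20 18:02:11 router dnsmasq-dhcp[412]: DHCPOFFER(br0) 192.168.1.10 08:00:27:5a:1e:01
Feb 20 18:02:12 router dnsmasq-dhcp[412]: DHCPREQUEST(br0) 192.168.1.10 08:00:27:5a:1e:01
Feb 20 18:02:12 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.10 08:00:27:5a:1e:01 alice-laptop
Feb 20 18:05:40 router dnsmasq-dhcp[412]: DHCPDISCOVER(br0) 3c:22:fb:aa:bb:cc
Feb 20 18:05:40 router dnsmasq-dhcp[412]: DHCPOFFER(br0) 192.168.1.23 3c:22:fb:aa:bb:cc
Feb 20 18:05:41 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.23 3c:22:fb:aa:bb:cc android-9f3e
Feb 20 19:11:03 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.11 08:00:27:5a:1e:02 bob-tablet
Feb 20 19:11:03 router dnsmasq[412]: reading /etc/resolv.conf
"""

# Devices the household owns (assumed list for the example): MAC -> friendly name.
KNOWN_DEVICES = {"08:00:27:5a:1e:01": "alice-laptop", "08:00:27:5a:1e:02": "bob-tablet"}

# dnsmasq format: "<msg>(<iface>) [<ip>] <mac> [<hostname>]"; the IP is absent on DISCOVER.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"(?P<msg>DHCP\w+)\((?P<ifname>\w+)\) (?:(?P<ip>\d+\.\d+\.\d+\.\d+) )?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$"
)


def unknown_clients(log_text: str, known: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Every MAC that asked the router for an address and is not on the known list, with
    when it first appeared, the address it was granted and the hostname it claimed."""
    strangers: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                          # not a DHCP event
        mac = m["mac"]
        if mac in known:
            continue
        entry = strangers.setdefault(
            mac, {"first_seen": m["ts"], "ip": None, "hostname": None, "events": 0})
        entry["events"] += 1
        if m["msg"] == "DHCPACK":             # the lease was actually handed out
            entry["ip"] = m["ip"]
            entry["hostname"] = m["host"]
    return strangers


if __name__ == "__main__":
    for mac, info in unknown_clients(SAMPLE_LOG, KNOWN_DEVICES).items():
        print("ALERT: unknown device %s first seen %s, got %s as %s (%d DHCP messages)"
              % (mac, info["first_seen"], info["ip"], info["hostname"], info["events"]))
```

A MAC address is trivially spoofed, so this is detection, not access control: an unknown device that obtained a lease means someone already passed the AP's authentication, and the response is to change the WPA2 passphrase, not merely to block the address.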