Your Home Network Security: Countering the Threats
In a world where we’re all more connected than ever, keeping our home networks safe is super important for keeping our personal details and money secure. Our home routers are the key to all of this. They connect all our devices to the huge online world, but they also help keep out lots of online dangers. Still, even these smart devices can have weak spots. Things like out-of-date software, weak protection codes, and easy-to-guess passwords can all be taken advantage of by crafty online crooks looking for a way in.
Looking into these weak spots and how they can hurt us isn’t just for tech experts. It’s a really important part of understanding the big risks we face every day. By shining a light on these dangers, we want to get people thinking ahead about how to keep their home networks safe. Here, we suggest taking a closer look at these vulnerabilities to better understand what these weak spots are and why they can be so risky, equipping you with the knowledge to tackle these issues.
Getting under the hood
To fully grasp the magnitude and implications of router vulnerabilities, we first need to define what we mean by “vulnerabilities”. In the context of cybersecurity, a vulnerability is a weakness or flaw in a system’s design, implementation, or operation that could be exploited to compromise the system’s confidentiality, integrity, or availability. When talking about routers, it often relates to the router’s firmware, hardware, or configuration settings. Exploiting these soft spots, an attacker could potentially gain unauthorized access to the network, intercept or manipulate data, or disrupt network services.
To manage and prioritize the mitigation of these vulnerabilities, they are usually classified based on their severity: Critical, High, Medium, and Low. These labels are often derived from a scoring methodology known as the Common Vulnerability Scoring System (CVSS). The CVSS provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
Let’s now explore a few firm examples – focusing specifically on WiFi routers. Keep in mind, these instances represent just a fraction of potential risks. They serve to highlight the diverse nature of cybersecurity issues that can arise in WiFi router setups.
These are the most severe types of vulnerabilities that, if exploited, could result in a total compromise of the router, leading to the loss of confidentiality, integrity, and availability of data and services. There are the top 5 critical vulnerabilities, based on statistical severity and potential danger:
Occurs when a WiFi router’s software fails to manage memory allocation accurately, leading to an overflow of data beyond buffer boundaries. This overflow can overwrite adjacent memory spaces, potentially enabling the execution of malicious code or causing a system crash. A buffer overflow was discovered in TP-Link routers, specifically the TP-Link WR-940 model. This vulnerability allowed malicious third parties to remotely control the device. The issue arose in the System Tools/Diagnostic tab of the control panel, where users could send Internet Control Message Protocol (ICMP) echo requests/response packets via ping. Although the panel’s security controls limited character type and number, nothing prevented a user from intercepting requests with a Burp Suite proxy and malforming them, leading to a buffer overflow issue. Similarly, Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls had a buffer overflow vulnerability in the notification function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected device.
A security flaw arises when security measures aren’t correctly implemented, allowing attackers to circumvent authentication and gain unauthorized access to a router’s administrative interface. This could lead to alterations in security settings or data manipulation. For instance, a vulnerability was discovered in Arcadyan routers, including certain Buffalo models. This flaw allowed users to bypass authentication to the web interface by exploiting a bug in the bypass_check() function. The function was designed to allow unauthenticated access to certain URLs, like the login page. However, an attacker could access other pages without authentication by appending additional path information to these URLs. By requesting /images/../info.html, an attacker could access the info.html page, which normally requires authentication. Also, Cisco Systems’ MAC Authentication Bypass feature, designed to authenticate devices based on their MAC addresses, could potentially be exploited if not properly secured.
Command Injection is a security vulnerability that arises due to insecure input validation. If user-generated data is directly incorporated into a command executed by the system, it can be manipulated by attackers to execute any command on the router’s operating system. Several models in the Linksys E-Series WiFi routers were found to be prone to remote OS command injection vulnerabilities due to improper validation of system command parameters passed via the web administration interface. An attacker could exploit this vulnerability by appending malicious commands after a valid IP address using two ampersand characters, leading to the execution of arbitrary commands. A major vulnerability in several high-end Netgear routers allowed remote attackers to commit command injection attacks. The attacks involved tricking victims using Netgear routers into visiting a malicious link, which then infected their routers and allowed the execution of highly privileged commands.
Cross-Site Request Forgery
A CSRF attack misleads victims into making unintended requests, manipulating their identity and privileges. In a router context, CSRF can lead to unexpected alterations in router settings, thus opening the network to further attacks. From February to March 2019, over 4.6 million CSRF web-based attacks were detected and blocked by Avast’s Web Shield. These attacks aimed to silently modify DNS settings on routers. If successful, the routers were reconfigured to use rogue DNS servers, redirecting victims to phishing pages when they accessed sites like banking platforms or Netflix. In the same year, the GhostDNS exploit kit was particularly active. This kit also sought to alter the DNS settings of routers, with a primary focus on specific models such as TP-Link TL-WR340G, TP-Link WR1043ND, and D-Link DSL-2740R.
Inadequate Encryption Strength
Weak or outdated encryption algorithms in Wi-Fi routers can compromise data transmission security, making it easier for attackers to decode intercepted data. This vulnerability was evident in D-Link DIR-865L routers, where attackers could sniff network traffic and steal session cookies, leading to unauthorized access and potential data manipulation. A similar scenario was observed with Zyxel’s ATP, USG FLEX, VPN, and ZyWALL/USG firewalls, where inadequate encryption strength allowed attackers to conduct a brute force attack completely offline. Even the WPA2 protocol, widely used by many Wi-Fi routers, was not immune to such threats. The “KRACK” attack exploited weaknesses in the protocol’s handshake process to decrypt network traffic.
This vulnerability type represents significant security risks and can lead to substantial harm if exploited, such as unauthorized access or denial of service. However, it typically requires specific conditions to exploit or may not affect the core functionality of the system:
Also known as Hard-coded Credentials, it is a significant vulnerability in router software that can provide attackers with an effortless entry point. This vulnerability arises when manufacturers embed a default username and password into the device’s firmware. The TN-4900 series routers had a vulnerability where an attacker could gain privileges if an embedded credential was used and has been identified in firmware v1.1 or lower. Similarly, Zyxel firewalls and AP controllers had a hardcoded credential vulnerability in the “zyfwp” user account, designed to deliver automatic firmware updates to connected access points through FTP.
Missing Data Encryption
Some routers might not encrypt data during transmission or storage. Without encryption, sensitive information can be intercepted or accessed by attackers. A notable case is the Mirai malware attack in 2016, which exploited routers with default or easily guessable credentials. Mirai infected a multitude of devices, from routers to video cameras, creating a botnet of around 400,000 devices. The malware then launched a massive Distributed Denial-of-Service (DDoS) attack, disrupting major internet services. This was possible because the data transmitted by these devices was not encrypted, allowing the malware to easily intercept and manipulate it. Another instance is the “Evil Twin” attack, where an adversary impersonates a legitimate Wi-Fi access point. The attacker broadcasts a stronger signal, enticing users to connect to it instead of the real access point. Once connected, the attacker can read any unencrypted data the victim sends over the internet, including credit card numbers and login credentials.
Vulnerabilities in outdated router firmware can be exploited in a multitude of ways by cyber attackers. For example, an attacker could utilize an unpatched vulnerability to illicitly gain access to a router’s internal configurations. In doing so, they can manipulate the router’s functions, including the potential to reroute all network traffic through a server under their control. This tactic facilitates the monitoring, alteration, or disruption of this traffic, a stratagem known as a Man-in-the-Middle (MITM) attack. Further, unauthorized network access enables cybercriminals to pilfer sensitive information, execute data breaches, or even co-opt the router into a botnet to conduct a Distributed Denial of Service (DDoS) attack. In such an attack, a multitude of compromised devices, known as bots, inundate a target system such as a server with traffic, subsequently rendering it inaccessible to its legitimate users. In 2022, a study revealed that popular routers from Netgear, D-Link, Linksys, TP-Link, and others were running outdated firmware, leaving them susceptible to known vulnerabilities. The worst offender was TP-Link’s Archer AX6000 router, found to have 32 security issues due to outdated firmware. In another case, routers from Asus and Synology were also found to be running outdated firmware, exposing them to potential attacks.
Insecure default settings in routers, such as open network ports or weak Wi-Fi Protected Setup (WPS) pins, can be exploited by attackers. Like in the case when the Slingshot APT targeted MikroTik routers, exploiting the router’s Winbox Loader management suite, the attackers placed a malicious component on the router, which was downloaded by the Winbox Loader, infecting the router’s administrator. This sophisticated attack replaced a legitimate Windows library with a malicious one, capable of interacting with a virtual file system. The malicious library downloaded other harmful components, leading to unauthorized access and data exfiltration.
Exposed Sensitive Information
A significant vulnerability in some routers leads to improper protection of sensitive data, such as encryption keys or passwords. This can be due to storing sensitive information in clear text, poor data handling practices, or insecure data transmission methods. For example, the Netgear R6400 router had a flaw in its password recovery mechanism, failing to implement proper user verification. This allowed an attacker to trigger the password recovery process, intercept the communication, and reset the admin password, gaining full control over the router’s settings. Also, the Linksys WRT54GL router was found to store Wi-Fi encryption keys in plain text within its configuration settings. An attacker gaining access to the router’s administrative interface could easily read the Wi-Fi encryption keys, decrypt Wi-Fi traffic, and gain unauthorized access to the network.
Medium and Low
At the low end of the risk spectrum, we have soft spots that, though not easily exploitable, can have a relatively small impact. While both medium and low vulnerabilities may be more challenging to exploit than high-risk ones, they still can potentially result in significant consequences like service disruptions or data loss if not properly managed:
Absence of Multi-Factor Authentication
Multi-Factor Authentication (MFA) enhances security by requiring multiple identity verification forms. Verification can take the form of something the user knows (such as a password), something the user has (like a smartcard or token), or something inherent to the user (like biometric data, or fingerprints). When MFA is not in use, the system becomes more susceptible to breaches. A compromised password alone can enable unauthorized access.
Weak Access Management
Access Control Lists (ACLs) determine which users or system components can access specific network parts. They do this by cross-checking user credentials against a predefined list before granting or refusing access. If an ACL is not properly configured, it could unintentionally permit unauthorized users or systems to access restricted network areas. This can lead to data breaches, unauthorized changes, or even system takeovers.
Restricted User Account Control
A robust network system assigns different roles, such as admin, user, or guest, with varying access levels. If a breach occurs, this role-based system limits the intruder’s powers, which aligns with the compromised account’s role. However, if a router does not differentiate user roles, unauthorized users who gain access could have full administrative power. This could lead to significant data theft, damage, or modification.
Wi-Fi Protected Setup (WPS) aims to simplify network access but has notable security flaws. If WPS is active, it may allow unauthorized network access by exploiting these vulnerabilities, such as the well-known WPS PIN brute-force attack. A secure router should disable WPS to strengthen its defenses.
Poorly Secured Guest Network
Guest networks are often set up for temporary users to keep them from accessing the main network. However, if the guest network is not effectively isolated from the primary one, it might unintentionally serve as a gateway for unauthorized users to access the main network’s resources.
The concept of vulnerability severity is not a hard-and-fast rule. Rather, it’s a shifting measurement relative to its surrounding circumstances and environment. For instance, a vulnerability that’s labeled as ‘medium’ within a home setting could very well escalate to a ‘high’ severity level in a business context. This increase is due to the amplified potential consequences that such a threat could cause in a business setting.
Strengthening WiFi router security: What you can do right now
Understanding and implementing WiFi security measures might seem overwhelming but we will introduce real and practical actions that you can execute immediately to protect your router from a variety of potential threats.
Step 1. Consistent and timely firmware updates
Firmware updates serve as a primary line of defense against numerous critical vulnerabilities, such as Buffer Overflow, Command Injection, Path Traversal, and Server-Side Request Forgery (SSRF).
The following steps will guide you through the process of updating your router’s firmware. These instructions are general, as the specific process may vary based on your router’s model and manufacturer:
1) Access your router’s administrative interface: This is usually done by opening a web browser on a device connected to your network and entering your router’s IP address into the browser’s address bar. Common router IP addresses include “192.168.1.1” or “192.168.0.1”. If you are unsure of your router’s IP address, you can consult your router’s user manual or the manufacturer’s website. If you’re unable to access the router’s interface, ensure you are connected to your network and recheck the IP address. If the issue persists, you may need to reset your router or contact your Internet Service Provider (ISP) or the router’s manufacturer for assistance.
2) Locate the firmware update section: Once you’ve accessed the administrative interface, you need to find the firmware update section. This is often found under sections titled “Firmware,” “Router Upgrade,” “Software,” or “System Update”. The interface can differ significantly between manufacturers and even between different models from the same manufacturer. If you can’t find this option, consult your router’s user manual or the manufacturer’s website. If the option is missing, your router might not support user-initiated updates. In such cases, the router usually updates itself automatically, but you should confirm this with the manufacturer.
3) Check for updates: After locating the update section, you can check for available firmware updates. This is usually a matter of clicking a button labeled “Check for Updates” or something similar. If the check fails or takes too long, ensure your router has a stable internet connection. If your router does not have an automatic update check feature, you may need to manually download the firmware update file from the manufacturer’s website.
4) Download and install updates: If an update is available, an option to download and install the update will typically be displayed. Before starting the update, double check your router is connected to a reliable power source to avoid accidental shutdowns during the update process. Such shutdowns could render your router non-operational. Once the update starts, do not interrupt it by closing the browser window or turning off the router. Doing so might cause the update to fail and could potentially damage your router. The update process may take several minutes to complete, during which your network might be temporarily unavailable.
Step 2: Employ strong password hygiene
To counter Authentication Bypass and Weak Password vulnerabilities, you have to use strong, unique passwords for your router’s login credentials. The first line of defense in password security is the password itself. Here’s a more detailed breakdown of the characteristics of a secure password:
1) Length: Your password should ideally be a minimum of 12 characters long. The longer the password, the more difficult it is for a brute-force attack to succeed. A brute force attack involves systematically checking all possible password combinations until the correct one is found. If your router interface doesn’t allow passwords of this length, aim for the maximum length allowed.
2) Complexity: A complex password includes a mix of different character types – uppercase letters, lowercase letters, numbers, and special characters (like %, $, &, *, etc.). The more diverse your password composition, the harder it is for hackers to predict and crack it. If the system restricts the use of special characters, you can still have a balanced mix of the other types.
3) Uniqueness: Avoid using the same password across multiple platforms or devices. If one account gets compromised, the rest remain safe. Also, refrain from using easily guessable information like your name, date of birth, or common words. These can be easily mined from social media profiles or guessed by those who know you.
4) Change Frequency: Updating your password regularly further reduces the risk of password guessing or cracking. Aim to change your router password every three to six months. Regular changes can seem overwhelming, but remember that each change acts as a reset, potentially invalidating any unauthorized access gained by an attacker.
Keeping track of a unique, complex password can be challenging. If you need help memorizing it, consider using a reputable password manager instead of storing your password in plain text on your computer. Plain text storage is vulnerable to various attacks, like malware, which can easily extract information.
Step 3: Disable redundant services and features
Reducing your router’s attack surface provides a significant boost in protecting it against Direct Access Loopholes and Unsafe Presets vulnerabilities. A large attack surface means more entry points for potential intruders, and disabling non-essential features and services that you don’t regularly use can significantly narrow down this count.
1) Remote Management: This functionality allows you to access your router’s settings from anywhere over the internet. While it might seem convenient, it opens up a potential pathway for cyber-attacks. If you have no pressing need to change your router settings when you’re away from your home network, it’s advisable to turn this feature off.
The option to disable this feature is usually nestled in the “Administration,” “Advanced,” or “Remote Management” sections of your router’s administrative interface. Consult your router’s manual if you encounter difficulty finding it.
However, if disabling this function completely hinders your operations, you should consider restricting remote access to specific IP addresses (preferably a VPN), adding an extra layer of protection. Keep an eye out for any unexpected changes in your router settings, as this might indicate unauthorized remote access.
2) WPS (WiFi Protected Setup): WPS offers a quick and easy way to connect devices to your WiFi. Despite the convenience it offers, it can also provide a direct route for intruders to gain unauthorized access to your network. The WPS feature is designed with ease of use in mind, not security, so it’s safer to disable it if it’s not absolutely necessary.
To disable WPS, locate the option in your router’s interface. This is usually found under the “WiFi” or “Wireless” section. If you cannot find it, check your router’s manual or online resources from the manufacturer.
If your wireless devices struggle to connect after disabling WPS, verify the entered password for accuracy. A common mistake after disabling WPS is mistyping the WiFi password, as you’re no longer using the simplified WPS connection method.
3) UPnP (Universal Plug and Play): UPnP is designed to ease the connectivity of devices by automatically opening ports on your router, allowing devices to communicate seamlessly with the external world. However, this “open-door” policy can lead to vulnerabilities as it can also allow unwanted traffic through.
If you’re not actively using applications or devices requiring UPnP, it’s worth disabling it. This option can usually be found under “NAT,” “Port Forwarding,” or “Gaming” settings in your router interface.
In case you encounter connectivity issues with certain devices after turning off UPnP, you might have to manually set up port forwarding for those devices. This requires more technical know-how, so be prepared to consult device-specific documentation or online resources for guidance.
In the case of forgotten passwords or locked access, most routers have a reset button. Pressing this button restores factory settings, allowing you to set up a new password. However, this also resets your entire configuration, so use it as a last resort. Always have a backup of your configuration settings to avoid starting from scratch after a reset.
Step 4: Guest network and access management
Establishing a separate network for guests and enforcing rigorous access control protocols are good measures for addressing potential weaknesses such as Weak Access Management, Restricted User Account Control, and Poorly Secured Guest Network vulnerabilities.
1) Assemble a secure Guest Network: Crafting a separate network specifically for guests or non-regular users is a highly effective measure to limit exposure to your primary network and its connected devices. This is particularly useful if your router supports the guest network feature.
- Access your router’s admin console, typically by typing the router’s IP address in a web browser. The exact address should be mentioned in your router’s user manual.
- Search for the “Guest Network” option. This could be located under the “Wireless”, “Security”, or similarly titled section.
- Enable the guest network and assign it a unique SSID (name), distinguishable from your primary network.
- Remember to secure the guest network with a strong password, adhering to the password practices outlined in Step 2.
- Be cautious about unauthorized access attempts. If you notice unfamiliar devices connecting to the guest network, change the network password promptly.
2) Regulate access to your Primary Network: The access control settings in your router allow you to restrict the devices that can join your primary network. This gives you better control over your network’s security.
- Navigate to the “Access Control” or “Security” section of your router’s settings.
- Enable access control – this might be labeled as “Turn on Access Control”, “Enable Access Control”, or something similar.
- Add the MAC addresses of your trusted devices to the access control list. This guarantee that only the approved devices can connect to your network.
- It’s possible that even an approved device may face connection issues. If that happens, verify if its MAC address is correctly entered in the access control list.
Step 5: Use Built-In security measures
Modern routers are equipped with a range of in-built security mechanisms designed to address various vulnerabilities, such as Denial of Service (DoS) and Cross-Site Request Forgery (CSRF) attacks.
1) Activate DoS Protection: DoS protection is designed to mitigate threats where attackers try to flood your network with excessive traffic, resulting in network failure or severe lag. Here’s how you can usually do it:
- Access your router’s admin settings and locate the “Security” or “Firewall” section.
- Look for an option labeled “DoS Protection,” “Enable DoS Protection,” or something similar.
- Enable this feature to prevent your network from becoming overwhelmed by bogus traffic.
While enabling DoS protection generally enhances your network’s security, you have to keep in mind that this may occasionally result in false positives. If legitimate network requests are being blocked, consider adjusting the sensitivity or threshold settings of your DoS protection feature, if your router offers this option.
2) Enabe CSRF: CSRF protection is a key security feature designed to thwart attacks where hackers attempt to dupe your browser into performing unintended actions on your router’s admin page:
- Navigate to the “Security” or similar section in your router’s settings.
- Look for a setting labeled “CSRF Protection,” “Enable CSRF Protection,” or similarly.
- Enable this feature to shield your router’s admin interface from CSRF attacks.
Remember that CSRF might occasionally interfere with legitimate cross-site requests, causing some websites to not function as expected. If you encounter such issues, you may need to whitelist those specific websites within your CSRF protection settings.
3) Activate Network Firewall: Most routers come equipped with network firewalls that can effectively filter unwanted incoming or outgoing traffic:
- In your router’s admin interface, navigate to the “Firewall” or “Security” section.
- Look for a setting like “Enable Firewall,” “Firewall Protection,” or similar.
- Activate this setting to enable your router’s firewall protection.
Take note, though, that firewall settings can sometimes block legitimate traffic. If you notice that certain applications or devices are having trouble connecting to the internet, you may need to adjust your firewall’s settings or set up specific rules to allow that traffic.
Some more tips
Maintaining a vigilant eye on your network is a game-changer, especially if you’re accessing corporate resources or working remotely. This practice can help reveal potential vulnerabilities like Exposed Sensitive Information and Programmed Access, keeping your work and home networks secure.
1) The diary of your router: Logs
Develop a routine to review your router logs and the records of your router’s activities. They’re essentially a detailed timeline of your network’s narrative, providing invaluable insights about any anomalies.
These logs track a wide array of events, which might include multiple unrecognized login attempts, unfamiliar device connections, or large, unexpected data transfers. Initially, the plethora of data can seem daunting, but a systematic approach will simplify interpretation. Begin by scrutinizing activity timestamps, especially during periods when no known users were accessing the network. If there’s substantial activity during these off-hours, you might be looking at a potential security breach.
2) The power of network monitoring tools
Next on your agenda should be the implementation of network monitoring tools. Tools like Wireshark and Nmap are really helpful in network monitoring and analysis. While Wireshark allows you to dive deep into the traffic on your network, enabling a microscopic view of data packets’ journey across your network, Nmap is renowned for its network mapping capabilities. It can discover devices on your network and services running on these devices, creating a detailed map of your network ecosystem. Both tools can detect potential anomalies that might escape the naked eye.
While these tools offer extensive insights, they come with a steep learning curve. Start by focusing on common intrusion indicators, like a single IP making an overwhelming number of requests or unusually large data packet sizes. Online resources and tutorials can be your guide in this learning process. However, if it seems too overwhelming, don’t hesitate to seek professional assistance.
3) Boring but helpful: a Security Check routine
Consistency is key in network monitoring. Regular checks for firmware updates, password strength, network activity, and access control settings ensure that your network remains shielded from potential threats. Set reminders or schedule dedicated time to perform these checks. Remember, the world of network security is dynamic, and staying up-to-date is essential for maintaining a strong defense. If anything seems out of place or raises a concern, seek professional advice or investigate further. The aim is to catch and rectify vulnerabilities before they can be exploited.
Why it’s important for our team
In the rapidly evolving digital world, being proactive about security is not optional. It’s essential. At Sirin Software, we don’t just understand this – we live it, making the network infrastructure of our clients remain robust and highly efficient. We’ve recently fortified this commitment by joining Microsoft’s Firmware Security Partner Network as an early adopter of their innovative Defender for IoT product. This new technology has substantially empowered our security measures, enabling us to perform firmware scanning that uncovers otherwise hidden insights and identifies potential vulnerabilities before they can evolve into serious compromises. Through this, we are able to augment the additional security of the hardware products we develop for our clients.
Through the creation of the Multipath Internet Gateway, an SD-WAN solution, we’ve shown our ability to balance load distribution between multiple internet channels, guaranteeing constant connectivity. Addressing high-load stability and user-friendly configurations was challenging but our resolve resulted in a system that not only provides secure and uninterrupted internet access but also optimizes the use of various internet channels. However, our commitment doesn’t end with a single project’s success. In our work with embedded systems and the AWS IoT Core, we have consistently highlighted the significance of meticulous security in the IoT space. Our comprehensive approach in these areas demonstrates our dedication to keeping our solutions secure and up-to-date, given the constantly evolving threats in the tech world.
From the custom Linux kernel optimizations to the user-friendly web interfaces, and from understanding the complexities of network vulnerabilities to leveraging the recent cloud technologies for secure data exchange, our experiences echo our commitment to combating network vulnerabilities. For us at Sirin Software, network security isn’t just part of the job – it’s our mission.