BNMC Blog
FOUR LESSER-KNOWN WI-FI SECURITY THREATS AND HOW TO DEFEND AGAINST THEM
You’ve hardened your network against all the common weaknesses; now we’ll show you how to take your wireless security to the next level.
It’s common knowledge that the best way to protect your home Wi-Fi network is by using a strong password. This will keep uninvited guests away and protect your network so eavesdroppers can’t intercept your communications. And we’ve known for more than a decade now that the old Wired Equivalent Privacy (WEP) is so insecure that cracking it is practically child’s play.
Once you’ve protected your network with Wi-Fi Protected Access 2 (WPA2), here are four other vulnerability scenarios you should guard against.
According to Eric Geier, these are the four things that you need to keep in mind:
1) Change your default wireless settings
With the default settings, a gateway’s SSID is clearly advertising the exact gateway model. A hacker could do some easy research to find known security holes. Secondly, the remaining portion of the default password is the last 6 digits of the gateway’s MAC address for 5GHz, marked as CMAC on my gateway’s label. This MAC address is also broadcast and can be picked up by anyone with a Wi-Fi analyzer as simple as a free Android or Windows app.
Now that we know how the default Wi-Fi password is structured on these devices, we can likely connect to other people’s networks that have the same gateway model. A neighbor of mine actually has the same exact SSID as me, but it would likely be illegal for me to attempt to connect to it. So let’s assume for the sake of this argument that my neighbors didn’t change their default password and I could connect if I tried. Your neighbor (or a hacker driving by) might not be so nice, so take a few seconds to change your router’s and/or gateway’s default SSID and Wi-Fi password.
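A self-audit for the two defaults described above, added here as an example that is not part of the original article: it flags an SSID that still names the gateway model and a passphrase that still contains the last 6 digits of one of the gateway's radio MAC addresses. The model string, MAC addresses and passphrases are constructed sample values, and the function names are hypothetical.

```python
import re

def mac_digits(mac: str) -> str:
    """Normalize 'AA:BB:..', 'aa-bb-..' or 'aabb..' to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def audit_defaults(ssid, passphrase, radio_macs, model_names=()):
    """Return findings for an SSID or passphrase built from broadcast identifiers."""
    findings = []
    for model in model_names:
        if model.lower() in ssid.lower():
            findings.append(f"SSID reveals gateway model {model!r}")
    # Ignore case and separators so 'CC-DD-EE' and 'ccddee' both match.
    squeezed = re.sub(r"[^0-9a-z]", "", passphrase.lower())
    for mac in radio_macs:
        tail = mac_digits(mac)[-6:]
        if tail in squeezed:
            findings.append(f"passphrase contains last 6 digits of MAC {mac}")
    return findings

# Constructed sample values; replace with your own gateway's label and settings.
RADIO_MACS = ["02:AA:BB:CC:DD:E0", "02-aa-bb-cc-dd-e4"]  # 2.4 GHz and 5 GHz radios
FACTORY = audit_defaults("ACME-GW1234-5G", "acmeCCDDE4", RADIO_MACS, ["GW1234"])
CHANGED = audit_defaults("bluebird", "tidal-quartz-lantern-83", RADIO_MACS, ["GW1234"])

if __name__ == "__main__":
    print("factory settings:", FACTORY)
    print("after changing: ", CHANGED)
```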
2) Lost or stolen Wi-Fi devices can be security threats
You can lock down your Wi-Fi with the most stringent security, but if you lose your smartphone, tablet, laptop, or any other device that you’ve connected to your Wi-Fi network, whoever recovers it will be in a position to access every network you’ve connected to in the past, since those passwords will have been saved to that device by default. Depending on who recovers the device, where they found it, and how much info they can glean from it, they might even be able to figure out where those networks are physically located.
If you lose a mobile device, see if you can remotely lock or even wipe it (you do back it up on a regular basis, right?) to prevent any unauthorized person from gaining access to the Wi-Fi passwords and any other data you have on it. Secondly, it’s a good idea to change the Wi-Fi password of all the networks you connected it to in the past. Some private networks might not be in your control, so you should notify the parties who are responsible for them—especially your employer.
If you’d been using the simple personal Wi-Fi security modes of WPA or WPA2—technically known as pre-shared key (PSK)—you’ll need to change the password on the gateway or router and then enter that new password on all your other network devices the next time they connect. That will be a moderate inconvenience for the typical home with just a handful of Wi-Fi devices. For a business with dozens of devices on its wireless network, it could be a major pain.
There is a means of mitigating the disruption of compromised passwords, but its complexity and infrastructure requirements put it outside the reach of the typical consumer. This version of WPA or WPA2 is typically called “enterprise mode,” and it works like this: Instead of everyone using the same Wi-Fi password to connect to the network, each user is assigned a unique user ID and password. Any user account that becomes compromised can be changed individually or revoked entirely without impacting anyone or anything else.
Keep in mind, there’s another mode of WPA and WPA2 Wi-Fi security, typically called enterprise mode, which delivers better protection against incidents like this. Instead of everyone using the same Wi-Fi password for the network, each user would receive their own username and password, which could always be individually changed or revoked if a device becomes lost or stolen.
3) Your router's WPS button can be a threat vector
The Wi-Fi Protected Setup (WPS) feature that many wireless routers come with is supposed to help make it easier to secure your Wi-Fi network and connect devices with a quick push of a button or the entry of a PIN (personal identification number). Security holes in this protocol discovered many years ago, however, can allow hackers to gain access to the network without their needing to crack the router’s Wi-Fi password. Since this vulnerability has been known for so long, I assume at least some vendors have patched this hole, but I’m equally sure there are many vulnerable routers out there still.
To be on the safe side, I recommend disabling the WPS feature on your gateway or router—if you can; unfortunately, some routers actually don’t allow this. If you don’t want to purchase a new router just because of this threat, you should check if there are any firmware updates for the router that could possibly patch this and other security holes.
4) Disabling SSID broadcasting can do more harm than good
One security tip that has circled the web since the beginning of Wi-Fi suggests disabling SSID (Service Set Identifier) broadcasting of your network, which is still possible on most wireless routers. Some say this will hide your network and keep people off, since they have to know the SSID in order to attempt a connection. There is a nugget of truth there, but it can do more harm than good.
When you configure your router to not broadcast your network’s SSID, you’re only removing the SSID from the beacons the Wi-Fi router sends to notify nearby Wi-Fi devices of the presence of that network. Those beacons are what populate the list of available networks on your laptops, smartphones, tablets, and other Wi-Fi devices. If the SSID isn’t included in the beacons, Windows devices these days will still indicate the presence of a network; they will just identify its name as “Hidden Network.” Other devices might show a blank name, or not show the network at all.
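What a beacon still reveals, as an added example that is not part of the original article: this parser reads a raw 802.11 beacon and reports the BSSID, channel, whether the SSID element is empty or NUL-filled (a hidden network), and whether the router still advertises the WPS element discussed in section 3. The frames are constructed sample bytes, not captured traffic, and the function names are hypothetical.

```python
import struct

WPS_VENDOR_PREFIX = bytes.fromhex("0050f204")  # OUI 00:50:F2, type 4: WPS element

def parse_beacon(frame: bytes) -> dict:
    """Summarize a raw 802.11 beacon (no radiotap header, no FCS)."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    frame_control = struct.unpack_from("<H", frame, 0)[0]
    if (frame_control >> 2) & 0x3 != 0 or (frame_control >> 4) & 0xF != 8:
        raise ValueError("not a beacon (management type 0, subtype 8)")
    info = {"bssid": frame[16:22].hex(":"), "ssid": None,
            "hidden": True, "channel": None, "wps": False}
    pos = 36  # 24-byte MAC header + timestamp(8) + interval(2) + capabilities(2)
    while pos + 2 <= len(frame):
        element_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated element: stop rather than misparse
        if element_id == 0:  # SSID: hidden if empty or all NUL bytes
            info["hidden"] = length == 0 or not any(body)
            info["ssid"] = None if info["hidden"] else body.decode("utf-8", "replace")
        elif element_id == 3 and length == 1:  # DS Parameter Set: channel
            info["channel"] = body[0]
        elif element_id == 221 and body[:4] == WPS_VENDOR_PREFIX:
            info["wps"] = True  # router still advertises WPS
        pos += 2 + length
    return info

def build_beacon(bssid: bytes, ssid: bytes, channel: int, wps: bool) -> bytes:
    """Construct a sample beacon for the demo (not captured traffic)."""
    header = bytes.fromhex("80000000") + b"\xff" * 6 + bssid * 2 + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    elements = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    if wps:
        wps_body = WPS_VENDOR_PREFIX + bytes.fromhex("104a000110")  # Version 1.0
        elements += bytes([221, len(wps_body)]) + wps_body
    return header + fixed + elements

AP = bytes.fromhex("02aabbccddee")  # constructed, locally administered MAC
SAMPLES = {
    "broadcast SSID, WPS on": build_beacon(AP, b"HomeNet", 6, True),
    "hidden (empty SSID)": build_beacon(AP, b"", 6, False),
    "hidden (NUL-padded SSID)": build_beacon(AP, b"\x00" * 7, 6, True),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(label, parse_beacon(frame))
```

Both hidden samples still yield the BSSID and channel, which is why hiding the name does not hide the network.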
CLICK HERE To see Eric Geier's full article