How to protect your Wi-Fi from your neighbors. There is no absolute protection, but you don't need it. More complex actions

Security in Wi-Fi networks has been constantly improved since the inception of this wireless technology. Lately it has developed so much that almost all modern routers are protected from possible attacks by strong passwords, complex encryption methods, built-in firewalls and many other means of protection against intruders. But what happens if the encryption algorithms that have so far made Wi-Fi one of the most secure protocols are broken?

This is exactly what happened in the fall of 2017, when Belgian researchers from the University of Leuven found several critical vulnerabilities in the WPA2 protocol and published a detailed report about it. The WPA2 protocol is used to secure most Wi-Fi networks in the world and is considered the most reliable security tool available for mass use.

How to protect your data if Wi-Fi no longer guarantees security?

The fact that WPA has been hacked is alarming news that affects many electronic devices, but there is no cause for alarm.

Essentially, researchers have found a vulnerability in the Wi-Fi protocol that makes wireless traffic potentially open to eavesdropping by attackers. In other words, anyone can use this flaw in network security to spy on other people's actions on the Internet, steal credit card numbers and passwords, intercept messages in instant messengers, etc.

Fortunately, manufacturers of many gadgets have already managed to update their devices, eliminating the vulnerability. Besides, WPA2 is far from the only wall of protection between the hacker and users' personal data.

To hack someone else's Wi-Fi, the attacker first needs to position a receiving antenna within range of the radio channel. Second, most information on the Internet is transmitted in already encrypted form, and the hacker will not be able to read it in any case.


The https protocol, which most web servers run on, adds an extra layer of security to your connection, just like using a VPN service.

That's why you should always remember the padlock icon in your browser's address bar. If the small padlock is not displayed there, it means that the site does not use the https protocol, and all information entered into forms, including passwords, may be accessible to third parties.

That is why, before sending your home address or payment details anywhere, you should always make sure there is a padlock in the address bar.

Almost immediately after the news about the Wi-Fi protocol vulnerability, all leading software developers released appropriate patches for their products. For example, Microsoft released an update for Windows in October 2017. Apple also fixed its macOS and iOS operating systems around the same time.

Google released an update for Android in November, so every owner of a device running this platform should check the About section in their phone or tablet's settings to find out when the last security update was released. If it was released before November and your phone is running Android 6 or an earlier version of the OS, then you need to update it.

Which wireless security standard should you prefer?

Wireless routers can use a large set of different protocols for data encryption. Here are the three main standards that most home and office routers work with:

1. Wired Equivalent Privacy (WEP). This protocol was introduced in 1997, immediately after the development of the 802.11 Wi-Fi standard. WEP is now considered insecure, and since 2003 it has been replaced by the WPA security technology with the TKIP encryption method.

2. Temporal Key Integrity Protocol (TKIP). This standard is also obsolete and is gradually falling out of use. But unlike WEP, it can still be found in the firmware of many models of modern equipment.

3. Advanced Encryption Standard (AES). This standard was introduced immediately after TKIP, in 2004, along with the updated and improved WPA2 connection certification system. Routers that work with this technology should be given preference when choosing new network equipment. Gadgets connected to a wireless network must also support AES in order to interact properly with such routers. Despite the vulnerability mentioned above, WPA2 is still considered the best method of Wi-Fi protection. Currently, router manufacturers and ISPs typically use WPA2 as a standard; some of them use a combination of WPA2 and WPA to make it possible to work with the widest range of wireless gadgets.

In the technical documentation for routers you can also sometimes see the letters PSK, which stand for Pre-Shared-Key or Personal Shared Key. When given a choice, it is always better to give preference to models with WPA2-PSK (AES) instead of WPA2-PSK (TKIP), but if some older gadgets cannot connect to the router, then you can go for WPA2-PSK (TKIP). The TKIP option uses the modern WPA2 method while leaving older TKIP-dependent devices able to connect to wireless routers.

How to secure your Wi-Fi

Disabling WPS

WPS stands for Wi-Fi Protected Setup. It is a standard and at the same time a protocol that was created to make setting up wireless connections easier. Despite its practicality and functionality, this solution contains a serious flaw: the eight-digit PIN code, consisting only of numbers, is easily broken by primitive guessing methods, and this creates a convenient starting point for hackers who want to take over someone else's Wi-Fi.

To find out whether a wireless router uses the WPS protocol, take a closer look at the box it comes in: WPS support is indicated by a special logo on the packaging and a separate physical button on the device body. From the point of view of protection against hacking, it is better to disable this protocol and never use it.

19.10.16

How to protect your home router from hackers and neighbors

Why being big can cost you money

Evgeniy did not set a password for Wi-Fi in his apartment. Why bother? You can forget your password. And he doesn't mind that neighbors can use it: the Internet is unlimited anyway. That's what Evgeniy thinks, and he's seriously mistaken.

Nikolay Kruglikov

young hacker

Let's figure out why open internet at home is a bad idea and what it can mean for you.

Listening

Access points without a password are also called open, and it’s not just about the password. At such points, data via Wi-Fi is transmitted without encryption, in open form. Since Wi-Fi is the same as radio waves, it is very easy to intercept traffic: just set the antenna to the desired frequency and you will hear everything that is transmitted between the router and the computer. Without a password on the router, you simply broadcast to the entire neighborhood what you are currently doing on the Internet.

If you are on a porn site, any of your neighbors will be able to find out which video you are watching. If you send a letter, there is a high probability that it can be intercepted at the moment of sending. If you have VKontakte without encryption, then any neighbor can read your private messages.

Wi-Fi without a password is easy to listen to

How to protect yourself

You need to set a password for Wi-Fi. Of course, connections to some sites are encrypted using HTTPS, and you can also enable a VPN, but it is still much more reliable to protect the entire communication channel at once.

Exercise: set a password for Wi-Fi

  1. Open your browser and enter 192.168.0.1 in the address bar. If nothing happens, try 192.168.1.1 and 10.0.0.1. A window will appear with fields for login and password.
  2. Enter login admin and password admin. If that does not work, look up the standard password in the instructions for the router. Most likely it's something simple. Sometimes the login and password are written directly on the router body.
  3. Find the link on the page that says Wi-Fi or Wireless. A screen will open where you can change your password.

If all else fails, call a professional. The technician's task is to password-protect your Wi-Fi.

Set a Wi-Fi password of at least ten characters consisting of numbers and letters. Password 12345678 is the same as no password.

All instructions are designed for a home router. They are unlikely to work at work or in a cafe, because network administrators disable access to router settings for outsiders.

There may be several encryption options in the settings. Each router has a different set of options, so choose the option that is most similar to WPA2-PSK (AES). This is the most secure encryption protocol available today. In combination with a good password it will give you the greatest possible protection.

A strong encryption protocol is important. A bad protocol, just like a bad password, makes it easier to hack. For example, the legacy WEP protocol can be cracked in a few hours.

Selecting an encryption algorithm in the router settings. WPA2-PSK is the best option from this set.

Make sure you have WPS turned off. This technology allows you to connect to the router using an eight-digit PIN. Unfortunately, after mass implementation, WPS was shown to be extremely insecure: it takes only 10 hours to hack a connection even with the most secure protocol. The WPS settings are somewhere in the same place as the Wi-Fi settings.

Manipulating router settings

When hackers connect to your Wi-Fi, they gain access to the router's control panel and can reconfigure it in their own way. To get into your router, you just need to connect to Wi-Fi - you don’t need to be in the apartment. Some nasty schoolboy might be tinkering with your router’s settings right now.

Usually getting into the router settings is not so easy: you need to enter your username and password. But most people have a standard login and password on their router - admin / admin. If you did not change this setting on purpose, there is a high probability that any hacker will be able to break into the router.

Having gained access to the control panel, hackers can easily carry out a man-in-the-middle attack: they will make sure that between you and the site there is a malicious service that steals passwords. For example, the address tinkoff.ru will open not a real, but a fake site that will send them everything you enter. You won’t even know that you have accessed a malicious service: it will look exactly like a real online bank and will even let you in using your username and password. But in this case, the login and password will be in the hands of hackers.

A router with standard settings is easy to redirect to a fake site

How to protect yourself

Change the standard administrator password in the router settings to your own. It should be no less secure than the Wi-Fi password, and at the same time it should be different.

Remote access

Hackers are rarely interested in you specifically unless you are a top manager of a large company. More often, ordinary people fall victim to automated attacks, in which a hacker's program searches for potential victims and tries to apply a standard hacking algorithm.

Some routers have the ability to connect to the web interface from an external network - that is, you can go into the router settings from any place where there is Internet, and not just from home.

This means that your router can be attacked not only by mischievous schoolchildren. The attack may not be targeted: just some hacker in Peru scanning a certain range of addresses for open routers. His program sees your router. Connects. The hacker doesn't even know who you are or where you are - he just sets up a redirect and goes back to his business. And your Facebook login, for example, falls into his hacker program.

Is the most important electronic device in their lives. It connects most other devices with the outside world, and that is why it is of maximum interest to hackers.

Unfortunately, many home and small business routers come with insecure default configurations, have undocumented management accounts, use outdated services, and run on old firmware versions that are easy to hack using well-known tricks. Users themselves will not be able to fix some of the problems listed above, but they can nevertheless take a number of actions to protect these devices from at least large-scale automated attacks.

Basic steps

Avoid using routers provided by ISPs. Firstly, they are often more expensive. But this is not the biggest problem. Such routers, as a rule, are less secure than the models sold by manufacturers in stores. Very often they contain hard-coded remote support credentials that users cannot change. Updates for modified firmware versions often lag behind releases for commercial routers.

Change the default administrator password. Many routers come with generic admin passwords (admin/admin), and attackers constantly try to log into devices using these well-known credentials. After connecting to your router's management interface via a browser for the first time - its IP address is usually found on a sticker on the underside or in the user manual - the first thing you need to do is change the password.

In addition, the router's web management interface should not be accessible from the Internet. For most users, there is simply no need to manage the router from outside the local network. However, if you still have a need for remote control, consider using a VPN to create a secure connection channel to the local network and only then access the router interface.

Even within a local network, it is worth limiting the range of IP addresses from which you can control the router. If this option is available on your model, it is better to allow access from a single IP address that is not part of the pool of IP addresses assigned by the router via DHCP (Dynamic Host Configuration Protocol). For example, you can configure the router's DHCP server to assign IP addresses from 192.168.0.1 to 192.168.0.50, and then configure the web interface to only accept the administrator from 192.168.0.53. The computer must be manually configured to use this address only when it is necessary to administer the router.

Enable access to the router interface via the HTTPS protocol, if there is support for a secure connection, and always log out, closing the session when the setup is complete. Use your browser in incognito or private mode so that cookies are not stored automatically, and never allow the browser to save the username and password of the router interface.

If possible, change the router's IP address. Most often, routers are assigned the first address in a predefined range, for example, 192.168.0.1. If this option is available, change it to 192.168.0.99 or some other address that is easy to remember and that is not part of the DHCP pool. By the way, the entire range of addresses used by the router can also be changed. This helps protect against cross-site request forgery (CSRF), where an attack occurs through users' browsers and using the generic IP address typically assigned to such devices.
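The addressing advice in the last few paragraphs can be checked before you type it into the router. The following is an added example, not part of the original article: the function name and the finding texts are made up for illustration, and the sample plans are constructed from the addresses the text mentions.

```python
import ipaddress


def check_admin_plan(subnet, pool_start, pool_end, router_ip, admin_ip):
    """Return findings for a home-LAN addressing plan; an empty list means OK."""
    net = ipaddress.ip_network(subnet)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    router = ipaddress.ip_address(router_ip)
    admin = ipaddress.ip_address(admin_ip)
    findings = []

    if start > end:
        findings.append("DHCP pool start is above pool end")

    # Every address in the plan must be a usable host address of the LAN subnet.
    for label, addr in (("pool start", start), ("pool end", end),
                        ("router", router), ("admin host", admin)):
        if addr not in net:
            findings.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            findings.append(f"{label} {addr} is not a usable host address")

    def in_pool(addr):
        return start <= addr <= end

    # The admin address must never be handed out by DHCP, otherwise any
    # client that receives that lease passes the router's IP restriction.
    if in_pool(admin):
        findings.append(f"admin host {admin} is inside the DHCP pool")
    # A router address inside the pool can collide with a client lease.
    if in_pool(router):
        findings.append(f"router {router} is inside the DHCP pool")
    # The first address of the range is the predictable default.
    if router == net.network_address + 1:
        findings.append(f"router {router} is still the first address of the range")
    if admin == router:
        findings.append("admin host and router share one address")
    return findings


# Constructed sample plans: the article's numbers, then a typical default.
PAGE_PLAN = check_admin_plan("192.168.0.0/24", "192.168.0.1", "192.168.0.50",
                             "192.168.0.99", "192.168.0.53")
DEFAULT_PLAN = check_admin_plan("192.168.0.0/24", "192.168.0.1", "192.168.0.50",
                                "192.168.0.1", "192.168.0.20")

if __name__ == "__main__":
    print("article plan:", PAGE_PLAN or "OK")
    for finding in DEFAULT_PLAN:
        print("default plan:", finding)
```
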

Create a complex Wi-Fi password and choose a reliable security protocol. WPA2 (Wi-Fi Protected Access 2) is an improvement over the older WPA and WEP, which are more vulnerable to attacks. If your router provides this option, create a guest wireless network, also protecting it with WPA2 and a complex password. Let visitors or friends use this isolated segment of the guest network rather than your main network. They may not have malicious intent, but their devices may be hacked or infected with malicious software.

Disable the WPS function. This rarely used feature is designed to help users set up Wi-Fi using the PIN code printed on the router's sticker. However, several years ago, a serious vulnerability was found in many implementations of WPS provided by various vendors that allows hackers to break into networks. And since it will be difficult to determine which specific router models and firmware versions are vulnerable, it is better to simply disable this function on the router, if it allows you to do this. Instead, you can connect to your router via a wired connection and, through the web management interface, configure Wi-Fi with WPA2 and a custom password (no WPS at all).

The fewer services on your router that are exposed to the Internet, the better. This is especially true in cases where you didn't enable them and perhaps don't even know what they do. Services such as Telnet, UPnP (Universal Plug and Play), SSH (Secure Shell) and HNAP (Home Network Administration Protocol) should not be enabled on an external network at all, as they have potential security risks. However, they should also be turned off on the local network if you are not using them. Online services like ShieldsUP from Gibson Research Corporation (GRC) can scan your router's public IP address for open ports. By the way, ShieldsUP can also run a separate scan specifically for UPnP.

Make sure your router firmware is up to date. Some routers allow you to check firmware updates directly from the interface, while others even have an automatic update function. But sometimes these checks may not occur correctly due to changes in the manufacturer's servers, for example, after several years. Therefore, it is worth regularly checking the manufacturer's website manually to see if there is a firmware update available for your router model.

More complex actions

You can use network segmentation to isolate risky devices. Some consumer routers provide the ability to create VLANs (virtual local networks) within a large private network. Such virtual networks can be used to isolate devices from the Internet of Things (IoT) category, which can be full of vulnerabilities, as researchers have repeatedly proven (Bird Kiwi reviewed this problem in the previous issue of PC World - editor's note). Many IoT devices can be controlled using a smartphone through external cloud services. And since they have access to the Internet, such devices after initial setup should not interact with smartphones directly over the local network. IoT devices often use insecure administrative protocols for the local network, so an attacker could easily hack such a device using an infected computer if they are both on the same network.

Thanks to MAC address filtering, you can keep dangerous devices off your Wi-Fi network. Many routers allow you to limit the list of devices that have the right to enter the Wi-Fi network by their MAC address, the unique identifier of a physical network card. Enabling this feature will not allow an attacker to connect to the Wi-Fi network, even if he manages to steal or guess the password. The downside to this approach is that manually managing the list of allowed devices can quickly become an unnecessary administrative burden for large networks.

Port forwarding should only be used in combination with IP filtering. Services running on a computer behind the router will not be accessible from the Internet unless port forwarding rules are defined on the router. Many programs try to open router ports automatically via UPnP, which is not always safe. If you disable UPnP, these rules can be added manually. Moreover, some routers even allow you to specify an IP address or a whole block of addresses that can connect to a specific port to gain access to a particular service within the network. For example, if you want to access an FTP server on your home computer while at work, you can create a port 21 forwarding (FTP) rule in your router, but only allow connections from your company's block of IP addresses.
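The rules of thumb from the paragraphs on exposed services and on port forwarding can be applied to a list of forwarding rules mechanically. The following is an added example, not part of the original article: the rule format is a hypothetical export (no vendor's real one), the sample rules are constructed, and the /16 width threshold is an arbitrary assumption. It handles IPv4 sources only.

```python
import ipaddress

# Remote-administration services the article says should never face the
# Internet, on their standard TCP ports.
ADMIN_PORTS = {22: "SSH", 23: "Telnet"}
# Assumption: a source block wider than a /16 is treated as "too wide".
MIN_PREFIX = 16

# Constructed sample rules (203.0.113.0/24 is a documentation range that
# stands in for "your company's block of IP addresses").
RULES = [
    {"name": "ftp-from-office", "proto": "tcp", "ext_port": 21,
     "to": "192.168.0.10", "source": "203.0.113.0/24", "origin": "manual"},
    {"name": "game-console", "proto": "udp", "ext_port": 3074,
     "to": "192.168.0.23", "source": None, "origin": "upnp"},
    {"name": "camera-telnet", "proto": "tcp", "ext_port": 23,
     "to": "192.168.0.40", "source": "0.0.0.0/0", "origin": "manual"},
]


def audit_rule(rule):
    """Return the list of issue codes for one forwarding rule."""
    issues = []
    source = rule.get("source")
    net = ipaddress.ip_network(source, strict=False) if source else None

    # No source, or 0.0.0.0/0, means the whole Internet can reach the port.
    if net is None or net.prefixlen == 0:
        issues.append("no-source-filter")
    elif net.prefixlen < MIN_PREFIX:
        issues.append("source-filter-too-wide")

    # Rules a program opened through UPnP were never reviewed by a person.
    if rule.get("origin") == "upnp":
        issues.append("opened-by-upnp")

    # Telnet and SSH should not be reachable from outside at all.
    if rule["ext_port"] in ADMIN_PORTS:
        issues.append("remote-admin-service-exposed")
    return issues


def audit(rules):
    """Map each rule name to its issue codes; an empty list means no finding."""
    return {rule["name"]: audit_rule(rule) for rule in rules}


if __name__ == "__main__":
    for name, issues in audit(RULES).items():
        print(f"{name}: {', '.join(issues) if issues else 'OK'}")
```
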

Custom firmware can be more secure than factory firmware. There are several Linux-based, community-supported firmware projects for a wide range of home routers. They tend to offer advanced features and settings over those found in stock firmware, and the community is quicker to fix their shortcomings than the router manufacturers themselves. Because these firmwares are marketed to enthusiasts, the number of devices that use them is much smaller than devices running OEM firmware. This significantly reduces the likelihood of extensive attacks on custom firmware. However, it is very important to keep in mind that downloading firmware to a router requires good technical knowledge. It is likely that you will void your warranty, and if there is an error, the device may be damaged. Keep this in mind, you were warned!

How to protect yourself

Check if the remote access feature is enabled on your router. It is often included in devices provided by communication providers. For providers, remote access is needed for business: it makes it easier for them to help users set up the network. However, providers may leave the default password in the web interface, making you an easy target for hacker programs.

If you can log into the web interface with the standard login and password admin / admin, be sure to change the password and write it down. When your provider configures your router remotely, simply say that you changed the password for security reasons and dictate it to the operator.

Instructions for protecting your router

  1. Put a strong password on your Wi-Fi.
  2. Change the default administrator password.
  3. If the router is not from your ISP, disable remote access.
  4. If you don't know how to do this, call a computer technician whom you trust.

Today, wireless networks play an important role in the lives of users. If 10 years ago it was considered common to carry an Internet cable behind a laptop, today every phone connects to the Internet via Wi-Fi. Computers, laptops, netbooks, tablets, smartphones, printers - all this equipment can be connected to the network and interconnected simply over the air. And naturally, not only you, but also those around you have such equipment. Therefore, it is extremely important to be able to protect your wireless network.

1. Protection of the Wi-Fi network itself.

You must select a reliable security type and set a difficult-to-guess security key. We recommend choosing WPA2-PSK and a security key of 8-10 characters.

Often it is also a good idea to hide the Wi-Fi network. To do this, check the box Enable hidden Wireless (see picture above).

In some cases, it makes sense to adjust the transmitter power so that the access point covers your apartment, but does not reach your neighbors.

2. Protect your access point (or router)

Using the D-Link DIR-300 as an example:

Go to the MAINTENANCE section, select the Device Administration subsection, and in the Admin Password setting enter the new password twice:

And in the Administration setting, uncheck the box Enable Remote Management, which will make it impossible to enter the device's web interface from the Internet.