In the office, we adopt wireless security controls including Wireless IPS, strong authentication, often with the use of digital certificates and client isolation. At home, we skip many of these primarily because consumer-hardware does not support them. This leaves the pre-shared key as the weakest link which we commonly find weak, and often easy to guess passwords protecting your network.
Selecting a password for your wireless network is one of the most crucial steps to ensure the security of your home network. A combination of lowercase and uppercase letters and a couple of numbers is not enough to protect your privacy while connecting to your wireless network. An attacker that is persistent enough can and will obtain unauthorized access to your home network.
Two of our security analysts were invited to the Hackable? Podcast. In the episode titled “Remote Control”, two of our security consultants demonstrated a compromise of a smart TV through an insecure WiFi network; you can listen to it the podcast here.
In the podcast, our consultants were tasked to tamper with an IoT device belonging to the producer of the Hackable team. This device happened to be a smart TV that is connected to the home WiFi network. In order to connect to the smart TV, they first had to figure out a way to connect to the WiFi network of the victim. This was done by capturing the authenticated handshake between a device on the target network and the WiFi access point, which is possible without being connected to the target network. The handshake then underwent password cracking using brute-force and dictionary-style attacks to reveal the plain-text password. After a few minutes, they were able to recover the password to the victim’s WiFi and connect to the smart TV.
In brief, our consultants were able to gain control of the TV, change channels and choose what is being displayed on the TV. This is just one example of many to bring awareness and demonstrate how an attacker is capable of utilizing different devices once they are connected to your home WiFi network.
The security of your WiFi network is essential, and there are a number of considerations to ensure that your WiFi network is more secure.
- Do not use the default password: Using a default password will increase the risk of compromise. Attackers often go for the “lowest hanging fruit,” and default passwords are one of the very first things that they will try against your WiFi home network.
- Change the default SSID: Setting a new name for SSID helps make it more difficult to break into your WiFi network. Default SSIDs may be attacked using “rainbow tables” which are essentially pre-computed keys that dramatically increase the speed of obtaining unauthorized access to your network.
- Use strong passwords: Using a strong password increases the difficulty an attacker faces when attempting to crack your password. Using uncommon/unique passwords will help against brute force and dictionary attack; use different combinations of uppercase and lowercase letters, numbers, and special characters. For more guidance on secure passwords, click here.
- Use stronger encryption method: Do not use WEP or WPA. For now, it is best to use WPA2. WEP and WPA are no longer a secure algorithms because they can be cracked within minutes. On the other hand, WPA2 uses AES block cipher which is significantly more secure than WEP/WPA.
- Change router admin credentials: If an attacker obtains unauthorized access to your wireless network, their next steps may be to cover their tracks, or open up firewall rules which may put your network at risk. Change your password from it’s default, and avoid using the same one as your pre-shared key used to connect.
- Configure and enable firewall: A more technical solution would be to enable and configure the firewall settings of the router. Most if not all routers should come with a built-in firewall. To keep your network secure, restrict inbound and outbound traffic wherever possible.
- Keep router firmware up to date: Keeping your router up to date helps mitigate publicly-known vulnerabilities which may be used to obtain unauthorized access or bypass authentication entirely.
- Create a separate SSID for Guest: If your router supports it, it is best practice to create an isolated guest network to ensure their devices are not able to interact with your home network. This reduces the likelihood of malware spreading, and enables you to keep your main pre-shared key safe.
There are many other ways to ensure the security of your home WiFi and above are only some of the crucial steps to take to secure it. If you are interested in an attack demonstration and what an adversary could do once they have gained access to your home WiFi, the Hackable podcast is now available here.