June 19th, 2018
During the recent Russia-linked malware threat, home routers with security flaws were hacked into, allowing attacks ranging from monitoring network traffic, downgrading HTTPS to HTTP, and even completely wiping routers, rendering them useless. What particularly struck me about this is when I noticed that I had an update available to my home router’s firmware. The firmware update caused the router to reset to factory settings, but when signing in I first noticed that the router didn’t require me to change the default username and password. After this I noticed that the router’s software enabled me to turn off the password, and didn’t have any other requirements outside of a length of 8-64 characters. Not only did I find this shocking, but troubling when it comes to the general populace.
While some may argue that the lack of a password can be used for small commercial purposes, the lack of security standards surprised me. Since nothing in the setup gave me much warning about the risks I would be undertaking if I gave up any of these features, I realized that for most people nothing besides common sense prevents a user from throwing caution to the wind in favor of ease of access. With so many different brands and software choices, there fails to be a standard of strong security practices mandated. People are free to put themselves and others at risk of a hacking attempt, all without knowing the consequences to their actions.
In addition to the problems I had noticed on my own router, I thought back on routers that my family has had in the past. Not once do I ever remember changing passwords after initial setup, as routers don’t require updates. Many people simply take the method of “set it and forget it,” even though the little machine that protects so much of the data they use is left to it’s own devices to hold off potential attacks. Critical firmware updates that protect from events such as the recent malware threat have to be manually updated, possibly leading to infection and the spread of infected routers. So much of what we do is at risk, and unless you buy something fancy or do something yourself, little can be done about it as of now.
When it comes to router security, 3 main questions need to be addressed: what security measures are currently protecting routers, what are their vulnerabilities, and what can be done to improve router security?
When home routers were first introduced in 1999, the world was introduced to a whole new world of Internet usage (). With the introduction of wireless connection in a home setting, people could now connect their devices without the need of a cable or a nearby Ethernet outlet. Connection to multiple computers from a single outlet became possible, allowing more users to join the network than was previously possible. While this was a huge benefit for users it also opened up users to more risk then before, especially because of wireless routers. Where before hackers would need to tap into a line directly to gain access to sensitive information, it was now possible to gain access from anywhere within the reach of the wireless signal. The most obvious answer was implementing passwords to keep hackers from gaining easy access, but data transferred in the network would still be visible to anyone observing the network from the outside. The answer to this problem was encryption.
Network data passed to the router is generally protected by encryption, and because of different compatibility there is a few options to pick from. Most routers give you the option to encrypt your network traffic via WEP, WPA, or WPA2. These options may be presented as equals by most router software, but this is far from the case. So what are the differences between these options, and why do people select them?
Wired Equivalent Privacy (WEP) was the first in the line of wireless security standards that we currently use to protect home routers. While it can still be used to encrypt wireless networks, it is highly regarded as a weak and unsuitable protection method. As the first standard introduced it provided a better protection than using no encryption, but it falls short of other encryption methods for two primary reasons: key management and recycling initialization vectors (IVs). Keys within WEP are rarely changed because many nodes within the system are a single shared key, and due to the difficulty the method has synchronizing these keys and a lack of an overall management protocol keys are generally left unchanged. IVs on the other hand are limited in number, and because of this can be easily determined by a hacker. In 2007 brute forcing could crack WEP in under a minute due to this using brute forcing, and with the increase of processing power like is stated in Moore’s law this time only becomes smaller and smaller as time goes on (Book). The WEP standard is still used by some, and generally for a few main reasons. At times it is selected because it shows up first in the list of wireless security methods since it is the first alphabetically, some use it for the slight edge in terms of speed it provides due to less encryption calculations required, some because of older routers that don’t support other encryption methods, and some simply use it as a “better than nothing” approach.
In 2003 Wi-Fi protected access (WPA) replaced WEP as the standard for Wi-Fi routers, boosting the security of router encryption by targeting the weaknesses of WEP. While WPA introduced methods to combat key reuse and weak IVs, it still fell short of best practice as it was intended to fix problems while still working with existing network components. As such it could be considered a stopgap in between WEP and a stronger encryption standard that had yet to be developed – what we would later know as WPA2. While a stronger encryption option is available and should be selected if possible, there are still routers and network cards that won’t accept WPA2 encryption, so it should only be selected when there is no other option.
WPA2 encryption is the standard most of us are now familiar with. As of 2006 WPA2 has become the industry standard for Wi-Fi devices, becoming a mandatory option in all new routers. Along with WPA2 came the addition of AES based encryption, which is much stronger than earlier methods ().
WPA2 may be the best option that most of us have now, but that doesn’t mean it’s foolproof. As recently as October 2017 WPA2 was broken by KRACKs (Key Reinstallation AttaCKs) which targeted the “four-way handshake” performed when a device is connected to an access point, such as a router. The attack begins by convincing the user that they need to reinstall a key, and doing so allows the hacker to forge messages to send to the access point. These messages being sent are designed to be sent multiple times as the message may not make it to the client attempting to connect. When the message is sent the encryption key is reinstalled in the device, and the incremental transmit packet number (nonce) along with the receive packet number (replay counter) are reset, which allows a hacker to replay packets, decrypt them or even forge and inject new packets into the stream. While this has been patched by both client devices and routers with firmware updates, it still shows there are flaws that can be exploited within WPA2’s protocol ().
Announced in January 2018, the new WPA3 protocol has been developed to pick up where WPA2 leaves off. Routers with this protocol will have the added benefit of protecting weak password better and having much higher security on public networks. As of now, someone attempting to gain access to a router can guess as many times as they would like, but by utilizing SAE (Simultaneous Authenticity of Equals), a password attempt will require communication with the network and will time out after a certain number of guesses, blocking a hacker from implementing a brute forcing dictionary attack until the password is found. Another key improvement is the “Wi-Fi Enhanced Open” program, which provides individual encryption to devices on the network (). By using this type of encryption even public networks – currently known for being a hotbed for privacy issues – can have relatively strong protections. This can help justify the option currently available on routers to have no password, which can be risky at best under current standards.
As we take a look back at home routers, there are there are glaring issues that leave them vulnerable to unwanted access. There are two main categories of vulnerabilities: those that are features that can be exploited and those that are unintended.
Passwords are integral to security, so it isn’t a surprise that they are a major feature on home routers. What is more surprising however is the lack of standards that these routers have for password, and the lack of documentation about the risks involved. As things are, a home router is able to use common passwords, weak passwords, or even no password should they choose not to. Passwords are seldom if ever changed, as there is no need to update them unless the user decides to on their own accord. When signing on to your router you may even find that the username and passwords are set to default settings, as some manufacturer’s don’t require you to change this information. Until WPA3 becomes the widely used standard, weaknesses like this can create a myriad of issues. A hacker may use brute forcing, dictionary attacks, or other methods to gain access to the router’s network, giving them access to sensitive information. While it seems like passwords can be the answer to keeping people out, if not given due care it may also be how they get in.
The WPS (Wi-Fi Protected Setup) is a key features available on home routers. Unlike business routers, home routers generally come with both a WPS button and a WPS PIN number, both of which are insecure methods of admission to a network. These features are included to make getting on to a network easy, which benefits the user but can also benefit anyone attempting to gain access to network data. Of the two options the WPS button is the more secure method of the two. By pressing a WPS button on the router, a device can connect without knowing the password by detecting the device and providing the proper credentials automatically. This method has a relatively short timeout period, so while connection is possible it needs to be done in a relatively short time period to gain access. WPS PINs provide a much higher risk however. The PIN number is an 8-digit numeric code most often located on a sticker on the outside of a home router when purchased. This code is made up of two sets of digits, as the router checks the first 4 digits and the last 4 digits to ensure the PIN matches up with the entry. Because only numbers are used and the code is only 8 digits long it is highly susceptible to brute forcing, and since the code is set by the manufacturer the PIN can’t be changed (). Unlike the WPS button there is no timeout function for the PIN, so attacks can be launched whenever the function is left enabled. Turning this feature off requires the user to go on to their router’s software or sign in to the manufacturer’s website, and if a user doesn’t know it’s an issue they are unlikely to do anything about it.Furthermore, a device needs to install the patched firmware, which can be missed by user’s who don’t regularly check for updates and can leave devices and access points vulnerable to attacks.
Problems with current security
Weaknesses of WPS PIN numbers
Russian Malware attacks
Options provided by different routers and brands
Low price, low security
Higher price, higher security
Business routers and how they differ from home
What can router manufacturers do?
Requiring passwords and security
Requiring complex passwords (Implementing data dictionaries)
Auto updating firmware
Information on the risks of low security
What can consumers do in the mean time?
Creating more complex passwords
Update passwords and firmware
Update routers or purchase high security/small business routers