Protecting your home network is as daunting a task as you make it. If your home network consists of a wireless router and a laptop, then it’s pretty easy to lock down. If your wireless network consists of a router, several computers and mobile devices, a slew of wirelessly networked printers and smart TVs, and a wi-fi enabled security system, then the task will be much more difficult. As a general rule, the more connected your home is, the harder it will be to secure – for now at least, though I suspect all of these connected things are going to be more streamlined as we venture deeper into the Internet of things.
For the sake of sanity, let’s assume your home network is fairly straightforward and consists of a router, a couple computers and smartphones or tablets, maybe a networked printer or two, and, just for fun, a smart TV and an Xbox or other wirelessly connected gaming console.
The most likely scenario is that all these things are going to connect to the web wirelessly through your router. Your router is therefore the hub for all the internet comunication going on inside your home. By extension, if your router is unprotected, then so is everything else. You could always hardwire everything into your router through a complex system of ethernet cables. That would be pretty secure but totally inconvenient (not to mention messy).
Let’s begin with the router. You obviously want to password protect your wireless network with a unique and not easily guessable passphrase. Most new routers will offer you the ability to set up a guest network. Do it. Give the guest network its own unique password and let visitors log into this network if they want to access the Internet from your house. In this way you can you can have a bit more control over the devices that are allowed on the network that you use regularly, essentially quarantining unknown machines to a separate network that you don’t go on.
Just password protecting the wireless Internet connection produced by your router isn’t enough. Pretty much every router you can buy has an administrative panel. You can reach the admin panel by entering one of a handful of IP addresses into your browser’s address bar. You can figure out that IP address by searching Google or any other search engine for “[your router model] + IP address”. If you enter that IP address into the address bar and wait a few seconds, you will be prompted to enter a username and password. The username is probably “admin” and the password is probably “admin” as well. Again, if you don’t know the username-password combo, look it up on a search engine. You’ll find it; believe me.
Once you’re in the router’s back-end you want to be careful. I don’t recommend messing with too much in there. So, your wireless network has a password, but it is different from your router’s administrative panel password. Once you get in the router’s back-end, you can go to the wireless security section and view the wireless access password in plain text. To connect the dots: this means that – even without knowing your wireless network password – an attacker could potentially access your router with a default password and username and then view your wireless access password in plain text and even change it. Changing that administrative panel access password is therefore something you must do.
Some routers require that you go into the back-end to do so. In my router, there is an administration tab in the back end user interface. If I click on that tab, I will see there are two fields, one says “Router Password” and the other says “Re-enter to Confirm”. All I have to do is enter a strong, unique password in the field that says “Router Password” and then re-enter the same password in the second field and click the save settings button and I am good to go. A lot of routers will also come with a set-up wizard that prompts to do this when you initially set up their router.
While you are still in the back end, there should be a tab that says “wireless”. You should go in there and dig around a little until you find the wireless security section. This is where you can view your wi-fi access password in plain text. It is probably also where you can see the kind of encryption you are using. Most new routers will come out of the box using WPA/WPA2. This is good. However, if you have an older router, it may use or be set to use WEP, which is easily breakable and could let an attacker monitor your traffic. If it is set to WEP, then you should change it to WPA or WPA2. If you can’t change it from WEP, then you should buy a new router.
You can also disable wireless administration access altogether: meaning that in order to access the backend, you would need to connect an ethernet cable directly into the router to access the admin panel. We are working on a post that will go into more detail on all the things you can do to lock down your router, so check back in on Kaspersky Daily for that.
Next we’ll move onto the computers and the mobile devices connected to your network. An infection on one computer could impact the network into which that computer is connected in any number of ways. In theory and depending on the relationship between your various computers and the network itself, it is possible for an infection to cross over the network onto other machines. Beyond that, a keylogger – a piece of malware that records key strokes – could allow an attacker to figure out your wireless password and access your network and router to perform man-in-the-middle-type attacks.
In fact, I lived in an apartment building a few years back in which a Massachusetts teacher was uploading and downloading child pornography. Unfortunately for the guy living next door, this teacher somehow figured out his neighbour’s wireless password and was connecting to the Internet through the neighbour’s wireless network. Either the neighbour had a weak password or the teacher sniffed it off him in some other way. At any rate, one day the DHS and FBI came knocking on the innocent neighbour’s door with a search warrant, cuffed this kid, dragged him out of his apartment, and interrogated him while they raided his space and everything in it. They analysed his network and his computers and quickly realised that the malicious traffic was not coming from any of his machines and actually belonged to the teacher next door.
That’s a bit of an extreme example, but on a similar note, if one of your machines is infected with malware and contributing to a botnet, there is no way of knowing what that computer is up to. That botnet could be using your IP address and your computing power to perform all sorts of sordid and illegal actions that could draw the attention of law enforcement – thinking that it is you, not the botnet, generating all this malicious traffic.
For these and a million other reasons you have to make sure the computers on your network are protected as well. While it’s true that a network is only as secure as its router, it is equally true that your router is only as secure as the computers that connect to it. On the simplest level, you probably used your computer to configure that router in the first place. On another level, if your computer is compromised then someone is already on your network no matter how secure the router itself is. So make sure you’re running a solid security product. Not only on your computers but on your mobile devices as well.
Install hardware and software updates on computers, phones, tablets, printers, routers (if there ever are any and you know about them), TVs, gaming consoles, and anything else that might receive updates. Nearly all the malware and exploit kits I read and write about target known and patched vulnerabilities. Let me repeat that, almost all the malware I know of exploits vulnerabilities that the affected vendors have already patched, meaning that you are largely protected against these threats if you install updates. The problem is that people like you and me and everyone else refuse to update their software. If I could give you one piece of advice to stay secure, it would be to install updates. In order for a home network to be secure, everything on it needs to be secure.
In fact, for smart TVs and gaming consoles and networked printers, I’m not sure there is a whole lot you can do other than to install updates. I sat in on some talks and press conferences at the Black Hat security conference in Las Vegas last month where researchers demonstrated compromise after compromise on smart TVs. No one is really making security products for these yet, so the best you can do is assume that the vendors are paying attention to the research and fixing the bugs and pushing out patches to affected devices. The good thing here is that most of these researchers are giving their findings to the vendors before they publicly release the details. It is becoming more normal than it used to be for the security researchers and the technology companies to work together so that product-bugs are fixed before researchers publish their data.
The real truth here is that you want to make sure that you are following all the best security practices on the things you connect to your network, as it is only as secure as its weakest link: password protect, update, run security products, and – as always – be smart by staying abreast of the threats by reading this and other security blogs.