How To Harden Your Home Wireless Network


Most people do not have time to consider the security of their own home network, and that is exactly why home networks are so easy to hack.

Why secure your home network? Because often you won’t even know you have been infiltrated, and this can lead to identity theft, keyloggers, financial losses, corrupted devices, and whatever else you can think of. These are criminals looking for anything that will lead to a prize.

Most homes have fully integrated all sorts of IoT devices which can include:

  • Wi-Fi access points
  • IP Cameras
  • Mobile devices: phones, tablets, etc.
  • Laptops
  • Smart TVs
  • Bluetooth devices
  • Thermostats, lights, kitchen appliances, etc.

More are on the way; IoT is the future and is already here. Since you are most likely NOT a high-value target like a billionaire or country leader, we will not go into complex security measures. We will stick to basic hardening strategies that stop the automated WAN ping scanners and brute-force attacks dead at your gateway router, or rather your wireless router.

Turn Off All WPS settings

Most routers ship with WPS enabled for ease and convenience. There is a flaw in WPS authentication when the PIN method is used; the setting lives in the router’s web interface. Turn off all WPS modes and disable the PIN, if possible.

Create a Basic SSID

Do not choose anything that sticks out, and do not leave the factory default, which gives away the make and model of your router. Do not hide your SSID; this does not work and is old school.

Rename Your Router

Rename your router to a unique name in the web interface settings. Do not leave it at the default name, as hackers know the details of that specific router and any weaknesses it may have, especially in the firmware.

Segment Your Wireless and Wired Networks

Some more advanced routers have VLAN capabilities. I recommend that you create a new, isolated network segment for your wireless and streaming devices, and leave a dedicated computer connected to a dedicated wired network (remember what an Ethernet cable is?) on its own private IP address for the highly sensitive things you do, like logging into bank accounts, trading online, or paying credit card bills. You do not want to be doing these activities on your wireless network.

Keeping things separated by logical network addressing makes it incredibly hard, if not impossible, for “average hackers” to hop between segments, and they would first have to penetrate your network by hacking your gateway router or switch interface.

Lower The Power Transmission Signal

Do not set your wireless signal so strong that people on the street can always see it. Believe it or not, there are still “war drivers” out there who survey high-value neighborhoods and businesses.

Set Up MAC Filtering on Your Wireless Router

In your router’s interface, you have the option to turn on MAC filtering. This prevents any device not listed in the MAC table from connecting. The best way to do this is to set it to DENY ALL except your list of allowed devices. That way, nothing you are not aware of can connect to your wireless router unless its physical (MAC) address is listed in the table.

FYI, MAC addresses can be spoofed, so this is not a fully secure method, but it is another good layer to include, since this is just basic hardening.

Gateway Router Security Settings

Be sure to have your basic router firewall on, DoS protection on, and flood guard on. Most routers have these options in the web interface. You want these on at all times, because of the non-stop ping scans and brute-force attacks on the Internet hitting your public WAN IP address. If you check your router’s logs you will see these scans and pings on a daily basis.

Install A Firewall Appliance Between Your ISP and Your Home Network

Firewalls and routers are cheap these days; you can easily find a home firewall, router and VLAN switch all in one to install at your demarc. However, this is overboard for most homes, so if you know how to configure a basic firewall router, install one that does stateful inspection and has ACLs and application filters.

Update the Router’s Firmware

Most routers allow you to check for firmware updates in the web interface. Some do not, so you would have to Google your make and model to see if there is a firmware update available for download. This is very important, as outdated firmware has vulnerabilities and is susceptible to penetration and infection. If your firmware gets compromised, your whole network will be at risk.

Change Your Router’s Default Login and Password

75% of all homes do NOT do this! Log into your router’s web interface and create a unique admin name and password for the web interface, then create a WIRELESS password (PSK) that is at least 10-20 characters long with a combination of symbols, numbers and capitalization! The better your password is, the harder it will be to crack and the harder it will be to compromise your wireless network.

A hacker can probe your router’s login page by hitting your public WAN IP with the common management port appended, especially if your router’s security settings are low.

Most people are not aware of how easily passwords can be cracked today. Processing power has dramatically increased, so simple passwords like “chicagohome33” can be cracked really fast! You do not even need to be a programmer to crack passwords; the tools and applications are freely available to anyone who wants to download them and learn how to use them (e.g. Cain and Abel on Windows, the Kali Linux suite of tools, Aircrack-ng, etc.).

Turn Off NETBIOS and File Sharing on Your Host Computers

In Windows, NETBIOS is still used for file sharing. Printing wirelessly or using other IoT devices presents some security risks. We recommend simply turning off NETBIOS in the network adapter settings on your host devices and blocking ports 137, 138, 139 and 445. You can block ports and services in your anti-malware application, HOST FIREWALL or security settings. In Windows, which comes with a firewall by default, simply open the firewall, go to Advanced Settings and add new INBOUND rules that block the ports associated with NETBIOS.

You can check whether these ports/services are off by opening a Command Prompt and typing “netstat -a”, then seeing whether those ports show up as waiting, established or listening. If they do, you may want to go even further and configure settings in the Windows Registry to turn off ALL NETBIOS ports.

You can also check in Command Prompt whether NETBIOS is disabled by typing “ipconfig /all”; the readout will display each interface on the computer and whether NETBIOS is enabled or disabled.
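As an added example that is not part of the original article, here is a small Python script that checks saved “netstat -a” and “ipconfig /all” output for the NETBIOS/SMB ports and adapters the section above tells you to turn off. The sample output embedded in it is constructed; paste your own host’s output in its place.

```python
# Ports the article tells you to block on each host (NetBIOS name/datagram/session and SMB).
NETBIOS_PORTS = {137, 138, 139, 445}

# Constructed sample of "netstat -a" output from a Windows host (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            DESKTOP-1:0            LISTENING
  TCP    0.0.0.0:445            DESKTOP-1:0            LISTENING
  TCP    192.168.1.20:139       DESKTOP-1:0            LISTENING
  TCP    192.168.1.20:52344     93.184.216.34:443      ESTABLISHED
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""

# Constructed sample of "ipconfig /all" output showing the per-adapter NetBIOS line.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   NetBIOS over Tcpip. . . . . . . . : Disabled
"""

def netbios_listeners(netstat_output):
    """(proto, local address) pairs bound to a NetBIOS/SMB port; UDP rows have no State."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                   # header, blank or foreign line
        port = int(parts[1].rsplit(":", 1)[1])        # also handles IPv6 "[::]:445"
        state = parts[3] if len(parts) > 3 else ""
        if port in NETBIOS_PORTS and (parts[0] == "UDP" or state == "LISTENING"):
            found.append((parts[0], parts[1]))
    return found

def netbios_enabled_adapters(ipconfig_output):
    """Adapter names whose 'NetBIOS over Tcpip' line is anything but 'Disabled'."""
    enabled, adapter = [], None
    for line in ipconfig_output.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            adapter = line[:-1]                       # adapter heading line
        elif "NetBIOS over Tcpip" in line:
            if adapter and line.split(":")[-1].strip() != "Disabled":
                enabled.append(adapter)
    return enabled
```

Run it against your own output; anything returned by either function is a port still bound or an adapter still announcing NetBIOS, which is what the inbound firewall rules and adapter settings above are meant to remove.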

Disable IPv6 on the Network Adapters

This one can be a mixed bag, seeing as IPv6 is here now and most people are using dual-stack appliances. You can still use just IPv4 with most ISPs, so as long as your ISP fully supports IPv4, you can turn off IPv6 in the network adapter settings, under Properties, which is also where you can disable NETBIOS. Also, this strategy does not fully secure you from IPv6 attacks, but once again, those are complex attacks and unless you are a high-value target, don’t expect them.

IPv6 is not DHCP; it is auto-configured from router advertisements. IPv6 uses Network Discovery Protocol. There are many complex weaknesses in the IPv6 discovery protocol which, suffice it to say, can allow penetration into your home LAN. This doesn’t mean IPv4 is any more secure; after all, an IPv4 network still has the risk of rogue access points and ARP spoofing, to say the least.

ICMP Pings, Echo Responses

In your router settings, be sure “Respond to ping requests” is off; you don’t want your WAN gateway router responding to Internet ping requests to your public IP address. Also, in your HOST security settings/firewall, block all incoming ICMP ping requests or traffic for an added layer of protection.

Only Use WPA2 / AES-CCMP Security Mode in Wireless Security Settings

Once again, this setting is in your router settings on the web interface, under wireless settings or administration:

  • Do not use WEP – It can be cracked within minutes.
  • Do not use WPA – It can also be cracked quickly.
  • Do not use WPA/WPA2-TKIP, as this is not the highest security setting available to you and has security flaws in both WPA and TKIP (Temporal Key Integration Protocol).
  • Only use WPA2 with the Advanced Encryption Standard (AES) 256 in Counter Cipher Mode (CCMP for short).
  • WPA2-Enterprise is the highest security level, but you need a RADIUS server to authenticate users (EAP). This is for businesses and corporations in general, but if you know how to set up a RADIUS server, this would be ideal; it is overkill for simple home networks.

Segment Your IP Camera Networks and Use Uncommon Ports

When setting up IP cameras, if you have any, set them up on static ports that are uncommon (8080 is common), and also create a separate, segmented, isolated VLAN network ONLY for your IP cameras. Use a simple managed switch to create VLANs that are actually isolated subnets; don’t use a basic router switch interface unless it has the ability to create VLANs that cannot be “crossed over”.

Almost ALL IP camera hacks happen because the users did not change the default user and password for the device. Hackers scan IP networks, check the common ports to see whether an IP camera device/host is up, and use the common credentials to hack them. To show you how common this is, check out this website where they show hacked IP cameras all over the world: https://www.insecam.org/en/bycountry/US/

Wireless Keyboards, Printers and Mice

These wireless devices on your network can be used as a pathway into your network. It is easy to spoof these devices as they have static IP addresses, and bad actors love targeting them if they can find them when scanning your network. Offset these risks using MAC filtering and device segmentation. I recommend simply NOT using wireless or Bluetooth keyboards and mice, as they are very hackable, unless you are on a hardened, very secure WIRED network.

Watch Out For “Evil Twins”

Sometimes, if you are targeted, a hacker will set up a wireless access point with an SSID equal to yours, hoping that your wireless devices will log into the hacker’s open twin access point.

If you see an evil twin in your WIFI radar scan, get its MAC address from any free WIFI analyzer application (Acrylic, or many free apps in the Google Play Store), filter it in your wireless router, and, using your mobile phone, determine its proximity from the signal strength. It is highly illegal to hack wireless networks, so notify the police of the evil twin, its MAC address and where it is located. Scanning networks and attempted hacks are a FELONY by default. Just port scanning an IP address is a felony. That’s why hackers and bots use proxy IPs from all over the world to do it, yet they may physically be your neighbor.

Note: there are routers that can follow your SSID changes automatically, so if you try to change your SSID, the evil twin will automatically follow your new name within minutes.

I recommend that you always scan your residential area for WIFI networks to see what’s out there, and always make note of the SSIDs, when they change, and which ones are open, WEP, etc. Any mobile phone or wireless device can show this information.
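As an added example that is not part of the original article, here is a Python script that applies the checks from the three evil-twin paragraphs above to one survey: it flags any access point broadcasting your SSID from a BSSID you do not own, lists SSIDs that were not in your earlier survey, and lists open or WEP networks. The scan data, your own BSSID and the baseline are constructed placeholders; replace them with what your WIFI analyzer app (or “netsh wlan show networks mode=bssid” on Windows) reports.

```python
# Constructed example of one Wi-Fi survey, as a Wi-Fi analyzer app or
# "netsh wlan show networks mode=bssid" would report it (not a real capture).
SCAN = [
    {"ssid": "HomeNet",    "bssid": "a4:2b:8c:11:22:33", "security": "WPA2", "signal": -45},
    {"ssid": "HomeNet",    "bssid": "02:1f:3b:44:55:66", "security": "OPEN", "signal": -60},
    {"ssid": "Neighbor5G", "bssid": "10:20:30:40:50:60", "security": "WPA2", "signal": -70},
    {"ssid": "OldLink",    "bssid": "00:11:22:33:44:55", "security": "WEP",  "signal": -80},
]
MY_SSID = "HomeNet"
MY_BSSIDS = {"a4:2b:8c:11:22:33"}      # your own APs' MACs, copied from the router's admin page
BASELINE = {"HomeNet", "Neighbor5G"}   # SSIDs noted in an earlier survey of the area
WEAK = {"OPEN", "WEP"}                 # security modes the article says to keep track of


def find_evil_twins(scan, my_ssid, my_bssids):
    """Any AP broadcasting your SSID from a BSSID you do not own is a twin candidate."""
    return [ap for ap in scan
            if ap["ssid"] == my_ssid and ap["bssid"].lower() not in my_bssids]


def new_networks(scan, baseline):
    """SSIDs present now that were not in the earlier survey."""
    return sorted({ap["ssid"] for ap in scan} - baseline)


def weak_networks(scan):
    """SSIDs running open or WEP (a twin is usually open, so it shows up here too)."""
    return [ap["ssid"] for ap in scan if ap["security"] in WEAK]


def report(scan, my_ssid, my_bssids, baseline):
    """Human-readable findings for one survey; note the twin's BSSID and signal level."""
    lines = []
    for ap in find_evil_twins(scan, my_ssid, my_bssids):
        lines.append(f"possible evil twin of {my_ssid}: BSSID {ap['bssid']} "
                     f"({ap['security']}, {ap['signal']} dBm)")
    for ssid in new_networks(scan, baseline):
        lines.append(f"new SSID since last survey: {ssid}")
    for ssid in weak_networks(scan):
        lines.append(f"open or WEP network: {ssid}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SCAN, MY_SSID, MY_BSSIDS, BASELINE)))
```

Re-run it after each survey and keep the reported BSSID and signal level; those are what you would hand to the police as described above.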

Use A VPN Router and/or Vendor Service

You could always set up VPNs (Virtual Private Networks) on your devices and routers. Many routers come with the ability to connect to VPNs and/or run VPN applications constantly, as do mobile devices. I recommend simply using a vendor like ProtonVPN or ExpressVPN, whereby you download their application and install it on your devices and routers.

Remember, VPNs only encapsulate and encrypt your Internet traffic/packets; if your wireless or wired NETWORK or router is penetrated, a VPN really is no good.

Always Ensure TLS/SSL When Browsing The Internet

When you are submitting data or visiting a website on your home network, be sure the website you are on is always secured 100% with SSL/TLS. The upper left-hand part of the address bar will indicate whether the web page is secured with asymmetric encryption (HTTPS), and if you click on the certificate you can see the public key data and who the third-party vendor, or certificate authority, is. Generally Comodo is popular, and many large companies have their own signing.

Not using secure browsers puts you at risk of application attacks or Man In The Middle attacks on the web browser application.

Security of your network is a constant process

Hardening a basic wireless network is an ongoing process, and you have to be ever diligent in your awareness of the threats out there, especially if you have a lot of wireless (IoT) devices, a large family, or lots of wireless usage.

These basic steps will ensure you are better protected from basic and automated network scans and script kiddies. These steps in NO way ensure you are totally safe or protected; that is impossible. The bad actors, malware and cyber attacks grow in amplitude and power every month.


Blue Team Articles- InformationHacker.com
Dana O.