Jason Palmer, CPA, CITP

Cyber Insurance Auditing

You are here: Home / Archives for SSID

Securing the Home Network – Wi-Fi® Protected Setup™

By Leave a Comment

Almost every modern day Wi-Fi® Router and Access Point supports Wi-Fi® Protected Setup™ which is an optional hardware method for quickly enabling security on a Wi-Fi® network.  As you may recall, you have the option of manually naming your network with an SSID (Service Set Identifier) and specifying the specific password to be used by devices to connect. (See my article on “Securing the Home Network – Wi-Fi® Security.”)

Using the hardware based Wi-Fi® Protected Setup™ can be much faster than going in to the setup pages of the Router or Access Point.  It is far simpler and easier to “press a button” than to have to navigate through the configuration screens or even use a vendor provided setup program.  This does assume that all of the Internet enabled devices that you want to connect to your Wi-Fi® network support the Wi-Fi® Protected Setup™ feature.

To create a secure connection using Wi-Fi® Protected Setup™, you press a button (appropriately marked on the Router or Access Point), it usually flashes for a short period of time and then you press the equivalent Wi-Fi® Protected Setup™ button on your Internet enabled device or click on a soft button in the configuration screen of your Internet enabled device. Either way, in a matter of minutes, you have created a random SSID (network name) and random passphrase using WPA2 secure encryption to create a connection between your Router or Access Point and your Internet enabled device.

An alternative implementation of the Wi-Fi® Protected Setup™ is a predetermined “Personal Identification Number” (PIN) code that is usually printed on a sticker on the Router or Access Point.  If the Internet enabled device you want to connect does not have a Wi-Fi® Protected Setup™, you can enter in the PIN code from the sticker on the Router or Access Point in to the appropriate setup screen and accomplish the same automated setup.

In some cases, especially with Verizon FiOS Wi-Fi® Routers, both the SSID (network name) and Password (Passphrase) are written on a sticker attached to the Router.  No additional configuration of the Router is necessary.  You simply enter in the predefined SSID and Password to your Internet enabled device (Home Computers, Printers; Cell Phones, Tablets, Gaming Computers and other Internet enabled devices like Blu-Ray Players and Internet enable Flat Panel TV Sets), and you will be securely connected to your new Wi-Fi® network.

Security Note:  Unfortunately, in December 2011 a gentleman named Stefan Viehböck determined that the Wi-Fi® Protected Setup™ PIN could be guessed in a brute force attack of a Wi-Fi® Protected Setup™ Router or Access Point in an average of four hours.  This is due to a design flaw that enables an attacker to know when the first half of the eight digit PIN is correct.  Since there is no lockout after failed attempts at guessing the PIN, the attacker can more easily determine that the first half of the eight digit PIN is correct.  In addition, the fact that the last digit is checksum for the other seven digits, it takes only approximately 11,000 attempts to crack the PIN code completely.  For more details, read the United States Computer Emergency Response Team (CERT) Vulnerability Note: VU#72355 and Alert (TA12-006A) “Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack”

It is for this reason that CERT recommends that Wi-Fi® Protected Setup™ NOT be used and that it be specifically “disabled” in the affected Routers and Access Points.  A few manufactures have corrected the design flaw and updated the firmware (programming) in their Routers and Access Points but many have not.

Keep in mind that your Wi-Fi® Router or Access Point would have to be the target of a specific attack for this to be an issue.  More likely, you would be the target of someone randomly testing their hacking skills than of someone specifically trying to gain access to your home Wi-Fi® network.  The risk of your Wi-Fi® Protected Setup™ is minimal.  To be absolutely safe, turn off the “Wi-Fi® Protected Setup™” completely and manually configure your Wi-Fi® Network Security.  (See my article on “Securing the Home Network – Wi-Fi® Security.”)

Securing the Home Network – Show me your MAC ID please

By Leave a Comment

Every network device has a MAC (Media Access Control) address.  This unique twelve hexadecimal digit identifier is similar to either a phone number or social security number for your network equipment.  No two should ever be identical.  This number is usually stored permanently in the device.  It is usually displayed on a label on the device in the form of: 00:23:6C:7F:38:43 or it can be displayed in the network information screen of the device.

If you want added assurance that only devices with “proper id” are allowed on to your Wi-Fi®  network, you can explicitly enter the MAC address of each of your Wi-Fi®  connected network devices in to your Wi-Fi® Router or Access Point, such as your Wi-Fi® (or Wired) Home Computers, Printers; Cell Phones, Tablets, Gaming Computers and Internet enabled devices like Blu-Ray Players and Internet enable Flat Panel TV Sets.

Even if a user has the proper SSID (Wi-Fi® Network Name) and Password, if the MAC address is not listed in the table in your Router or Access Point of “permitted MAC addresses” access will be denied and the device will not be able to connect.

The ability to configure MAC address restrictions is usually in the “Advanced Security Setup” area of your Router, Access Point, or Switch.  Almost all Wi-Fi® Routers and Access Points support MAC Address connection tables and restrictions.

Only higher end Wired Routers and Switches offering some form of Management have the MAC Address restriction capability.  Not to worry, the likelihood that someone you don’t know is directly plugging in via a “Wired” connection to your network in your home without your permission or knowledge is very small.

Technical Note:  In some cases, there are legitimate reasons why a network device would broadcast a MAC address different from the one permanently assigned.  This is called MAC Spoofing.  Some earlier Internet connection types required that the Cable or xDSL modem, the device that converts the signal from outside your home to Ethernet, be in “bridge” mode, or for all practical purposes, invisible.  In these situations, the Cable or xDSL modem would actually broadcast the MAC Address of your Computer instead of its’ own MAC Address.

Security Note:  MAC Spoofing can also be used for bad purposes and is not a fool proof security method.  It is just an added layer of security.  Even if you have a MAC Address permission table set for both your Wi-Fi® Router and any Access Points, almost anyone, with a reasonable amount of skill, can Spoof, or duplicate a legitimate MAC address which could allow them access to your Wi-Fi® network PROVIDED THAT they also know the correct SSID (network name) AND Password.  That is three layers of security instead of two.

In general, if you are extremely concerned about securing the access to your Wi-Fi® enabled network, setting the MAC Address of each Wi-Fi® enabled device in your Wi-Fi® Router and/or Access Points for your Primary (“Private”) Wi-Fi®  network will provide an added level of assurance that only legitimate, authorized devices are connecting to your network.  (For a discussion on Primary/Private vs. Secondary/Guest Wi-Fi® networks, see my article, “Securing the Home Network – Guest Wi-Fi® Networks”)

Securing the Home Network – Guest Wi-Fi® Networks

By Leave a Comment

The newest Wi-Fi® Routers support both a Primary “Private” and a Secondary “Guest” Wi-Fi® network.  This allows you to have two separate SSID’s, (the names of your Wi-Fi® networks), at the same time.  Specifically, the Primary Private Wi-Fi® network would be for your exclusive use and connect all of your Wi-Fi® or Wired Home Computers, Printers; Cell Phones, Tablets, Gaming Computers and Internet enabled devices like Blu-Ray Players and Internet enable Flat Panel TV Sets to each other and the Internet.

The Secondary Guest Wi-Fi® network would connect visiting Internet enabled devices, like Tablets, Notebook Computers, Smartphones, and Gaming Computers ONLY to the Internet.  After all, you have no idea where those Internet enabled devices have been nor can you be sure they have been practicing “Safe Computing” with proper Antivirus and Firewall software installed.

Guests are given a different SSID and password to access the alternate, dedicated Wi-Fi® “Internet Only Access” network in your home.  You may be wondering, “If it is a Guest Wi-Fi® network, why do I need to set a password at all?”  Answer:  You do not want to be providing “Free” Internet access to your neighbors and more specifically, anyone who just happens to be passing by.

If you already have a Wi-Fi® Router installed and it does not support both Primary Private and Secondary Guest networks, you have two options:  upgrade your Router or purchase an Access Point.  The advantage of purchasing a new Wi-Fi® Router that supports both Primary and a Secondary network is that most likely it will also be Dual Band.  This means that it operates at both the 2.4Ghz and 5Ghz spectrums.  (See my article on “Understanding the Wi-Fi® 802.11 Network Standard” for more details.)  The 5Ghz spectrum is less crowded and may give you better Wi-Fi® performance in your home.

If you purchase an Access Point to create a Secondary Guest Wi-Fi® network, most support the option to configure in “AP Isolation Mode.”  This means that Wi-Fi® connected devices cannot see other Wi-Fi® connected devices on the same Wi-Fi® (SSID) network but they can see all of the devices on the Wired network.   For example, with AP Isolation Mode enabled, two Wi-Fi® connected Notebook computers will not see or be able to connect to each other to share files but both would be able to see a Printer physically connected with an Ethernet (wired) cable to the Network Router.   If every device in your home is connected via Wi-Fi® to your Primary Private Wi-Fi® network, then adding an Access Point is a good solution to create a Secondary Guest Wi-Fi® network.

If you have devices in your home attached to your Primary Private Wi-Fi® Network and you also have devices connected via Ethernet (wired) cables, then you need to configure the specific physical Ethernet port that your Guest Access Point is connected to on the Local Area Network side of the Router to only connect to the Internet/Wide Area Network of the Router.  This completely isolates Guest Wi-Fi® connections through the Access Point exclusively to the Internet.  Otherwise, your Guests will be able to see any device that is connected via an Ethernet (wired) cable to your network.

Securing the Home Network – Wi-Fi® Security

By Leave a Comment

Most Cable and Phone Company Internet providers are installing Routers with Wi-Fi® capability.  Unfortunately, not all Carriers take Wireless Security seriously.  Many early Carrier Wi-Fi® Router installations did not set any network security at all.   To be fair, many early Wi-Fi® enabled Computers did not properly support the newly defined security methods so it was easier to just leave the Security Features off.  Modern day Internet Enabled devices no longer have these issues so you should make sure that your Wi-Fi® Router has its’ Security Features enabled.

Public Wi-Fi® HotSpots are great and extremely convenient.  Your Home or Office should not be one as this could allow anyone who connects to your Wi-Fi® network to potentially access your computers and their files without your knowledge or permission.

The best and easiest way to secure your Wireless Router’s Wi-Fi® network capability is to set strong and complex password [See my article on “A Complex Password may not be a Strong Password”] and to select the highest grade of encryption supported.  For most modern day Wi-Fi® Routers, that is WPA2 or WPA encryption.  Older Wi-Fi® Routers may only support WEP Encryption, which is sub-optimal as any determined hacker can break the encryption fairly quickly using readily available tools found on the Internet.

An important security tip is to make sure that the SSID, (the name of your Wi-Fi® network), does not personally identify your home or small office.  Try to select a name that completely not associated with your family, likes, favorite vacation spots or anything else that might identify your Wi-Fi® network to someone who might be trying to locate and access your network without authorization.

The logic is simple:  If the hacker cannot see or find you, it makes it that much more difficult to compromise your network.  Instead of selecting an SSID name like “Palmer-Home” select something for like “Butterfly.”  Someone passing by and scanning for Wi-Fi® Routers broadcasting SSID’s would have no reason to believe that the Wi-Fi® network named, “Butterfly” is associated with me.  (And neither does anyone reading this article at that is not an SSID that I use.)

An even more secure option is to turn off the broadcasting of the SSID completely.  To a user “Scanning for Wi-Fi® Networks”, your network will be invisible.  Anyone who wants to connect to your Wi-Fi® network will need to explicitly enter the SSID Network Name and Security Key provided by you.