The WiFi router is the most important device at home, connecting all the computers and gadgets in our home network to the Internet, keeping us online. Yet few of us care about the router, only remembering its existence when we need to restart it, because we only appreciate something when we lose it. This lack of care for the router, the main gateway to your network, makes it a prime and easy hacking target. If an attacker breaks in your router, they can use it to perform illegal activities, slow down your internet, and monitor and tamper with your devices and online activities.

At Netonomy we love routers, we have hundreds of them at our labs, and we want you to love and care for them too. So this Wednesday’s Cyber Hygiene post will provide tips to implement basic security settings. These are not hacker-proof settings, but bare minimum cyber hygiene practices. They are easy to set-up, so follow along!

First you will need to access your router’s web interface, to do that you will need to find your router’s IP address, which is written as four numbers separated by periods (e.g. 192.168.1.1). Sometimes this number is written at the bottom of your router, otherwise, search for it online or try this handy list. Once you have the IP address, connect your computer to the router with a LAN cable, and type the router IP address on your web browser. You will be redirected to the Router’s Settings page. That was the hardest part, now it only gets easier.

Under the Security Settings, look for the following options:

Password: Default passwords are a huge problem with digital devices and routers are no exception; make sure to create a unique password, with a combination of letters, numbers and symbols. Change it periodically.

Encryption: Depending on your router, you will have a few options for encryption, these are the most common ones in declining order of effectiveness:

  • Wired Equivalent Privacy (WEP): The oldest and most popular form of router encryption available, also the least secure of them all.
  • Wi-Fi Protected Access (WPA): An improvement to WEP’s shortcomings.
  • Wi-Fi Protected Access 2 (WPA2): The most secure encryption available at the moment. Select WPA2 if available.
  • Advanced Encryption Standard (AES): Use AES on top of WPA2 or WPA. This is the same type of encryption used by the federal government to secure classified information.

Note: for compatibility with some older devices, such as gaming consoles, TiVo, and other network devices, WEP may be the only security option possible to use. Using WEP is still better than no security at all.

Firewall: While this setting is usually enabled by default, make sure that it’s activated for an added layer of cyber hygiene.

WiFi Protected Setup (WPS): If available, this setting is usually turned on. Originally created to make it easier to setup an encrypted wireless connection without passwords, its very nature made it quite easy to crack, and we recommend turning it off. Please note even turning it off might not be enough, with WPS continuing to work despite having been disabled.

SSID name: This is the name that identifies your router. Avoid leaving a default SSID name, such as the name of your router model, as this information makes it easier for attackers to break in. Also avoid using your family’s name or any other personally identifiable information. Be creative!

SSID broadcast: Your router is always broadcasting its name publically to make it easy to find. However, if you wish to make it harder for snoops to find your network, disable SSID broadcast. This will require that you manually enter your SSID name when connecting new devices to the network.

MAC Filter: When enabled, this option allows devices to connect only if their MAC addresses have been pre-entered in the filter list. A nice tip when setting this up is to have your devices connected prior to enabling MAC filter, open the DHCP client table (often found in the Status or Local Network section) and copy-paste all their MAC addresses into the filter.

Remote administration: This setting is usually found in the Administration Settings.
Unless you intend to remotely configure your router, disable remote access to the settings, you will still be able to configure your router via a wired connection.

Firmware update: Lastly, like all digital devices, make sure you check for firmware updates frequently to stay up to date with the latest security patches and reduce your vulnerability.

 

As aforementioned, these are not hacker-proof security settings, but basic cyber hygiene tips to add a layer of security. If you want true network security and control, you must install solutions like Netonomy’s, or buy an expensive router with a security-focus. However, these easy-to-implement cyber hygiene practices are a first step in the right direction, and we recommend implementing them to make it harder for would-be-attackers to break into your network.

 

Tune in every Wednesday for more cyber hygiene tips you can implement in your network!

 

 

In this week’s IoT cyber security and cyber hygiene podcast, we had the pleasure of interviewing Omer Shwartz, a Ph.D student at the prestigious Information Systems Engineering Department at Ben Gurion University of the Negev, and an active member of the Implementation Security and Side-Channel Lab under Dr. Yossi Oren.
His latest published paper is titled, Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices, in which him and his team analyzed the practical security level of 16 popular IoT devices and discuss how to improve their security without significantly increasing their cost.

This interview is <20 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Could you explain a bit about the work being done at the Implementation Security and Side-Channel Lab at Ben-Gurion University?
We are a relatively new lab, but with very exciting work: investigating all kinds of side channel leakage models and implementing security. My field is mainly around hardware security, but we research and work on all kinds of metrics to get information in and out of devices that are not meant to broadcast information. Some research I’ve done under Dr. Yossi Oren include a phone case that can exfiltrate phone data (location and conversations) while the user is unaware, and a project on how replacement touch-screens could be malicious and used to harm or spy on users.

How did you first get involved in cyber security and hacking, were you always breaking things?
Yeah, actually (laughing) since I was little I liked looking into things and figuring out how they work. I’ve been in the hacking community for around 15 years and always had an interest in hacking and cyber security before it became a really big and known issue as it is today. Cyber security always interested me, it’s like a hidden thing that really affects our world, and nobody really talked about it until recently, and it has a long way to go. There are so many threats that we have not seen yet, and that’s why I’m a part of this lab and studying towards a PhD, because I think there is so much to discover.

If cyber security has a long way to go, it’s probably because of the exponential growth of IoT devices, right?
IoT devices are a really big part of it. Nobody cared about cyber security before, but now that we have all these phones and IoT devices, everybody suddenly realizes that these things were never designed to be secure -they use infrastructure that was not designed to be secure.
It’s a really good place to be, from an Academic point of view, because there is so much to invest and research everywhere.

Share with us some details behind the research you conducted with Asaf Shabtai, Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices, what was the thought process that went into it?
A friend of mine had hundreds of IoT devices for some cyber security research he was conducting and, out of curiosity he asked me if I could find any vulnerabilities in them, we didn’t think of writing a paper about it.
We began taking devices apart and looking inside and noticed that all the devices were really insecure. Many, if not most, IoT devices sold today can be accessed remotely with a default password, which is usually really simple.
But we also looked into what happens when an attacker has one of your networked devices, using it as a gateway to get network information and access. So we wrote a really comprehensive analysis of the devices’ vulnerabilities and compiled a large array of techniques used, some of them already known, but gathered in such a way as to allow other people to try them and see if their devices are secure.
Other than easily and cheaply cracking the passwords stored in these devices’ hash and creating our own Mirai botnet with them, we found vulnerabilities such as devices holding private communication key in the file system. Anyone that gets that key can listen to the device’s communication. It’s really bad security practice, but it seems that in IoT the most important thing is getting a product to market and not securing it properly.

What would be your recommendations for IoT manufacturers?
I’d start with not having hard-coded easy passwords and completely disabling remote-access. Also, nobody considers attackers with access to your device, but devices should be built in a way that make it harder to reverse-engineer -this is a difficult problem, but at least it shouldn’t be so easy to reverse-engineer. All the devices we used were really easy to reverse-engineer, they have special ports in the board that allows us to connect and communicate with the console quite easily, and that’s something that shouldn’t be on a production board, just on a development board. We were actually able to get all of our information because most of the devices’ debug ports were open, which combined with weak passwords, gave us full access to install our own software. So my recommendation is to disable the debug and WRT ports, and strong passwords hashed with strong algorithms.

What would be your cyber hygiene recommendations for technology consumers?
You know, they always say that humans are the weakest link in the cyber security chain, and this is correct in a way. I would recommend strong passwords, because the current way people use them today is incorrect, they should be long and hard to crack – and one should never reuse passwords to avoid bigger problems.
When it comes to IoT devices, I would recommend staying away from unknown manufacturers. I hope some of my research will lead to consumers and researchers using our techniques to inspect their own devices and realize what is in there, and whether they are secure or not, giving power to the consumers to understand what is being sold.

On February 23rd 2000, Vincent Cerf, one of the fathers of the Internet, stated, “Most of the [Internet] vulnerabilities arise from those who…do not practice what I refer to as good cyber hygiene. They are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part. The openness of the Internet is both its blessing and its curse when it comes to security.” The Internet was a very different place back in 2000, only 5% of the global population had access to it, and IoT, smart phones and broadband speeds were things of the distant future. But eighteen years later, this quote couldn’t be more urgent and relevant, when over half of the population relies on Internet connectivity and malicious actors do not rest. As new scenarios continue to emerge, it is imperative for all stakeholders to recognize and be prepared to execute their roles and responsibilities, including governments, service providers, device manufacturers and consumers.

Many recent, major breaches could have been reduced if fundamental principles of cyber hygiene had been followed, but human stupidity is always the weakest link, and consumer cyber hygiene remains a much-needed patch. Cyber hygiene practices include, but are not limited to, setting strong passwords, managing the network and performing security and software updates. Unfortunately, these seemingly simple practices are tedious and difficult to maintain for most, and are often overlooked by the latest, greatest security solutions that promise to keep us safe. Consequently, we are living in an era of Internet of Insecure Things. However, consumer cyber awareness and cyber hygiene can go a long-way to fixing the Internet, even creating the consumer confidence necessary to increase IoT adoption and reach its potential.

The private sector is best suited to the creation and maintenance of lightweight and simple solutions to facilitate cyber hygiene at home, but the government’s convening power to enforce standards is what will incentivize all stakeholders. We are happy to report that there are loud signals that this is already happening. Following an executive order signed in May of 2017 by US President Donald J. Trump to strengthen the cyber security of federal networks and critical infrastructure, a first draft has already been published recommending, among other things, that the American government fund a public awareness campaign on IoT security, and make cybersecurity a compulsory part of future engineering degrees. Also, in November of 2017, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) began to actively seek proposals by technology vendors to provide an example solution to mitigate IoT-based DDoS attacks.

Consequently, service providers, router manufacturers, and technology vendors are now rushing to market with innovative products and solutions aimed at increasing consumer cyber hygiene. In a way, secure devices and services are a marketing opportunity for companies to differentiate themselves and add value in the Smart Home and IoT marketplace, because nobody wants their devices to be easily hacked. The Wi-Fi alliance is leading this industry trend by announcing that it will be rolling out WPA3 this year to set new security and privacy standards. We believe that cyber hygiene starts at home, but because it is impractical to hold consumers responsible if their devices are used in a botnet or if they’re not secure, we welcome the current industry trend to facilitate consumer cyber hygiene by designing devices with security in mind.

The average number of connected devices at home is increasing exponentially, and the IoT discussion should not be about gloom and doom, but rather about the massive opportunities afforded by this revolution.  Yes, there are risks, but they can be significantly mitigated by the application of proper cyber hygiene by each of us. For its part, Netonomy is joining this fight by providing a lightweight agent-based solution that can be deployed over-the-air and at scale to all home routers, including legacy, at a low cost. Our agent boosts the router –the gateway to all your devices, with Artificial Intelligence and Machine Learning to provide network visibility, security and management controls in an easy to use and friendly white-label app. Securing the Internet of Insecure Things will be no easy task and we all have a role to play.

 

Tune in every Wednesday for cyber hygiene tips you can implement in your network!

For this week’s IoT cyber security and cyber hygiene interview, we had the pleasure of interviewing Aditya Gupta, the founder of Attify -a global leader in IoT pentesting and security training, with learning kits and hardware for IoT exploitation for sale at their store. Gupta has spoken and taught classes at a number of security conferences (BlackHat, Def Con, OWASP AppSec, Syscan, Toorcon) and at private training engagements for organizations worldwide.

This interview is <15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Do you live in a connected home, with 9 or more devices connected?
When I was getting started with IoT security, I had a couple of IoT devices in my home, but I started removing them from my network as I realized how open and insecure they are. You can’t live in a home where you have a lot of vulnerable devices that can invade your privacy.
Now I have like 3 devices that have been extremely vetted and the security is pretty strong.

What led you to create Attify?
I started Attify around 5 years ago, with the initial plan being to help companies secure their mobile applications – which was pretty big back then. But as we evolved further, we realized that IoT was going to be a real beast, with tons of extremely insecure devices. My academic background was on electronics and telecommunications, focusing on how hardware embedded devices and communications work, and doing research on hardware security. Based on that experience, we started our IoT security offering, figuring out different IoT security threats and later offering a training course called Offensive IoT Exploitation to help people figure out how to assess or find vulnerabilities on their own IoT devices.
There are tons of materials available online for people getting started in any generalized topic of security, from blogs to tutorial videos and trainings. But two or three years ago there was not a lot of content available online for those interested in learning IoT security, and that’s why we created a systematic and methodological approach to learn IoT security in an intensive 3 or 5 day class.

In addition to creating great content, Attify sells IoT hacking tools and learning kits for researchers and makers… is this a shift in the company to focus on training the next generation of information security professionals over consulting?
There is definitely a huge need of awareness in terms of IoT security for all companies interacting with IoT devices; they definitely need IoT security education. I would say that we are gradually focusing more on the training aspect of the business, because that is where the entire industry is paying more attention to, they want to learn how to figure out the security issues in these kinds of devices.

Tell us a bit about The IoT Hackers Handbook, who is the book written for?
The book was written for anyone who wants to get started with IoT security with absolutely no previous background in it, giving them an in-depth introduction to each of the various IoT components.

Good cyber hygiene practice recommendations: What can users that have smart things do to stay protected?
This is pretty much the need of the time now because a lot of consumers are introducing so many new devices, but there are not that many things that consumers can do at this point to secure themselves from IoT security threats, which is kind of scary. But there are definitely a few steps which they can take to make themselves secure:

  • Network segmentation: making sure that the new IoT devices are in a different network.
  • Making sure the new IoT device does not have any public vulnerability online, which anyone can look up and attack your device.
  • Making sure that the company making the device is proactive when it comes to security.
  • Invest in solutions that can help analyze and monitor the home network traffic (i.e. Netonomy) and alert you when something wrong is going on.

If you have some technical background, its always good to do some research on the device before introducing it home. This is something I always do, even though it takes a lot of time, you get the assurance that your device is not recording or spying on you.
If you are a company, its always good to have an internal pentest before introducing a connected device, smart coffee machines can leak your WiFi credentials. We have to wake up and smell the coffee; I’ve seen so many IoT devices leaking sensible information. And it’s going to get much worse unless enough attention is paid to these kind of device in the future.

For our fourth and last podcast of the year, we are very happy to have Aviram Jenik, who has been involved in the fields of encryption, security vulnerabilities detection and research from the early days. Aviram is the founder of Beyond Security, a cyber security company that develops vulnerability assessment tools used by governments and companies worldwide to secure their networks, applications and hardware.

This interview is ~15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Why did you decide to get involved in cyber security?
If I have to trace back what was probably the trigger for me, it would be a movie from the early 1990s, called Sneakers – about ethical hacker’s work. Ethical hackers doing social engineering and going into organizations to show them how they can hack in, pointing out the vulnerabilities, both physical and in computers. Of course at that time there was no internet, so if you had to hack a computer, you had to first get into the building. They were doing all of that and it was just awesome, so I watched it and thought: “wow how amazing would it be to do this for a living, to try to hack stuff or to find vulnerabilities in organizations by actually doing the attacks?”
So my really young self is looking at my old self and hopefully is really impressed, because that’s what we do today – ethical hacking, and I think that’s pretty awesome. That was maybe the seed that directed me toward cybersecurity, and specifically hacking.

What security trends or technologies get you excited or, alternatively, afraid of the future?
I’m really excited about getting rid of passwords; authentication is getting a lot better, much more than people realize. We’ve had a problem authenticating and preventing others from stealing passwords since the first login page, and it’s been a cat and mouse game ever since. But today it’s very difficult for someone to break in your phone, the FBI has a difficult time, yet it’s very easy for you to open it -you probably do it 50-100 times a day, for sure.
Think about that quantum leap: passwords were inconvenient to authenticate and the attacker had lots of ways to go around them. Today we are almost at the stage were one can easily authenticate against so many things, devices, and apps everyday, in a really reliable way. Soon we will get to a point were, just like we got rid of phone numbers, we are going to get rid of passwords, so that’s pretty exciting.

What gets me worried is how fast we are closing the distance gap. In the past, if you wanted to hack my car you would have to come physically close and do something in the car, or stand within close distance to try and duplicate the signal of my key. But today, you can hack my car from anywhere in the world, you can seat in a cyber café in Africa and hack my car in CA, now that’s scary. And its not just cars, but webcams, refrigerators, smart TVs, light bulbs, AC … and who knows what’s going to happen next, that is scary. That closing of the distance gap is scary. Because that means living in a safe neighborhood doesn’t mean anything anymore, because there is some bad guy in the world somewhere that can do bad stuff to me.

So tech is making our lives more convenient, but should we be paranoid about all these connected devices that we are bringing into our home?
Depends on who is “we”. If I’m a consumer, I would not be paranoid, at least not yet. I think we are still doing a reasonably good job at providing relatively secure consumer devices. There are attacks that we hear about, but they are not in a huge devastating scale yet, and we are doing a fair job at fixing them relatively quickly. Think about the recent Mac OS root password problem, that was fixed in 24 hours, so it doesn’t happen a lot and then we fix it quickly, so as an end user I wouldn’t be too paranoid.

On the other hand, as a vendor or if you are involved in security, be very paranoid – because if we screw up, the damages could be catastrophic. I’m old enough to remember the Y2K bug in 2000, back then nothing happened, but that kind of thing might happen again if we are not diligent about security. So if we miss something, some bad guy out there could take over a billion IoT devices around the world and maybe kill millions of people.

I’m not saying that to scare people, as vendors and security professionals, we have to make sure we are diligently keeping the internet safe, making sure devices are reasonably secure and fixing stuff quickly. So as a security professional, yes I’m definitely paranoid, as an end user – you know, I got all these digital gadgets, so I’m not paranoid.

What are some good cyber hygiene practices you would recommend to consumers?
Just like we try to find quality products whenever we buy electronics or things for our home., similar heuristics apply for security. Before bringing any product with a chip and connectivity into your home, try to find a brand with a good reputation, check for reviews online, think of worst-case scenarios if it got hacked, and act accordingly. I’m a little more comfortable if the device is from Google, Amazon or Apple, but if it’s an unnamed company from nowhere, I want to read the reviews. Don’t be paranoid about it, just think about those options, if you put a device that records your voice: what other things will it record? If you bring something with webcam ability: where will you place it?
By the way: being hacked is not the end of the world, right? Think about the worst-case scenarios, maybe it’s not so bad and that’s ok.