The WiFi router is the most important device at home, connecting all the computers and gadgets in our home network to the Internet, keeping us online. Yet few of us care about the router, only remembering its existence when we need to restart it, because we only appreciate something when we lose it. This lack of care for the router, the main gateway to your network, makes it a prime and easy hacking target. If an attacker breaks in your router, they can use it to perform illegal activities, slow down your internet, and monitor and tamper with your devices and online activities.

At Netonomy we love routers, we have hundreds of them at our labs, and we want you to love and care for them too. So this Wednesday’s Cyber Hygiene post will provide tips to implement basic security settings. These are not hacker-proof settings, but bare minimum cyber hygiene practices. They are easy to set-up, so follow along!

First you will need to access your router’s web interface, to do that you will need to find your router’s IP address, which is written as four numbers separated by periods (e.g. 192.168.1.1). Sometimes this number is written at the bottom of your router, otherwise, search for it online or try this handy list. Once you have the IP address, connect your computer to the router with a LAN cable, and type the router IP address on your web browser. You will be redirected to the Router’s Settings page. That was the hardest part, now it only gets easier.

Under the Security Settings, look for the following options:

Password: Default passwords are a huge problem with digital devices and routers are no exception; make sure to create a unique password, with a combination of letters, numbers and symbols. Change it periodically.

Encryption: Depending on your router, you will have a few options for encryption, these are the most common ones in declining order of effectiveness:

  • Wired Equivalent Privacy (WEP): The oldest and most popular form of router encryption available, also the least secure of them all.
  • Wi-Fi Protected Access (WPA): An improvement to WEP’s shortcomings.
  • Wi-Fi Protected Access 2 (WPA2): The most secure encryption available at the moment. Select WPA2 if available.
  • Advanced Encryption Standard (AES): Use AES on top of WPA2 or WPA. This is the same type of encryption used by the federal government to secure classified information.

Note: for compatibility with some older devices, such as gaming consoles, TiVo, and other network devices, WEP may be the only security option possible to use. Using WEP is still better than no security at all.

Firewall: While this setting is usually enabled by default, make sure that it’s activated for an added layer of cyber hygiene.

WiFi Protected Setup (WPS): If available, this setting is usually turned on. Originally created to make it easier to setup an encrypted wireless connection without passwords, its very nature made it quite easy to crack, and we recommend turning it off. Please note even turning it off might not be enough, with WPS continuing to work despite having been disabled.

SSID name: This is the name that identifies your router. Avoid leaving a default SSID name, such as the name of your router model, as this information makes it easier for attackers to break in. Also avoid using your family’s name or any other personally identifiable information. Be creative!

SSID broadcast: Your router is always broadcasting its name publically to make it easy to find. However, if you wish to make it harder for snoops to find your network, disable SSID broadcast. This will require that you manually enter your SSID name when connecting new devices to the network.

MAC Filter: When enabled, this option allows devices to connect only if their MAC addresses have been pre-entered in the filter list. A nice tip when setting this up is to have your devices connected prior to enabling MAC filter, open the DHCP client table (often found in the Status or Local Network section) and copy-paste all their MAC addresses into the filter.

Remote administration: This setting is usually found in the Administration Settings.
Unless you intend to remotely configure your router, disable remote access to the settings, you will still be able to configure your router via a wired connection.

Firmware update: Lastly, like all digital devices, make sure you check for firmware updates frequently to stay up to date with the latest security patches and reduce your vulnerability.

 

As aforementioned, these are not hacker-proof security settings, but basic cyber hygiene tips to add a layer of security. If you want true network security and control, you must install solutions like Netonomy’s, or buy an expensive router with a security-focus. However, these easy-to-implement cyber hygiene practices are a first step in the right direction, and we recommend implementing them to make it harder for would-be-attackers to break into your network.

 

Tune in every Wednesday for more cyber hygiene tips you can implement in your network!

 

 

For our fourth and last podcast of the year, we are very happy to have Aviram Jenik, who has been involved in the fields of encryption, security vulnerabilities detection and research from the early days. Aviram is the founder of Beyond Security, a cyber security company that develops vulnerability assessment tools used by governments and companies worldwide to secure their networks, applications and hardware.

This interview is ~15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Why did you decide to get involved in cyber security?
If I have to trace back what was probably the trigger for me, it would be a movie from the early 1990s, called Sneakers – about ethical hacker’s work. Ethical hackers doing social engineering and going into organizations to show them how they can hack in, pointing out the vulnerabilities, both physical and in computers. Of course at that time there was no internet, so if you had to hack a computer, you had to first get into the building. They were doing all of that and it was just awesome, so I watched it and thought: “wow how amazing would it be to do this for a living, to try to hack stuff or to find vulnerabilities in organizations by actually doing the attacks?”
So my really young self is looking at my old self and hopefully is really impressed, because that’s what we do today – ethical hacking, and I think that’s pretty awesome. That was maybe the seed that directed me toward cybersecurity, and specifically hacking.

What security trends or technologies get you excited or, alternatively, afraid of the future?
I’m really excited about getting rid of passwords; authentication is getting a lot better, much more than people realize. We’ve had a problem authenticating and preventing others from stealing passwords since the first login page, and it’s been a cat and mouse game ever since. But today it’s very difficult for someone to break in your phone, the FBI has a difficult time, yet it’s very easy for you to open it -you probably do it 50-100 times a day, for sure.
Think about that quantum leap: passwords were inconvenient to authenticate and the attacker had lots of ways to go around them. Today we are almost at the stage were one can easily authenticate against so many things, devices, and apps everyday, in a really reliable way. Soon we will get to a point were, just like we got rid of phone numbers, we are going to get rid of passwords, so that’s pretty exciting.

What gets me worried is how fast we are closing the distance gap. In the past, if you wanted to hack my car you would have to come physically close and do something in the car, or stand within close distance to try and duplicate the signal of my key. But today, you can hack my car from anywhere in the world, you can seat in a cyber café in Africa and hack my car in CA, now that’s scary. And its not just cars, but webcams, refrigerators, smart TVs, light bulbs, AC … and who knows what’s going to happen next, that is scary. That closing of the distance gap is scary. Because that means living in a safe neighborhood doesn’t mean anything anymore, because there is some bad guy in the world somewhere that can do bad stuff to me.

So tech is making our lives more convenient, but should we be paranoid about all these connected devices that we are bringing into our home?
Depends on who is “we”. If I’m a consumer, I would not be paranoid, at least not yet. I think we are still doing a reasonably good job at providing relatively secure consumer devices. There are attacks that we hear about, but they are not in a huge devastating scale yet, and we are doing a fair job at fixing them relatively quickly. Think about the recent Mac OS root password problem, that was fixed in 24 hours, so it doesn’t happen a lot and then we fix it quickly, so as an end user I wouldn’t be too paranoid.

On the other hand, as a vendor or if you are involved in security, be very paranoid – because if we screw up, the damages could be catastrophic. I’m old enough to remember the Y2K bug in 2000, back then nothing happened, but that kind of thing might happen again if we are not diligent about security. So if we miss something, some bad guy out there could take over a billion IoT devices around the world and maybe kill millions of people.

I’m not saying that to scare people, as vendors and security professionals, we have to make sure we are diligently keeping the internet safe, making sure devices are reasonably secure and fixing stuff quickly. So as a security professional, yes I’m definitely paranoid, as an end user – you know, I got all these digital gadgets, so I’m not paranoid.

What are some good cyber hygiene practices you would recommend to consumers?
Just like we try to find quality products whenever we buy electronics or things for our home., similar heuristics apply for security. Before bringing any product with a chip and connectivity into your home, try to find a brand with a good reputation, check for reviews online, think of worst-case scenarios if it got hacked, and act accordingly. I’m a little more comfortable if the device is from Google, Amazon or Apple, but if it’s an unnamed company from nowhere, I want to read the reviews. Don’t be paranoid about it, just think about those options, if you put a device that records your voice: what other things will it record? If you bring something with webcam ability: where will you place it?
By the way: being hacked is not the end of the world, right? Think about the worst-case scenarios, maybe it’s not so bad and that’s ok.

 

For this week’s podcast we had the honor of interviewing none other than Ted Harrington, executive partner at Independent Security Evaluators (ISE) – security researchers and consultants widely known for being the first company to hack the iPhone. Ted drives thought leadership initiatives at ISE and is one of the organizers of IoT Village, the popular new hacking concept focused on connected devices, he is also an`organizer of SOHOpelessly Broken, the first ever router hacking contest at esteemed security conference DEF CON.

We recommend you visit their website and check out their amazing “knowledge” center, full of great case studies, papers/publications, presentations and an updated blog. This interview is ~15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Would you say you live in a connected home, with 9 or more connected devices?
I would say pretty much everybody does, because when you start talking about routers, laptops, smart phones, wearables…things of that nature, it all adds up pretty quickly. So even people that would not consider themselves to be in a smart home, would definitely qualify as living in a connected home.

What percentage of connected devices would you say are vulnerable to hacking, is it all of them?
One should never make generalizations about anything. But what we’ve seen through our security research and assessment practices, as well as the events that we’ve organized, is that security flaws really are systemic across the connected device industry. The data suggests that these security issues aren’t necessarily relegated to a particular device type -it’s not just that light bulbs are a problem, it’s basically all of the devices that we have been looking at through different channels. And we’ve also seen it across pretty much all of the manufacturers that we’ve looked at, from large enterprises to small startups that people haven’t heard of yet.

In brief, it would probably be irresponsible to say that all devices in the connected home are vulnerable. But the research has shown that, in the current market, many connected devices really do have some security challenges to them. The likelihood is high that one or more devices in a given home have some security vulnerabilities.

Why do you think this is the current situation?
I believe it’s primarily due to market forces. When you think about the evolution of any technology that is transformative, you see a similar trend.

In the first stage, someone innovates – the idea of making traditionally analogue devices to communicate, and spawns a movement. That creates the second stage, where there’s a rush to the market, and companies provide solutions because the marketplace is thirsty for the solution. So it’s truly driven by economic factors, because people want to buy these things, and companies will supply these things. That rush is so powerful right now that it is really omitting security in many cases as part of it. That’s not to say it’s true in all cases, and I do want to make that point really clear, there definitely are connected device companies taking security very seriously, doing a great job at it. But in the aggregate, most are really rushing to market without adequate security to supply solutions to satiate demand.

Do you expect this trend to continue?
I think it will get worse before it gets better. Eventually I think things will get better because of this progression that I was describing before, when transformative technologies are introduced. And there’s a third stage. The first stage is the innovation that creates an explosion that creates a marketplace, the second stage is the rush into the market where solutions are introduced and security is not a development priority, and the third stage (which is a very long stage) is where security experts eventually get their message hammered into the operating principles of the companies in these marketplaces, and they start to implement security. Overtime the marketplace overall gets to a place where it has a much better security posture.

However, that takes a really long time to happen. We are in a rocket ship of adaption right now, more and more companies and people are going to buy more and more connected devices, more and more different types of things are going to start having connectivity to them where they might previously not have had, and that’s going to lead to a very expanded attack surface. Meaning, there are just going to be more and more ways for attackers to attack whatever it is that they are trying to go after. And we’re going to have to go through that, unfortunately, before the marketplace really starts to shift. So it will get better, I hope, but it’s going to get worse before it gets better.

A great initiative by Independent Security Evaluators (ISE) to increase cyber awareness is the IoT Village event, could you tell us a bit about that?
Security research conferences have what’s known as a village concept, which basically focus on different topics to get security researchers focused on an issue. We’ve been working with DEFCON for a few years now to organize the IoT Village, and we take it beyond DEFCON to a number of conferences throughout the US, and are in discussions right now to bring it to a few places around the world (Tel-Aviv coming soon). What we do at IoT Village is to try and get together a number of security researchers and manufacturers and really collaborate on these security issues that we are seeing. We have security researchers come and present research that they are publishing, have contests where we buy a bunch of devices and we say: ok everyone, let’s hack away at these and lets find some vulnerabilities, and we’ll do contests of a more traditional Capture-the-Flag style. Basically what we are really doing is shining a spotlight on cybersecurity as an important topic in this tech domain, which is IoT. And then, of course, we work with our friends in the press and media to publish it so that we can hopefully be that catalyst for change to shorten the lifecycle from where we are today, to that future [3rd] stage where hopefully we’ll be in a more secure and resilient posture.

You also organize SOHOpelessly broken, were the focus is router security
Yes, SOHOpelessly broken was the first router hacking contest ever at DEFCON, and it actually spawned out of some router hacking research that we had done immediately prior to that. SOHOpelessly broken has grown in its scope to cover other connected devices, but its root is around router hacking. We have a paper that we published that’s available as a free download from our website and it analyzes the research that we did that was the impetus for SOHOpelessly broken. Basically, we looked at all of the major popular SOHO routers and tried to see whether they were vulnerable to remote and/or local attack, and we found that every single router that we looked at was vulnerable to at least one of the two. It was about 56 different security vulnerabilities across thirteen different router models. So SOHOpelessly broken is now getting a community of people to poke at routers and other devices, and it usually runs right alongside the IoT village.

What are some heuristics you would give to the average consumer when it comes to network security?

First and foremost: Change the default passwords.
When you get a router, either from your ISP or your own, it’s going to come with default credentials which are usually pretty basic – and even if they look complex, you want to change those passwords, because those default credentials are basically publically available information. All someone has to do us is a quick Google search and they can know based on a given model what the default credentials are. There’s a tool known as SHODAN, which is a search engine for connected devices, so an attacker can just research and find these devices online, and by knowing the default credentials, can start attempting to use those and in a huge percentage of cases they’ll be successful because people don’t change the default passwords.

That’s actually how the Mirai botnet was successful last fall, by exploiting the fact that people don’t really change default passwords. So first and foremost: change the default credentials, because it’s basically like not having a password if you don’t.

Next would be really thinking about the need for certain elements of connectivity. I do not mean to say that someone should not adapt these emerging solutions. I’m a huge advocate of were IoT is going, I want to have connectivity in all kinds of things. But when you are buying a device, it’s important to think if you are buying it for the purposes of its connectivity, because otherwise…that would be a case where you might want to think: do you need the connected version of this?

If you are not actually going to benefit from the connectivity, all that you are doing is introducing new ways to be attacked, without capturing any of the benefit.

 

For this week’s podcast we had the pleasure of interviewing Cate Lawrence, a technology journalist for ReadWrite and DZone, as well as a freelance writer for various startups. Cate is a big fan of IoT, wearables, robots, AI, biohacking and other trending technologies which she likes to chat about on her podcast. This interview lasts 15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Do you live in a connected home with 9 or more connected devices?
Yes, I have some wearables, connected pet products to review, Amazon Alexa, and also RFID and NFC implants… so I guess I’m somewhat connected.

Could you expand on the connected pet IoT devices?
It’s a battery-powered toy for cats, shaped like an egg with a feather, so it looks a bit like a sex toy unfortunately. Basically how it works is that you can make it change noises (bird, frog, etc) through an app, and when you are not home it rolls around your house and makes noises to entertain your pet. I tried it a few times because I was going to review it, and after a couple uses the cat hated it because it was too noisy and would wake her up when she was sleeping. So the UX experience was pretty bad.

You mentioned RFID implant, is this for payments or what do you use it for?
You can’t use them for payments at the moment; I got them at a wearables tech conference because I’ve been covering biohacking for a few years. I got some health data stored on them, but besides that I’m not using them much in terms of connectivity. In an ideal world you’d be able to do pretty much anything you can do with a swipe card, but it can be a little bit harder to implement depending on where you live.

As a tech. journalist that’s always researching the market, what is an IoT startup that personally gets you excited or afraid of the future?
My favorite is one called ShotSpotter, acoustic sensors that enables the police to detect gunshots through acoustic surveillance. Basically 15-20 sensors are deployed per square mile to triangulate gunshot activity and detect time and location of shootings because a lot of the time people don’t call the police. It just shows that there are a lot of social and community-based problems that technology will have a place in solving; this one example has been very successful, and the funny thing is they are also using it in Africa to prevent rhino poaching and blast fishing.

Taking it back to the consumer side, we have not seen much innovation…how far do you think we are from this sort of groundbreaking technologies that can take us closer to a Jetsons future?
I know exactly what you mean, at the moment a lot of it is kind of in prototype stage or POC-stuff. But if you think of kitchen products, like ovens and refrigerators, a lot of the big retailers are doing things, like an oven I saw earlier this year that could perfectly cook a fish in a piece of ice by using sensors. There are all kinds of -sometimes bizarre, sometimes really interesting, use cases. I think it’s coming but right now there’s a small number of really innovative products offered at a higher cost, so in terms of scale that’s not going to happen until the prices drop. And the prices are dropping, the cost of sensors technology has dropped exponentially over the last few years, so we will gradually see more and more products.

Cybersecurity is also related to the lack of adoption, do you feel that the lack of consumer IoT endpoint security is a real fear, or are these fears greatly exaggerated?
I don’t think they are exaggerated at all. Researchers have triggered most of the cases we hear about in the media, but we have cybercriminals deliberately committing attacks and the vulnerability of products already in the market is pretty appalling. There are no standards or records, I still hear people telling me: the industry should regulate itself, but I don’t think it should because it’s showing no ability to do that, let’s be honest. Introducing laws is a problem itself; they could be too vague trying to cover every eventuality or so niche that they miss a lot. It’s going to take a really multi-faceted approach, a lot of it is going to be consumers being cyberaware and potentially not buying things if they believe they are insecure.

What are some good cyberhygiene practices that you would recommend to our listeners who live in a connected home?
The first one is to know what devices you got connected to the Internet, it’s amazing, I hear scenarios all the time where people have connected home products but they have no idea how many and therefore have no means or plans to update them when they need. A lot of this stuff is “power is knowledge”, knowing about risk management, knowing how to identify an email you shouldn’t open, making sure you have multiple passwords and two-factor authentication, making sure your device is not publicly accessible through services like Shodan, and just really questioning the products you get. If you are getting the cheapest products from parts of Asia and they are connected, you might want to check them out a bit, take some care and be vigilant with this stuff. Unfortunately we are in an era where you can’t install once and leave it, things always need updating, so if you see a vulnerability or if you see an alert…update your stuff, stay informed, you don’t need to be hysterically fearful, it’s about making judicious decisions on what you should accept.

We are honored to inaugurate our weekly podcast with Andrew Tierney, a consultant at PenTestPartners, one of the world’s leading authorities on IT security consulting and penetration testing. They don’t just test and break systems, they go after what’s really important to protect: data. They test how long it would take to get valuable data and how quickly the systems and people can spot the attack -giving clients a true measure of how effective their security is, and where it needs work. If you are not familiar with PenTestPartners, we recommend you visit their website and check out their amazing weekly content on cybersecurity. This interview is <15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Do you live in a connected home with 9 or more connected devices?Certainly, but the number of them that would classify as IoT devices is fairly low… over the last few years I’ve reduced the amount of devices connected to the network, largely due to my probing and poking, and starting to trust them less and less.

Interesting! So you are concerned about the expanding threat landscape in connected homes?
My primary concern is that consumers (and I put myself in that group) don’t understand what these devices are doing. We can’t just pick up a device and understand how it operates, what risks it places you at by putting it in your network. Even if you have other controls in place, like segregated networks and firewalls, you are still not truly sure what that device is doing. We just don’t have the time to look at everything we buy to work out if it’s secure or not, and what we’ve learned by performing tests across different devices is that, generally, there will be some security problems.

Could you take a random guess, based on your experience, of what percentage of IoT devices out there are vulnerable to hacking?
Given enough time and effort you’d probably be able to break into any device. If you got Mossad after you, any IoT device will present a risk to you. But if you are a general consumer considering what devices will put you at risk, I’d say around 50% of the devices we have looked at had very serious security problems in them. It’s a scary proportion.

Why do some companies perform their cyber security due diligence and others don’t?
I wish we knew the answer to that. I think it’s about the motivation within companies to research IoT security and the impact it can have. One of the problems we see very often is that companies don’t budget (in time or money) for security in projects; they feel [security] is like a bolt-on that you get for free, so it does not get put into the system and they end up with an insecure product.

So this cyber security challenge is an opportunity for organizations like PenTestPartners to consult with clients and companies like Netonomy to provide network security. Do you think there are other market entrants that could address this problem?
What we’d like to see are guidelines, frameworks and standards allowing companies to do the basics of security, so when they come to us for Pen Testing, or start using a third party system to improve security, they’ve already covered the basics to minimize the system.

What are the most common penetration methods you’ve used that succeed in breaking a device?
It’s quite hard to group them into the most common ways, but I’d say the primary cause of breaking into devices is not minimizing the system: default development passwords, telnet FTP web services and open ports. When it comes to cloud services, they often don’t validate the device’s identity, so we can pretend to be another device and access data that we shouldn’t be able to. There is no one method in penetration testing to compromise all devices connected to the cloud, pentesting is time restricted, so we may not be able to compromise everything, but we might find lots of little problems along the way, and it’s really key that vendors fix them to prevent them being chained together and become really big problems.

Do you feel that the risks moving from the cyber realm into the physical are increasing?
Certainly. We are starting to see IoT impacting the real world. One of the most common products in the UK is an IoT thermostat, and one might not think that has much of an impact, but if you control 100,000 heaters and turn them on or off at the same time, you can have an impact in the electrical grid or the gas distribution network. But IoT is moving into other physical areas, we’ve seen over the last few years significant vulnerabilities found in cars, defibrillators and pace makers, SCADA systems, and more. I think over the coming years we are actually going to see more and more attacks that take impact in the real world.

What can the consumer do when it comes to cyber hygiene, do you have any heuristics concerning IoT?
The first thing is to vet the devices you bring to the network, look at the company: do they take security seriously? Don’t bring insecure devices into your network. The second thing is not to treat your network as a safe space, companies and homes alike often fail to do this, and if a device in the network is compromised an attacker can access your data and change things like the configurations in your router. Beyond that, it becomes really difficult to give advise to the consumer, it’s very hard for them to judge if they are putting themselves at risk – they don’t have the insights or technical knowledge to dot it. Whenever I run IoT devices, they are on a completely distinct network (vLAN) from the rest of my computers, completely distinct WIFI network…but all these things are very difficult for the consumer to put in place. We are seeing dedicated routers coming out that allow users to put these functionalities in place to protect themselves and I think that’s probably the way we are going to see IoT security go in the near future.