Security Review: My Linksys Router

By justine at 10:09 pm on February 6, 2009

This morning, my power for some reason switched off, crashing something in my router and killing my laptop battery. For the rest of the day, wireless was down at my house and my roommate and I were physically plugging in (I know! Cables!). However, we (illegally?) share our wireless with our neighbors downstairs, and they came up to ask where the webbernets had gone to. Frustrated, I simply hit the reset button on my router and decided to just set it up again. Working through it, I realized that the user interface is a huge hindrance to the average user setting up a secure home network – a situation which I already know leads zillions of people to insecurely transmit sensitive info over the web.

Assets and Security Goals

  • The assets at stake here include anything people do over the internet – which today seems to include everything. For me, the most sensitive information I transmit is my online banking, followed up by my student information on MyUW as well as online sales. Also included is a lot of stuff I don’t usually think about needing to secure – but that could be exploited by an attacker – like my email and my Facebook account.
  • The goals then are to protect my transmissions from being read, tampered with, or spoofed. I don’t want anyone to know what I am doing on the internet, to change anything I am doing on the internet, or to be able to pretend to be me on the internet. Also, I don’t want anyone to be able to use my internet to do illegal things (except for me)!

Adversaries and Threats

  • Identity theft has become a huge issue in recent years, and so the adversary I am most fearful of is someone who would want to steal my identity, money, credit history, etc.
  • My roommate works for Amazon.com, and often has to use her work laptop on our wireless connection. Although she uses a VPN with a one-time use RSA token, we’d really like to keep a potential corporate spy as far away from her machine as possible.
  • What about my roommate herself? Or those innocent looking neighbors downstairs? Well, I hope I can trust all of these ladies…

Potential Weaknesses

  • Without any defense at all, our wireless is wide open. I’ve already seen what can be done with easily downloadable tools online – they even come with GUIs. In fact, in my opinion, these tools are easier to use than the security setup for my router.
  • Even with security, an attacker could discover our passwords either by reading them off the whiteboard in my kitchen, or by sniffing our encrypted packets and trying to guess them.
  • If someone could connect to my network and also guess my high-security administrator password, they could also mess with my router to redirect me places I don’t want to go to, or otherwise manipulate my web access.

Defenses

  • The most important thing here is having your router set up properly – encrypted with good passwords (and NOT WEP), and without the administrator password left at its default. However, this is not that easy – I am pretty sure my mom could not figure out how to do it, nor could my web-savvy teenage sisters. Linksys should have all the most important settings on one primary page – and it should lock people out of the web until they have changed the administration password (or, even better, have a different password for each box and include the password in the packaging).
  • Having a good password is important. People don’t have enough training in this!
  • I often will check my router to see what machines are connected to my wireless – if there is one I don’t recognize I will freak out. But I’ve never seen one 🙂
  • It is also important to practice safe web browsing regardless of the wireless setup. Assuming that you are on an unsecured connection provides one extra layer of security. HTTPS, encryption, all of these things are still necessary.
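
The manual check of connected machines described in the third defense above can be scripted. The following is an added example, not part of the original post: the client-table layout, hostnames, IP addresses and MAC addresses are all constructed, and a real router's client page will need its own parsing.

```python
import re

# Constructed allowlist: MAC addresses of the devices the household owns.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "my laptop",
    "00:1a:2b:3c:4d:5f": "roommate's work laptop",
    "00:1a:2b:aa:bb:cc": "neighbors' desktop",
}

# Constructed sample of a router's client table (hostname, IP, MAC);
# real routers format this page differently.
SAMPLE_TABLE = """\
justine-laptop   192.168.1.100  00:1A:2B:3C:4D:5E
work-laptop      192.168.1.101  00-1a-2b-3c-4d-5f
downstairs-pc    192.168.1.102  001a.2baa.bbcc
unknown          192.168.1.103  00:22:33:44:55:66
android-7f3a     192.168.1.104  DA:A1:19:00:11:22
"""

MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b", re.I)

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, whatever separators were used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True if the locally-administered bit is set (e.g. a randomized MAC)."""
    return bool(int(mac[:2], 16) & 0x02)

def unrecognized_clients(table_text, known):
    """Return (mac, line, randomized) for each client not in the allowlist."""
    known_norm = {normalize_mac(m) for m in known}
    findings = []
    for line in table_text.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue
        mac = normalize_mac(match.group(0))
        if mac not in known_norm:
            findings.append((mac, line.strip(), is_locally_administered(mac)))
    return findings

if __name__ == "__main__":
    for mac, line, randomized in unrecognized_clients(SAMPLE_TABLE, KNOWN_DEVICES):
        note = " (locally administered, possibly randomized)" if randomized else ""
        print(f"UNRECOGNIZED {mac}{note}: {line}")
```

A MAC address is reported by the device itself, so an empty result supports the encryption and password settings above rather than replacing them.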

In sum, I am worried about the world. I had to dig through a long series of menus to find what I needed – and I already knew what I needed. For those who don’t, I’m afraid their information is at risk!
