So you think your router is secure?

Long presentation, he definitely could learn presentation skills from David Sparks
But the content is great and might be disturbing for some of us…

https://www.youtube.com/watch?v=wagCC2H5HVU

Time to get the paranoia on…
I thought in these days where security is such a big topic, that routers would be better.

I am in the market for a new router, instead of my Time Capsule. This is certainly going to be my go-to guide for something secure.

Thanks for sharing this little gem. Too bad the uploader did horrible job of it.

He recommends my favorite router brand “Peplink”

The Peplink SoHo is still affordable for the consumer and small office network.

2nd is the Synology RT2600AC as long as you turn on the automatic updates

Wifi has been fundamentally broken for a very long time and really should not be considered secure at all, which is why everyone has been pushing https for over the wire communications.

I can buy or make hardware to break almost any wifi network for sub $100 and a lot of people are still not patched from that wpa2 crack a few years back.

It is August and thus the season for security issues as all the hacker conferences are on, I would highly recommend checking out many of the deacon talks on YouTube from years gone by, elevator hacking is still one of my favourite topics

Doesn’t really matter what the manufacturers do, electronics shipments have been intercepted to install snooping hardware and firmware. The assumption would be that this is a targeted interception, but I’m sure mistakes are made and bugged devices get into the hands of innocent people, making them vulnerable.

Given enough time and resources, anything can be compromised. Question is how big of a target you are to make it worthwhile.

For 99% of us its sufficient to change the darn username and password on the admin account on the router and keep the firmware up-to-date. Unfortunately, almost nobody does it… :-/

I have started to implement WPA2 Enterprise.
Thankfully Synology can run the Radius Server locally.

Also looking into cloud-based Radius SaaS which is a bit of an oxymoron for the problem we are trying to solve but I guess its better than the status quo.

Experimenting with IronWiFi but I have not been able to make it work with my Peplink router. I have a call with them on Thursday will see if they support hardware that is not on their list.
I have one big reservation about this service, and that is that they don’t offer 2FA. Also, the password reset procedure was a way to easy. By email, they promised to add 2FA in the next few weeks. However, given the fact that this appears to be an afterthought for what I think is a crucial point in the network security give me a pause about trusting this service.

Any alternatives out there?

This scared the c**p out of me! So far I’ve mostly managed to stay under the radar, but I wonder how long that will continue. More and more I’m feeling that the underlying protocols we use on the internet are fundamentally broken, and we need to tear it all down and start over.

Before we go off the deep end and start wearing a tinfoil hat its all about how much of a target you are and want to keep things private.

Basic measures as using a good router and locking it down go a long way.
For the rest use a plugin like Ghostry, use the various email account for different purposes etc you are way above the masses.

Further, I highly recommend encrypting the DNS traffic trough the ISP’s can’t see where you are going on the web makes a big difference in increasing your privacy.

Use DNS Crypt to shield your DNS traffic from the ISP.

I would agree that things are broken at some fundamental levels, that said, I also agree that a few small changes go a long way. Internet security is in many ways the same game as physical security, you just need to be more effort then the next guy to get.

For the most part I agree about keeping a low target profile, but you hear about those kind of users being hacked every day. I’ve been a victim of identity theft (albeit on a small scale - so far) and I am absolutely small potatoes.

Most protocols are very old and I agree, probably tearing down the Internet and creating a “new Internet” is what we need. Just think of this task: I have a huge file (video, 1GB) and want to send it to you. Email? Not possbile. Dropbox? No, I don’t want to use third-party services. So, how do I send this from my computer to your computer? If we are in the same room: sneaker-net (USB flash drive). OK, in the same room/company you could still use AirDrop, CIFS or whatever, but what if you are a few blocks away? FTP? You need a server. If you are knowledgable with IT, you will find a way, but what about the “average user”? No cross-platform, secure and easy to use protocol to get that huge file from A to B.
Username/password authentication is a joke. Sure, with 1Password it becomes easy. But why is not something like SSH key authentication (with revokal) out there. I generate a huge key (4096 bit) and this is my “digital ID”. I join a service with my public key and authenticate with my secret key. I use it for every server, but it’s not easy to do (upload key to .authorized-keys via SSH).
I have a government issued “digital ID/signature”. I can use it to: do my taxes and check my social security. Not much more. And it’s kind of “90ies implementation”. So, to get back to the 1GB file use case, how can I prove to you it’s me who is sending this file? Send you an email, which is easily spoofable. I can use my govermnet digital ID to sign PDFs, but it’s a pain. So don’t expect me to do that every time. In fact, I only did that one. But what about email? I can sign with PGP/GPG but nobody is using that. Or with an SSL certificate, which would be better, because at least it’s implemented in most email clients, but getting/installing a certificate is a hassle. I know how to do it, but what about the average user? And why can’t a go to the next post office or whatever with my physical ID and get a high quality (=verified) certificate? Easy to install and easy to use.
Then think about setting up the router (find in the crappy manual: “log into 192.168.0.1, go to settings, go to username,…”). A router out of the box should just display one page: “Hi! I am your new router and I am NOT READY TO WORK FOR YOU, UNLESS YOU ENTER NEW PASSWORD”. Option: upload you SSH key.). And all those add-ons that cause trouble, as mentioned in the video (UPnP and so on) are there because WiFi is 90ies technology. Sure, we got away from WPA, but let’s not pretend WiFi is great. What happened to IPv6?
/rant end

Commercial routers/firewalls are updated several times a year. As a network manager monitoring & patching them was part of my job for many years.

Now I choose to have experts do it for me. One reason I switched to Eero routers, for my home, is they are constantly being updated by the company. In addition, I pay for Eero Plus which adds additional security features and software (like 1Password).

We like Apple products because they (for the most part) “just work”. Hopefully, I’ve chosen a home network that does that too.

I wish Apple had bought Eero or evolved the Airport product line to something similar. Together with an iCloud integration, it would have been a great backbone of our Apple product user experience.

I think it goes waaay deeper. It’s obvious, from the number of hacks we see in USA Today every week (it seems), that the existing infrastructure is just too simplistic, it wasn’t designed with security in mind. This is a huge hole in the system. Furthermore, from what I read, breaking SSL is just around the corner. We know there are problems with SSL, but where are we without it?

I’m willing to throw in the towel if physical security is compromised, but beyond that it’s too easy for the bad guys to break in, and I think that’s the fault of our internet.

Well if you really want to have sleepless nights you should listen to the “Security Now Podcast”. Every week almost 2 hours going soo deep into this stuff it makes your head spin…

There was so much misinformation on that one, I stopped listening to it. Steve Gibson is a “security researcher” with no publications, no conference contributions, no accomplishments in the security community, etc. Self-proclaimed expert. And the Laporte guy is just…impossible to listen to.

Yeah we are all still eagerly awaiting for his secure login system and upgrade of Spinrite…

That strange SQRL thing that would revolutionize internet security? Together with the uninformed fear-mongering? That was around the time I stopped listening to that podcast. Spinrite, the fairy-dust DOS snake-oil tool that saves everything from NASA magnetic tapes to future quantum storage units?
No, not waiting for any of those.
If there’s a compliment for the MPU guys: I listen to many podcasts, have a very active BS detector and they are top-notch, worth listening, accompished professionals and not trying to sell us whatever stuff they want to make money of (Spinrite, the magical tool which doesn’t even boot on current PCs…). I am often very critical and a writer of “angry emails”, but MPU is among the best podcasts out there. If you compare to the Laporte podcasts with him hilariously laughing at his own sleazy jokes/comments for 1/4 hour…no, MPU is great!

I’ve always been skeptical of spinrite’s claims too. I’ve worked for 4 HDD manufacturers and am aware of the proprietary commands they each use for doing diagnostics and manufacturing. I very much doubt that he or anyone can reverse engineer that kind of information, to be able to make spinrite do its magic.