This article by Mison Riggins was originally published at InspiredeLearning.com on September 14, 2017. It is being republished here with the publisher’s permission through syndication.
Protecting Your Home Against Cyber Attacks
If you’ve recently purchased a smart TV, a smart fridge, a smart washer and dryer, a smart garage opener, a smart thermostat, a smartwatch, a talking teddy bear, a Roomba, or smart light bulbs, then be sure to read on as we guide you in thwarting home invasion attempts.
IoT, or Internet of Things, has been a buzzword for the last couple of years. And we’re sure to hear more of it in the years to come as the ideal of “interconnected devices” becomes reality. Recent studies have shown that most systems are not compromised through sophisticated or device-specific vulnerabilities, but rather because of a lack of basic security controls.
So, instead of focusing on IoT hacks of an individual product, we will cover some basic security steps that everyone should take in order to minimize cyber threats in the most intimate places of our lives—our own homes. Granted, there are a number of kinks that still need to be ironed out with regard to the secure design and implementation of IoT devices. In the meantime, here are some quick and easy steps you should take before plugging any device into your home network.
But first, some basic concepts on how this all works:
- IoT devices use Wi-Fi to connect to your network and the Internet.
- A wireless router enables Wi-Fi signals to broadcast throughout your home.
- Routers act as traffic police, directing traffic in and out of your network and the Internet.
- Routers also connect multiple computer networks together.
- Routers are often set up with default passwords and controls to allow ease of access.
Bottom line: Securing your router will help shore up your defenses against a possible breach into your home.
9 Steps To Take to Protect Your Home from Hackers
When configured properly, routers can keep all but the most determined bad guys out and keep in the good guys. But an improperly configured router is like having a dummy lock on your front door. So let’s lock up tight and secure our homes! From TechTarget’s Chris Cox, a few quick and easy steps even for a rookie…
1. Go To Your Router Configuration Center
Access your Router Configuration Center by typing the following numbers into your browser: 192.168.1.1
Most routers use this default IP address; some may use 192.168.0.1 or 192.168.2.1. To find your router IP, follow these instructions.
2. Login Using Default Credentials
Log in by using the default credentials located in your router handbook or written down for you by your Internet Service Provider (ISP).
If you do not have the handbook, a simple Google search for your router, e.g. “Linksys router login,” will turn up the default user name and password.
3. Change the Default Password!
Navigate to Settings and change the default password before you do anything else.
According to CERT/CC at Carnegie Mellon University, 80% of security incidents are caused by weak passwords. Extensive lists of default passwords are available online for most routers, and you can be sure that someone, somewhere knows your birthday.
4. Disable IP Directed Broadcasts
Your router is obedient. It will do what it’s told, no matter who’s doing the telling. Consult your router’s documentation for information on how to disable IP directed broadcasts. For instance, the interface-level command “Central(config-if)#no ip directed-broadcast” will disable IP directed broadcasts on Cisco routers.
5. Disable HTTP Configuration for the Router, if Possible
As outlined in a Cisco TechNote, “The authentication protocol used for HTTP is equivalent to sending a cleartext password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords.”
Although it may be convenient to configure your router from a remote location (from home for example), the fact that you can do it means that anyone else can as well. Especially if you’re still using the default password! If you must remotely manage the router, make sure that you are using SNMPv3 or greater, as it supports hashed passwords.
6. Block ICMP Ping Requests
The primary purpose of a ping request is to identify hosts that are currently active. As such, it is often used by hackers as part of reconnaissance activity preceding a larger, more coordinated attack. By removing a remote user’s ability to receive a response from a ping request, you are more likely to be passed over by unattended scans or by “script kiddies,” who generally will look for an easier target.
Note that this does not actually protect you from an attack, but will make you far less likely to become a target.
7. Disable IP Source Routing
The IP protocol allows a host to specify the packet’s route through your network, instead of allowing the network components to determine the best path. The only legitimate use that you may come across for this feature is to troubleshoot connections, but this is rare. It’s far more common to be used to map your network for reconnaissance purposes, or when an attacker is attempting to locate a backdoor into your private network. Unless specifically needed for troubleshooting, this feature should be disabled.
8. Close Unnecessary Ports
Determine your packet filtering needs—there are two philosophies to blocking ports, and which one is appropriate for your network depends on the level of security that you require.
For a high-security network, especially when storing or maintaining confidential data, it is normally recommended to “filter by permission.” This is the scheme in which all ports and IP address permissions are blocked, except for what is explicitly required for network functions. For instance, port 80 for web traffic and 110/25 for SMTP can be allowed to come from a dedicated address, while all other ports and addresses can be disabled.
Most networks will enjoy an acceptable level of security by using a “filter by rejection” scheme. When using this filtering policy, ports that are not used by your network and are commonly used for Trojan Horses or reconnaissance can be blocked to increase the security of your network. For instance, blocking ports 139 and 445 (TCP and UDP) will make it more difficult for attackers to map out your network, and blocking port 31337 (TCP and UDP) will make you more secure from Back Orifice, a hacking tool.
Check out this extensive list of ports with their normally associated uses.
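The two filtering philosophies from Step 8, side by side, as an added example that is not part of the original article. The port numbers come from the text; DEDICATED_HOST and the sample packets are constructed placeholders from documentation address ranges.

```python
import ipaddress

# Assumption: the "dedicated address" allowed to reach the permitted ports.
DEDICATED_HOST = ipaddress.ip_network("203.0.113.25/32")

# Filter by permission: everything is blocked except these explicit rules.
ALLOW = [(80, "tcp", DEDICATED_HOST),
         (110, "tcp", DEDICATED_HOST),
         (25, "tcp", DEDICATED_HOST)]

# Filter by rejection: everything passes except these known-bad ports.
BLOCK = {(port, proto) for port in (139, 445, 31337) for proto in ("tcp", "udp")}


def by_permission(port, proto, src):
    """Default deny: pass only when an explicit allow rule matches."""
    addr = ipaddress.ip_address(src)
    for rule_port, rule_proto, rule_net in ALLOW:
        if port == rule_port and proto == rule_proto and addr in rule_net:
            return "pass"
    return "drop"


def by_rejection(port, proto, src):
    """Default allow: drop only when the port is on the block list."""
    return "drop" if (port, proto) in BLOCK else "pass"


# Constructed inbound packets: (destination port, protocol, source address).
SAMPLES = [
    (80, "tcp", "203.0.113.25"),    # permitted port from the dedicated host
    (80, "tcp", "198.51.100.7"),    # permitted port, but from an unknown host
    (445, "tcp", "198.51.100.7"),   # port named on the block list
    (31337, "udp", "198.51.100.7"), # Back Orifice port from the article
    (23, "tcp", "198.51.100.7"),    # Telnet: on neither list
]


def compare(packets=SAMPLES):
    """Return (permission verdict, rejection verdict) for each packet."""
    return [(by_permission(*p), by_rejection(*p)) for p in packets]


if __name__ == "__main__":
    for packet, verdicts in zip(SAMPLES, compare()):
        print(packet, "permission=%s rejection=%s" % verdicts)
```

The last sample is the one to watch: a port that nobody thought to list is dropped under filter by permission and passed under filter by rejection.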
9. Establish Ingress and Egress Address Filtering Policies
For the tech-savvy, you can take an additional step to secure your network by establishing policies on your border router to filter security violations both outbound (egress) and inbound (ingress) based on IP address. Except for unique and unusual cases, all IP addresses that are attempting to access the Internet from the inside of your network should bear an address that is assigned to your LAN. For instance, 192.168.0.1 may have a legitimate need to access the Internet through the router, but 220.127.116.11 is most likely to be spoofed, and part of an attack.
Inversely, traffic from the outside of the Internet should not claim a source address that is part of your internal network. For that reason, inbound addresses of 192.168.X.X, 172.16.X.X, and 10.X.X.X should be blocked.
And lastly, all traffic with either a source or a destination address that is reserved or unroutable should not be permitted to pass through the router. This can include the loopback address of 127.0.0.1 or the class E address block of 240.0.0.0-254.255.255.255.
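The three address rules from Step 9 expressed as one decision function, as an added example that is not part of the original article. It assumes the LAN is 192.168.0.0/24 and uses constructed sample packets; it also widens the article's 172.16.X.X and class E ranges to the full 172.16.0.0/12 and 240.0.0.0/4 blocks.

```python
import ipaddress

# Assumption: the home LAN is 192.168.0.0/24, which contains the article's
# example host 192.168.0.1. Change it to match your own router.
LAN = ipaddress.ip_network("192.168.0.0/24")

# Private ranges that must never appear as a source on inbound traffic.
# 172.16.0.0/12 is the full RFC 1918 block, wider than the article's 172.16.X.X.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# Reserved or unroutable: all of loopback and the class E block (240.0.0.0/4).
RESERVED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "240.0.0.0/4")]


def filter_packet(direction, src, dst):
    """Return (verdict, reason) for a packet crossing the border router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Reserved addresses are refused at either end, in both directions.
    for addr, role in ((s, "source"), (d, "destination")):
        if any(addr in net for net in RESERVED):
            return ("drop", "reserved %s address" % role)
    if direction == "egress":
        # Outbound traffic must carry a source address assigned to the LAN.
        if s not in LAN:
            return ("drop", "source not assigned to LAN, likely spoofed")
    elif direction == "ingress":
        # Inbound traffic must not claim an internal (private) source.
        if any(s in net for net in PRIVATE):
            return ("drop", "private source arriving from the Internet")
    else:
        raise ValueError("direction must be 'ingress' or 'egress'")
    return ("pass", "ok")


# Constructed packets; 198.51.100.x and 203.0.113.x are documentation ranges,
# and 198.51.100.2 stands in for the router's public address.
SAMPLES = [
    ("egress", "192.168.0.1", "203.0.113.10"),
    ("egress", "198.51.100.7", "203.0.113.10"),
    ("ingress", "203.0.113.10", "198.51.100.2"),
    ("ingress", "10.1.2.3", "198.51.100.2"),
    ("ingress", "240.0.0.1", "198.51.100.2"),
    ("egress", "192.168.0.1", "127.0.0.1"),
]


def run_samples():
    """Return just the verdict for each constructed sample packet."""
    return [filter_packet(*p)[0] for p in SAMPLES]
```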
Even if you stop at Step 3, you will have made the difference between bolting your door against intruders and leaving it unlocked for anyone to invade your home. Just as you would want to know who is staying over, you also need to do your homework on what devices you are allowing into your home. Be sure to read up on the key questions you should ask before any IoT purchase.