Safer Internet: Connection: Encrypt Wi-Fi

webadmin, Fri, 01/30/2015 - 16:50

Why?

  • + Protect unencrypted traffic from hackers and eavesdroppers -- at least part of the way
  • + Block unauthorized users (slowdowns, data caps, illegal activity)
  • - Some admin setup required
  • - You must provide the password to your users

Connection Problems

  • If your Wi-Fi connection seems 'stuck', first try toggling the Wi-Fi connection off/on; check that the expected router reconnects
      • macOS: (Wi-Fi icon) > Turn Wi-Fi Off/On
      • iOS: Settings > Wi-Fi: off/on -- note: disabling via the iOS 11 Control Center does not completely turn Wi-Fi off!
      • [Refs:iOS]: "EFF: iOS 11's Misleading 'Off-ish' Setting for Bluetooth and Wi-Fi is Bad for User Security"
  • If just one app is not working, e.g., browser OK but not email, close and reopen the app
  • [2] Reset/get a new device IP address
      • iOS: Settings > Wi-Fi > (current network "i" icon) > Renew Lease
      • macOS: System Preferences > Network > Advanced > TCP/IP > Renew DHCP Lease
  • Reboot the device
  • Turn off power to the cable/DSL modem and router; turn on the modem; wait ~60 seconds; turn on the router; wait until the Wi-Fi connection reappears
  • [3] [Refs:Mac]: "Fix Wi-Fi Problems in macOS Sierra"

Wi-Fi Encryption

  • If you use HTTPS: for web browsing and SSL/TLS for email (and both you and the server have the latest security updates), much of your important traffic will already be encrypted.
      • However, this isn't always possible for all sites and situations, and there are other reasons to protect your router and connection.
  • Encrypt Wi-Fi networks you control with WPA2 (Wi-Fi Protected Access)
      • A weak or missing password could create problems if neighbors use your connection (and IP address) for illicit activities or excessive downloads -- not an issue if your Wi-Fi range does not extend outside, or for hard-wired devices (via Ethernet cable)
      • WEP (Wired Equivalent Privacy) is easily cracked, barely better than no encryption
      • WPS (Wi-Fi Protected Setup) lets you use WPA without having to enter a long password; however, you may be vulnerable if you have not changed the pre-shared WPA key from the factory default setting and the PIN feature is enabled -- one reason why WPA is less secure than WPA2
      • What should you do about the recent (10/16/2017) WPA2 protocol vulnerability (KRACK: Key Reinstallation Attacks)?
          • Install software upgrades for your devices -- and any firmware upgrades for your router -- as soon as they become available; ensure that your router is using WPA2 instead of WPA2/WPA or WPA; the router should also be using AES rather than TKIP encryption
          • In the meanwhile, assume any Wi-Fi connection (especially away from home) is vulnerable and treat it as an open (unencrypted) network, i.e., if you can't connect to a critical site via HTTPS:, use a VPN
      • [Refs:Wi-Fi]: "Severe flaw in WPA2 protocol ('KRACK') leaves Wi-Fi traffic open to eavesdropping"
      • [Refs:Wi-Fi]: "The Difference Between WEP, WPA, and WPA2 Wi-Fi Passwords"
      • [Refs:Wi-Fi]: "Wi-Fi Protected Setup (WPS) is Insecure: Here's Why You Should Disable It"
  • Network figures
      • with no encryption (Wi-Fi, SSL/HTTPS): {Figure 1. TCYOP-3: 44; TCYOP-2: 39; TCYOP-1: 39}
      • with Wi-Fi encryption: {Figure 3. TCYOP-3: 46; TCYOP-2: 41; TCYOP-1: 41}
  • Change the encryption level to WPA2 -- not WPA or the WPA2/WPA combo
      • Use AES rather than TKIP encryption (note: the Netgear figure shows incorrect settings)
      • Consult your router manual (download the .pdf from the manufacturer) to locate the settings and the local IP address, e.g., http://192.168.1.1 -- the router is a local, self-contained web server!
      • Use a web browser to connect locally to the router, or use the manufacturer's configuration app
      • Apple AirPort {Figure 2. TCYOP-3: 45; TCYOP-2: 40; TCYOP-1: 40}
      • Netgear: Wireless Settings > Security Options > WPA2
      • TP-Link: Wireless (freq) > Wireless Security > WPA2 [screenshot]
  • Check the encryption level from the client: none? WEP? WPA? WPA2?
      • macOS: menu bar > [option-click] Wi-Fi icon: current network stats are displayed; other networks: hover to display stats
      • iOS: Settings > Wi-Fi shows an insecure-connection warning (right)
      • iOS 9: there doesn't appear to be a built-in way to see the security details of routers, whether connected or not
      • Android, macOS, Windows: "How to Check WiFi Security Encryption Type" (1/24/2014)
  • Don't connect automatically to open (insecure) Wi-Fi networks -- unless using a VPN.
      • By default, macOS and iOS connect automatically only to "known" networks, i.e., open or password-protected networks that you've connected to before
      • Automatic connections might occur in older systems or on other platforms?
      • For a new, unknown network, you can be prompted to join it or select it manually; it won't connect automatically
          • macOS: System Preferences > Network > Wi-Fi > Ask to Join New Networks: "on" (prompts you when a new network is available) or "off" (you'll select manually)
          • iOS: Settings > Wi-Fi > Ask to Join Networks (same as macOS)
          • iOS: Settings > Wi-Fi > (select network) > 'i' > Auto-Join -- customize for individual networks
          • iOS: If a friend's iOS 11 device tries to connect to your Wi-Fi network, you'll receive a prompt that lets you send over the password by tapping Send Password
      • To remove a network from the list of automatically connecting "known" networks (that you've connected to previously):
          • macOS: System Preferences > Network > Wi-Fi > Advanced > Wi-Fi > (select network) > "-"
          • iOS: Settings > Wi-Fi > "i" (for network) > Forget This Network
  • [2] To make your network freely available to others, e.g., during a disaster, set up a separate guest network (with no password) rather than disabling security on your regular network [screenshot]
      • [Refs:Wi-Fi]: "How (and Why) to Safely Open Your Wi-Fi Network During a Disaster"
  • [2] Consider using a Virtual Private Network (VPN) (covered in the next section) if:
      • no password; in a public area, an attacker might provide the access point, e.g., "Free WiFi"; or a greedy ISP might inject ads
      • weak password: WEP, WPS
      • widely known password, e.g., coffee shop
      • [Refs:Wi-Fi]: "The Dangers of Unsecured Wifi Hotspots"
      • [Refs:Wi-Fi]: "Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk"
  • If you set up your smartphone to share its data connection via Wi-Fi (aka 'Personal Hotspot' or 'tethering'), be sure to set a password, for security and to avoid others using your data allocation.
      • iOS: Settings > Personal Hotspot (if Cellular Data is on) > On (Wi-Fi, Bluetooth, USB); Wi-Fi Password: ???
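The "check the encryption level from the client" step above can be scripted on macOS. This is an added example, not code from the original page: it classifies the `Security:` lines of a `system_profiler SPAirPortDataType` report into open / weak / mixed (WPA2/WPA combo) / ok, matching the WPA2-only recommendation. The sample report is constructed, and the exact mode strings ("WPA2 Personal", "WPA/WPA2 Personal", "WEP", "None") are assumed from typical macOS output.

```shell
#!/bin/sh
# Added example: audit the security mode of Wi-Fi networks a Mac can see, using the
# report format of `system_profiler SPAirPortDataType`.
# Assumptions: each network appears as "<SSID>:" followed by an indented "Security: <mode>"
# line; the mode strings below are assumed from typical macOS output.

# Constructed sample report (stand-in for real `system_profiler SPAirPortDataType` output).
SAMPLE_REPORT='Wi-Fi:
      Interfaces:
        en0:
          Status: Connected
          Current Network Information:
            HomeNet:
              Channel: 36
              Security: WPA2 Personal
          Other Local Wi-Fi Networks:
            CoffeeShop:
              Channel: 6
              Security: None
            OldRouter:
              Channel: 11
              Security: WEP
            MixedMode:
              Channel: 1
              Security: WPA/WPA2 Personal'

# classify_security MODE -> open | weak | mixed | ok | unknown
classify_security() {
  case "$1" in
    ""|None)                echo open ;;    # no encryption: treat like a public hotspot (use a VPN)
    *WPA/WPA2*|*WPA2/WPA*)  echo mixed ;;   # WPA2/WPA combo still accepts WPA (TKIP) clients; set WPA2 only
    *WPA3*|*WPA2*)          echo ok ;;      # WPA2 (AES) or newer
    *WPA*|*WEP*)            echo weak ;;    # WPA-only (TKIP) or WEP: easily cracked
    *)                      echo unknown ;;
  esac
}

# audit_wifi REPORT -> one tab-separated line per network: "<verdict> <SSID> <mode>"
audit_wifi() {
  printf '%s\n' "$1" | awk '
    /^ *[^:]+:$/    { name = $0; sub(/^ +/, "", name); sub(/:$/, "", name); next }
    /^ *Security: / { mode = $0; sub(/^ *Security: /, "", mode); print name "\t" mode }
  ' | while IFS="$(printf '\t')" read -r ssid mode; do
    printf '%s\t%s\t%s\n' "$(classify_security "$mode")" "$ssid" "$mode"
  done
}

# count_verdict REPORT VERDICT -> number of networks with that verdict
count_verdict() {
  audit_wifi "$1" | awk -F'\t' -v v="$2" '$1 == v { n++ } END { print n + 0 }'
}

# Run against the constructed sample; on a Mac, pass "$(system_profiler SPAirPortDataType)" instead.
audit_wifi "$SAMPLE_REPORT"
```

Any network reported as open, weak or mixed is one the page says to avoid without a VPN, or to reconfigure to WPA2 with AES if it is your own router.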

Router Password, Updates

  • Set a strong admin password -- this is for the router itself, different from the Wi-Fi password you use or supply to guests
      • if the password is required to be short, also change the admin user name
      • Netgear: Maintenance > Set Password
      • TP-Link: System Tools > Password [screenshot]
  • [2] Check whether an update (usually infrequent) is available for your router's firmware (i.e., low-level software), either automatically upon login or manually.
      • Netgear: Maintenance > Router Upgrade
      • TP-Link: System Tools > Firmware Upgrade [screenshot]
      • If you rent a router from your ISP, check with them about updates.

[2] Router/Device DNS

  • Change DNS (Domain Name System) name servers; e.g., Netgear (right)
      • free: OpenDNS; Google Public DNS; Recursive DNS
      • benefits: speed; security; non-existent domains (ad redirection)
      • Netgear: Basic Settings > DNS Address
      • TP-Link: DHCP > DHCP Settings [screenshot]; Network > WAN [screenshot]
  • If you have no router (or it's someone else's), you can change DNS directly on the device via "Network > DNS settings"
      • iOS: Settings > WiFi > (network: "i") > Configure DNS
      • macOS: System Preferences > Network > Advanced > DNS > DNS Servers
      • macOS: If possible, create a separate network profile, e.g., Home, Travel?
      • [Refs:DNS]: "7 Reasons to Use a Third-Party DNS Service"; "Pharming Attack Targets Home Router DNS Settings"
  • [3] Encrypt DNS lookups -- either via a VPN or via a utility, e.g., DNSCrypt
      • benefits: privacy; security (against spoofing and man-in-the-middle (MitM) attacks)
      • e.g., DNSCrypt from OpenDNS (now Cisco): article; free download for macOS, Windows, Unix, and rooted/jailbroken Android and iOS devices
      • macOS: [menubar] > "DNSCrypt"

[3] Advanced

  • Disable remote administration -- hopefully it was already off by default
      • Netgear: Advanced > Remote Management
      • TP-Link: Security > Remote Management [screenshot]
  • If you change many admin settings, consider making a backup.
      • Netgear: Maintenance > Backup Settings
      • TP-Link: System Tools > Backup & Restore
  • On some devices, e.g., iPhone, iPad*, you can lock your SIM card so that cellular data can't be used without entering a PIN -- whenever you swap SIM cards or restart. To enable, disable or change your SIM PIN:
      • iPhone: Settings > Phone > SIM PIN
      • iPad: Settings > Cellular Data > SIM PIN (*Wi-Fi + Cellular models)

References

Android

DNS, IP Addresses

iOS

macOS

Modem, Router

Wi-Fi

Windows