You won’t believe how UNSAFE your home router is


We often neglect our routers. Most of us use the one we get from our Internet service provider, or an average consumer-grade router: We plug it in, and then we never look at it again for years, except to occasionally reboot it when our internet stops working.

Hi, I’m your router.

Oh hi router, I don’t see you much.

Yeah, it’s kind of an issue. Why do they always forget about me?

The router is the gateway between your devices and the internet at large. If it’s compromised, it’s like leaving the front door to your home network wide open, allowing malicious actors to enter. If you don’t pay attention to your router, it can create a serious hole in your security and privacy.

So we’re putting together a series of videos that talk about home networks, and how to make them safer. This first video is about how to give your hardware and software a major overhaul. We’ll discuss the 4 different technologies that are actually inside one of these boxes that we generally think of as just a “router”. We’ll talk about the major security weaknesses of these devices. And finally we’ll walk you through a step-by-step tutorial of how to upgrade your setup.

So what’s actually in one of these boxes?

You’re buying four technologies that are in one package. There’s a switch, there’s a router, there’s a firewall, and there’s an access point.

Brent Cowing is the founder of Protectli, and an expert in securing home networks, and he explained to me the role that each of these 4 technologies plays in your home network.

First, the switch.

It’s made to allow very fast, very efficient communication between devices on the same network. So you might have a printer, a couple of computers, a storage system all on your local network. They most efficiently talk to one another through a switch.

It’s like an internal postman that delivers packages just inside an apartment building.

What if one of these devices wants to connect with something outside of their local network, like the internet?

You don’t want all of your private devices to just be sitting out on the public internet. So you use a router, that’s the second technology in this box.

You can think of the router like a doorman, that your devices have to go through to connect to the broader internet, and that the internet has to go through to get to your local devices.

The router has a public-facing IP address, which you can think of like a street number for a building, that lets internet traffic know where to reach you. And the router assigns the devices on your local network a private IP address, which you can think of like an apartment number inside the building. It looks something like this and usually starts with 192.168.

The router receives traffic from the internet, and routes it to the right place on your local network, and it takes traffic from your local devices, and sends it out to the broader internet through the public IP address.

Now there’s certain traffic that you don’t necessarily want coming into your private network, so that’s why we have a firewall, which is the third technology in this box.

What a firewall does is, it is the barrier that is keeping the public internet out and your private network in.

You can think of it like a bouncer at the building.

It’s gonna let traffic out depending on the rules of your firewall. And it’s gonna block unsolicited traffic from coming in, but allow traffic that you’ve requested to come in.

The internet can be a pretty hostile place, so your firewall is an important layer of protection that hides devices on your private network, away from these bad actors.

And finally in a “router” box, you have a wireless access point. Basically it’s what allows you to create a wifi network, so that your devices can connect to each other and your router wirelessly.

It turns out that the security of these 4-in-one, consumer-grade devices is pretty bad for 2 big reasons: costs, and ease of use.

Because they’re trying to sell as many of those things as possible, they make them as cheap as possible, which means they put as little effort as possible into security. And they try to make it as easy to use as possible, which means usually they remove as much security as possible, cuz security’s hard.

You definitely don’t want to skimp on security when it comes to the gateway between the hostile internet and your computer, and yet there are countless software and firmware security weaknesses in one of these typical “routers”.

Usually these things are deployed by the thousands from, uh, some distribution center, uh, and they might have firmware on them that’s months, if not years old, that has proven to be vulnerable.

Router vendors usually don’t bother patching these devices despite being aware of critical vulnerabilities. In a 2020 report nearly all of the routers they tested had security flaws, and some were very severe. These included outdated versions of Linux software with known vulnerabilities, or even hardcoded credentials like admin passwords coded directly into the firmware that were accessible to hackers.

If the firewall is no longer able to block unsolicited traffic from coming into your network, if there’s a vulnerability that exists and outside actors are able to gain access to that device, that’s a particularly dangerous thing, cuz that means that they can see all the traffic that goes through that device and they can then get access to all the devices that are on your private network.

There’s also been a rise in the number of router vulnerabilities in recent years, with one report saying more than half of the vulnerabilities discovered were high priority, and 18% were critical.

Hackers are well aware of these router vulnerabilities and find them by constantly scanning all ports and public IP addresses.

Hackers are absolutely automating this scouring. It is prevalent, it’s widespread. It happens every single day.

It’s targeting everyone indiscriminately, so it’s something we all need to protect ourselves against.

They might be trying to gain access to your home network so they can exploit whatever data they can find on your home network, or more often they’re trying to gain access to your device to add it to a botnet so that they can monetize a botnet to launch denial of service attacks on various other devices on the internet.

This is a very persistent threat and something that people should be aware of. It’s not personal though. It’s just the nature of the internet.

So what can you do?

You want to be very careful about keeping your firewall up to date and you wanna be aware of what’s happening, uh, at that barrier between your home network and the internet.

Our primary focus in this video is to give you a more secure router setup. We’ll take your existing router and change the settings to disable most of its functionality. Then we’re going to add a new device called a Protectli Vault, that runs much better software and firmware, to handle your router functionality and firewall.

Now if you upgrade your home network by making these changes, you’re augmenting what your ISP has provided and you’re stepping up your level of security significantly.

This new Protectli Vault will have 3 upgraded components.

First, the software that we’ll use to run our new router and firewall. We’re going to use software called pfSense, which is open source and will give you more control over what our firewall is doing, and allow all kinds of things that just aren’t possible in consumer-grade software.

The firmware is the code that sits between the hardware and the operating system and allows them to interface with each other. Most firmware is opaque so you can’t tell what it’s really doing, and is also notoriously buggy. If a hacker can compromise this in your router and firewall, it puts all the devices on your network at risk. We’re going to use firmware called “coreboot”, which is open source, and maximizes security, transparency, and auditability of this code.

Finally, you can’t just put coreboot on any hardware. You need hardware that has been specifically designed to be compatible with coreboot. We’re going to use the Protectli hardware, where Brent is the CEO.

We first heard about Protectli from privacy and security expert Michael Bazzell, and his book “Extreme Privacy” is linked in the video description for anyone interested.

The first step is to choose the Protectli Vault you’d prefer. Ours is a 4-port device, with 8GB of memory, and 120GB of SSD storage, but 4GB RAM and 32GB SSD are more than enough to run pfSense. You can determine which specs are right for you. We got it without a wifi card, and will explain why in a moment. We ordered one with coreboot preinstalled on it as the firmware.

Now let’s install pfSense onto our Protectli Vault.

Take a blank USB thumb drive, and have a monitor and keyboard ready.

Go to pfSense.org/download/. From the dropdown menus select: AMD64 for architecture, which is the processor that Protectli uses. For installer select USB. For console select VGA. And for Mirror select the location closest to you. Then click download, and save the image somewhere on your computer hard drive.

Now go to balena.io/etcher/ and download the software onto your computer. Open it, select Flash from File, and choose the disk image you just downloaded. Under target choose your USB stick. Click FLASH. Once the flash is complete, remove the thumb drive.

Now take your Protectli Vault, make sure it’s powered down, and plug in a keyboard and monitor to it. Insert your USB stick to Protectli, and then turn the Protectli Vault on. It should boot the pfSense installer automatically, but if it doesn’t, while it’s powering up, press F11 which should show you the boot options, and you can select boot from USB.

Press ENTER to install pfSense, ENTER for default keymap, ENTER for auto ZFS, ENTER to Install, ENTER for Stripe, ENTER to select the Protectli device for where to install the image, and Y to confirm your choice one last time.

Once the install is complete, select NO when asked to make changes. And finally, press R to restart the device.

Once that’s rebooted you can remove the thumb drive, the monitor, and the keyboard!

Now we’re going to configure our pfSense settings.

Plug the Protectli Vault into your computer using an ethernet cable. In a browser on your computer, go to 192.168.1.1, and you’ll come to a pfSense log in page. Your default username is probably admin, and the default password is probably pfsense.

Oh hi computer! Just a quick tip, you might want to change that default password at some stage.

Oooh, noted.

Now this is the default URL that you currently go to in order to access your router and firewall settings. We’re going to change it to something else.

You’re adding a little obscurity to your network, right. By not using the defaults, which is always good.

Select Interfaces, LAN, and then scroll down to where it says “Static IPv4 Configuration”. Delete what’s there and add in some other arbitrary number in the 192.168 space. For the purposes of this video we’ve chosen 137 for our 3rd octet. You could just as easily choose .143, or .216 or any preferred number.

So for example you’ll type in to IPv4 address 192.168.137.1

2022-11-05
