We often neglect our routers. Most of us use the one we get from our Internet service provider, or an average consumer-grade router: we plug it in, and then we never look at it again for years, except to occasionally reboot it when our internet stops working.
“Hi, I’m your router.”
“Oh hi, router, I don’t see you much.”
“Yeah, it’s kind of an issue. Why do they always forget about me?”
The router is the gateway between your devices and the internet at large. If it’s compromised, it’s like leaving the front door to your home network wide open, allowing malicious actors to enter. If you don’t pay attention to your router, it can create a serious hole in your security and privacy.
So we’re putting together a series of videos that talk about home networks, and how to make them safer. This first video is about how to give your hardware and software a major overhaul. We’ll discuss the 4 different technologies that are actually inside one of these boxes that we generally think of as just a “router”. We’ll talk about the major security weaknesses of these devices. And finally, we’ll walk you through a step-by-step tutorial of how to upgrade your setup.
So what’s actually in one of these boxes? You're buying four technologies that are in one package. There's a switch, there's a router, there's a firewall, and there's an access point.
Brent Cowing is the founder of Protectli, and an expert in securing home networks, and he explained to me the role that each of these 4 technologies plays in your home network.
First, the switch. It's made to allow very fast, very efficient communication between devices on the same network. So you might have a printer, a couple of computers, a storage system all on your local network. They most efficiently talk to one another through a switch. It’s like an internal postman that delivers packages just inside an apartment building.
What if one of these devices wants to connect with something outside of their local network, like the internet? You don't want all of your private devices to just be sitting out on the public internet. So you use a router; that’s the second technology in this box. You can think of the router like a doorman that your devices have to go through to connect to the broader internet, and that the internet has to go through to get to your local devices.
The router has a public-facing IP address, which you can think of like a street number for a building, that lets internet traffic know where to reach you. And the router assigns the devices on your local network a private IP address, which you can think of like an apartment number inside the building. It looks something like this and usually starts with 192.168.
The router receives traffic from the internet and routes it to the right place on your local network, and it takes traffic from your local devices and sends it out to the broader internet through the public IP address.
Now, there’s certain traffic that you don’t necessarily want coming into your private network, so that’s why we have a firewall, which is the third technology in this box. What a firewall does is, it is the barrier that is keeping the public internet out and your private network in. You can think of it like a bouncer at the building. It's gonna let traffic out depending on the rules of your firewall. And it's gonna block unsolicited traffic from coming in, but allow traffic that you've requested to come in. The internet can be a pretty hostile place, so your firewall is an important layer of protection that hides devices on your private network away from these bad actors.
And finally, in a “router” box, you have a wireless access point. Basically, it’s what allows you to create a wifi network, so that your devices can connect to each other and your router wirelessly.
It turns out that the security of these 4-in-one, consumer-grade devices is pretty bad for 2 big reasons: costs, and ease of use. Because they're trying to sell as many of those things as possible, they make them as cheap as possible, which means they put as little effort as possible into security. And they try to make it as easy to use as possible, which means usually they remove as much security as possible, cuz security's hard.
You definitely don’t want to skimp on security when it comes to the gateway between the hostile internet and your computer, and yet there are countless software and firmware security weaknesses in one of these typical “routers”. Usually these things are deployed by the thousands from, uh, some distribution center, uh, and they might have firmware on them that's months, if not years old, that has proven to be vulnerable.
Router vendors usually don’t bother patching these devices despite being aware of critical vulnerabilities. In a 2020 report, nearly all of the routers tested had security flaws, and some were very severe. These included outdated versions of Linux software with known vulnerabilities, or even hardcoded credentials, like admin passwords coded directly into the firmware, that were accessible to hackers.
If the firewall is no longer able to block unsolicited traffic from coming into your network, if there's a vulnerability that exists and outside actors are able to gain access to that device, that's a particularly dangerous thing, cuz that means that they can see all the traffic that goes through that device and they can then get access to all the devices that are on your private network.
There’s also been a rise in the number of router vulnerabilities in recent years, with one report saying more than half of the vulnerabilities discovered were high priority, and 18% were critical. Hackers are well aware of these router vulnerabilities and find them by constantly scanning all ports and public IP addresses.
Hackers are absolutely automating this scouring. It is prevalent, it's widespread. It happens every single day.
It’s targeting everyone indiscriminately, so it’s something we all need to protect ourselves against.
They might be trying to gain access to your home network so they can exploit whatever data they can find on your home network, or more often they're trying to gain access to your device to add it to a botnet so that they can monetize a botnet to launch denial-of-service attacks on various other devices on the internet. This is a, a very persistent threat and something that people should be aware of. It's not personal though. It's just the nature of the internet.
So what can you do?
You want to be very careful about keeping your firewall up to date and you wanna be aware of what's happening, uh, at that barrier between your home network and the internet.
Our primary focus in this video is to give you a more secure router setup. We’ll take your existing router and change the settings to disable most of its functionality. Then we’re going to add a new device called a Protectli Vault, which runs much better software and firmware, to handle your router functionality and firewall. Now, if you upgrade your home network by making these changes, you're augmenting what your ISP has provided and you’re stepping up your level of security significantly.
This new Protectli Vault will have 3 upgraded components.
First, the software that we’ll use to run our new router and firewall. We’re going to use software called pfSense, which is open source and will give you more control over what your firewall is doing, and allow all kinds of things that just aren’t possible in consumer-grade software.
The firmware is the code that sits between the hardware and the operating system and allows them to interface with each other. Most firmware is opaque, so you can’t tell what it’s really doing, and it is also notoriously buggy. If a hacker can compromise this in your router and firewall, it puts all the devices on your network at risk. We’re going to use firmware called “coreboot”, which is open source, and maximizes security, transparency, and auditability of this code.
Finally, you can’t just put coreboot on any hardware. You need hardware that has been specifically designed to be compatible with coreboot. We’re going to use the Protectli hardware, where Brent is the CEO.
We first heard about Protectli from privacy and security expert Michael Bazzell, and his book “Extreme Privacy” is linked in the video description for anyone interested.
The first step is to choose the Protectli Vault you’d prefer. Ours is a 4-port device, with 8GB of memory and 120GB of SSD storage, but 4GB RAM and 32GB SSD are more than enough to run pfSense. You can determine which specs are right for you. We got it without a wifi card, and will explain why in a moment. We ordered one with coreboot preinstalled on it as the firmware.
Now let’s install pfSense onto our Protectli Vault. Take a blank USB thumb drive, and have a monitor and keyboard ready. Go to pfSense.org/download/. From the dropdown menus select: AMD64 for architecture, which is the processor that Protectli uses; for installer, select USB; for console, select VGA; and for mirror, select the location closest to you. Then click download, and save the image somewhere on your computer's hard drive.
Now go to balena.io/etcher/ and download the software onto your computer. Open it, select Flash from File, and choose the disk image you just downloaded. Under target, choose your USB stick. Click FLASH. Once the flash is complete, remove the thumb drive.
Now take your Protectli Vault, make sure it’s powered down, and plug a keyboard and monitor into it. Insert your USB stick into the Protectli, and then turn the Protectli Vault on. It should boot the pfSense installer automatically, but if it doesn’t, while it’s powering up, press F11, which should show you the boot options, and you can select boot from USB.
Press ENTER to install pfSense, ENTER for the default keymap, ENTER for auto ZFS, ENTER to install, ENTER for stripe, ENTER to select the Protectli device for where to install the image, and Y to confirm your choice one last time. Once the install is complete, select NO when asked to make changes. And finally, press R to restart the device.
Once that’s rebooted, you can remove the thumb drive, the monitor, and the keyboard!
Now we’re going to configure our pfSense settings. Plug the Protectli Vault into your computer using an ethernet cable. In a browser on your computer, go to 192.168.1.1, and you’ll come to a pfSense login page. Your default username is probably admin, and the default password is probably pfsense.
“Oh hi, computer! Just a quick tip, you might want to change that default password at some stage.”
“Oooh, noted.”
Now, this is the default URL that you currently go to in order to access your router and firewall settings. We’re going to change it to something else.
You're adding a little obscurity to your network, right, by not using the defaults, which is always good.
Select Interfaces, LAN, and then scroll down to where it says “Static IPv4 Configuration”. Delete what’s there and add in some other arbitrary number in the 192.168 space. For the purposes of this video we’ve chosen 137 for our 3rd octet. You could just as easily choose .143, or .216, or any preferred number.
So, for example, in the IPv4 address field you’ll type 192.168.137.1
2022-11-05