From 19ff6a4ccbad820a021d820a6e3307e7a504c9ca Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Wed, 29 Jul 2020 12:57:21 +0100 Subject: [PATCH] Adds Protection from Router CSRF Attack --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index aa10262..d1aacf5 100644 --- a/README.md +++ b/README.md @@ -233,6 +233,7 @@ This section covers how you connect your devices to the internet securely, inclu **Secure DNS** | Optional | Use [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) which performs DNS resolution via the HTTPS protocol, encrypting data between you and your DNS resolver. Although DoH is [not perfect](https://www.netsparker.com/blog/web-security/pros-cons-dns-over-https/), it does remove the need for trust - see [CoudFlares 1.1.1.1 Docs](https://1.1.1.1/help) for more details **Avoid the free router from your ISP** | Optional | Typically they’re manufactured cheaply in bulk in China, with insecure propriety firmware that doesn't recieve regular security updates. Consider an open source router (such as [Turris MOX](https://www.turris.cz/en/mox/overview/)) or a comercial router with [secure firmware](/5_Privacy_Respecting_Software.md#router-firmware) **Whitelist MAC Addresses** | Optional | You can whitelist MAC addresses in your router settings, disallowing any unknown devices to immediately connect to your network, even if they know your credentials. Note that a malicious actor may be able to bypass this, by cloning their address to appear the same as one of your trusted devices, but it will add an extra step +**Change the Router’s Local IP Address** | Optional | It is possible for a malicious script in your web browser, to exploit a cross site scripting vulnerability, accessing known-vulnerable routers at their local IP address and tampering with them (known as [CSRF Attack](https://decoded.avast.io/threatintel/router-exploit-kits-an-overview-of-routercsrf-attacks-and-dns-hijacking-in-brazil/)). Updating your routers local IP address, so that it is not the default (usually 192.168.0.1 or [similar](https://www.softwaretestinghelp.com/default-router-ip-address-list/)), can help protect you from some of these automated attacks **Don't Reveal Personal Info in SSID** | Optional | You should update your network name, choosing an SSID that does not identify you, include your flat number / address, and does not specify the device brand/ model. It may be beneficial to avoid something very unique, as services like [Wigle](https://www.wigle.net/)'s WiFi map can link an SSID directly back to your home address. This may also slightly aid in deterring an opportunistic attacker, as it indicates the router is being conscientiously administered. See, [how to update SSID](https://www.lifewire.com/change-the-wifi-name-ssid-on-a-router-818337) **Opt-Out Router Listings** | Optional | WiFi SSIDs is scanned, logged and then published on various websites (such as [Wiggle WiFi SSID Map](https://www.wigle.net/)), which is a serious privacy concern for some. You can [opt-out of many of these listings](https://www.ghacks.net/2014/10/29/add-_nomap-to-your-routers-ssid-to-have-it-ignored-by-google-and-mozilla/), by adding `_nomap` to the end of your SSID (WiFi network name) **Hide your SSID** | Optional | Your routers Service Set Identifier is simply the network name. If it is not visible, it may receive less abuse. However understand that finding hidden networks is a [trivial task](https://www.acrylicwifi.com/en/blog/hidden-ssid-wifi-how-to-know-name-of-network-without-ssid/) (e.g. with [Kismet](https://www.kismetwireless.net/)). See, [how to hide SSID](https://www.lifewire.com/hide-your-wireless-network-from-your-internet-leeching-neighbors-2487655)