
Tuesday, May 29, 2018

Is Your Router Vulnerable to VPNFilter Malware?

Below is a list of routers vulnerable to VPNFilter, malware that can brick your device.
The Justice Department last week urged everyone with a small office home office (SOHO) or NAS device to reboot their gadgets immediately in order to thwart VPNFilter, a new strain of malware that can brick your router.
The FBI seized a domain used to send commands to the infected devices, but it can't hurt to reboot anyway.
As Symantec outlines, VPNFilter is "a multi-staged piece of malware." Stage 1 makes the connection, Stage 2 delivers the goods, and Stage 3 acts as plugins for Stage 2. "These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor."
VPNFilter "is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot," Symantec says.
Still, "rebooting will remove Stage 2 and any Stage 3 elements present on the device, [temporarily removing] the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers."
Those who believe they're infected should do a hard reset, which restores factory settings. Look for a small reset button on your device, though this will wipe any credentials you have stored on the device.
Below is a list of routers Symantec identified as vulnerable to VPNFilter. MikroTik tells Symantec that VPNFilter likely proliferated via a bug in MikroTik RouterOS software, which it patched in March 2017. "Upgrading RouterOS software deletes VPNFilter, any other third-party files and patches the vulnerability," Symantec says.
  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN
"No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues," according to Cisco Talos, which first reported the bug.
To date, Cisco Talos estimates that at least 500,000 devices in at least 54 countries have been hit by VPNFilter.
The feds are pinning this attack on Fancy Bear, a hacking group also known as APT28 and Sofacy Group, among other monikers. The group is notorious for attacking governments across the world and stealing confidential files from the Democratic National Committee during the 2016 election.


via PCMag

Monday, March 19, 2018

NetComm Wireless says its new router will improve large-scale fleet tracking

The 4G LTE Cat 6 IIoT Router with Dual Band WiFi (NTC-400)
and the cloud-based remote device manager (RDM) platform

A new router launched today by NetComm Wireless will help improve speed and connectivity for the industrial internet of things (IIoT) – which it says will improve the reliability of large-scale fleet tracking.
The 4G LTE Cat 6 IIoT Router with Dual Band WiFi (NTC-400) and the cloud-based remote device manager (RDM) platform will also create high speed WiFi hotspots for vehicles and public transport, the company said.
Designed to connect and manage some of the most bandwidth intensive in-vehicle IIoT applications – also including surveillance and 4K/UHD digital displays – the NTC-400 series offers reliable data connectivity across more environments where fixed line applications are either unavailable or unsuitable.
The NTC-400’s dual band WiFi access point has carrier-grade remote management and support for multiple LTE bands including band 28 (700 MHz).
Launched in conjunction with the NTC-400 to lower the total cost of ownership, the RDM enables the secure upgrade of firmware and applications to individual, groups or large-scale fleets of devices.
It supports TR-069 and OMA LWM2M standards, and enables real time monitoring, analytics, comprehensive reporting on failed connections and tasks, profile updates and inventory reports.
The device also integrates into existing remote management platforms, and includes Gigabit Ethernet ports, a serial port, and a USB port for network flexibility.
It also features a robust metal enclosure and a wide temperature rating; and supports in-vehicle and tracking applications with integrated GPS that is compatible with all global systems.
NetComm Wireless chief operating officer Timo Brouwer says the NTC-400 Series is engineered to increase operational efficiencies.
"Our cloud based remote device management platform adds another level of efficiency with live visibility and smart network management at scale," he says.

Friday, August 18, 2017

12 Ways to Secure Your Wi-Fi Network

Quick Steps to Complete Wi-Fi Lockdown
Sometimes the best thing to say about a wireless router in your house is that once it's set, you forget it exists. As long as the devices that need the Wi-Fi connection can get on and function, that's all that matters, right?
Maybe, but we also live in the age of leaks, wiki and otherwise. If you're worried about the security of your home and by extension your personal data—especially from hackers who could casually sit in a car outside and get access to your systems—then you need to put a padlock on that wireless. You may also want to keep others, freeloaders included, off your network.
So what do you do? Follow these tips and you'll be well ahead of most home Wi-Fi users. Nothing will make you 1,000 percent safe against a truly dedicated hack. Crafty social engineering schemes are tough to beat. But don't make it easy on them; protect yourself with these steps.

Time-Tested Wi-Fi (and All Around) Security

Change Your Router Admin Username and Password
Every router comes with a generic username and password—if they come with a password at all. You need it the first time you access the router. After that, change them both. Immediately. The generic usernames are a matter of public record for just about every router in existence; not changing them makes it incredibly easy for someone who gets physical access to your router to mess with the settings.
If you forget the new username/password, you should probably stick to pencil and paper, but you can reset a router to its factory settings to get in with the original admin generic info.
Change the Network Name
The service set identifier (SSID) is the name that's broadcast from your Wi-Fi to the outside world so people can find the network. While you probably want to make the SSID public, using the generic network name/SSID generally gives it away. For example, routers from Linksys usually say "Linksys" in the name; some list the maker and model number ("NetgearR6700"). That makes it easier for others to ID your router type. Give your network a more personalized moniker.
It's annoying, but rotating the SSID(s) on the network means that even if someone had previous access—like a noisy neighbor—you can boot them off with regular changes. It's usually a moot point if you have encryption in place, but just because you're paranoid doesn't mean they're not out to use your bandwidth. (Just remember, if you change the SSID and don't broadcast the SSID, it's on you to remember the new name all the time and reconnect ALL your devices—computers, phones, tablets, game consoles, talking robots, cameras, smart home devices, etc.)
Activate Encryption
This is the ultimate Wi-Fi no-brainer; no router in the last 10 years has come without encryption. It's the single most important thing you must do to lock down your wireless network. Navigate to your router's settings and look for security options. Each router brand will likely differ; if you're stumped, head to your router maker's support site.
Once there, turn on WPA2 Personal (it may show as WPA2-PSK); if that's not an option use WPA Personal (but if you can't get WPA2, be smart: go get a modern router). Set the encryption type to AES (avoid TKIP if that's an option). You'll need to enter a password, also known as a network key, for the encrypted Wi-Fi.
This is NOT the same password you used for the router—this is what you enter on every single device when you connect via Wi-Fi. So make it a long nonsense word or phrase no one can guess, yet something easy enough to type into every weird device you've got that uses wireless. Use a mix of upper- and lowercase letters, numbers, and special characters to make it truly strong, but you have to balance that with ease and memorability.
Double Up on Firewalls
The router has a firewall built in that should protect your internal network against outside attacks. Activate it if it's not automatic. It might say SPI (stateful packet inspection) or NAT (network address translation), but either way, turn it on as an extra layer of protection.
For full-bore protection—like making sure your own software doesn't send stuff out over the network or Internet without your permission—install firewall software on your PC as well. Our top choice: Check Point ZoneAlarm PRO Firewall 2017; there's a free version and a $40 pro version, which has extras like phishing and antivirus protection. At the very least, turn on the firewall that comes with Windows 8 and 10.
Turn Off Guest Networks
It's nice and convenient to provide guests with a network that doesn't have an encryption password, but what if you can't trust them? Or the neighbors? Or the people parked out front? If they're close enough to be on your Wi-Fi, they should be close enough to you that you'd give them the password. (Remember—you can always change your Wi-Fi encryption password later.)
Use a VPN
A virtual private network (VPN) connection makes a tunnel between your device and the Internet through a third-party server—it can help mask your identity or make it look like you're in another country, preventing snoops from seeing your Internet traffic. Some even block ads. A VPN is a smart bet for all Internet users, even if you're not on Wi-Fi. As some say, you need a VPN or you're screwed. Check our list of the Best VPN services.
Update Router Firmware
Just like with your operating system and browsers and other software, people find security holes in routers all the time to exploit. When the router manufacturers know about these exploits, they plug the holes by issuing new software for the router, called firmware. Go into your router settings every month or so and do a quick check to see if you need an update, then run their upgrade. New firmware may also come with new features for the router, so it's a win-win.
If you're feeling particularly techie—and have the right kind of router that supports it—you can upgrade to custom third-party firmware like Tomato, DD-WRT or OpenWrt. These programs completely erase the manufacturer's firmware on the router but can provide a slew of new features or even better speeds compared to the original firmware. Don't take this step unless you're feeling pretty secure in your networking knowledge.
Turn Off WPS
Wi-Fi Protected Setup, or WPS, is the function by which devices can be easily paired with the router even when encryption is turned on, because you push a button on the router and the device in question. Voila, they're talking. It's not that hard to crack, and means anyone with quick physical access to your router can instantly pair their equipment with it. Unless your router is locked away tight, this is a potential opening to the network you may not have considered.

'Debunked' Options

Many security recommendations floating around the Web don't pass muster with experts. That's because people with the right equipment—such as wireless analyzer software like Kismet or mega-tools like the Pwnie Express Pwn Pro—aren't going to let the following tips stop them. I include them for completion's sake because, while they can be a pain in the ass to implement or follow up with, a truly paranoid person who doesn't yet think the NSA is after them may want to consider their options. So, while these are far from foolproof, they can't hurt if you're worried.
Don't Broadcast the Network Name
This makes it harder, but not impossible, for friends and family to get on the Wi-Fi; that means it makes it a lot harder for non-friends to get online. In the router settings for the SSID, check for a "visibility status" or "enable SSID broadcast" and turn it off. In the future, when someone wants to get on the Wi-Fi, you'll have to tell them the SSID to type in—so make that network name something simple enough to remember and type. (Anyone with a wireless sniffer, however, can pick the SSID out of the air in very little time. The SSID is not so much invisible as it is camouflaged.)
Disable DHCP
The Dynamic Host Configuration Protocol (DHCP) server in your router is what assigns IP addresses to each device on the network. For example, if the router has an IP of 192.168.0.1, your router may have a DHCP range of 192.168.0.100 to 192.168.0.125—that's 26 possible IP addresses it would allow on the network. You can limit the range so (in theory) the DHCP wouldn't allow more than a certain number of devices—but with everything from appliances to watches using Wi-Fi, that's hard to justify.
For security, you could also just disable DHCP entirely. That means you have to go into each device—even the appliances and watches—and assign it an IP address that fits with your router. (And all this on top of just signing into the encrypted Wi-Fi as it is.) If that sounds daunting, it can be for the layman. Again, keep in mind, anyone with the right Wi-Fi hacking tools and a good guess on your router's IP address range can probably get on the network even if you do disable the DHCP server.
Filter on MAC Addresses
Every single device that connects to a network has a media access control (MAC) address that serves as a unique ID. Some with multiple network options—say 2.4GHz Wi-Fi, and 5GHz Wi-Fi, and Ethernet—will have a MAC address for each type. You can go into your router settings and physically type in the MAC address of only the devices you want to allow on the network. You can also find the "Access Control" section of your router to see a list of devices already connected, then select only those you want to allow or block. If you see items without a name, check their listed MAC addresses against your known products—MAC addresses are typically printed right on the device. Anything that doesn't match up may be an interloper. Or it might just be something you forgot about—there is a lot of Wi-Fi out there.
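The check described above (comparing the router's connected-device list against the MAC addresses printed on your own hardware), as an added example that is not part of the original article. It assumes the router can export its DHCP lease table in dnsmasq's lease-file format; the allow-list and the lease lines are constructed samples.

```python
import re

# Constructed allow-list: MACs copied from device labels, in whatever
# notation each label happened to use.
KNOWN_DEVICES = {
    "3C-52-82-11-22-33": "office laptop (Wi-Fi)",
    "b827.eb44.5566": "raspberry pi (Ethernet)",
    "00:11:32:AA:BB:CC": "NAS",
}

# Constructed lease table, dnsmasq lease-file layout (assumed export format):
# <expiry-epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1502800000 3c:52:82:11:22:33 192.168.0.100 laptop 01:3c:52:82:11:22:33
1502800300 b8:27:eb:44:55:66 192.168.0.101 pi *
1502800600 da:a1:19:0e:7f:42 192.168.0.102 * *
1502800900 00:1d:0f:99:88:77 192.168.0.103 * *
garbled line without enough fields
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, whatever separators it used."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set.

    Such addresses are generated by software (for example the per-network
    private addresses phones use), so they never match a printed label.
    """
    return bool(int(mac[:2], 16) & 0x02)


def parse_leases(text):
    """Parse lease lines, skipping any line that is malformed."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            continue
        name = None if fields[3] == "*" else fields[3]
        leases.append({"mac": mac, "ip": fields[2], "name": name})
    return leases


def audit(leases_text, known_devices):
    """Label every connected device as known, unknown or unknown-private."""
    known = {normalize_mac(m): label for m, label in known_devices.items()}
    findings = []
    for lease in parse_leases(leases_text):
        mac = lease["mac"]
        if mac in known:
            status = "known"
        elif is_locally_administered(mac):
            # Could be your own phone using a randomized address: check the
            # device's Wi-Fi settings before treating it as an interloper.
            status = "unknown-private"
        else:
            status = "unknown"
        findings.append(dict(lease, status=status, label=known.get(mac)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LEASES, KNOWN_DEVICES):
        print("%-16s %s  %-13s %s" % (
            f["status"], f["mac"], f["ip"], f["label"] or f["name"] or "(no name)"))
```

A match only shows that a device presents a listed address; as the section notes, the address travels over the air, so the list works as an inventory aid and not as authentication.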

Turn Down the Broadcast Power
Got a fantastic Wi-Fi signal that reaches outdoors, to areas you don't even roam? That's giving the neighbors and passers-by easy access. You can, with most routers, turn down the Transmit Power Control a bit, say to 75 percent, to make it harder. Naturally, all the interlopers need is a better antenna on their side to get by this, but why make it easy on them?

via PCMag

Tuesday, August 15, 2017

best wifi names of all time

It's the little things that count, right? Like WiFi names that can actually make you laugh out loud or think, "Damn, why didn't I think of that?" We've come across some pretty legendary ones (many straight from you!), and of course, we just have to share 'em. Did we miss any good ones? Chime in with your favorites!

WiFightIt

Drop it like it's hotspot

Abraham Linksys

John Wilkes Bluetooth

To use, bring booze


Pretty fly for a WiFi

Hide yo kids hide yo WiFi

Pump it. ROUTER!

You can't haz wireless

Martin Router King

The Silence of the LANs


I.want.a.llama

Used Nicholas Cage DVDs 2 for 1

I hate my neighbor

iDroppin'

Pokémon center

The Dark Knet


Optimus Prime

Poonshangle

John's full name in CAPS, no space

FBI surveillance van

Please stop your barking dog

Free virus


Ye old Internet

The Promised LAN

Nacho WiFi

Hack me

It hurts when IP

Network error


Thursday, August 3, 2017

Karma’s next device is a Wi-Fi hotspot with built in Tor and a VPN


Karma Mobility, a provider of reliable mobile WiFi data services delivered through our best-in-class LTE/3G/2G hotspot platform, today announces a new hotspot product focused on the growing security needs of our customers.
On March 23rd of this year, the US Senate voted to eliminate the FCC regulations that prevent Internet providers from selling customer information to advertisers and other companies. The Senate's 50 to 48 vote will remove these long-standing user protections, allowing for the distribution of surfing patterns to the highest bidders.

The Karma response? Karma Black.

Karma Black, a specialized version of our popular KarmaGO hotspot, will provide state-of-the-art security features to allow for anonymous secure browsing to protect against online data collection and behavior tracking. Karma Black will provide anonymous browsing (Tor), integrated Virtual Private Network (VPN), black listing and ad blocking on our new Karma connected device. Karma Black encrypts your web activity, hides your physical location, hides your identity and provides an additional layer of protection against threats such as invasive advertising, malware and viruses. Karma Black is like an invisibility cloak for our customers who are surfing public internet anywhere they go.
Karma has been working behind the scenes for months on our new Black product. Platform upgrades including new partner services and application will be announced soon outlining the full breadth of the offering. A hardware upgrade program will also be announced allowing existing KarmaGo customers to take advantage of the new power of Black. As always, Karma offers “no contract” and aggressive data rates keeping your surfing costs as low as possible. Karma’s Drift and Pulse services allow users to buy data at the levels that fit their life styles.
“Karma is committed to protecting the privacy of our customers, even in the face of these regulatory challenges. Getting or staying “off the grid”, in terms of surfing the public internet, is more and more important to people who believe that being online should not mean giving up their right to lawful private activity,” said Todd Wallace, CEO of Karma Mobility. “Karma Black has been engineered to create anonymity for users surfing on devices connected through our market proven mobile hotspot. Whether at home, in a car, in a dorm or in the park, Karma Black will protect you from prying eyes and hungry advertisers.”
Availability of the Karma Black hotspot is scheduled for September 2017. Additional announcements on partnerships and distribution will be released this month.

About Karma:

Karma Mobility began in 2012 with one simple idea: everyone should be able to get online, everywhere they go. Karma introduced the first peer-to-peer WiFi device that allows users to pay-as-they-go, with no contracts, and is made for sharing. Today Karma is the choice for people on the go who travel for work and leisure, or need an extra connection as a backup or for special circumstances. Karma continues to disrupt the WiFi with innovations like the best in market priced DRIFT pay as you go plan. Visit yourkarma.com for more information. Along with our plans, our mobile hotspot Karma GO is available for purchase at: https://yourkarma.com/wifi/pricing/

Monday, July 31, 2017

Everything you need to know about wireless mesh networks

You would be forgiven for thinking that wireless mesh networking is just another marketing bullet point for new Wi-Fi routers, a phrase coined to drive up prices without delivering benefits. But we can avoid being cynical for once: mesh technology does deliver a significant benefit over the regular old Wi-Fi routers we’ve bought in years past and that remain on the market.
Mesh networks are resilient, self-configuring, and efficient. You don’t need to mess with them after the often minimal work required to set them up, and they provide arguably the best and highest throughput you can achieve in your home. These advantages have led to several startups and existing companies introducing mesh systems contending for the home and small business Wi-Fi networking dollar.
Mesh networks solve a particular problem: covering a relatively large area, more than about 1,000 square feet on a single floor, or a multi-floor dwelling or office, especially where there’s no ethernet already present to allow easier wired connections of non-mesh Wi-Fi routers and wireless access points. All the current mesh ecosystems also offer simplicity. You might pull out great tufts of hair working with the web-based administration control panels on even the most popular conventional Wi-Fi routers.
[Image: house with traditional router. Credit: Luma Home, Inc.]
A conventional wireless router delivers limited coverage if you can't hardwire additional Wi-Fi access points to it.

What mesh means

The concept of mesh networks first appeared in the 1980s in military experiments, and it became commercially available in the 1990s. But hardware, radio, and spectrum requirements; cost; and availability made it truly practical for consumer-scale gear only in the last couple of years. That’s why we’re seeing so many systems hit the market all at once.
Mesh networking treats each base station as a node that exchanges information continuously about network conditions with all adjacent nodes across the entire set. This allows nodes that aren’t sending and receiving data to each other to still know all about each other. This knowledge might reside in a cloud-based backend or in firmware on each router.
Mesh networks don’t retransmit all the data passing through among a set of base stations. The systems on the market dynamically adjust radio attributes and channels to create the least possible interference and the greatest possible coverage area, which results in a high level of throughput—far higher than anything that’s possible with WDS (Wireless Distribution System) and similar broadcast-style systems.
[Image: Luma mesh network. Credit: Luma Home, Inc.]
Mesh network routers, such as Luma, connect multiple wireless nodes to blanket your home with Wi-Fi.
The principle behind all wireless networking is “how do I transmit this number of bits in the smallest number of microseconds and get off and let someone else use it?” explains Matthew Gast, former chair of the IEEE 802.11 committee that sets specs used by Wi-Fi. Mesh networks manage this better than WDS.
In some cases, Gast notes, a mesh node might send a packet of data to just one other node; in others, a weak signal and other factors might route the packet through other nodes to reach the destination base station to which the destination wireless device is connected.
Some mesh routers have single-band-at-a-time radios, and are meant more as smart extensions. But it’s more common that the nodes have radios for two or even three frequency bands, like the latest Eero. This lets mesh dedicate bands to intra-node data, switching channels to reduce congestion, or mixing client data and “backhaul” data on the same channel.
[Image: Netgear Nighthawk X10. Credit: Netgear]
High-end conventional routers offer high-performance features not currently found in mesh Wi-Fi systems. The Netgear Nighthawk X10, for instance, has a 10Gbps ethernet port for network storage.
The ultimate goal is to make sure as much throughput remains reserved for actual productive traffic, such as streaming 4K video from one end of a house to the other or making fast connections to internet multiplayer games, relative to that consumed by moving data around the network.
If a node is powered down or crashes—your cat gets a little too interested and knocks one off a shelf—the network doesn’t go down, too. As long as every node can continue to communicate with at least one other node, you still have a fully functioning network.
You typically rely on a smartphone to help set up the first node and network parameters and add additional nodes to an existing network. Because you don’t have to plan where mesh nodes go, mesh systems automatically reconfigure as you add nodes. Most of the systems available offer help in figuring out where to locate units, some of them using indicators on the nodes themselves while others require smartphone software. “There is an immense amount of engineering effort to make something very simple,” says Gast.

Is it smart to invest in mesh?

The price you pay for this better efficiency? Proprietary protocols. While Wi-Fi remains standardized, and extremely and reliably compatible among equipment from different makers, no two mesh systems on the market work with each other. An early mesh protocol, 802.11h, wound up being not just insufficient to the task, but entirely ignored by companies as they pursued better results and competitive advantages. It’s also unlikely that any time in the next few years a compatible industry standard would arise and get uptake, given no such standard is currently working its way through the pipeline.
[Image: router size comparison. Credit: Michael Brown]
Every major router manufacturer, and a number of startups, have jumped on the mesh network bandwagon.
You have three reasons to want compatibility: a way to acquire cheaper equipment if one manufacturer charges more than you want to pay for additional nodes; as an escape route if a company or product line goes under; or as a way to upgrade a network gradually to incorporate new standards. That’s not possible with mesh.
Being locked in to one manufacturer increases risk, because several companies making mesh gear—Eero, Luma, and Securifi—are startups, and not all startups succeed. More established firms, such as D-Link, Linksys, Netgear, and TP-Link, make mesh networking hardware, but if those product lines don’t produce profit, they won’t continue to make units forever.
All of this could affect you in six ways:
  • Inability to get technical support when something goes wrong.
  • Lack of warranty coverage for failed hardware. (Companies in bankruptcy, however, might be required to fund some amount of repair and replacement.)
  • No way to purchase new units to expand your network.
  • Smartphone apps, which some systems rely upon exclusively, stop receiving updates and stop working.
  • Cloud-based elements for configuration and management get turned off, rendering the nodes inoperable or locked into the last configuration. A Wi-Fi camera memory card maker at one point intended to disable configuration updates to its cloud-linked product. This can be an issue even with active products: Google accidentally reset its non-mesh OnHub and mesh Google Wifi routers in February because of a cloud-based account login issue.
  • Critical security flaws are discovered, but can’t be updated. While it seems unlikely that a mesh device that didn’t sell enough to be a success would be exploited, most standalone hardware of any kind—from DVRs to internet-connected cameras—use a variation of Linux and one of a handful of widely used chipsets.
Balanced against this is the lifecycle of Wi-Fi routers. In my nearly 20 years of buying and testing wireless networking hardware, I’ve found that it either fails in three to five years or needs an upgrade in that time to take advantage of newer networking features. Consider the price tag on a mesh system your rental price across that period, and think about whether the value of $70 to $150 a year, depending on the system and number of nodes, delivers enough utility. If you’re lucky, it will last much longer.
[Image: Netgear Orbi and satellite. Credit: Michael Brown]
The Netgear Orbi RBK50 is our current top pick in Wi-Fi routers (even if it isn't a true mesh router).

Weaving a finer mesh

The future of mesh isn’t more and more and more nodes. Rather, it’s nodes that have more and different kinds of radios and other features built in. Already, some mesh nodes have Bluetooth for configuration and personal area networking control and up to three Wi-Fi radios supporting the full 802.11a/b/g/n/ac range.
Future nodes could add more radios or slice-and-dice an 802.11ac Wave 2 feature that allows beamforming and device targeting to further separate intra-node traffic from device-to-device traffic. And they could throw in 802.11ad/Wi-Gig for superfast ultra-high-definition streaming or ZigBee and other smart-home standards.
But the baseline already set today is fast, efficient, and simple. Newer nodes can put more icing on the cake.

via techHive