Running a WiFi-less Home Network: Security Paranoid Edition
When reading the title, you might have asked yourself: Why would anyone get rid of the Wi-Fi capabilities of their network? Aren’t wireless access points something that should improve my internet experience? Here a few reasons why you might consider moving away from using a wireless internet connection in general.
- Wi-Fi hacking is of such importance in (physical) pen-testing that industry recognized wireless penetration certifications and courses have been created specifically to train people to breaking into networks wirelessly.
- Your network will likely be included in public wardriving databases, for the whole world to find. Seriously, look it up on: Wigle.net. This information could be used for tracking you through geolocation correlation in combination with your mobile devices.
- Wi-Fi networks are prone to exploitation through publicly known vulnerabilities. Let alone the vulnerabilities found in the poor attempts from some manufacturers at integrating the WPA-protocols into their products.
- Networks often get compromised through wireless access points as they allow interaction with the network without having need to cross physical boundaries (i.e. locked doors, walls, windows). A good real-life example is how Russian GRU operatives attempted to hack The Organisation for the Prohibition of Chemical Weapons via the wireless access points.
- Wireless access points add an extra layer of complexity to your network that could introduce connection interference. WiFi issues are something every network owner has struggled with. Removing this factor from your network helps improve connection stability.
- Control. Having all devices connected over wire will allow you to have more insight and control over everything that accesses your network. It will also prevent your network from unintentionally leaving the building. And, let’s be honest, you have probably shared your Wi-Fi password with quite a bit more people than necessary.
Starting Out
Now we have that out of the way, it’s time to think of a proper integration strategy. Often, more devices than you’d expect make use of your WiFi network to function. These can range from smart lights, wireless printers, fridges, televisions, thermostats, laptops, tables, smartphones, and many more.
To get more insight into all connected devices in your home network the routers “connected devices” page can be used to find all wireless connected devices. You’ll find devices that don’t directly allow you to connect them via cable. Here we’ve arrived at the first roadblock. You will need to consider if running these devices via Wi-Fi is necessary. Phones can still reach the internet through a cellular plan and you should ask yourself if your home thermostat really need that internet connection. Other devices like televisions, gaming consoles, or even “smart” fridges can often reach your router through a wired connection.
Paranoia Mode: Removing Wi-Fi radios
A measure to make sure your systems don’t use Wi-Fi, is to remove and disable the radios in your systems. The last system you should start disabling the Wi-Fi radios from is your networks wireless access point, as it will allow you to keep an inventory of all devices still trying to connect wirelessly. Start with “smart” kitchen appliances, televisions, home automation appliances, etc. Then progress to laptops, computers, and tablets. Here you can choose to disable the radio programmatically or to crack open the systems and remove the Wi-Fi radio manually, something often easier said than done. At this point you’ll also consider investing in some quality switches, network cables and Ethernet adapters to facilitate the change to cable.
A lot of devices will setup their own wireless access point when a Wi-Fi connection is not available. Think of all to wireless printers you’re able to connect to through your smartphone or the device controllers for your smart lights. Consider disabling these access points as well. They might even introduce a greater risk than the access point from your network.
Invest in some Network Insights
Now you’ve got all these pesky network devices under control, you should consider setting up some systems to help you investigate on what is going on over the wire. A range of open-source products have been created to help you out.
Pi-Hole
A DNS caching/sinkhole system that gives you control over DNS lookups done by systems inside your network. A great tool for hunting suspicious activity on your network. An example usage of this would be the DNS sinkholing of all cryptocurrency mining pools, which would indicate devices in your network are infected by miners. Ads and trackers can also be blocked through Pi-Hole.
pfSense / OPNsense
Network security gateways running PFsense or OPNsense allows you to more closely monitor and block traffic coming through your network. You could invest in this out-of-the-box solution network firewall from Netgate if you don’t own your own hardware to run it on.
Prometheus
Tools like prometheus.io will help you gather the metrics from your network appliances and graph them on customizable dashboards. This will allow you to create an overview of network performance and stability over time.
Long story short
I’ve not written this article with the expectation that you start to abandon your wireless access points all together. The goal is to make you aware of the risks introduced with wireless network equipment and the possible attack vectors it introduces to your home network. For some, these measures seem unreasonable and the motives far-fetched. However, the reasons someone could infiltrate your home network could differ from what you initially expect.
You could live next to an important building or individual and your network can be used as a steppingstone into theirs, or your network could be used as medium for malicious actors to setup shop or spread malware. The above-mentioned tools can help create network (security) insights regardless of your reasons or integration strategy.
