Tag: SSID

Tony Evans from Wick Hill (part of the Nuvias Group) highlights the risks of Wi-Fi and provides some advice for delivering a secure hotspot

The fact that Wi-Fi stands for Wireless Fidelity hints at how long Wi-Fi has been around, but it was only in 1999 that the Wi-Fi Alliance formed as a trade association to hold the Wi-Fi trademark, under which most products are sold.

Today, Wi-Fi is at the top of the list of must-haves for businesses of all types and sizes. People will simply vote with their feet if good, and usually free, Wi-Fi is not available.

But this demand for anytime, anyplace connectivity can mean that some of us are prepared to jump onto Wi-Fi hotspots at cafes, hotels, airports or company guest networks, with only a fleeting consideration of security – a fact that has not gone unnoticed by cyber criminals.

There are over 300,000 videos on YouTube alone explaining how to hack Wi-Fi users with tools easily found online.

Risks from unprotected Wi-Fi:

Wi-Fi Password Cracking
Wireless access points that still use older security protocols such as WEP make for easy targets because these passwords are notoriously easy to crack. Hotspots that invite us to log in by simply using social network credentials are increasingly popular, as they allow businesses to use demographic information such as age, gender and occupation to target personalised content and advertisements.

Eavesdropping
Without encryption, Wi-Fi users run the risk of having their private communications intercepted, or packet sniffed, by cyber snoops while on an unprotected network.

Rogue Hotspots
Cyber criminals can set up a spoof access point near your hotspot with a matching SSID that invites unsuspecting customers to log in, leaving them susceptible to unnoticed malicious code injection.
In fact, it is possible to mimic a hotspot using cheap, portable hardware that fits into a backpack or could even be attached to a drone.

Planting Malware
There are common hacking toolkits to scan a Wi-Fi network for vulnerabilities, and customers who join an insecure wireless network may unwittingly walk away with unwanted malware.

A common tactic used by hackers is to plant a backdoor on the network, which allows them to return at a later date to steal sensitive information.

Data Theft
Joining an insecure wireless network puts users at risk of losing documents that may contain sensitive information.
In retail environments, for example, attackers focus their efforts on extracting payment details such as credit card numbers, customer identities and mailing addresses.

Inappropriate and Illegal Usage
Businesses offering guest Wi-Fi risk playing host to a wide variety of illegal and potentially harmful communications.

Adult or extremist content can be offensive to neighbouring users, and illegal downloads of protected media leave the businesses susceptible to copyright infringement lawsuits.

Bad Neighbours
As the number of wireless users on the network grows, so does the risk of a pre-infected client entering the network. Mobile attacks, such as Android’s Stagefright, can spread from guest to guest, even if the initial victim is oblivious to the threat.

Best practices
There are established best practices to help secure your Wi-Fi network, alongside a drive, from companies such as WatchGuard, to extend well-proven physical network safeguards to the area of wireless, providing better network visibility to avoid blind spots.

Implementing the latest WPA2 Enterprise (802.1x) security protocol and encryption is a must, while all traffic should, at a minimum, be inspected for viruses and malware, including zero day threats and advanced persistent threats.

Application ID and control will monitor and optionally block certain risky traffic, while web content filtering will prevent unsuspecting users from accidentally clicking a hyperlink that invites exploitation, malware and backdoors to be loaded into your network.

The use of strong passwords, which are changed frequently, should be encouraged, along with regular scanning for rogue Access Points (APs) and whitelisting MAC addresses, when possible.

WatchGuard’s latest cloud-managed wireless access points also have built-in WIPS (Wireless Intrusion Prevention System) technology to defend against unauthorised devices, rogue APs and malicious attacks, with close to zero false positives.

While WIDS (Wireless Intrusion Detection Systems) are common in many Wi-Fi solutions, WIDS require manual intervention to respond to potential threats.

This may be OK for large organisations with IT teams that can manage this; however, WIPS is a fully-automated system, which makes it far more attractive to SMEs and organisations such as schools and colleges.

Using patented, Marker Packet wireless detection technology, WatchGuard WIPS differentiates between nearby external access points and rogue access points.
If a rogue access point is detected, all incoming connections to that access point are instantly blocked. WIPS also keeps a record of all clients connecting to the authorised access points, so if a known device attempts to connect to a malicious access point, the connection is instantly blocked. WIPS will also shut down denial-of-service attacks by continuously looking for abnormally high amounts of de-authentication packets.
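
The two checks described above, flagging access points that advertise your SSID without being on the authorised list and counting de-authentication frames per access point, can be sketched as follows. This is an added example, not WatchGuard's implementation or code from the original article; the SSID, BSSIDs, window length and threshold are assumptions, and the survey data is constructed.

```python
"""Rogue-AP and deauth-flood checks over constructed survey data (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the AP radio
    security: str   # e.g. "OPEN", "WEP", "WPA2-PSK", "WPA2-ENT"
    rssi_dbm: int


# Assumed site policy: SSIDs we operate, the BSSIDs allowed to serve them,
# and the only security mode they may advertise.
AUTHORISED = {
    "CafeGuest": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "security": "WPA2-ENT",
    }
}

# Constructed survey results, as a monitoring radio might report them.
SAMPLE_BEACONS = [
    Beacon("CafeGuest", "aa:bb:cc:00:00:01", "WPA2-ENT", -48),  # genuine AP
    Beacon("CafeGuest", "de:ad:be:ef:00:99", "OPEN", -35),      # same SSID, unknown radio
    Beacon("CafeGuest", "aa:bb:cc:00:00:02", "OPEN", -40),      # listed BSSID, wrong security
    Beacon("NeighbourNet", "11:22:33:44:55:66", "WPA2-PSK", -70),  # external network
]

# Constructed deauthentication frames: (seconds since start, BSSID they name).
SAMPLE_DEAUTHS = (
    [(i * 0.1, "aa:bb:cc:00:00:01") for i in range(40)]          # 40 frames in 4 s
    + [(t, "aa:bb:cc:00:00:02") for t in (0.0, 30.0, 60.0)]      # ordinary roaming
)


def classify_beacons(beacons, authorised):
    """Return (bssid, reason) for every beacon that uses one of our SSIDs
    but does not match policy. Other SSIDs are treated as external neighbours."""
    findings = []
    for b in beacons:
        policy = authorised.get(b.ssid)
        if policy is None:
            continue  # not our SSID: a nearby external AP, not a rogue
        if b.bssid.lower() not in policy["bssids"]:
            findings.append((b.bssid, "unlisted-bssid"))
        elif b.security != policy["security"]:
            # A BSSID can be copied, so a listed BSSID with weaker security
            # than policy is still suspicious (the allowlist alone is not proof).
            findings.append((b.bssid, "security-mismatch"))
    return findings


def deauth_bursts(frames, window_s=10.0, threshold=20):
    """Return {bssid: peak_count} for BSSIDs whose deauth frame count inside
    any sliding window of window_s seconds exceeds threshold."""
    by_bssid = defaultdict(list)
    for ts, bssid in frames:
        by_bssid[bssid.lower()].append(ts)

    alerts = {}
    for bssid, stamps in by_bssid.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Shrink the window from the left until it spans <= window_s.
            while ts - stamps[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[bssid] = peak
    return alerts


if __name__ == "__main__":
    for bssid, reason in classify_beacons(SAMPLE_BEACONS, AUTHORISED):
        print(f"ALERT beacon {bssid}: {reason}")
    for bssid, peak in deauth_bursts(SAMPLE_DEAUTHS).items():
        print(f"ALERT deauth burst against {bssid}: {peak} frames in window")
```

The threshold needs tuning per site, since busy networks with heavy roaming produce legitimate deauthentication traffic.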

Wi-Fi as a marketing tool
While Wi-Fi networks have traditionally been viewed as part of the IT infrastructure and the responsibility of the IT department, the latest Wi-Fi systems deliver more than just connectivity, which makes them an attractive proposition for customer services and marketing departments.

For example, the WatchGuard Wi-Fi Cloud provides visibility into marketing data, including insights into footfall and customer demographics and also makes it possible to have direct communication with individual customers in the form of SMS, MMS or social networks.

And with customised splash pages, businesses can personalise the customer Wi-Fi experiences by offering promotional opportunities or surveys and promoting all-important branding.

It is clear that Wi-Fi is here to stay and is becoming much more than simply a way to get online. While the rapid speed of Wi-Fi adoption has led to a disconnect between physical and wireless security, this is now changing and there is no longer any excuse for providing insecure Wi-Fi.


About Wick Hill
Established in 1976, value added distributor Wick Hill specialises in secure IP infrastructure solutions.

The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions.

Wick Hill is particularly focused on providing a wide range of value-added support for its channel partners.

This includes strong lead generation and conversion, technical and consultancy support, and comprehensive training. Wick Hill has its headquarters in the UK and offices in Germany and Austria. Wick Hill also offers services to channel partners in fourteen EMEA countries and worldwide, through its association with Zycko, as part of Nuvias Group, the pan-EMEA, high value distribution business, which is redefining international, specialist distribution in IT.

For further press information, please contact Annabelle Brown on 01326 318212, email pr@wickhill.com Wick Hill https://www.wickhill.com

Still using the password from the back of the router? Oops! Hackers have graduated from planting malware on the vulnerable routers supplied to consumers by various ISPs towards stealing Wi-Fi keys. Andrew Tierney, a security researcher at UK consultancy Pen Test Partners, noticed the switch-up in tactics in attacks against its honeypot network over the weekend. Customers of UK ISP TalkTalk are among those at the most immediate risk of having their Wi-Fi credentials stolen.

The TalkTalk router firmware fix fails to solve this problem because it reverts customers back to a default password hackers might already have snatched, Pen Test Partners warns.

TalkTalk published a fix to the TR-064 / Annie issue. What this does is disable the TR-064 interface and reset the router. It resets the passwords, back to the ones written on the back of the router. [But] nearly all customers never change their Wi-Fi key from that written on the router. So, the Annie worm and hackers have already stolen their Wi-Fi keys, and the TalkTalk fix simply resets the router, to the exact same keys that have already been stolen!

The TR-064 vulnerability [1] means that hackers can access or alter the device's LAN configuration from the WAN-side using TR-064 protocol.

“Attackers appear to have cottoned on to the fact that the TR-064 vulnerability can be used for more than just recruiting the router into a botnet,” Pen Test Partners explain. “We run a TR-064 / Annie honeypot and saw requests last night, which alerted us to the issue. Here you can see someone trying to steal our Wi-Fi network key using the ‘GetSecurityKeys’ command.”

The hacker has to be physically close to the router to compromise the Wi-Fi, a major mitigating factor. However, if you know the SSID (also stolen using the Annie worm) they can use databases such as https://wigle.net to find your victim’s house. TalkTalk and other ISP customers that use similar routers are likely to have had their Wi-Fi keys stolen, opening them up to hackers, Pen Test Partners concludes.

The security consultancy recommends that TalkTalk take the radical step of replacing customer routers in all cases where it’s impossible to rule out compromise. Users in the short term can act themselves by resetting their router (follow the TalkTalk advice) and then changing their Wi-Fi password.

TalkTalk supplies its customers with routers manufactured by D-Link, as previously reported. Other ISPs using kit from other manufacturers may be affected since the TR-064 / Annie issue is not restricted to D-Link. Pen Test Partners’ honeypot shows hacker activity targeting the UK in particular, which means that TalkTalk’s customers may be at greater risk than most.

El Reg ran this response past TalkTalk, which said that the situation was under control and that kit replacement was needed and offered the following statement:

As is widely known, the Mirai worm is an industry issue, affecting many ISPs around the world. A small number of TalkTalk customers have been affected, but we can reassure customers that no personal information is at risk. If customers have an issue connecting to the internet, they should visit our help site where they can find a guide that will show them how to reset their router. There is no need for customers to reset their wifi password.

“I think TalkTalk haven’t realised that the Wi-Fi keys and related TR-064 issues are different consequences of the same bug last week,” Pen Test Partners’ Ken Munro told El Reg. “Whilst they’re fixing the bug and also blocking TCP port 7547 [maintenance interface] which it uses, it’s too late in the case of stolen Wi-Fi keys, as most users have never changed them from the default values.”

“The fix resets the Wi-Fi key to the same value that has already been exposed,” he concluded.

Lee Munson, security researcher at Comparitech.com, added: “If TalkTalk routers have, as one expert claims, been compromised following the theft of Wi-Fi passwords, customers of the telecoms company could potentially be in for a whole lot more pain following the well-publicised massive data breach and recent connectivity issues experienced by the firm.”

Bugnote 1: Mirai and the TR-064 issue are different, but there are many similarities. The Mirai malware uses default credentials; TR-064 exploits a vulnerability. The TR-064 bug started to be referred to as "Annie" though it’s also referred to as TR-06FAIL.

French media reported Friday that an 18-year-old man from Dijon was convicted for "praising terrorism" and was given a suspended sentence of three months in prison because the SSID of his Wi-Fi network was "Daesh 21." Daesh is the Arabic acronym for Islamic State, and "21" in this context represents the number for the Côte d’Or, the French department, or province, where Dijon is located.

The unnamed man was prosecuted under a new French anti-terrorism law (Article 421-2-5) passed in November 2014 that makes it a crime to "directly provoke acts of terrorism or to publicly praise one such act." If convicted, offenders can be punished by up to five years in prison and a €75,000 ($83,000) fine. Such penalties are raised to seven years and €100,000 ($111,000) if the crime was committed by using a "public online communication service."

A local newspaper, Le Bien public, described the man as being "totally dazed" in front of the court and said that he was "not a terrorist." He was first sentenced to 100 hours of community service, which he refused, but he was finally given a three-month suspended sentence.

The man's lawyer, Karima Manhouli, who did not immediately respond to Ars' request for comment, said that one of the man's neighbors reported him to police. "The authorities went to the street to evaluate the signal, made numerous inquiries, in vain, with Samsung, and then to the operator, etc., to eventually be able to identify this young man," she told Next Inpact. "He's an 18-year-old who has not even been able to explain the name. I don't think that renaming a Wi-Fi network is an act of praise! It's neutral, it's nonsense, it's not an argument."

She added that the man's computer, phone, Twitter, and Instagram were seized and searched. Nothing else terrorist-related was found. His Wi-Fi network has been subsequently re-named "Roudoudou 21," the name of a French electronic musician.

The case could be further appealed in France or in European courts. "The question is whether it is in accordance with French law," Marie Fernet, a French lawyer, told Ars. "And if this law is itself consistent with the fundamental principles protected by the Constitution, the Declaration of Human Rights and the European Convention on Human Rights. This legislation regarding the praise of terrorism is recent, and many people think it is not consistent with our texts on human rights and freedom of expression."

ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials

Original Release date: 12 Aug 2016 | Last revised: 25 Aug 2016

Overview
The ZModo ZP-NE14-S DVR and ZP-IBH-13W cameras contain hard-coded credentials and run telnet by default.

Description
CWE-798: Use of Hard-coded Credentials - CVE-2016-5081
According to the reporter, the Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras contain undocumented credentials for accessing the device via telnet. These credentials allow root access to the device, and are hard-coded and cannot be changed by the user. Additionally, these cameras contain an always running instance of telnet that allows network access by an attacker. Telnet cannot be disabled.

CWE-636: Not Failing Securely ('Failing Open') - CVE-2016-5650
According to the reporter, the Zmodo ZP-NE14-S DVR and ZP-IBH-13W cameras can be forced to deauthenticate and connect to an unencrypted network with the same SSID, even if the device settings specify use of encryption such as WPA2, as long as the competing network has a stronger signal. An attacker must be able to set up a nearby SSID, similar to an "Evil Twin" attack.

The CERT/CC has to-date been unable to reach the vendor to confirm these vulnerabilities.

Impact
A remote unauthenticated attacker with knowledge of the credentials may gain root access to the device.

Solution
Apply an update
The CERT/CC has received the following statement from Zmodo:

Zmodo has released firmware Version 40.0.3.0 (for ZP-NE14-S) and firmware Version 7.8.0.36 (for ZP-IBH-13W) to address these issues. Affected users are encouraged to use their mobile phone with Zmodo APP installed to upgrade their Zmodo devices to the latest firmware as soon as possible. Please see their support announcement here.

Vendor Information
Vendor: ZModo
Status: Affected
Date Notified: 11 May 2016
Date Updated: 25 Aug 2016

CVSS Metrics
Base: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Temporal: 8.5 (E:POC/RL:U/RC:UR)
Environmental: 2.1 (CDP:ND/TD:L/CR:ND/IR:ND/AR:ND)

Credit
Thanks to Garrett Miller and John Kotheimer for reporting this vulnerability. This document was written by Garret Wassermann.

Other Information
CVE IDs: CVE-2016-5081 CVE-2016-5650
Date Public: 11 Aug 2016
Date First Published: 12 Aug 2016
Date Last Updated: 25 Aug 2016
Document Revision: 16

Black Hat is a gathering of security researchers, hackers, and industry that meets in Las Vegas to do three things: outline the latest threats, show how the good guys and the bad guys can be defeated, and launch attacks on the attendees. This year saw ...

Four unpatched bugs remain after nine found

Nine security holes, four of them still unpatched, have been found in the Osram smart light bulb system, potentially giving attackers access to a home or corporate network. The issues in the Lightify Home and Pro systems range from cross-site scripting (XSS) to problems with the ZigBee and SSL protocols to insecure encryption key handling. They were discovered by security company Rapid7.

Some of the programming bugs are pretty amateurish, raising the larger question of what kind of security review the products go through before being put on the market.

Lightify devices connect wirelessly to a gateway box via ZigBee, and the gateway connects to the home Wi-Fi network. The gateway is controlled from an iOS or Android app.

As a result of the holes, attackers can do everything from turning off the lights and taking control of the management interface – an annoyance but not dangerous – to gaining access to the network by pulling the network password out of a device, the first step in what could be a significant compromise.

It was discovered that the Lightify iPad app stores your network Wi-Fi password in plain text (CVE-2016-5051) right next to its SSID, providing an open invitation to your network if your tablet is seized or nobbled in some way. The company has put out a patch that prevents the information from being stored unencrypted.

Then there are two still-unpatched holes (CVE-2016-5052 and CVE-2016-5057), due to the fact that the company does not use SSL pinning and so it is possible for someone to launch a man-in-the-middle attack to crack SSL-encrypted traffic running to and from the control app.

Osram says it is working on a patch to introduce SSL pinning – which basically consists of checking for a specific SSL certificate when a connection is established. It's become a pretty common approach, which also raises questions over Osram's security standards.

And more...

The other holes are equally or more concerning. One lets an attacker inject JavaScript and HTML into the username data entry field of the Pro system's web management tool (CVE-2016-5055) – a pretty basic entry point that should never have been allowed. In turn, that provides access to the system's setup and data and would enable them to take control of the system. The company has since patched the hole.

[Image: What bad security looks like (Rapid7's graphics)]

The other big, unpatched hole (in both the Home and Pro systems – CVE-2016-5054 and CVE-2016-5058) stems from the fact that the system does not refresh the keys it uses to pair devices to the system through the ZigBee protocol. As such, all past commands can be grabbed and replayed without the need for authentication. Osram says it is working on an update that will introduce routine rekeying.

And if all that weren't bad enough, the system uses weak default pre-shared keys (PSKs), one being "0123456789abcdef", which means that it would only take a decent hacker a few hours to break into the system. A patch will use longer and more complex PSKs.

In short, the whole exercise highlights what many people have been warning and worrying about for some time: that smart-home and IoT manufacturers are not doing a sufficient job on security and so opening up consumers and businesses to serious security risks.

As we have seen with baby monitors, smart watches, cameras, bathroom scales, and now light bulbs, this new consumer-friendly technology represents a significant risk and companies need to up their game and take security much more seriously than they currently do. ®

‘I vote Trump! free Internet’

A Wi-Fi hack experiment conducted at various locations at or near the Republican National Convention site in Cleveland underlines how risky it can be to connect to public Wi-Fi without protection from a VPN.

The exercise, carried out by security researchers at Avast, an anti-virus firm, revealed that more than 1,000 delegates were careless when connecting to public Wi-Fi. Attendees risked the possibility of being spied on and hacked by cybercriminals or perhaps even spies while they checked their emails, banked online, used chat and dating apps, and even while they accessed Pokemon Go.

Avast researchers set up fake Wi-Fi networks at various locations around the Quicken Loans Arena and at Cleveland Hopkins International Airport with fake network names (SSIDs) such as “Google Starbucks”, “Xfinitywifi”, “Attwifi”, “I vote Trump! free Internet” and “I vote Hillary! free Internet” that were either commonplace across the US or looked like they were set up for convention attendees.

Of the people connecting to the fake candidate name Wi-Fi in Cleveland, 70 per cent connected to the Trump-related Wi-Fi, 30 per cent to the Clinton-related Wi-Fi.

With mobile devices often set to connect to known SSIDs automatically, users can overlook the networks to which they are connecting. Although convenient, this feature is eminently easy to exploit by cybercriminals who set up a false Wi-Fi network with a common SSID. Moreover, web traffic can be visible to anyone on any Wi-Fi network that is unencrypted. Any Wi-Fi that does not require a password is a risk.

In its day-long experiment Avast saw more than 1.6Gbs transferred from more than 1,200 users. Some 68.3 per cent of users’ identities were exposed when they connected, and 44.5 per cent of Wi-Fi users checked their emails or chatted via messenger apps. The researchers scanned the data, but did not store it or collect personal information.

Avast learned the following about the Republican National Convention attendees:

- 55.9 per cent had an Apple device, 28.4 per cent had an Android device, 1.5 per cent had a Windows Phone device, 3.4 per cent had a MacBook laptop and 10.9 per cent had a different device
- 13.1 per cent accessed Yahoo Mail, 17.6 per cent checked their Gmail inbox, and 13.8 per cent used chat apps such as WhatsApp, WeChat and Skype
- 6.5 per cent shopped on Amazon, and 1.2 per cent accessed a banking app or banking websites like bankofamerica.com, usbank.com, or wellsfargo.com
- 4.2 per cent visited government domains or websites
- 5.1 per cent played Pokemon Go
- 0.7 per cent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup
- 0.24 per cent visited pornography sites like Pornhub.com

“With Washington heatedly discussing cybersecurity issues virtually every week, we thought it would be interesting to test how many people actually practice secure habits,” said Gagan Singh, president of mobile at Avast. “Understanding the talking points behind these privacy issues is very different from implementing secure habits on a daily basis. Though it is not surprising to see how many people connect to free Wi-Fi, especially in a location with large crowds such as this, it is important to know how to stay safe when connecting. When joining public Wi-Fi, consumers should utilize a VPN service that anonymizes their data while connecting to public hotspots to ensure that their connection is secure.” ®

There's an old security mantra that says "always change the defaults!" Although this seems like a good general rule, in fact it's true only for certain kinds of settings.

Changing the defaults in other cases will just end up biting you in the end with ...

Wi-Fi pre-shared key in owner's manual. Hmmm

Security weaknesses in the set-up of Mitsubishi Outlander leave the hybrid car exposed to hack attacks - including the potential for crooks to disable theft alarms.

The Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) is a top-selling family hybrid SUV. More than 100,000 of them have been sold worldwide, around 22,000 of those in the UK alone.

Security researchers at Pen Test Partners began investigating the security of the car after one of its consultants noticed that the mobile app had an unusual method of connecting to the vehicle.

Most remote control apps for locating the car, flashing the headlights, locking it remotely etc work using a web service hosted by either the car's manufacturer or its service provider. Drivers communicate through the GSM mobile network via mobile data to a module on the car.

The Outlander PHEV does it differently. Instead of a GSM module, the car comes outfitted with a Wi-Fi access point. Drivers need to disconnect from any other Wi-Fi networks and explicitly connect to the car Access Point in order to control car functions.

This means that drivers can only communicate with the car from within Wi-Fi range, a huge disadvantage. Worse yet, Pen Test Partners (PTP) found that Mitsubishi had failed to implement the system securely.

The Wi-Fi pre-shared key is written on a piece of paper included in the owner's manual. The format is too simple and too short, so PTP was able to use brute force hacking techniques to crack the keys within four days. A more powerful rig or a cloud-based system could drastically reduce the time it would take to recover these crypto keys.

The access point has a unique SSID in the format: <REMOTEnnaaaa>, where "n" are numbers and "a" are lower case letters. This meant PTP’s security boffins were able to search Wireless Geographic Logging Engine wigle.net and easily geolocate Outlander PHEVs, including several in the UK.

A thief or hacker can therefore easily locate a car that is of interest to them, Pen Test Partners warns.

Knowing the SSID and the associated PSK creates a means for attackers to mount all manner of attacks. After running a man-in-the-middle attack, Pen Test Partners gained the ability to replay various messages from the mobile app. After working out the binary protocol used for messaging, the security researchers were able to successfully turn the lights on and off.

The same approach allowed manipulation of the car electricity charging programme, forcing the car to charge up on premium rate electricity. PTP researchers further gained the ability to turn the air conditioning or heating on/off to order, draining the battery in the process.

Much more seriously, PTP white hats were able to disable the £40K car’s anti-theft alarm - something that wasn’t possible in an earlier pen test against the Nissan Leaf electric car by the same team of security researchers.

After sending the correct message, with no further authentication than having cracked the Wi-Fi PSK, it was possible to turn off the alarm of the Mitsubishi Outlander.

Pen Test Partners’ Ken Munro commented: “Disable the alarm, prise the door or smash the window. Unlock the car. Nuts! This is shocking and should not be possible,” he added.

Once unlocked, there is potential for many more attacks against the car. The onboard diagnostics port is accessible once the door is unlocked, opening the door to all sorts of mischief. The full scope of potential malfeasance was beyond the scope of Pen Test Partners research. In particular, the security researchers haven’t as yet looked at connections between the Wi-Fi module and the CANBUS.

“There is certainly access to the infotainment system from the Wi-Fi module,” Munro explained. “Whether this extends to the CAN is something we need more time to investigate.”

Pen Test Partners passed on its research to Mitsubishi UK (when?) before going public. Mitsubishi told the security researchers that it ‘did not consider it a problem’ and had no plans to resolve the issues PTP had unearthed. Munro expressed dismay at this response.

“We had found a trivial route to disable the theft alarm of a vehicle, exposing it (or at least its contents) to theft,” Munro said. “It would not take long for someone rather less ethical to figure out the same hack and potentially share it with the vehicle theft community.”

Fortunately, security-conscious Mitsubishi Outlander owners can protect themselves from attack even without action by Mitsubishi. Owners can unpair all mobile devices that have been connected to the car access point, as a short term workaround.

“Once all paired devices are unpaired, the Wi-Fi module will effectively go to sleep,” Munro explained. “It cannot be powered up again until the car key remote is pressed ten times. A nice security feature.”

“This has the side effect of rendering the mobile app useless, but at least it fixes the security problem,” he added.

A longer term fix is in the hands of Mitsubishi and would involve pushing new firmware to the Wi-Fi module so the mobile app can be used without creating a security fix. In the longer term, Mitsubishi needs to re-engineer the rather odd Wi-Fi Access Point – client connection method completely, Pen Test Partners concludes.

Mitsubishi has published a fix, whereby the user "Delete[s] Registration", which also has the effect of turning off the Wi-Fi access point. The fix is half-way down this web page, under the heading "Delete Registration (Initialization Process)".

Pen Test Partners said it would be demonstrating the hack live on its stand at the Infosecurity Europe trade show. ®

Peace Wireless Router

Worried about what your kids are doing during all those hours they spend online? You could purchase a subscription for a multi-platform parental control system and install it on every Windows, Mac OS, Android, and iOS device your children use.
It would be a bit of an effort, but you'd get fine-grained control and monitoring.

But what if they get on the Web using a PlayStation 4 or some other connected device that's not covered by your parental control tool? That's where a product like the Peace Wireless Router ($99) comes in. When you replace (or supplement) your home router with it, you can filter Web traffic for every device that connects to its network. However, you need some serious technical skills to use it, you don't get control over what's filtered, and it doesn't use the very latest Wi-Fi technology.

The Peace Router also goes by the unwieldy name pcWRT 802.11n 300Mbps Parental Control Router.

That's what you'll see if you go to purchase it on Amazon.

To make the connection clear, the company's website highlights letters in the name Peace Wireless Router. Our company contact explained, "The main theme of the product is to bring peace of mind to parents, and bring peace between parents and children." Like Circle with Disney, the Peace Router costs $99. Note, though, that in both cases it's a one-time fee, rather than a yearly subscription like with ContentWatch Net Nanny 7, Qustodio Parental Control 2015, Symantec Norton Family Premier, and most others. In addition, the Peace Router covers an unlimited number of devices and users, while most software-based systems set a limit on the number of children, number of devices, or both.

Depending on the subscription you choose, Net Nanny protects either five or 10 children on all the devices they use.

Familoop Safeguard protects either three or 10 devices used by an unlimited number of children.
Symantec Norton Family Premier is a rarity, with no limits on devices or children.

Router Features

You don't get the latest Wi-Fi technology with the Peace Router.
It's based on the MediaTek MT7620N chip, which contains a 580MHz MIPS processor and supports the 802.11n wireless protocol.
It is a single-band N300 router, which means its maximum theoretical throughput tops out at 300Mbps, as opposed to today's 802.11ac routers that start at 750Mbps and can reach theoretical speeds of up to 5.3Gbps. Moreover, it doesn't support 802.11ac technologies, such as Beamforming, which broadcasts wireless signals directly toward clients rather than over a wide spectrum, and Multi-User Multiple Input Multiple Output (MU-MIMO), which allows the router to service multiple clients simultaneously rather than sequentially. The Peace Router is compact, measuring just 5.7 by 8 by 1.2 inches (HWD).
It has a white finish with green trim, and features two antennas and eight small LED status indicators (one for each of the wired ports, power, Internet activity, wireless activity, and WAN connectivity).

Around back are four wired LAN ports, but they are Fast Ethernet (10/100Mbps) ports rather than the much faster Gigabit Ethernet (10/100/1000Mbps) ports.

There's also a USB port in the back, but it was not enabled at the time of our testing (a spokesperson confirmed that it will be enabled at a future date). In addition to the Parental Control button, the Web-based management console offers buttons for Internet, Wireless, Network, Dynamic DNS, UPnP, and system Settings. Use the Internet button to choose a protocol (Static, DHCP, PPP, PPPoE, PPPoATM, Unmanaged) and designate an override MAC Address, and use the Wireless button to name your SSID, select a channel, configure transmission power, and set up wireless security (WPA-PSK, WPA2-PSK, WPA-PSK/WPA2-PSK Mixed Mode). The Network settings menu is where you go to configure IP Address and Network Mask settings, set DHCP lease times, enable port forwarding, and add Static Routing.

The Dynamic DNS menu allows you to enable automatic DNS updating, and the UPnP settings let you configure NAT-PMP and UPnP services and create rules to permit internal and external port access.

Finally, the System button takes you to a screen where you can do things like change the host name, configure the time settings, change passwords, and update the router's firmware.

High-Tech Setup

The Peace Router doesn't give you anything like the colorful hand-holding setup instructions offered by Circle with Disney.
Installing it is exactly like installing any new router.

Fortunately, the documentation does offer clear step-by-step instructions. If you're replacing an existing router, you start by connecting the device to power and plugging in the Ethernet cable.
If your existing router has to remain, perhaps because it also handles your cable TV or other services, just plug the Peace Router into one of its ports and disable Wi-Fi on the existing router. You know how to disable Wi-Fi, right? The default IP address, administrator name, and password are printed on the bottom of the router.

As with the $149 Clean Router, the connection is initially unencrypted. You connect one of your devices, either by Wi-Fi or Ethernet, using the default credentials. Once you set your own password and time zone, you can configure Wi-Fi encryption, choosing WPA-PSK, WPA2-PSK, or WPA-PSK/WPA2-PSK Mixed Mode.

For testing, we chose simple WPA-PSK, which stands for Wi-Fi Protected Access / Pre-Shared Key. If you know what you're doing, you can select from three encryption variants: Force CCMP; Force TKIP; or Force TKIP and CCMP. Most users should simply leave this in Auto. If your network already uses WPA-PSK, you can save yourself a lot of trouble by giving the new router the same SSID and password as the old router.
If not, you'll have to configure each device to use the new settings.

Don't worry; when the Wi-Fi stops working, the kids will come running to you for a fix! It's worth noting that the Clean Router handles setup using a helpful wizard.

After hooking it up, you log into the CleanRouterWizard hotspot and follow instructions to get the router configured. When you're done, that hotspot vanishes, and your new, encrypted connection appears.

Circle with Disney doesn't replace your router, instead relying on ARP Spoofing to control network access.
It, too, handles setup using a step-by-step wizard.

Configure Parental Control

Once you log into the router using the password you defined, you'll be confronted with seven large buttons to configure various features of the device. We'll focus first on Parental Control. To get started, click the Parental Control button and enable the parental control system; it's not enabled right out of the box.

At this point, the Internet connection for every device on the network is filtered using OpenDNS Family Shield.

This service blocks inappropriate content automatically.
It's similar to OpenDNS Home VIP, but without the ability to fine-tune just what content categories should be blocked. You can choose from a collection of other DNS (Domain Name System) replacements.

Google Public DNS doesn't perform any parental control filtering, nor does Norton ConnectSafe - Security. You might choose one of these for your own profile (more about profiles later).

Choosing Norton ConnectSafe - Security + Pornography or Norton ConnectSafe - Security + Pornography + Other adds content filtering. You can also choose to force Safe Search, run YouTube in restricted mode, block numeric IP addresses, and block the use of proxies, VPNs, and TOR.

All of these are enabled by default except for the YouTube restriction. In testing, we found that using OpenDNS worked well.
It blocked inappropriate sites, displaying the categories that triggered blocking. However, when we chose either of the Norton options, inappropriate sites simply did not load.

The browser's loading indicator spun and spun, and eventually resulted in an error message.

According to Symantec's FAQ for this service, "you will see a warning that includes information on why we rated the site as dangerous." We never did. Our Peace Router contact couldn't explain why the warning page didn't appear. You can't configure blocking categories with OpenDNS Family Shield or with the Norton choices. However, it's possible to connect an OpenDNS Home account with the Peace Router.
It took me quite a bit of effort, including some trial and error, as the instructions for this configuration were (as far as we could tell) incomplete.

The average user would not be able to manage this feat.
In truth, it would have been easier to just configure an existing router to use the OpenDNS Home account.

Time Scheduling

Internet time scheduling is handled through the calendars feature. You can have up to three calendars in each profile.

To create a calendar, you start by giving it a name and listing the websites that should be affected.

For example, you could create a social media calendar and add all the social sites your kids use.
If you leave the website list blank, the calendar affects all access to the Internet. Qustodio Parental Control 2015, Mobicip, and many other products let you schedule computer use, Internet use, or both using a weekly grid, in hour or half-hour intervals.

Typically, dragging across the grid lets you draw rectangular areas, for example, to block access between midnight and six in the morning on all days of the week. The Peace Router works a bit differently. You do get a grid, a very tall one that requires significant scrolling to see all the hours in the day.

Clicking with the mouse places a tiny access-allowed marker on the day and time you clicked.

The marker's edges have up and down arrows that you drag to define the desired time period, and you can add more than one marker on a given day. However, unless you're really precise with the mouse, you're likely to wind up, for example, allowing access from 6:03 p.m. until 8:56 p.m.

And the window doesn't auto-scroll when you drag, so setting a lengthy time period requires you to drag, scroll, drag, scroll, and so on.

Fortunately, you can switch to text mode, and edit the time spans to the precise values you want. We defined a social media calendar that didn't include any allowed time on the current day. When we tried to connect with Facebook and Twitter, instead of seeing a warning from the device saying, "Your connection is not private. Attackers might be trying to steal your information from block.opendns.com," we got a browser error message saying, "Your connection is not private." Our company contact explained that this happens any time the Peace Router tries to block a secure (HTTPS) site.

To be fair, Circle by Disney has a similar problem, as its ARP Spoofing looks like an attack when HTTPS is involved.

Don't Block Me!

So far, we've described a situation where time-scheduling and content-filtering rules apply to every device on your network.

Chances are good, though, that you don't want to be cut off from the Internet just because it's your child's bedtime.
It's also essential to exempt any Internet of Things devices, such as connected doorbells or Wi-Fi security cameras, from parental control.
If your children's ages differ greatly, you may also want different settings for different kids.

To handle these tasks, you need to define one or more new profiles. For each profile, you have the option to choose a DNS server other than the system default.

As noted earlier, the Google Public and basic Norton ConnectSafe options provide secure DNS without parental control filtering. You can also just disable parental control for the profile.

Calendars are profile-specific, so if you don't define any, you won't have any time limitations.

Conversely, maybe you'd actually like to disable Wi-Fi when it's your own bedtime, to suppress interruptions. Once you've defined a profile, you need to associate your devices with it.

Clicking the Add button brings up a list of devices you can add.
If you're lucky, the device names will be clear, making your choice easier.
If not, you have a bit of work to do. At the top-right corner of the router-management screen there's a button to switch from settings to status; click that.

Among other things, the status screen lists all devices connected through the router, along with the IP address and MAC address for each.

Go to the device you want to add, and check its MAC address; the technique for getting this information varies by platform. Now find the device's MAC address in the Peace Router's list, click it, and give it a friendly name. Once you've named all the devices that need naming, you can go back and add the right ones to your various profiles. But what if you and your kids share a Windows or Mac PC under different user accounts? Well, it gets a bit more complicated.

For each user who should not be managed by the default profile, you define a Proxy User name and password, and add that Proxy User account to one of the profiles. When you log into your account on the shared device, you must also configure the device to use the proxy IP address and port defined by the router.

The browser will prompt you for the proxy username and password; then you're free of restrictions.

Limitations

Like the Clean Router, Circle with Disney, and other router-based parental control solutions, the Peace Router can only control devices that are connected to its network.

The same is true of OpenDNS, SafeDNS, and any other solution that works by reconfiguring your router's DNS settings. If your kids are away from the house, the Peace Router can't do a thing.
If they mooch the neighbor's wireless, it's powerless.

And if they have smartphones, they may not even notice time limitations—the phone will just switch to cellular data.

Conceivably, a tech-savvy kid could install a different router; the Clean Router gets around this last worry by offering a $50 Lock Box that puts the cables out of reach. The other router- and DNS-based solutions we've mentioned let you fine-tune what content categories get blocked, and they log online activity.

The DNS services that the Peace Router offers don't allow this kind of tuning. You also don't get a log of online activity the way you do with the Clean Router. Jumping through hoops to get OpenDNS Home working in this device gives you both of those features.

But at that point, you might as well just connect your existing router to OpenDNS Home.

Router Performance

The Peace Router's performance was slightly faster than that of the Tenda Wireless N300 Easy Setup Router F3, another single-band 300Mbps device we were also testing.
Its score of 64.5Mbps on our close-proximity (same-room) throughput test bested the Tenda F3's score of 48.5Mbps, and its score of 41.3Mbps on the 30-foot test also beat the Tenda F3 (40.6Mbps), but just barely. To illustrate how these scores compare with routers using the latest wireless technologies, our Editors' Choice for midrange routers, the Linksys EA7500 Max-Stream AC1900 MU-MIMO Gigabit Router, scored 97.3Mbps on the 2.4GHz close-proximity test and 52.1Mbps on the 30-foot test.

That said, the Linksys EA7500 is a dual-band AC1900 router that is capable of maximum theoretical speeds of 600Mbps on the 2.4GHz band and 1,300Mbps on the 5GHz band.
It scored a speedy 495Mbps on the 5GHz close-proximity test and 298Mbps on the 30-foot test.
It should be noted that it costs around $100 more than the Peace Router.

Only Techie Parents Need Apply

If the prospect of installing and configuring a new router sounds like fun, the Peace Wireless Router might be just the thing for you. Most parents, however, will find it easier to set up the Clean Router or Circle with Disney. For more traditional parental control tools, our top picks are ContentWatch Net Nanny 7, Qustodio Parental Control 2015, and Symantec Norton Family Premier.
Fears spark two-hour delay as nervous passengers disembark

Australian airline QANTAS delayed a flight for two hours on Saturday after a passenger reported seeing a Wi-Fi network named “Mobile detonation device”. The passenger reported the network's name to crew, who in turn reported it to the captain of the 737, which was due to fly from Melbourne to Perth. The captain demanded that the offending device be produced, an order that apparently had no result. As the reason for the delay became apparent, some passengers asked to be let off the flight. QANTAS was only too happy to comply with that request, but retrieving the baggage caused further delays.

Crew were eventually satisfied the SSID posed no threat and the plane made it to Perth without incident, albeit a couple of hours late. QANTAS has recently installed in-flight entertainment systems that stream content over Wi-Fi and this report suggests the plane in question, VH-VXE, was upgraded to those systems in February 2016. Which explains why passengers were looking up Wi-Fi network names.
NSA isn't alone in collecting Internet traffic—retailers and hackers do it, too.