WiFi Security – Introduction
Many people still unpack their new router and set-up their WiFi network without giving a second thought to security. This is sometimes due to the fact that the less experienced WiFi user believes that the router is secure, straight out of the box. This, of course, is not the case. Let’s examine some simple steps which can be taken in order to change your router from a security liability to a secure piece of networking equipment.
The Admin Interface (built-in browser page)
In order to make any of the recommended changes below, you will need to access the router’s admin page. This is achieved by visiting an IP address from within a browser and typing a username and password. A typical configuration may be:
URL: http://192.168.0.1 (in the case of NETGEAR, it may be http://routerlogin.net)
This is nice and simple for us to remember but it is also great for any hackers too, as these router manufacturer’s account details are well known, so the first thing we need to do is change them. For this example I will be using NETGEAR’s setup utility but set-up doesn’t vary too much from manufacturer to manufacturer.
To change the Router’s IP Address, go to the LAN setup page. Make sure that you use the same subnet mask as the rest of your network. To change the password, go to Administration -> Set Password. Use the longest and most complex password you can. For more on this subject, see Passphrase below. Some routers have password recovery options but for those which don’t, make sure you note down your new password as the only way to recover access to the admin panel would be to restore your router to its factory (default) settings. This brings us to the subject of backups. Always backup your router’s settings to somewhere safe, as this will enable you to restore them should something go wrong, or you have to replace the router or reset it to factory settings.
Ensure that Remote Management is off. Remote management is a way for someone to access your router from outside of your network. There are known security risks associated with this feature so it is best to switch it off. Go to Advanced Setup -> Remote Management.
WPS (WiFi Protected Setup)
WPS is a network security standard which enables users to set-up the security of their network, typically using a combination of a wizard and a button on the Router itself. This should not be enabled, or it should be disabled if it is already enabled. This is due to the fact that in Dec of 2011, a flaw was discovered whereby routers which have the WPS feature active could allow a remote attacker to reveal a WPA2 passphrase (see Passphrase below) within a few hours. So, first things first, disable WPS.
The SSID (Service Set IDentifier)
The SSID is broadcast by the router in order to aid users to find it in a list of available networks shown on the device you wish to connect to the network, such as a PC or smart phone. Some typical examples of a SSID are; netgear, Linksys and default. The problem with this naming convention is that potential hackers are immediately given their first clue; the manufacturer of your router. Because of this, the SSID should be changed immediately. Don’t use an SSID which indicates who you are, for example, your family name; THESMITHS. Again, you are volunteering information unnecessarily. A better choice may be a character’s name from your favorite TV program which you will find easy to recall; SHELDON, for example. To really deter people from attempting to gain access to your network, you may like to use something like WiFiSPY or HACKER57.
Some routers allow the user to switch-off the SSID broadcasting. This is often referred to as Network Cloaking. While this makes it more difficult for the casual user to access your WiFi network, the more determined hacker will have no problem determining what the SSID is. Another issue with not broadcasting the SSID is that it can make it more difficult for your family members or colleagues to join the network as they will need to remember the SSID. Whether to have it on or off is really a personal choice.
Encryption must be set on your router to ensure that it is secure. When you go to the encryption page on your router, you will most likely find a list of encryption options. These options are typically:
You should not use WEP. WEP is now considered cracked and obsolete. The minimum encryption standard should be WPA although I prefer the stronger WPA2 encryption standard.
If your router does not support WPA encryption, I would suggest that you buy one which does. If your router has WPA but not WPA2 encryption, you may be able to update your router’s firmware to obtain WPA2. I personally would not use a router which did not have, or I couldn’t upgrade to, WPA2 encryption.
Your security encryption choice also comes down to the lowest common denominator. If one of your WiFi devices only supports WPA, then you would have to use WPA until you updated your device.
It is worth noting that NETGEAR recommends using WPA2-PSK to achieve the best performance with 802.11N wireless adapters.
Having selected the encryption (WPA2, right?), it is time to consider the passphrase which you are going to use.
Passphrase (sometimes referred to as a password)
A long and difficult to guess passphrase is essential to good security. A minimum strength password would be 16 characters in length. The maximum passphrase length permissible for WPA2 is 63 ASCII or 64 Hex Digits (referred to as a Hex Key). I always use the maximum length permissible with all of my passphrases/passwords. Avoid using words or phrases in the passphrase as this makes it easy to guess using a dictionary attack. Shorter passphrases are also vulnerable to Rainbow Tables, which you can read more about here. Mix it up a little with a combination of upper and lower case letters, numbers and special characters, such as; !@#$%^.
An excellent way to generate a very strong passphrase is by using PCFerret’s Password Generator. This can be used to generate complex pseudo-random characters which are ideal for the purpose of securing your WiFi. You are, of course, not expected to remember these passphrases so I recommend keeping them in a password safe such as Dashlane or 1Password. Although these long passphrases are a pain to type in, you typically only have to do it once and the security benefits are enormous.
MAC Filtering (Access Control)
In order to prevent unauthorized access to your network, you can implement MAC Filtering. Every piece of active hardware on a network has a MAC (Media Access Control) Address which is unique to that piece of equipment. This identifier is built into the hardware itself. A MAC address takes the format of 6 hexadecimal numbers for example; 00:10:23:F4:03:7F. In part, the MAC contains the manufacturer’s ID.
By knowing the MAC address of all the devices which connect to your network, you can create an access list of them in order to ensure that no devices other than those listed can connect to your WiFi. Go to Security -> Access Control and enter the details of each MAC Address, taking care to give the entry an identifiable name for the device to which it belongs.
To find the MAC Address of your network card on a Windows computer, you can open a command prompt and type: ipconfig /all. Device MAC Addresses are shown with the label “Physical Address” and are in the format 00-10-23-F4-03-7F (see figure 1 below). The MAC Address of a smart phone can typically be found on its About screen. WiFi capable printers usually display their MAC Address on a setup screen. When obtaining a MAC Address from a printer, make sure you are getting the details for the WiFi interface and not the Ethernet connection, should one exist.
Figure 1. Ascertaining a MAC Address.
It has been said that there is no point in creating Access Control lists as MAC Addresses can be spoofed. Well, this is true. It is also true that a determined burglar can find a way to get through a locked door, but that doesn’t mean that we should stop locking the door. Anything we can do to make it difficult for a hacker is a step in the right direction.
Many Routers now allow you to enable a Guest Network so that friends and guests may use your WiFi connection without having access to the admin page or setup. If you do not require a guest network, then disable this option as it is another way for a hacker to gain access to your WiFi network. If you choose to enable it, make sure that you follow the guidelines above for choosing the SSID and passphrase for it as you do not want to make this guest network the Achilles Heel of your set-up.
Security While You Are Out and About
If you are away from home, perhaps in a coffee shop, a hotel, or an airport, I recommend that you don’t use WiFi unless you have to. In my opinion, the only firm exceptions to this are (a) if you have a hot spot device capable of connecting to a cell network, or (b) you are using a VPN (Virtual Private Network). Public locations are notoriously insecure and should not be trusted. This is especially true if you plan to access financial websites such as credit card companies and banks.
To ensure that your data is encrypted over an otherwise unencrypted network, a VPN can be used. I use TunnelBear, which is very cost effective, reliable and simple to use; switch it on when you want to access the Internet via VPN and switch it off when you don’t. It’s as simple as that. At the time of writing, with a TunnelBear account, you get 500MB of data free every month, or, if you are a heavy data user, you can get unlimited data for just $4.99 per month.
A WiFi router can be secured with very little effort. Although it may initially take an hour or so to get it set-up correctly, that is nothing compared to the potential loss of data and time should your WiFi system be compromised.
If you really want to up the ante, I highly recommend the Fing Box. It is a well designed piece of network hardware which you simply plug-in to your network. It requires no configuration, but you do have the option of changing the settings, if you so wish. The unit is controlled by the free Fing app, which is available on both iOS and Android. The app provides you with a wealth of features, too detailed to go into here. For more information on this excellent product, click here.