Wireless technology(WiFi) is everywhere. Having WiFi n your home means you can transfer files, share the internet between computers without wires and you can use your computer anywhere inside or outside that the WiFi signal reaches. These are exciting times we are living in.
However, once people get their wifi working they generally forget about securing it. I know, because I see it all the time when wardriving. Wardriving is where you use software to scan for WIFI access points(AP). One of the programs I use is called Kismet, it categorizes all the APs by color: Encrypted & SSID Changed (GREEN), Not Encrypted & SSID Changed (YELLOW) and Not Encrypted & Default SSID (RED). Whenever I run the program, my screen is mostly Yellow and Red
You might say, “I don’t mind if someone uses my wifi to check their email” or “I don’t have anything important on my computer.” However, not everyone wants to only check their email and there’s better information flying through the air that you send out than you have on your computer
An unsecure wireless network can be a playground for those who know how to exploit it. I’ve seen people do things like build computers with tons of storage, add a strong wifi antenna, and drive around with it, while the computer continuously finds all open APs and illegally downloads media from websites. If the RIAA or the MPAA track the downloads, they’ll be knocking on your door. Another example what’s know as a man in the middle attacks(MITM). Aside from reading the unencrypted traffic that is flying though the air. Someone can redirect your traffic to their machine and manipulate the websites you go to. Either to capture your personal information or to make your web surfing a nightmare. But the new hot topic in wireless security is AP Farming. This is where people replace the software(known as firmware) running on unsecured access points with an almost identical version that they control, at that point it is no longer your network and you’d never know the difference until it was too late. Just like viruses, these infected APs can be made to infect other APs.
So hopefully you realize the importance of securing your wireless network and are asking the question “How do I properly secure my wireless network?” WiFi manufacturers try to help by improving their user interfaces to configure security options, but mostly its still time-consuming and non-intuitive. The recommendations below are what you will generally hear from people about what you should do to not be the low hanging fruit and easy pickings for people looking to do bad things with your WiFi, but most of it is just give you a false sense of security.
- Turn off SSID broadcasting. - Unless your AP has zero traffic passing through it, your SSID is always being broadcasted though other ways such as Probe requests, probe responses, association requests, and re-association requests. With the right software your SSID is just as visible.
- Enable MAC Address Filtering – This is one that you would think would be useful and in part it is. Every networking device has its own unique hard-coded identifying serial number. So if you tell your router which MAC addresses are allowed to access your network, then only those devices will be able to access your network. Unless someone changes their mac address to match one of the ones on your network, which is easily done with software. It is good as another added layer of protection just don’t depend on it to fully protect you.
- Enable WEP encryption, its better than nothing - This one is true. WEP is better than nothing…but only by a little. Two years ago you could have used WEP and gotten away with it because in order to crack a WEP password, someone needs to collect enough weak keys (that are only sent when data is sent through the router.) by enough I mean 25,000-150,000 weak keys. It might take a few days, a week maybe even a month depending on how much you use the wifi network. Today WEP passwords can be cracked in about 4 minutes and in 8 minutes, if there is no data passing though the network.
So what can you do to have a secure wireless network? Here are a few things you should be doing to protect your wireless network.
- Change the Default Password - It is the most basic thing someone can do to protect their wireless network, yet most people forget to do it. The default password protects the firmware running on the router along with any of the settings you put into
- Use a Strong Password/Passphrase – When people do remember to change the default password, they end up changing it to something very simple, short and usually in the dictionary. To provide a decent level of security a minimum 24 character password is needed. You can either use a password generator, one that I use is https://www.grc.com/passwords . You can copy the key into a text file that you save on a USB memory stick and copy paste that key the first time you connect a new device to your network. Make sure you keep the USB memory stick in a secure location. Another option is to use a passphrase. Passphrases are usually easier for people to remember. Write it just as you would on a piece of paper, so include all the capital letters, punctuation and maybe even hyphens or underscores in place of the spacebar. Having a strong password can mean the difference between days or millennia before your password is cracked.
- Update Your Firmware – Another overlooked area of security is the software running on the router. Remember the router is a small computer and just like any computer it will have vulnerabilities that will be found. Manufacturers do their best to patch these vulnerabilities as soon as possible, so you should be in the habit of logging to your router and clicking the update firmware button. Even better subscribe to the manufacturer’s security alert emails so you will know as soon as there is an update.
- Use WPA2-PSK -The encryption used in WPA is much stronger than WEP. Although the 4 way initial handshake can be captured by those who know what they are doing, how soon they break into your network totally depends on how strong your password is. There are even better options than the WPA2-PSK but that usually requires another machine acting as an authentication server.
- Setup a Timer - This is one that you won’t always hear about but it makes sense. If you know that your router is only needed during certain times of the day. Then configure your router to stop incoming connections during those hours of the day. This will limit your exposure to attacks because if your router isn’t on then your network can’t be attacked from the outside.
Well I hope this has given you some food for thought and that you will maybe look at your router in a different way, so you can protect it and your network much better from now on. As always I’d love to hear from you and know how any of this has helped you.