Securing Home WiFi Networks
In today’s blog post we would like to talk about something that, perhaps, not many of us think about: how to effectively secure our home WiFi networks. When consumer WiFi was first introduced, it was all about keeping our neighbors from stealing our internet connection over our WiFi networks. Now, with the explosion of mobile devices, Internet of Things devices, and other “smart” devices connecting to our home WiFi there is a big chance of intruders being able to steal very sensitive information from us.
Internet of Things
In a previous blog post we went into more depth on what The Internet of Things consists of, and we encourage you to read that post for some insight as to just how many IoT devices we can expect in our future.
Securing our Home WiFi
But let us dive into what this blog post is all about; securing our home WiFi networks.
When you pull up your wireless menu, if you see a long list of WiFi networks with very similar names, they all probably came from the local cable internet provider. All those devices are like candy to an attacker since very few people change the defaults. Unfortunately, the internet providers do not encourage changing the defaults, either. This means the default WiFi network name, WiFi network passwords, and even the admin passwords probably have not been changed. The vendors of these devices try to make the relevant passwords unique, but they are not that hard to crack with a brute force password attack, since the default passwords are not that strong, and the ISP does not encourage changing them.
So, what can we do? Well, change the default values, of course. The default WiFi network name should be changed to something that suits you: “Tell My WIFI I Love Her” or “Surveillance Van” or anything else that you might like. For the WiFi network and admin passwords, you should create strong passwords/pass phrases such as “Ilikedogsthatwalkonleashesandchaserabbits” (Do not use that!).
Changing these default values tells an attacker that you have the knowledge to securely protect your personal data.
But that is not all.
Additional Security Measures
What can we do if we do not mind a little additional administration and we want to really lock the WiFi network down?
· Use a guest network – many WiFi access points have a Guest network feature built-in. This is useful when company comes over. Use it and give it a unique name and strong passphrase.
· Hide the WiFi Network name – not all Wireless Access Points (WAP) have this feature, but most of them will. Now, hiding the wireless network name does not completely hide it. It just makes it invisible to the random person who might be scanning for networks. Since WAPs want people to connect to them, even with the wireless network name invisible, the device still sends out an “I am here” signal periodically which someone with the right software can detect. Making the network name invisible is not a perfect security solution but is part of a layered defense.
· Use MAC Address filtering – MAC address filtering is one of the more effective ways we can use to protect our home wireless networks. It does require a bit more administration on our part. All Wireless Access Points ought to have this feature, and when enabled the default behavior is to “deny all” connections until they are added to the MAC Address whitelist. This will include your guest network, if you are using one. More administration will be necessary because when a new device, such as a new smart phone, is introduced, its MAC Address needs to be added to the WAP whitelist. Once it is added, though, you are set. It is the same for guests. If you have guests over frequently and are using a guest network with MAC Address filtering, you will have to add their devices for them to be able to access your WiFi.
· Reduce the antenna power – This is not a feature that all WAPs have, but it is very useful in being able to control how far our wireless signal extends. Being able to reduce the power output of the wireless signal means that a potential attacker will not be able to sit in the parking lot of our apartment building and try to hack our network. It also means that if an attacker is Wardriving around looking for wireless networks, they might not be able to see ours. Using this in combination with hiding the network can be a very effective deterrent against wardrivers.
· Use time of day restrictions – This technique can be very useful for controlling access to our guest network, as well as controlling when kids have access to the internet. As with these other features not every WAP will have it, but if it does, see if it fits into your usage patterns.
The most important idea to take away from this blog post is to make sure you are making the best use of the exiting features of your Wireless Access Point to protect your sensitive personal data. To paraphrase one of my photography mentors, the better you know the features of your camera the better your photos will be. The same can apply to protecting our home wireless networks. The better we know the built-in features of our WAPs, the more secure our networks will be.
Michael Allbritton is a Cybersecurity Analyst and Trainer with Alpine Security. He holds several security-related certifications, including Certified Information Systems Security Professional (CISSP), Network+, Security+ and CyberSec First Responder (CFR). Michael has many years of experience in software testing, professional services, and project management. He is equally comfortable working with software engineers on testing and design and with sales to meet and manage customer expectations. Michael’s cybersecurity experience with Alpine includes penetration testing, vulnerability assessments, and social engineering engagements for various clients as well as teaching courses for the above-mentioned certifications.
In his spare time Michael is an enthusiastic amateur photographer, diver, and world traveler. He has photographed wildlife and landscapes in the United States, Africa, Central America, West, and East Europe and has amassed several hundred dives as a PADI Divemaster.