WiFi and Router Security
WiFi for Dummies ;-)
Suppliers of routers let unsuspecting users set up insecure WiFi networks. They want to make it as easy as possible for anyone, including "dummies", to get WiFi going with their routers.
They know if they send routers out with secure settings, many people would give them poor reviews, and/or return them. They would also get way too many support calls (which cost money). :^)
As a result, users don't have to do much more than plug in a WiFi router to start using it, and most people don't. Fortunately, it's easy to set up your router to give you good WiFi security.
We're not dummies. We'll learn to set up WiFi securely. :-)
Securing wireless networks
- Your job is to think of everything. The attacker's job is easy. If you forget one thing the attacker wins. :-(
- The steps below give you an index and brief discussion of what you need to know to set up secure WiFi.
- Links in the block below take you to additional information that you might need.
- Don't pay any attention to persistent but harmful myths about turning off SSID beacons and adding MAC filtering.
- See Security at WiFi Hotspots to learn about security at WiFi hotspots.
Steps to a secure WiFi network.
Follow the steps below - more or less in order - to secure your WiFi network. When you have finished, go through the steps again to double-check the settings.
Screenshots that illustrate some critical security settings: Security Mode, Firewall, UPnP.
If the router itself is not connected to the Internet (via the modem) you will not be able to follow the links on this page at the same time you configure your router, so study the steps and linked information before you begin.
- Each computer that will be connected to the network needs sound security to start with: It should have a firewall, up-to-date software, protection against malware, etc. If one of them becomes infected, it can easily compromise the others, because the router does not ordinarily block computers on the local (internal) network from each other. [more below] [security plans]
- Pick a router that includes a stateful-inspection firewall, and be sure this firewall is turned on. The added layer of security that this "hardware firewall" adds is good to have. You could even use a router just to get the hardware firewall, even if you don't set up a network (but be sure to turn off WiFi/wireless in that case).
- Do not configure your router or change its settings via a WiFi connection. Always use a direct, wired (Ethernet) connection from the PC you're using to configure the router. Your router password is not encrypted before it is sent, and a hacker could easily sniff it for an attack later.
- Make sure remote management and Wireless (WiFi) Access are turned off: Remote management allows access from anywhere on the Internet. WiFi Access might allow a nearby snoop to hack your router. You don't want either of those. It's a hacker's dream. ;-)
- Enable WPA2-Personal encryption and use a strong shared key: Never, ever rely on WEP. It's also better to upgrade devices that don't support WPA2 than to compromise on WPA encryption. [more on shared keys and encryption]
- Use an obscure and preferably random SSID: Hackers now have enough computing power to crack WPA2, and simple SSIDs make it easier for them. [How-to] [more on obscure SSIDs]
- Turn off UPnP on your router when it's not needed: (You only need it on temporarily when you're adding new UPnP (universal plug and play) devices to your network.) UPnP lets devices self-configure on your network. An attacker can often use UPnP to hack your router.
- Replace your router's default administrative username and replace your administrative password with a strong one. [see below]
- Use OpenDNS as a pre-emptive measure to guard against DNS poisoning. [instructions] [tests] [video]
OpenDNS will also improve your computer's Internet performance, and provide other safeguards.
- Do not turn off the SSID beacon or bother with MAC filtering. These security measures offer little or negative defense against modestly skilled WiFi hackers, even though there are countless persistent but harmful myths that claim these steps add real security.
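Why the SSID matters to the shared key, as an added example that is not part of the original page: WPA2-Personal derives its 256-bit master key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt (IEEE 802.11i), so key tables precomputed for a factory SSID do not apply to a random one. The helper names and the sample passphrase are assumptions made for this illustration.

```python
import hashlib
import secrets
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key (IEEE 802.11i):
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 32-byte output."""
    printable = all(32 <= ord(c) <= 126 for c in passphrase)
    if not (8 <= len(passphrase) <= 63) or not printable:
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def random_ssid(length: int = 16) -> str:
    """Random alphanumeric SSID (hypothetical helper, not a router feature)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keys_for(passphrase: str, ssids: list[str]) -> dict[str, str]:
    """Hex master key per SSID: same passphrase, different salt."""
    return {ssid: derive_pmk(passphrase, ssid).hex() for ssid in ssids}


if __name__ == "__main__":
    # Constructed sample values: a factory-style SSID next to a random one.
    sample_passphrase = "constructed-sample-passphrase"
    table = keys_for(sample_passphrase, ["linksys", random_ssid()])
    for ssid, pmk in table.items():
        print(f"{ssid:<18} {pmk}")
```

The two printed keys differ even though the passphrase is identical, which is why a unique SSID forces an attacker to redo the expensive derivation for your network alone.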
More on security for each PC: Windows grants "trusted" status by default to all the computers connected to the same router. If any one of them is infected with malware, the rest are likely to become infected too. That's because the defenses that Windows maintains against intrusion from the Internet are dropped for computers on the local area network (LAN).
It's important to provide independent protection for each computer connected to the LAN by installing an effective security system on each one of them.
Update: Windows 7 and Windows 8 allow you to set network connection types - wireless or wired - to "Public", which adds additional protection against cross-infection between computers.
Securing your wireless network is not just important to protect your network and your computers. You could be held accountable for illegal activity by someone who piggybacks on your Internet connection, since it's your IP address that will be identified.
Useful information on securing routers
- Use a web browser to open your router's "web access" administrative interface and change its settings. Typical addresses are 192.168.1.1 or 192.168.1.0, and 10.0.0.1.
- Your router manual will give you the Ethernet interface address, along with the router's default username and password. The manual should be on a CD that came with your router. It may also be available online at the manufacturer's website. Or you can "Google" the interface information.
- If you can't get in to the router's admin interface, push the (recessed) "reset" button for 30 seconds to reset the username, password and all settings back to the defaults.
- How to set up your home wireless network - a nice article by Microsoft
- How To Secure Your Wireless Network - a nice little video that explains the basic ideas but does not go far enough; in particular, it doesn't show the step to disable UPnP.
- Windows 8: Set up a wireless router - evidently Windows 8 makes it easy for "Windows Connect Now" routers, which sound suspiciously like UPnP routers, which are vulnerable to attack. It's an informative article anyway.
Administrative username and password for your router
The password for your router - the one you need to log in to make configuration changes - needs to be strong. And the username should be unique. If they are not, it's easy for hackers to break in and redirect your computer(s) to their own evil website.
Worse yet, if you don't change the username and password from the default values it is even easier to waltz right in. Cyber-criminals even use automated malware to corrupt the settings of routers that still have factory settings.
If a hacker gets in to your router's administrative settings, he can do anything from directing you to malicious sites to intercepting all the data that goes to and from the Internet. It's the ultimate "wiretap".
A strong username or password has 14 or more random characters. The Linksys WRT54GL appears to allow 16 characters, but it will actually accept 32. I recommend that you use at least one uppercase letter, one lowercase letter and one numeral, and a total of 20 or more characters for your router password. Other routers undoubtedly have different requirements and limitations.
Don't confuse your administrative password with the shared key that is used for encryption. Your shared key should be much stronger than the password.
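One way to generate credentials that follow the rules above, as an added example that is not part of the original page: a 14-character random username, a 20-character admin password with the three required character classes, and a separate 63-character shared key (the WPA2 passphrase maximum). Function names are hypothetical, and the 32-character default limit is taken from the WRT54GL remark above.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_string(length: int) -> str:
    """Uniformly random alphanumeric string from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def admin_password(length: int = 20, max_len: int = 32) -> str:
    """20+ characters with at least one uppercase, lowercase and digit.
    max_len is the longest value the router's password field accepts."""
    if not 20 <= length <= max_len:
        raise ValueError("length must be between 20 and the router's maximum")
    while True:  # rejection sampling: every valid password stays equally likely
        pw = random_string(length)
        if (any(c.isupper() for c in pw)
                and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def entropy_bits(length: int) -> float:
    """Upper bound on entropy for a random string over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def router_credentials() -> dict[str, str]:
    """Separate values for the admin login and the WiFi shared key."""
    return {
        "admin_username": random_string(14),
        "admin_password": admin_password(20),
        "shared_key": random_string(63),  # WPA2 passphrase maximum length
    }


if __name__ == "__main__":
    for name, value in router_credentials().items():
        print(f"{name:<15} {value}  (~{entropy_bits(len(value)):.0f} bits)")
```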
More on changing your router's password
[How to] Change the Default Password on a Network Router.
Defending your router, and your identity, with a password change.