The Risks

If you leave your network wide open, anyone within range can access it. If it's your neighbor next door doing it occasionally, it may not be a problem. But it could be someone using the Internet for illegal purposes. Whatever they do could be traced back to your IP address, and you could end up having to explain to law enforcement that it wasn't you.

An open network is subject to "evil twin" attacks. Someone else can set up an access point with the same name. Devices set to automatically connect to your network may connect to it by mistake. The rogue access point could record and even alter the traffic that goes through it.

There are risks to your own network. Someone who connects without permission can bypass security measures such as the router firewall. This might let them put malware on your machines or access private information.

The equipment connecting your systems to the Internet generally includes a modem, a router, and one or more WiFi access points. They might all be in the same unit or in separate boxes. It's common for a router to include Wi-Fi capability. You might want an additional access point for better coverage.

For this discussion, we'll talk about the Wi-Fi part as an access point, whether it's part of another device or a separate unit.

The equipment comes with factory settings that are the same for every unit of a given model. If you leave it as it is, you present a target that everybody knows about. That signals that you haven't taken the trouble to configure it, suggesting that you could be easy pickings. For the best router security, you need to do some customization.

Wireless communication with WiFi is defined by the IEEE 802.11 standard. It's gone through many editions. Each one has a one or two-letter identifying suffix.

The Wi-Fi Alliance has adopted a new scheme, which is easier to understand than the chaos of suffixes. The current generation, described by 802.11ac, will be known as WiFi 5. The next generation will be called WiFi 6, which is based on 802.11ax. Not many people have heard of this terminology so far, but it will be used everywhere once WiFi 6 equipment hits the mass market. Major revisions of WiFi come out about every five years.

Wi-Fi traffic goes over the air using well-known protocols. Anyone can intercept it with off-the-shelf equipment. If it isn't protected, they can see what you're sending and receiving. Fortunately, Wi-Fi offers protocols which encrypt traffic between devices and access points. If you're using a secure Internet connection, that information is protected, but a lot of traffic consists of unprotected data. With an unencrypted wireless connection, information is exposed to lurkers.

A public connection, such as one at a shopping mall or library, has no encryption. This creates a risky situation. Someone else can set up an access point with the same SSID. That is known as an "evil twin." Clients may connect to it, thinking they're using a trusted connection. While an unencrypted access point takes the least effort, it's a bad idea. Public facilities use it because they have no choice, but you shouldn't set your home network up that way.

WEP

The oldest of the WiFi security types is WEP. It supposedly kept communication private, but several serious flaws were discovered in it. With modern levels of computing power, it's not extremely difficult to crack. It's an obsolete protocol, and you shouldn't use it in your network.

WPA

The Wi-Fi Alliance replaced WEP WiFi encryption with a protocol called WPA. The first version came out in 2003. While it was much better than WEP security, the original WPA had significant weaknesses. It was replaced by WPA2 in 2006.

WPA2

WPA2 is currently the best protocol available for secure WiFi connections. A significant weakness turned up in 2017, though. It's called the KRACK, or "key reinstallation attack," vulnerability. It can be used to eavesdrop on communications and even to alter data with a "man in the middle" attack. The vulnerability is inherent in the protocol, but the implementation can mitigate it. Most current devices have updates that remedy the KRACK weakness. Old devices that haven't had a firmware update in years are likely to be susceptible to it.

WPA3

A better encryption protocol, WPA3, is on the horizon as part of WiFi 6. It offers better security, stronger protection against password guessing, easier connection for IoT devices, and encryption for public access points. If both ends of a connection don't support it, it will fall back to WPA2. Devices supporting the new protocol should be widely available by the end of 2020.

Several concrete steps will make your network's WiFi safer against penetration attempts.

• First, change your SSID from the default to a distinctive name. This will reduce mistaken connections if a nearby device uses the same factory default. You can call it something clever, like RebelBase1, but avoid putting real information such as your name into it. There's no point in giving strangers clues about your network.
• There's an option to have your access point not broadcast its SSID. This means it won't show up on a list of access points within range of a device. It really doesn't help much. A client has to broadcast the SSID when searching for it, so the name isn't secret. It isn't worth the trouble.
• What is useful is to have different SSIDs for owner and guest access. With devices that offer this, only the owner can access the settings, including router settings. If you want visitors to have access, you need to give out the password. Even if you trust them, someone you shouldn't trust may get hold of it. If you need to change the guest SSID, you can do it without disrupting your own network usage.
• For encryption, use WPA2, When WPA3 is available, you can switch to it, and WPA2 devices will still be able to use your access point. This prevents "evil twin" attacks, since the other access point won't know your password. (A client device doesn't send the password to the access point, but instead performs a handshake that requires knowing it.)
• If you have a wireless router, it will have an admin account. The user name is usually "admin" or "administrator." Change it to something else to make it harder for intruders to break in. Log in to the account and check the dashboard occasionally, to make sure nothing amiss is happening. When you're done, log out.
• Check regularly for firmware updates to your access point or router. You may be able to set it to check and install them automatically. This saves you from forgetting. Updates may fix important security issues.

If you do everything mentioned so far, you're in good shape for wireless security. If you want to go for a little more, here are some additional suggestions.

Take some time to understand your wireless network, and you'll be able to protect it better. You should know what all the devices on it are and be able to identify their IP addresses. We offer a tool to identify your router's IP address. If you spot devices that shouldn't be there, check where they're coming from and whether they should be there. If you've got questions or comments, feel free to contact us.