Maybe you haven’t noticed your WiFi router for a while. Maybe it sits in the corner of your office, lights blinking on and off, and slowly gathering dust.
Just think for a moment about what your router is actually doing. Every single interaction you have online, from chatting with your friends to managing your online banking, is handled by that little box.
What if it had a security flaw that would allow anyone – including hackers – to access all that information?
The bad news is that if you are reading this article, it probably does. Though the average user has got much better at protecting themselves online in the past few years, many of us overlook the security of our home WiFi networks.
If, like many people, you haven’t thought about the security of your wireless network, now is the time to do so. This is especially true if you haven’t looked at the settings on your router since the day you got it, because in that case the admin password for your router is probably ‘admin’. Or maybe ‘password’. Seriously.
The consequences of poor WiFi security can be severe. Because your WiFi router is the gateway through which all your data passes, a compromised router can give an attacker access to everything you do online, allow them to masquerade as you, and even steal your personal data.
If you think this sounds a bit stretched and exaggerated, think again. In 2018, Cisco’s threat research arm, Talos, in collaboration with the FBI, found that a malware system with links to Russia had infected hundreds of thousands of WiFi routers made by popular brands like Netgear, TP-Link and Linksys. A few months later, Talos went further, and revealed that the problem was even worse than initially thought: routers from other brands like Asus and D-Link had also been infected.
Luckily, there are some easy ways to improve the security of your wireless network. Doing so requires, first and foremost, that you understand how your WiFi network handles security.
Since the invention of WiFi in the 1990s, wireless networks have used several different security protocols. Each new standard provided greater security, and each promised to be easier to configure than those that came before. All of them, though, retain some inherent vulnerabilities.
In addition, as each new protocol was released some systems were upgraded, and some were not. As a result, today there are a number of different security protocols in use. Some of these provide a pretty good level of protection, while some don’t.
There are three main security protocols in use today – WEP, WPA, and WPA2 – and one that is yet to be rolled out, WPA3. Let’s take a closer look at each.
Wired Equivalent Privacy (WEP) was the first mainstream WiFi security standard, and was approved for use way back in 1999. Though, as its name suggests, it was supposed to offer the same level of security as wired networks, it did not. A number of security issues were quickly found, and despite many attempts to patch them, this standard was abandoned by the Wi-Fi Alliance in 2004.
The WiFi Protected Access (WPA) protocol was developed in 2003 as a direct replacement for WEP. It increased security by using a pair of security keys: a pre-shared key (PSK), most often referred to as WPA Personal, and the Temporal Key Integrity Protocol (or TKIP) for encryption. Though WPA represented a significant upgrade over WEP, it was also designed so that it could be rolled out across the ageing (and vulnerable) hardware designed for WEP. That meant that it inherited some of the well-known security vulnerabilities of the earlier system.
WPA2 was developed in 2004 as the first truly new security protocol since the invention of WiFi. The major advance made by WPA2 was the use of the Advanced Encryption Standard (AES), a system used by the US government for encrypting Top Secret information. At the moment, WPA2 combined with AES represents the highest level of security typically used in home WiFi networks, though there remain a number of known security vulnerabilities even in this system.
In 2018, the WiFi Alliance announced the release of a new standard, WPA3, that will gradually replace WPA2. This new protocol has yet to be rolled out, but promises significant improvements over earlier systems. Devices compatible with the new standard are already being produced.
Update: It’s hardly been a year since the launch of WPA3, and several WiFi security vulnerabilities have already been unveiled, which could enable attackers to steal Wi-Fi passwords. The next generation Wi-Fi security protocol relies on Dragonfly, an improved handshake that aims to protect against offline dictionary attacks.
However, security researchers Eyal Ronen and Mathy Vanhoef discovered weaknesses in WPA3-Personal that allow an attacker to retrieve and recover passwords of Wi-Fi networks by abusing cache or timing-based side-channel leaks. The research paper, titled DragonBlood, details two kinds of design flaws in the WPA3 protocol.
The first is associated with downgrade attacks, while the second leads to side-channel leaks. Since WPA2 is widely used by billions of devices worldwide, the universal adoption of WPA3 is expected to take a while. As such, most networks will support both WPA3 and WPA2 connections via WPA3’s “transitional mode”.
The transitional mode can be leveraged to carry out downgrade attacks by setting up a rogue access point that only supports the WPA2 protocol, forcing WPA3 devices to connect with WPA2’s insecure 4-way handshake.
Researchers also found that the two side-channel attacks against the password encoding method of Dragonfly allow attackers to obtain Wi-Fi passwords by performing a password partitioning attack.
When it comes to security, WiFi networks are always going to be less secure than wired networks. In a wired network, data is sent via a physical cable, and this makes it very hard to listen in to network traffic. WiFi networks are different. By design, they broadcast data across a wide area, and so network traffic can potentially be picked up by anyone listening in.
All modern WiFi security protocols therefore make use of two main techniques: authentication protocols that identify machines seeking to connect to the network; and encryption, which ensures that if an attacker is listening in to network traffic they will not be able to access important data.
The way in which the three main WiFi security protocols implement these tools is different, though:
| ||WEP||WPA||WPA2|
|Purpose||Making WiFi networks as secure as wired networks (this didn’t work!)||Implementation of IEEE 802.11i standards on WEP hardware||Complete implementation of IEEE 802.11i standards using new hardware|
|Encryption||Rivest Cipher 4 (RC4)||Temporal Key Integrity Protocol (TKIP)||CCMP and AES|
|Authentication||WEP-Open and WEP-Shared||WPA-PSK and WPA-Enterprise||WPA-Personal and WPA-Enterprise|
|Data Integrity||CRC-32||Message Integrity Code||Cipher block chaining message authentication code (CBC-MAC)|
|Key Management||Not provided||4-way handshaking||4-way handshaking|
|Hardware Compatibility||All hardware||All hardware||Older network interface cards are not supported (only newer than 2006)|
|Vulnerabilities||Highly vulnerable: susceptible to Chopchop, fragmentation, and DoS attacks||Better, but still vulnerable: Chopchop, fragmentation, WPA-PSK, and DoS attacks||The least vulnerable, though still susceptible to DoS attacks|
|Configuration||Easy to configure||Harder to configure||WPA-Personal is easy to configure, WPA-Enterprise less so|
|Replay Attack Protection||No protection||Sequence counter for replay protection||48-bit datagram / packet number protects against replay attacks|
Without getting into the complicated details of each system, what this means is that different WiFi security protocols offer different levels of protection. Each new protocol has improved security over those that came before, and so the basic rating from best to worst of the modern WiFi security methods available on modern (after 2006) routers is like this:
The key point here is this: the most secure WiFi setup you can have today is WPA2 combined with AES. It will not always be possible to use this standard, though.
It might be, for instance, that your hardware does not support WPA2 or AES. This is a problem that can be overcome by upgrading your hardware. This might sound like an expensive option, but most ISPs will provide you a free upgraded router if yours is obsolete. This is particularly important if your router is ancient, and only supports WEP. If that is the case, junk it and get a new one.
The only disadvantage of using WPA2 and AES is that the military-grade encryption it uses can sometimes slow down your connection. This issue, though, mainly affects older routers that were released before WPA2, and only support WPA2 via a firmware upgrade. Modern routers do not suffer from this problem.
Another, bigger problem is that we are all forced to use public WiFi connections from time to time, and in some cases the level of security offered on them is poor. The best approach is therefore to be aware of the level of security offered on the networks you connect to, and to avoid sending passwords (or other important information) across poorly secured networks.
All of this can be summed up in the following table:
|Encryption Standard||Summary||How it works||Should I use it?|
|WEP||First 802.11 security standard: easy to hack.||Uses RC4 cipher.||No|
|WPA||Interim standard to address major security flaws in WEP.||Uses RC4 cipher, but adds longer (256-bit) keys.||Only if WPA2 is not available|
|WPA2||Current standard. With modern hardware increased encryption doesn’t affect performance.||Replaces RC4 cipher with CCMP and AES for stronger authentication and encryption.||Yes|
There are some simple steps you can take to make your wireless network more secure, whether you are working in a business environment or simply looking to improve security of your home network.
Amidst all the talk of encryption schemes and key protocols, it is easy to overlook a pretty basic aspect of WiFi security: the physical location of your router.
If you are working with a home network, this means being aware of how much of your WiFi signal is ‘leaking’ out from your home. If your WiFi signal can be picked up by your neighbour, on the street outside, or even in the bar downstairs, you are opening yourself up to attacks. Ideally, you should place your router in a position where you can get a good signal everywhere you need it, and no-one else can.
In a business environment, the physical security of your router is even more important. Attack vectors can be introduced by the simple act of someone pushing the reset button on your router. You should keep your wireless router in a locked cabinet or office, and even think about video surveillance systems that will allow you to monitor access to it.
Do you know what the admin password is for your router? If you don’t, it is probably the one that the router arrived with, and this is probably ‘admin’ or ‘password’. Everyone is supposed to change this password when they first set up their router, but hardly anyone does.
The process for changing the password on your router will depend on the brand and model of your hardware, but is not difficult. A quick Google search for the model of your router will furnish you with instructions on how to do so.
While choosing a new password and username, you should pay attention to the general guidelines on choosing strong passwords: your new password should be at least 15 characters long, and include a mix of letters, numbers, and special characters. You should also change your username and password settings on a regular basis. Set a reminder to change the password every quarter. Just make sure you tell your family you have changed the password, before they come and complain that ‘the internet is broken’!
Like their generic passwords and usernames, most wireless routers arrive with generic Service Set Identifiers (SSIDs), which is the name that identifies your WiFi network. Typically, these are something like ‘Linksys’ or ‘Netgear3060’, which gives you information on the make and model of your router. This is great during initial setup, because it allows you to find your new router.
The problem is that these names also give everyone who can pick up your wireless signal a very useful piece of information: the make and model of your router. Believe it or not, there are lists online that detail the hardware and software vulnerabilities of almost every router out there, so a potential attacker can quickly find out the best way to compromise your network.
This is a particular problem if you haven’t changed the default login information on your router (see above), because an attacker can then simply log into your router as an admin, and cause havoc.
We all know that we should keep our software up to date in order to limit security vulnerabilities, but many of us don’t. This goes double for the software and firmware on your router. If you’ve never updated your router firmware before, you are not alone. In a 2014 survey of IT professionals (!) and employees who work remotely, conducted by the security firm Tripwire, only 32% said they knew how to update their routers with the latest firmware.
Part of the reason for this is that, unlike your OS, many routers do not periodically remind you to check for and download security updates. You’ll probably have to check for these yourself, so set a reminder to do so every few months, and change your passwords while you’re at it.
Firmware updates are particularly important, because firmware is the most basic code used by your router. New vulnerabilities in WiFi router firmware are identified all the time, and with access to the firmware level of your router there is no end to the mischief that an attacker can cause.
Typically, firmware updates are released to patch specific security vulnerabilities, and will self-install after you download them. This makes them a simple step in securing your wireless network.
You should use the most secure wireless network protocol that you can, and for most people this will be WPA2 combined with AES.
Most modern routers have the option to run several different types of WiFi security protocol, in order to make them compatible with as wide a range of hardware as possible. This means that your router may be configured to use an outdated protocol out of the box.
Checking which protocol your router is using is easy enough: just search for instructions online, log in to your router, and you will be able to see (and change) the settings. If you find that your router is using WEP, you should change this immediately. WPA is better, but for the highest level of security you should be using WPA2 and AES.
If you are using an older router, it might be that it is not compatible with WPA2, or with AES. If this is the case, you have a few options. First, you should check for a firmware upgrade that will allow your router to use WPA: since WPA was designed to be compatible with older WEP routers, many now have this functionality.
If you can’t find a firmware upgrade, it is time to start thinking about upgrading your hardware. This need not be an expensive option – many ISPs will provide you with a new router at minimal cost, or even for free – and is certainly cheaper than the consequences of your network getting hacked!
Though WPA2 is far more secure than the protocols that came before it, it retains a number of specific security vulnerabilities that you should be aware of. Some of these are caused by a feature of WPA2 that was designed to make setting up your wireless network easier: WPS.
WiFi Protected Setup (WPS) means that connecting a device to your WiFi network for the first time is as easy as pushing a button. If you think that sounds like a security flaw, you are right. If you leave WPS enabled, anyone who can physically access your router can gain a foothold in your network.
Turning off WPS is easy enough: log in to your router as an admin user, and you should see an option to disable it. If you need to connect an additional machine to your network, you can briefly turn it back on, of course. Just make sure that you turn it off again when you are done!
If you are looking for even more security, you should consider disabling the Dynamic Host Configuration Protocol (DHCP) server that your router uses. This system automatically assigns IP addresses to every device connected to your router, allowing additional devices to connect to your wireless network easily. The problem is that it will give anyone connected to your network an IP address, including someone seeking to gain unauthorized access.
There are two approaches that you can take to combat this potential vulnerability. The first is to limit the DHCP range that your router uses, which has the effect of limiting the number of machines it can connect to. The second approach is to disable DHCP entirely. This means you will have to manually assign every device an IP address every time it connects to your network.
Whether these approaches are suitable for your network will depend on how you use it. If you commonly connect and reconnect multiple devices to your router, it can become very time consuming to manually assign each an IP address. On the other hand, if the number of devices you want to connect is limited and predictable, disabling DHCP gives you a lot of control over who is connected to your network.
Knowledge is power, so finding out what Wi-Fi security protocol you are using is the first step in protecting yourself.
There are a couple of ways you can do this. The easiest is to use your smartphone:
If you are on a laptop or desktop computer, pulling up the network settings will typically also allow you to see the Wi-Fi security protocol you are using.
If it doesn’t, do a Google search for the brand and model of your router, and you should find instructions on how to log in to its settings, where you can see (and change) the protocol you are using.
Knowing how to do this is also necessary to change the default settings of your router, which is an important part of keeping your network secure, so you should know how to log in to your router in any case!
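On a Linux machine that uses NetworkManager, the same check can be scripted for every network in range. The following is an added example, not part of the original article: it parses output in the format of `nmcli -t -f SSID,SECURITY device wifi list` and rates each network the way the summary table above does, also flagging WPA3 transitional mode and factory-style SSIDs. The sample scan, the SSID prefix list and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format of: nmcli -t -f SSID,SECURITY device wifi list
# (NetworkManager on Linux). A ':' or '\' inside an SSID is backslash-escaped.
SAMPLE_SCAN = r"""HomeNet:WPA2
Linksys:WEP
NETGEAR42:WPA1 WPA2
Cafe\: Free WiFi:
Office:WPA2 WPA3
OldPrinter:WPA1
"""

# Assumption: a short illustrative list of factory SSID prefixes, not exhaustive.
DEFAULT_SSID = re.compile(r"^(linksys|netgear|tp-link|d-?link|asus)[\w-]*$", re.I)
ADVICE = {
    "open": "no encryption: treat like public Wi-Fi",
    "wep": "WEP: do not use, upgrade firmware or hardware",
    "wpa": "WPA only: use only if WPA2 is not available",
    "wpa+wpa2": "mixed WPA/WPA2: switch the router to WPA2 with AES only",
    "wpa2": "WPA2: recommended",
    "wpa2+wpa3": "WPA3 transitional mode: WPA2 still accepted, downgrade possible",
    "wpa3": "WPA3 only",
    "unknown": "unrecognised security field: check the router settings",
}

def split_terse(line):
    """Split an nmcli terse line on unescaped ':' and drop the escapes."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # keep the escaped character literally
        elif ch == ":":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def classify(security):
    """Map the SECURITY column (e.g. 'WPA1 WPA2') to one of the ADVICE keys."""
    tokens = set(security.split()) - {"--"}
    if not tokens: return "open"
    if "WEP" in tokens: return "wep"
    if "WPA3" in tokens: return "wpa2+wpa3" if "WPA2" in tokens else "wpa3"
    if "WPA2" in tokens: return "wpa+wpa2" if "WPA1" in tokens else "wpa2"
    return "wpa" if "WPA1" in tokens else "unknown"

def audit(scan_text):
    """Return (ssid, rating, default_looking_name) per network in the scan."""
    results = []
    for fields in map(split_terse, scan_text.splitlines()):
        if len(fields) >= 2:
            ssid, rating = fields[0], classify(fields[1])
            results.append((ssid or "<hidden>", rating, bool(DEFAULT_SSID.match(ssid))))
    return results

if __name__ == "__main__":
    for ssid, rating, default_name in audit(SAMPLE_SCAN):
        print(f"{ssid:18} {ADVICE[rating]}" + ("  [default-looking SSID]" if default_name else ""))
```

To audit a real scan, pass the captured command output to `audit()` in place of `SAMPLE_SCAN`.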
In general, yes.
A better answer would be that it depends on the Wi-Fi network. Your 4G (or 3G, or whatever your smartphone uses for mobile data) is secure because you are the only person who uses that connection. No-one else can access the information you send over this connection, unless they are using very sophisticated techniques.
The same principle applies to Wi-Fi networks. If you are the only person who uses your home network, for instance, and it is set up in a secure way (see our guide above), then your connection will be pretty secure.
Never, ever send personal information, including passwords or banking details, over a public Wi-Fi network. Many of these networks use poor security protocols, but even those which claim to be secure are inherently vulnerable because of the number of people using them at one time.