How-To Geek

How To Secure Your Wi-Fi Network Against Intrusion

Insecure Wi-Fi is the easiest way for people to access your home network, leech your internet, and cause you serious headaches with more malicious behavior. Read on as we show you how to secure your home Wi-Fi network.

Why Secure Your Network?

In a perfect world you could leave your Wi-Fi network wide open to share with any passing Wi-Fi-starved travelers who desperately needed to check their email or lightly use your network. In reality, leaving your Wi-Fi network open creates an unnecessary vulnerability: non-malicious users can inadvertently sponge up lots of your bandwidth, and malicious users can pirate content using your IP address as cover, probe your network, and potentially get access to your personal files, or even worse. What does even worse look like? In the case of Matt Kostolnik it looks like a year of hell as your crazy neighbor, via your hacked Wi-Fi network, uploads child pornography in your name using your IP address and sends death threats to the Vice President of the United States. Mr. Kostolnik was using crappy and outdated encryption with no other defensive measures in place; we can only imagine that a better understanding of Wi-Fi security and a little network monitoring would have saved him a huge headache.

Securing Your Wi-Fi Network

Securing your Wi-Fi network is a multi-step affair. You need to weigh each step and decide if the increased security is worth the sometimes increased hassle accompanying the change. To help you weigh the benefits and drawbacks of each step we’ve divided them up into relative order of importance as well as highlighted the benefits, the drawbacks, and the tools or resources you can use to stress test your own security. Don’t rely on our word that something is useful; grab the available tools and try to kick down your own virtual door.

Note: It would be impossible for us to include step-by-step instructions for every brand/model combination of routers out there. Check the brand and model number on your router and download the manual from the manufacturer’s website in order to most effectively follow our tips. If you have never accessed your router’s control panel or have forgotten how, now is the time to download the manual and give yourself a refresher.

Update Your Router and Upgrade to Third-Party Firmware If Possible: At minimum you need to visit the website of your router’s manufacturer and make sure there are no updates. Router software tends to be pretty stable and releases are usually few and far between. If your manufacturer has released an update (or several) since you purchased your router, it’s definitely time to upgrade.

Even better, if you’re going to go through the hassle of updating, is to switch to one of the awesome third-party router firmwares out there like DD-WRT or Tomato. You can check out our guides to installing DD-WRT here and Tomato here. The third-party firmwares unlock all sorts of great options, including easier and finer-grained control over security features.

The hassle factor for this modification is moderate. Anytime you flash the ROM on your router you risk bricking it. The risk is really small with third-party firmware and even smaller when using official firmware from your manufacturer. Once you’ve flashed everything the hassle factor is zero and you get to enjoy a new, better, faster, and more customizable router.

Change Your Router’s Password: Every router ships with a default login/password combination. The exact combination varies from model to model but it’s easy enough to look up the default that leaving it unchanged is just asking for trouble. Open Wi-Fi combined with the default password is essentially leaving your entire network wide open. You can check out default password lists here, here, and here.

The hassle factor for this modification is extremely low and it’s foolish not to do it.

Turn On and/or Upgrade Your Network Encryption: In the example above, Mr. Kostolnik had turned on the encryption for his router. He made the mistake of selecting WEP encryption, however, which is the lowest encryption on the Wi-Fi encryption totem pole. WEP is easy to crack using freely available tools such as WEPCrack and BackTrack. If you happened to read the entire article about Mr. Kostolnik’s problems with his neighbor, you’ll note that it took his neighbor two weeks, according to the authorities, to break the WEP encryption. That’s such a long span of time for such a simple task that we have to assume he also had to teach himself how to read and operate a computer.

Wi-Fi encryption comes in several flavors for home use: WEP, WPA, and WPA2. In addition, WPA/WPA2 can be further subdivided into WPA/WPA2 with TKIP (which generates a fresh 128-bit key per packet) and WPA/WPA2 with AES (a different 128-bit cipher). If possible you want to use WPA2 TKIP/AES, as AES is not as widely adopted as TKIP; allowing your router to use both lets each device use the superior encryption when it supports it.

The only situation where upgrading the encryption of your Wi-Fi network may pose a problem is with legacy devices. If you have devices manufactured before 2006 it’s possible that they will be unable to access anything but an open or WEP-encrypted network without a firmware upgrade, or perhaps at all. We’ve phased out such electronics or hooked them up to the wired LAN via Ethernet (we’re looking at you, original Xbox).

The hassle factor for this modification is low and, unless you have a legacy Wi-Fi device you can’t live without, you won’t even notice the change.

Changing/Hiding Your SSID: Your router shipped with a default SSID, usually something simple like “Wireless” or the brand name like “Netgear”. There’s nothing wrong with leaving it set as the default. If you live in a densely populated area, however, it would make sense to change it to something different in order to distinguish it from the 8 “Linksys” SSIDs you see from your apartment. Don’t change it to anything that identifies you. Quite a few of our neighbors have unwisely changed their SSIDs to things like APT3A or 700ElmSt. A new SSID should make it easier for you to identify your router from the list and not easier for everyone in the neighborhood to do so.

Don’t bother hiding your SSID. Not only does it provide no boost in security but it makes your devices work harder and burn more battery life. We debunked the hidden SSID myth here if you’re interested in doing more detailed reading. The short version is this: even if you “hide” your SSID it is still being broadcast and anyone using apps like inSSIDer or Kismet can see it.

The hassle factor for this modification is low. All you’ll need to do is change your SSID once (if at all) to increase recognition in a router-dense environment.

Filter Network Access by MAC Address: A Media Access Control address, or MAC address for short, is a unique ID assigned to every network interface you’ll encounter. Everything you can hook up to your network has one: your Xbox 360, laptop, smartphone, iPad, printers, even the Ethernet cards in your desktop computers. The MAC address for a device is printed on a label affixed to it and/or on the box and documentation that came with the device. For mobile devices you can usually find the MAC address within the menu system (on the iPad, for example, it’s under the Settings –> General –> About menu, and on Android phones you’ll find it under the Settings –> About Phone –> Status menu).

One of the easiest ways to check the MAC addresses of your devices, besides simply reading the label on them, is to check out the MAC list on your router after you’ve upgraded your encryption and logged all your devices back in. If you’ve just changed your password you can be nearly certain the iPad you see attached to the Wi-Fi node is yours.

Once you have all the MAC addresses you can set up your router to filter based on them. Then it won’t be enough for an intruding computer to be in range of the Wi-Fi node and have the password (or break the encryption); it will also need to present the MAC address of a device on your router’s whitelist.

Although MAC filtering is a solid way to increase your security, it is possible for somebody to sniff your Wi-Fi traffic and then spoof the MAC address of their device to match one on your network, using tools like Wireshark, Ettercap, and Nmap as well as the aforementioned BackTrack. Changing the MAC address on a computer is simple: in Linux it’s two commands at the command prompt, on a Mac it’s just about as easy, and under Windows you can use a simple app like Etherchange or MAC Shift to swap it.

The hassle factor for this modification is moderate-to-high. If you use the same devices on your network over and over with little change up then it’s a small hassle to set up the initial filter. If you frequently have guests coming and going that want to hop on your network it’s a huge hassle to always be logging into your router and adding their MAC addresses or temporarily turning off the MAC filtering.

One last note before we leave MAC addresses: if you’re particularly paranoid or you suspect someone is messing around with your network you can run applications like AirSnare and Kismet to set up alerts for MACs outside your white list.
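
The whitelist-alerting idea above, as an added example that is not part of the original article: it runs the kind of check AirSnare or Kismet would automate over a few constructed dnsmasq-style DHCP lease log lines, flags any MAC not on the whitelist, and also flags a whitelisted MAC that leases under two different hostnames, which is one visible symptom of the MAC spoofing the article warns about. The log format, hostnames and MAC addresses are all constructed.

```python
"""Alert on MAC addresses that are not on your router's whitelist.
Added example, not from the How-To Geek article: the check that tools
such as AirSnare or Kismet automate, run over constructed log lines in
the style of a dnsmasq DHCP lease log. All values are constructed."""
import re
from typing import Iterable

# Whitelist built from your own devices' labels or the router's
# connected-device list. Constructed values, deliberately in the mixed
# formats routers and OSes print (':' or '-', upper or lower case).
WHITELIST = {
    "a4:5e:60:11:22:33",   # laptop
    "F0-99-B6-44-55-66",   # iPad
    "3c:5a:b4:77:88:99",   # printer
}

# Constructed sample log lines in dnsmasq DHCPACK style.
SAMPLE_LOG = """\
Jul 19 14:36:20 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.20 a4:5e:60:11:22:33 laptop
Jul 19 14:36:55 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.21 f0:99:b6:44:55:66 ipad
Jul 19 14:37:02 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.22 3c:5a:b4:77:88:99 printer
Jul 19 23:41:17 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.37 08:00:27:ab:cd:ef android-9f1e
Jul 19 23:44:09 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.37 08:00:27:ab:cd:ef android-9f1e
Jul 20 02:10:44 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.23 3c:5a:b4:77:88:99 pc-7c2e
"""

MAC = r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
MAC_RE = re.compile(rf"\b({MAC})\b")
ACK_RE = re.compile(rf"DHCPACK\(\S+\) (\S+) ({MAC}) (\S+)")  # iface, ip, mac, host

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 'F0-99-B6-..' equals 'f0:99:b6:..'."""
    return mac.replace("-", ":").lower()

def find_unknown_macs(lines: Iterable[str], whitelist: Iterable[str]) -> dict[str, list[str]]:
    """Map each MAC that is not on the whitelist to the log lines mentioning it.
    Grouping by MAC gives one alert per device, not one per lease renewal."""
    allowed = {normalize_mac(m) for m in whitelist}
    unknown: dict[str, list[str]] = {}
    for line in lines:
        for found in MAC_RE.findall(line):          # every MAC on the line
            mac = normalize_mac(found)
            if mac not in allowed:
                unknown.setdefault(mac, []).append(line.rstrip())
    return unknown

def find_hostname_conflicts(lines: Iterable[str]) -> dict[str, list[str]]:
    """Whitelisted or not, a MAC that leases under two different hostnames is
    suspicious: the article notes a MAC can be spoofed to match one of yours,
    and a cloned address often shows up with the intruder's own hostname."""
    seen: dict[str, set[str]] = {}
    for line in lines:
        m = ACK_RE.search(line)
        if m:
            seen.setdefault(normalize_mac(m.group(2)), set()).add(m.group(3))
    return {mac: sorted(h) for mac, h in seen.items() if len(h) > 1}

def alert_lines(log_text: str, whitelist: Iterable[str] = WHITELIST) -> list[str]:
    """Human-readable alerts: unknown devices first, then cloned-MAC suspects."""
    lines = log_text.splitlines()
    alerts = []
    for mac, hits in sorted(find_unknown_macs(lines, whitelist).items()):
        # The syslog timestamp is the first 15 characters of each line.
        alerts.append(f"ALERT unknown MAC {mac}: {len(hits)} lease(s), "
                      f"first seen {hits[0][:15]}, last seen {hits[-1][:15]}")
    for mac, hosts in sorted(find_hostname_conflicts(lines).items()):
        alerts.append(f"ALERT MAC {mac} used by several hostnames: {', '.join(hosts)}")
    return alerts

if __name__ == "__main__":
    for a in alert_lines(SAMPLE_LOG):
        print(a)
```

Feed it your router’s real lease or association log (the field layout will differ by firmware, so adjust ACK_RE) and the unknown-MAC alert is the one that catches the neighbor’s phone; the hostname-conflict alert is what remains useful once someone has cloned a whitelisted address.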

Adjust the Output Power of Your Router: This trick is usually only available if you’ve upgraded the firmware to a third party version. Custom firmware allows you to dial up or down the output of your router. If you’re using your router in a one bedroom apartment you can easily dial the power way down and still get a signal everywhere in the apartment. Conversely if the nearest house is 1000 feet away, you can crank the power up to enjoy Wi-Fi out in your hammock.

The hassle factor for this modification is low; it’s a one time modification. If your router doesn’t support this kind of adjustment, don’t sweat it. Lowering the output power of your router is just a small step that makes it necessary for someone to be physically closer to your router to mess with it. With good encryption and the other tips we’ve shared, such a small tweak has a relatively small benefit.


Once you’ve upgraded your router password and upgraded your encryption (let alone done anything else on this list) you’ve done 90% more than nearly every Wi-Fi network owner out there.

Congratulations, you’ve hardened your network enough to make almost everyone else look like a better target! Have a tip, trick, or technique to share? Let’s hear about your Wi-Fi security methods in the comments.

Jason Fitzpatrick is a warranty-voiding DIYer and all around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 07/19/11

Comments (37)

  1. Richard

    Nice guide. ISPs have got a lot better with the routers they send out; just the last one I did had WPA2 encryption turned on and a random password. Would be fine for most people with little technical knowledge.

  2. Jason Fitzpatrick

    @Richard: That’s pretty awesome. Glad to hear somebody in the chain went “You know… people are herping when they should be derping. Maybe we should just ship these things with better security?”

  3. Wayne

    Nothing about using guest networks for security purposes? With guest networks, you can set up your devices on a lan filtered by MAC and high encryption. You can set your guest network to use lower or no encryption and just allow people to join based on SSID and password. I can even set it so guests only have access to the internet and cannot see any other devices on that guest network.

    My WNDR3700 supports two wireless guest networks along with our primary networks. Many devices (desktops, DVR, Bluray, Printers) are connected via Gigabit Ethernet. The iPods, iPhones, iPads and my daughter’s laptop connect to the primary network via wireless and each device can select N or G speeds. I broadcast the SSIDs for this network.

    The first wireless guest network has access to N and G speeds, and guests can connect to printers and other shared devices on the LAN. It uses WPA2 with TKIP/AES encryption, though with different passwords for everything compared to the primary network. This network’s SSID is also broadcast.

    Our second wireless guest network uses WEP encryption. Devices can only access the Internet and cannot see any other devices. I realize it is a risk but my kids have older Nintendo DS devices which do not support WPA or WPA2. This allows them to connect to the internet on those devices. It is MAC filtered as well. I don’t broadcast the SSID for this network.

  4. C_3PO

    Great stuff, but sadly a lot of ISP-provided routers don’t allow “MAC” filtering??? BT charge £65 to set up your new Home Hub “wireless network”, what a rip off!! Hooked up a friend’s, took me all of 5 minutes!

  5. jack

    Every wireless connection is a risk… I don’t care if you have WPA2 encryption, I can flood your wireless network… and you won’t be able to surf online… and maybe you will try to change encryption to WEP, which can be cracked in a few minutes /;)
    Hiding the SSID is a myth… I can find the SSID name easily :)

  6. g-d

    Unfortunately MAC filtering is incompatible with Windows Vista’s/7’s network map feature, since to fully map the network a separate random MAC address is generated by the computers, and the router blocks it.

  7. Johann

    @Wayne: You got it going on.

  8. Rod Dog777

    A (very questionable) company called Nirsoft has an arsenal of freeware Wi-Fi signal tracers/de-encrypters, and signal interceptors. Their hackware can highjack a Wi-Fi signal, the older the computer the more they get, steal passwords and profile your surfing habits, even piggy-back onto your signal for their use which blows a lot of your best security to bits and may cost you extra cash if they are downloading TB’s of movies or other audio-visual downloads unbeknownst to you and only shows up on your I.S.P. bill when U R charged for WAY over your I.S.P.’s limit monthly allowance of d/l data, totally unknown unless your signal strength drops off, a very good reason I keep my computers running bandwidth thru cable DSL modems. Older, but the whole neighborhood does not get a heads-up every time I go Wi-Fi online. Like Wi-Fi printing? That is also one of their highjack top downloads! Pity if it’s a very personal/private document(s) you just gave away to a complete stranger, or maybe a nosy neighbor! If you doubt that, find them on a search and hold your breath!

    R D

  9. durr

    Hiding your SSID doesn’t help that much. WPA2 Enterprise would help much more, as would packing the Wi-Fi into separate VLANs to secure the LAN; to secure the LAN even better, it would be good to have a DMZ. The cheapest way would be a virtual DMZ, preferably a dual DMZ if you have a NAS or something like that you access from the outside.

  10. gedda

    I always setup my SSID as “Infected”. I think most people wouldn’t even try to connect to it even if I wasn’t using WPA2. A couple years back, my neighbor told me to be careful because he had FireDog (the Circuit City PC goons – you remember Circuit City, don’t you?) come out to clean up some malware on his laptop and the dude said that the trojans must have come from the “Infected” wireless network in the neighborhood.

  11. Kevin Cummings

    Love the “infected” SSID. Other fun SSIDs to discourage low-tech users are WeakSignal, NotConnected, and LowSpeedNetwork.

  12. Wayne

    Someone in my neighborhood uses the SSID of “CIA Secure Line”.

  13. Saman

    my ssid is “virus.win32.sality”

  14. Scott

    I’ve done all these things except the MAC filtering, which I’ve been considering. My favorite ssid name was found while in downtown Houston. It was called “Don’t even think about it”

  15. tommy2rs

    Here’s how I secured my wifi. Moved to the boonies. Did the war drive prior to moving, not a wifi signal on the whole mountain but good cell phone reception on top. Old house with metal roof, metal awnings, metal window screens and door screens, aluminum siding. Note this is a house and NOT a trailer. No signal (cell phone, AM or FM, TV, not to mention wifi) gets in or out. Have to use an external antenna for cell and mobile broadband reception. But I still use WPA2-PSK just in case.

  16. mo

    I use WPA2 with a 100+ mixed character randomly generated passcode and MAC filtering.
    My SSID is PurpleMonkeyDishwasher, more as a laugh than anything.

  17. Angela

    Another layer of security is to shut off remote access to the router (if available). This prevents a wireless device from hacking the router itself. Any configuration changes (such as editing the MAC filter) have to be done through a wired connection, but with a desktop that isn’t a major hassle.

  18. Grant

    Some wireless routers allow you to schedule when the wireless signal is on. So, while you sleep, you can turn the wireless signal off and no one can break in to your network.

  19. Isaac

    To Rod Dog777:
    Nirsoft is not a very questionable company; it is an IT admin website where professionals like me find excellent tools for our work. Saying that those tools are questionable is like accusing gun manufacturers of being questionable; the use you give to them is up to you, so if you still think Nirsoft is questionable, please return your gun, because in your hands it is questionable.

  20. Steveo

    @ Wayne – any chance you could contact me at stevehebe at yah00 dot c0m. I would like to see if you could help me with some “guest network” solutions. Thanks for the great article too!

  21. Gary

    Netgear Nightmare. I got a “free to use” WNR-1000 from Comcast. It takes a notion to stop being wireless. I called Comcast and got referred to Netgear. Netgear talked me through getting it back up and gave me a case number. Wireless went down again. I called my ubergeek son and he took control of my computer and got it up. It went down again. I called Netgear again, got transferred to someone who could not hear me and I could not hear them. Called back. “Your warranty is expired. Would you like to try our email support?” I resisted the urge to say something obscene and ended the call.

  22. Tejaswin

    Some routers don’t have an option to adjust the power. There are many ways to secure the network, like hiding the SSID [name of your Wi-Fi network], making a list of MAC addresses and then putting each MAC address in either the accept list or the reject list, or connecting a device using WPS [new routers after 2010 manufacture date].

  23. Road Dog777

    Highly questionable is why I have every tool Nirsoft lets me d/l, the questionable part is R U using it for reasons which R legal, or not? Just like one of the many pistols & shotguns I own, I choose to use them in a legal manner, and unlike a car-jacker I choose not to steal or harm others. Leave a trace-route set to ping your ISP every millisecond & expect them to cut U off, use it once to verify their IP range and U break no TOS. Please do not lecture me on what our tools can or can not do OK.
    Later,

    R D

  24. Me

    “Don’t use hidden SSIDs because they’re easily discovered passively and thus don’t provide extra security”

    “Use MAC filtering because even though addresses can be easily discovered passively and simply spoofed in all operating system it provides you extra security”

    Huh?

  25. Rob

    VPN anyone? Isn’t that an extra security layer, making it difficult to spoof MAC addresses?

  26. Steve

    Thanks for the tips. I just do the obvious when I am not at home or at night. The WiFi on my router is on a timer so it turns off at night. And if I’m not at home, I just turn the WiFi off. I realize this is not for everybody, but it sure is safe!

  27. TLW

    What great info!!! And I’m still laughing at the story Gedda shared. Now that is just too funny :)

  28. durr

    @Rob
    Read the article about VPN on Wikipedia, it is not related to wireless-security.

  29. sam

    My WiFi setup is super secure. It’s rock solid. No one can hack into it. I probably should patent my setup before I go with the public but in the interest of security, I will give you a hint. I don’t have a WiFi router. My entire home is wired.

  30. jihn q

    @SAM, yeah I think my house will be too when I get one. wi-fi is such a hassle.

    Well, after reading this article I now know several ways to hack a person’s Wi-Fi. Thanks HTG!

  31. sam

    @jihn q

    If you want wireless, get a wireless VPN router.

  32. ThorQuest

    I want to change the SSID on my CLEAR wireless router but can’t find any way to access the control panel. I’ve searched the CLEAR website but no luck. Any help is greatly appreciated. Thanks

  33. skrewdriver

    I am liking the new Engenius WAP I purchased recently. Of course, it has all the security features you mentioned out of the box…plus some. You can actually have multiple SSIDs and assign VLANs to each one. If you are really into setting up security, it is pretty good for the cost. Still won’t beat out Cisco, but who has the money for that for home use.

  34. Tom

    There are many different ways to secure your router. Hiding the SSID is easy and limits visibility, but it is more of a false sense of security; Airodump, Kismet, etc. all pick them up. If you are using WPA/WPA2 encryption and you are paranoid about war drivers you can change your SSID and passphrase weekly, bi-weekly, or monthly. Notice I said SSID as well, because your SSID is incorporated into your encryption data along with your passphrase in the WPA/WPA2 encryption set. So changing both makes the 4-way handshake the nasty wardriver picked up 2 weeks ago on his little cruise by your house completely useless. Also, when you choose your password use upper and lower case letters, numbers, and unique characters. Also ensure your passphrase does not have consecutive letters and/or numbers or spell an actual word. Also making the password as long as possible helps, which will lengthen the time it takes a cracker, using brute force, to crack your password. 20 character password: 7.795036469024206e+24 years. I would use more than 20 characters if possible, but just an example. Of course there’s rainbow tables and many other methods, but limiting the hackers’ choices helps to deter them, especially when your neighbor is broadcasting their WEP encrypted network, with wireless access to their router. Nothing is 100% secure; that 20 character password could take 7.795036469024206e+24 years or it could take 7.8 seconds. Also, to go along with that wireless flooding, I would laugh at that… just a minor annoyance, probably less if it’s a wardriver, and that also lets me know to look outside and grab the license plate number of the vehicle driving by with an antenna on their vehicle.
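
Tom’s point that the SSID is folded into the WPA/WPA2 key, shown as an added example that is not part of the article or the comment: IEEE 802.11i derives the 256-bit pre-shared key as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, so the same passphrase on a renamed network yields an unrelated key, and a table precomputed for a common default SSID tells you nothing about a network with a unique one. Every passphrase and SSID below is constructed except the published IEEE test vector.

```python
"""Derive a WPA/WPA2-Personal key from passphrase and SSID.
Added example, not from the article or the commenter. IEEE 802.11i
defines the 256-bit PSK as PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
4096 iterations), which is why changing either input changes the key.
Inputs are constructed except for the published IEEE test vector."""
import hashlib
import hmac

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK (the PMK in WPA-Personal) per IEEE 802.11i."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form, as printed by wpa_passphrase or a router's status page."""
    return wpa_psk(passphrase, ssid).hex()

def same_key(p1: str, s1: str, p2: str, s2: str) -> bool:
    """Constant-time comparison of the keys two (passphrase, SSID) pairs produce."""
    return hmac.compare_digest(wpa_psk(p1, s1), wpa_psk(p2, s2))

# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    assert psk_hex("password", "IEEE") == IEEE_VECTOR
    passphrase = "correct horse battery staple"   # constructed
    for ssid in ("linksys", "APT3A"):              # constructed
        print(f"{ssid:>8}: {psk_hex(passphrase, ssid)}")
    # Same passphrase, new SSID: a key captured or precomputed for the
    # old SSID (rainbow tables are built per common SSID) is now useless.
    print("keys equal:", same_key(passphrase, "linksys", passphrase, "APT3A"))
```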

  35. Sheen

    It would be a nice feature to have a button on your wifi router that LOCKS IN the currently connected computers. After that you need to press it again to unlock if you want to add another computer.

    Open
    CLOSED.

    Two options, at the push of a button.
    Very simple for low-skilled users. Convenient for intermediates, who know a lot about Windows but don’t want to muck around with learning about wireless security.

    What do you think of such a simple security feature for the masses?

  36. lee

    I have my router connected to a pigtail power strip and only hit the power when I wish to go online. I then periodically use inSSIDer 2 to see if I am alone in the Wi-Fi world. Not a total cure for security but an extra layer of not too inconvenient security.

  37. Tom

    Any security that requires physical access to the router is always better. At the same time anything that is built can be broken, reverse engineered. But the biggest way to secure yourself is with knowledge, watch your browser httpS. When doing anything that you want encrypted ensuring that the S is there and the certificates are valid. Stay informed, check out recent security vulnerabilities. There will always be vulnerabilities, software or protocol, they will be there.
