Many home routers offer a “Guest Mode.” This isolates your guests onto a separate Wi-Fi network, and you don’t have to give them your normal Wi-Fi passphrase. But Guest Mode is often insecure.
Guest Mode isn’t always bad: D-Link, Netgear, and ASUS routers seem to do it right. But, if you have the type of Guest Mode we’ve seen on home routers from Linksys and Belkin, you should never use it.
Why Guest Mode?
In theory, Guest Mode is a fine idea. Rather than having guests connect to your normal Wi-Fi networks, a router with Guest Mode will host multiple Wi-Fi networks. Guests who visit your home can connect to the guest network, which can have a separate passphrase from your normal Wi-Fi network.
This allows you to keep your normal Wi-Fi network private. It also keeps guests from accessing your network file shares and other sensitive data. Even if they’re feeling snoopy or have malware installed, all those guest devices will be isolated from your normal Wi-Fi network.
Rather than gaining access to your entire network, devices connected to the Guest Network just get access to the Internet. Guest Mode settings may also allow you to limit the number of devices that can connect to the guest network. So far, this is fine.
How Some Routers Botch Guest Mode
The problems are immediately obvious when you enable guest mode, or when you connect to a network configured for Guest Mode. You’ll see that the separate guest network is likely an open Wi-Fi network. In other words, it’s not protected by the normal Wi-Fi encryption that secures your main network.
This means that any network traffic travelling over the guest network is sent “in the clear,” and is vulnerable to snooping. It’s just like connecting to a typical hotel’s Wi-Fi network. The connection is unencrypted, and anyone nearby can snoop. Modern operating systems will even warn you about this when you connect.
But there is a password that guards access to the Internet. After a device connects to the Guest Mode network, it sees a login page. The user has to provide a passphrase or the device doesn’t get Internet access.
This provides more protection than hosting a typical open Wi-Fi network, but not by much. The Wi-Fi login page is generally unencrypted — you can tell because there’s no HTTPS or lock icon on the address bar. If you connect to the guest network and provide the password, it’s also sent unencrypted to your router. Anyone snooping on Wi-Fi traffic nearby can clearly see the Guest Mode password every time it’s typed in, and they could use it to access your guest mode network without your permission.
The default Guest Mode password on Linksys routers seems to be “BeMyGuest”, which is also insecure, since many people will use Guest Mode without changing this.
How Some Routers Offer Secure Guest Modes
Some router manufacturers avoid this problem by actually using normal Wi-Fi encryption in guest mode. All they have to do is host an entirely separate Wi-Fi network with the typical encryption — generally WPA2 encryption — that you should be using on your main Wi-Fi network.
We’ve seen D-Link, Netgear, and ASUS routers provide proper guest networks in this way. They create a separate, encrypted Wi-Fi network and isolate it from the main network. The most important thing is that encryption is available.
To test whether it’s safe or not, just enable Guest Mode on your router. Try to connect and see whether it’s an open Wi-Fi network that allows you to connect instantly, or a closed Wi-Fi network that your operating system requires a passphrase for before connecting. If you see an operating system password dialog, it’s secure. If a web browser pops up and asks for a password, it’s insecure.
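The same check can be made from a Wi-Fi scan listing instead of by connecting. This added example (not part of the original article) parses the output of `nmcli -t -f SSID,SECURITY device wifi list` on a Linux machine running NetworkManager and reports whether a guest network is open or encrypted. The SSID names and the sample scan are constructed, and it assumes nmcli shows an empty field or `--` for a network with no encryption.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# The SSID names are made up for illustration.
SAMPLE_SCAN = """\
HomeNet:WPA2
HomeNet-guest:
Lab\\:5GHz:WPA2 WPA3
Cafe:--
"""

def split_terse(line):
    """Split one nmcli terse-mode line on ':' while honouring '\\' escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # escaped ':' or '\' is literal
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))  # unescaped ':' ends the field
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def classify(security):
    """Assumption: an empty field or '--' means the network is open."""
    return "open" if security.strip() in ("", "--") else "encrypted"

def scan_networks(scan_text):
    """Return {ssid: set of verdicts} for every named network in the scan."""
    results = {}
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) < 2 or not fields[0]:   # blank line or hidden SSID
            continue
        results.setdefault(fields[0], set()).add(classify(fields[1]))
    return results

def guest_verdict(scan_text, guest_ssid):
    """Apply the article's test to one SSID taken from the scan."""
    verdicts = scan_networks(scan_text).get(guest_ssid)
    if verdicts is None:
        return "not found"
    # One open access point under this name is enough to expose guest traffic.
    return "insecure: open network" if "open" in verdicts else "ok: encrypted"

if __name__ == "__main__":
    for ssid in scan_networks(SAMPLE_SCAN):
        print(ssid, "->", guest_verdict(SAMPLE_SCAN, ssid))
```
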
Guest Mode is a nice idea, but it’s far from completely necessary. If you want to use Guest Mode, be sure that your router offers a secure encrypted guest network — not an open, unencrypted one. With an open guest network, your guests could have their Wi-Fi usage snooped on and your Guest Mode passphrase could be easily eavesdropped on and captured, allowing anyone nearby to gain access to your Internet connection.