The Basic WiFi Security Checklist
Here are some low-cost ways you can protect your home and business by implementing basic security on your WiFi access points and devices that use WiFi:
Router or Access Point WiFi Security
- Set a strong WPA2 password on your router. As a bare minimum, we would suggest 12 characters (non-dictionary), however, using longer passwords or pass phrases is recommended. Longer, complex passwords will reduce the risk of brute force password cracking to negligible levels.
- Enable ‘Encryption of Management Frames’, if your router has the option. This will prevent deauthentication attacks (see last month’s blog for an explanation).
- Update your router firmware to the latest version.
- Activate MAC address restrictions in your router to limit connections to trusted devices only, e.g. authorised phones and laptops etc.
- Disable WPS and UPnP. This will stop hackers from being able to exploit weaknesses in these features to open vulnerabilities for attack.
- Change your default router administration credentials to your own User-ID and password.
- Disable remote administration and administration via WiFi for the router (internal fixed network only).
- Hide your SSID (WiFi identifier). This may not be ideal for guests as they won’t be able to see your network to connect to and will require specific details to be provided to them.
- Use the router firewall to restrict access to the minimum services (ports) and IP addresses required.
- Reduce the WiFi range on your router to the minimum possible without disrupting normal use.
- Switch off the wireless router when not required i.e. when your office is closed overnight or on weekends. This can be scheduled in the device or setup using a simple power socket timer.
- Avoid open sharing of WiFi access credentials – don’t post them on the wall for everyone to see!
WiFi Device Security – phone, laptop, tablet, watch etc.
- Disable WiFi on your device and only enable it when you are connecting to a known trusted Access Point.
- Avoid automatic connections when setting up a new WiFi connection or, at the very least, remove automatic connections for Access Points you do not regularly use.
- Use a VPN when accessing the internet over untrusted connections where possible.
- Never enter or view sensitive information with a web site that does not support encrypted (HTTPS) communications (the lock symbol in your browser).
- Never connect to an open WiFi network (no password required) unless you are managing the risk.
- Ensure all internal network server endpoints such as printers have encrypted (HTTPS) communications.
What if I suspect I’m already being attacked?
The checklist above will not provide absolute protection, but it’s a good start to making it harder for attackers to access your WiFi. Treat it as the recommended minimum that will prevent many low-level attacks from succeeding.
If you suspect that your WiFi networks have already been compromised, or are subject to being attacked or hijacked, then the only way to stop this is to physically find the rogue devices and remove them.
Let’s repeat: the only way to stop unauthorised WiFi from attacking or hijacking your network is to physically find it and remove it.
You’ll need specialized hardware to do this, such as the HackHunter Pursuit portable WiFi tracker (pictured).
This lightweight, handheld device detects unauthorised WiFi in your environment and locates the source to within a few centimetres, so it can be removed.
Conclusion
WiFi hacking is a risk to all businesses, and following the checklist above will strengthen your security. However, there are still inherent flaws in WiFi that make it vulnerable to attack. The only way to be sure of your WiFi network’s security is by using a WiFi tracker to locate and remove rogue devices.
