With the end of the COVID-19 pandemic nowhere in sight, many people have turned to working from home as an alternative. While certainly useful for containing the spread of the virus, it opens up new risks in the form of cybersecurity issues. Home Wi-Fi networks are generally far less secure than company networks because they lack the complex security measures that only companies can afford. But fortunately, securing your home Wi-Fi network is relatively simple.
The Goal of Wi-Fi Security Measures
Company networks have to be very secure because they house lots of sensitive data. Any disruption to that network can cause interruptions to company services, data leaks, data loss, and other huge headaches for that company. So, they essentially have a big target painted on them from a hacker’s point of view.
In contrast, most residential networks are far less valuable targets. They’re numerous, decentralized, and don’t hold the vast amounts of useful data company networks do. As a result, you’re only likely to be targeted by a “hobbyist” hacker or even a curious neighbor, if at all. These people are usually not as skilled as professional hackers or as persistent. Even so, you might have sensitive data on your devices such as financial or personal data. And as more jobs shift to work-at-home positions, home devices will become more enticing targets. Another fact to consider is that if an attacker decides to use your network to spread spam and do other malicious activities, those activities will be linked to you, not the attacker (it came from your network). So, it’s still a very good idea to secure your home Wi-Fi network.
There is no such thing as perfect security. There’s always going to be some exploit or workaround that can lead to a security lapse. The best you can do is mitigate the risk to a low enough level. But as you increase the amount of security measures, you also sacrifice convenience. The key is to strike a balance between the two so that you have both a secure and usable network. Thus, the goal of home Wi-Fi security measures is not to stop every possible threat but to merely frustrate the would-be attacker enough that he or she decides to give up and move on.
Tips for Securing Your Home Wi-Fi Network
Most home Wi-Fi networks consist of a wireless router that’s connected to an internet service provider (ISP) and a host of devices connected to it. That router is essentially the “gatekeeper” of your network, so most of your efforts should be aimed at securing it as much as possible. Fortunately, modern routers are actually a bunch of devices built into one and have plenty of security features. They generally have a router, switch, firewall, wireless access point (WAP, or wireless hotspot), content filter, and a virtual private network (VPN) gateway all in one device. That’s a lot of settings to go through, but I’ll highlight the main ones.
On a side note, because you’re depending on this one device to do all this, you’re vulnerable to the single point-of-failure problem. As a result, it’s a good idea to have a spare in case it stops working.
To access the router’s settings, type in the router’s IP address in the address bar of your web browser. The router will usually have this IP address written on it somewhere or have it in the manual. It should usually be something like 192.168.1.1 or 192.168.1.254. Remember to log out of administrator status when you’re done changing any settings to prevent an attacker from taking advantage of a still-active session.
Change the Default SSID and Password
The SSID is your network’s name. Changing it and the default password is one of the easiest things you can do, and it’ll stop pretty much any non-technical person from getting into your network. The reason you need to change these is because you can find the default settings of any network device if you look around on the Internet. That means if you don’t change them, an attacker will know exactly what model your router is (and its security vulnerabilities) and the password to get into your network.
Change the SSID to something nondescript that won’t give any hints to which house it belongs to or its purpose. Make sure you have a strong password as well. Just a heads up, any time you change them, you’ll need to reconnect all your devices to the router again.
Change the Router’s Default Admin Password
On many routers, there’s an admin password for the router itself to help prevent attackers from accessing and changing the settings. Change this one from the default into a strong password for the same reason as above.
Use WPA3 (or WPA2) Encryption
Whatever you do, don’t use WEP or nothing at all. WEP was the original encryption protocol, and it’s very weak, so using it is a security risk. WPA has since replaced it (more recent routers don’t even have WEP as an option). The latest version is WPA3, though that just came out. If your router doesn’t have WPA3, don’t fret about it. Just use WPA2.
Make Sure Your Firewall Is On
If your router has a built-in firewall, make sure to turn it on. What it does is prevent your network (and the devices connected to the network) from responding to “probes” (port scans) from attackers looking for open connections. This effectively makes your network invisible to them. In addition to stopping suspicious incoming connections, it can also stop suspicious outgoing connections in case the device is compromised with malware.
Modern Windows and Linux systems also have a built-in firewall. Make sure it’s on for another layer of security.
Disable Remote Access
This is typically available for when you need someone, such as a tech support representative, to change the settings of the router over the Internet. But since you don’t need this feature any other time, turn it off to remove another possible security vulnerability.
Keep Your Computer and Your Router’s Firmware Updated
These updates usually fix security vulnerabilities, so it’s absolutely a good idea to check for them regularly. In your computer’s case, make sure you update your anti-virus/anti-malware software regularly in addition to getting the updates for your OS. Many malware attacks (such as the WannaCry ransomware attack) rely on people not updating their systems with the latest updates. Also remember to actually run your anti-virus/anti-malware programs regularly too.
Be Wary of Program/App Settings
The best security software can’t save you if you let attackers into your system yourself (unwittingly). Programs that use the Internet, such as chat programs or web browsers, are essentially holes in your firewall. Check their settings to see if they are exactly the ones you want. Also remember to close the program or app when you’re done with it.
Some recent high-profile attacks involved programs and apps. “Zoombombing”, the term for attackers gaining access to a session on the videoconferencing app Zoom, was (and still is) one of them. It happens partly because many Zoom users don’t configure the settings to make their sessions more secure (ex. using their Personal Meeting ID, not enabling the Waiting Room feature, and not disabling the join before host, screen-sharing for non-hosts, remote control, file-sharing, annotations, and autosave features). Another recent attack (by Russian hacker group Evil Corp.) involved code lurking on certain websites that looked for virtual private networks (VPNs) belonging to major businesses. When a person with such a VPN visited an infected site, it downloaded malware onto the person’s computer that would activate once he or she reconnected to the company network.
Back Up Your Data Regularly
This isn’t exactly a prevention measure. It’s a measure that allows you to recover relatively unscathed from an attack that restricts or deletes your data. It’s also a good practice in general because hard drives can fail unexpectedly. Just remember to disconnect your backup drive from the computer when you’re done. Otherwise, an attacker could access that drive too.
More Optional Things You Can Do
The tips here are things you can do for extra security if you don’t mind very limited functionality. What I mean by that is it will probably make your wireless network difficult to use, especially for non-technical people. On the plus side, they’ll prevent all but the most determined hacker from getting into your network. It’s all about security vs. convenience, so see if these measures are right for you.
Set Up a MAC Address Whitelist
Every device that can connect to a network has a unique media access control (MAC) address. Routers usually have a whitelist feature where you can put the MAC addresses of all the devices you own. Once you have that set up, anyone without an approved MAC address will be blocked automatically. The downside of this is you’ll need to change the whitelist entries every time you get a new device or when a guest wants to access the network.
Do note that it’s possible to spoof a MAC address, so you shouldn’t rely on this measure alone.
Disable Network Broadcasting
This will stop your network from appearing on any device’s list of possible networks to connect to. To connect to it, you’d have to do it manually by typing in the SSID and password.
There are tools to detect hidden networks, so you shouldn’t depend on this measure alone either.
Disable Universal Plug and Play (UPnP)
This feature makes it easier for devices in a network to find and connect with each other. However, malware that somehow got onto one device can take advantage of it to bypass your router’s firewall and spread to other devices in the network. This can then possibly allow a hacker to control them remotely. So, if you don’t need it, turn it off.
Disable Wi-Fi Protected Setup (WPS)
This feature allows non-technical people to easily connect devices (like a network printer) to a network by just pressing a button. But some WPS procedures use a PIN, which can be cracked using a brute-force attack in just a few hours. If yours has this feature, you should consider disabling it.
Use a Guest Network
As the name suggests, this allows guests to access a separate network from the one that has all your devices on it. That way they can’t access any of your devices when connected to it. The downside is you’re going to have to manage two networks. It also won’t stop someone from just leeching off that network instead (if they can access it).
Turn Off the Router When You’re Not Using It
This is probably the most secure way to stop an attacker. After all, you can’t hack something that’s not on. But it’s pretty annoying to have to boot up your router and wait for all your devices to connect to it every time you want to use it, though. So this should only be something you do when you’re going to be away from home for a long time or as a last resort if you suspect someone is really trying to access your network. While this measure vastly reduces the chance an attacker can break into your network, it’s not foolproof. Malware can still get into your computer (and thus network) while you’re using it and compromise it.
Sources
https://us.norton.com/internetsecurity-iot-keep-your-home-wifi-safe.html
https://www.wired.com/story/secure-your-wi-fi-router/
https://www.consumer.ftc.gov/articles/0013-securing-your-wireless-network
https://us-cert.cisa.gov/ncas/tips/ST15-002
https://www.nytimes.com/2020/06/25/us/politics/russia-ransomware-coronavirus-work-home.html
https://www.cnet.com/how-to/how-to-prevent-zoombombing-in-your-video-chats-in-4-easy-steps/