Wireless Security Tips
What Is a Wireless Network?
A wireless network is created when an access point, such as the wired cable from an internet service provider (ISP), connects to a wireless router to create a local-area network (LAN). This network allows multiple devices to connect to it so that the devices can access the internet wirelessly.
Security Issues in Wireless Environments
The weak security of wireless networks is a perfect environment for cyberattackers. They know that the most efficient way to access a group of devices located together in a small area is to hack into the wireless network on which users depend for internet access. As such, wireless security solutions are in high demand.
With increased work-from-home orders and students studying from home, more people are accessing the same wireless router simultaneously and for longer periods than they had in the past.
But how do you know if you are being hacked?
Consider the scenarios below, and immediately take action if you suspect there has been misuse or compromise of your home Wi-Fi network.
Denial of Service
A denial-of-service (DoS) attack is a cyberattack intended to shut down a device or network, or render it inaccessible or useless for users, by flooding it with traffic. Malicious actors do this by sending it so many requests in such a short amount of time that all of its available memory, system resources, or storage gets inundated. In rare, extreme cases, damage to the device's physical components also occur.
One of the goals of this type of attack is to "bump off" regular, valid users who need access to the network. While the DoS attack is sending these fake, invalid connection requests to a system, unfortunately, legitimate users making connection requests cannot connect.
If a home wireless router is being attacked with DoS, the home—or legitimate—users of the service would not be able to access the internet. If you or other internet users in your home cannot connect to your router, or you are finding internet speed extremely slow, you might be the victim of a DoS attack.
Rogue Access point
A rogue access point (rogue AP) is a wireless access point that has been added to a network's infrastructure—such as the router connected to the cable in the wall—without the explicit consent or even knowledge of the owner of the network.
This would be akin to a hacker connecting a Wi-Fi router to a cable outside your home without your knowledge. You might think that the router inside your house and issued by your ISP is the only router using your cable access point, but if a hacker installs a rogue AP, you would be wrong.
Another example of a rogue AP, sometimes referred to as an "evil twin," involves a hacker positioning another wireless router just outside of your house but still within the perimeter of your router to receive beacons transmitted by the router inside your house. The evil twin then begins to transmit identical signals with the purpose of having end-users—you or your family members—connect to it. Once connected, the evil twin can then be used by cyberattackers to hack into your network and the devices connected to it.
A rogue AP can cause harm because home users think they are connected to a router from their ISP, when in reality, they are connected to a rogue router that is likely stealing data from the devices connected to it. The only way to discover whether you or others in your home network are inadvertently using a rogue AP is to have your ISP visit your home and use sniffers around the perimeter to determine if there are unauthorized access points.
Passive capturing is a type of network attack in which a system is simply monitored and scanned for any open vulnerabilities. The purpose of passive capturing is solely to gain information about the target. It becomes an active attack if the malicious actor finds there is a vulnerability worth exploiting.
A passive attack could be the first step of a rogue AP attack. Cyberattackers identify a vulnerable Wi-Fi router via sniffing or scanning software. If they feel it would be successful, they try to gain unauthorized access to the network using an outside access point.
Passive capturing can also simply mean spying. Cyber criminals sometimes pose as authorized users of the network—perhaps as an "extra" device at home that no one has used for a long time—to determine whether further intrusion would be worth their while.
If you suspect that there are other devices unlawfully accessing your home Wi-Fi network, follow the tips below and contact your ISP for further recommendations.
10 Tips to Secure Your Wireless Wi-Fi
The password on the sticker on the side of the router is painfully long, plus you are paying ISPs hefty fees per month, so do you really need to worry about wireless security?
The sad and painful answer is yes. Home internet use has skyrocketed this year with the rise of work-from-home and study-from-home directives. People need to be aware that cyber criminals who may have targeted corporate or enterprise networks in the past are now targeting home Wi-Fi networks, as these are what the majority of people use these days to work and study.
In August 2019, long before the arrival of COVID-19 and the surge in home internet use, Consumer Reports found that most wireless routers lack basic security protections. In addition to reviewing models and explaining the differences, the magazine offered suggestions and quick fixes on how to make routers more secure.
"Routers are a critical part of our homes,” says Robert Richter, who oversees security and privacy testing for Consumer Reports. "They are the conduit through which all of your data travels."
1. Use Encryption on Your Wireless Network
Nearly all wireless routers come with the ability to choose an encryption protocol, such as Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3). By default, wireless encryption is turned off. Turning it on, and choosing the strongest protocol—WPA3—can strengthen your Wi-Fi security. If you are unsure how to do this, consult your ISP or the device manufacturer.
2. Limit Access To Your Network
Many users are unaware that you can block certain devices from attempting to connect to your wireless network. To do this, allow only specific devices access to your wireless network. Every hardware device that is able to communicate with a network—most smartphones, tablets, laptops, desktops, and printers—is assigned a unique identification number, known as a Media Access Control (MAC) address that is made up of six two-digit hexadecimal numbers separated by colons.
You can configure your wireless router to only allow devices with particular MAC addresses to access your home Wi-Fi network. In this way, devices that do not have an approved MAC address—set by you—cannot connect.
3. Secure Your Router
Router security is paramount to protecting your entire home Wi-Fi network. Here are a few steps you can take to quickly secure your router:
- Change the default name of the router.
- Change the default password of the router.
- Keep the router's software up to date.
- Disable any remote management features.
- Make sure that all of the devices connected to the network are also secure.
4. Use Firewalls
A firewall is not just a piece of software for your PC or laptop. There are also hardware firewalls to add another layer of protection. Many wireless routers come with a firewall built in, but you may need to turn it on. Contact your ISP for assistance if needed.
If your router does not come with a firewall, you can purchase one and install it.
5. Protect Your Wi-Fi Network During Mobile Access
Not surprisingly, there are apps that allow you to access your home network from a mobile device. This can be useful if you find that you are going to be away from home much longer than expected and you need to disable the network remotely.
However, app usage via a mobile device needs additional layers of security. Make sure to create a strong (20 characters, alphanumeric, and symbols) password for the app, and log out of the app when you are finished using it. Further, ensure that your phone has a strong password or has multi-factor authentication (MFA) installed. This prevents misuse of the phone and app—and access to your home Wi-Fi network—if the phone gets lost or stolen.
6. Change the Name of Your Default Wi-Fi Network
This is an often-overlooked security measure, but it remains important. Every Wi-Fi network or router has a "name" or a service set identifier (SSID). When consumers purchase home internet service, they receive a router that arrives with a predefined username and password on a sticker affixed to the device. It is important to change this. Even a name starting with an ISP, such as ATT, but followed by a seemingly incomprehensible string of letters and numbers, can alert hackers as to the service name.
Sophisticated cyber criminals are familiar with the device models of different service providers. As such, knowing which router is affiliated with which provider makes it easier for them to try and exploit any vulnerabilities. Changing the network name to your first or last name, or using any identifiable information is another no-no, as this can encourage another type of cyber crime: identity theft.
If you are unsure how to do this, consult your ISP or the device manufacturer.
7. Make Your Wireless Network Password Strong and Unique
This is perhaps one of the oldest pieces of advice for increasing security for any device or service. Your wireless network's password needs to be strong and unique—and changed frequently. A good, strong wireless password should be at least 20 characters and should include numbers, letters, and symbols.
Unlike other services that remind you to change or update your password, you will likely not receive these alerts from your ISP. Set reminders at least once per quarter to change your router's password.
8. Use VPNs To Access Your Network
A virtual private network (VPN) creates a secure connection between networks, generally between one that is not secure and one that is secure. VPNs are typically used by enterprises when employees are working from home or traveling and need to access a company's network via the internet.
Even though this might seem extravagant for simple, everyday home internet use, a VPN also encrypts data and can serve as an additional layer of security when using your home wireless network.
9. Regularly Run Software Updates for Your Router
Windows users have automatic updates for their PCs and laptops, but home routers do not automatically update their software, also known as firmware. Software updates usually include security patches, and the longer the time passes without updating your device's firmware, the more vulnerable the router is to security breaches.
The router's software will likely need to be updated manually. If you are unsure how to do this, contact your ISP or device manufacturer.
10. Disable Your Wireless Home Network While You’re Not at Home
If you need to be away from home for long stretches, disconnect the wireless network and power it down altogether. This reduces the possibility of cyber criminals gaining access when they know you are away. The only issue with disabling the wireless network while away is if you need it—ironically—for your internet-enabled home security or any connected Internet-of-Things (IoT) devices, such as lights or window shades that you have set to adjust while you are not at home.
Wireless Security Protocols
Wireless networks are not as secure as wired networks. Wired networks use a network cable to connect two points, whereas wireless networks broadcast data through the air within a limited range. Though there can be interference, any device within the range can be "listening."
As such, the Wi-Fi Alliance, over time, has approved wireless encryption protocols to provide stronger security for data transferred via a Wi-Fi connection.
Wired Equivalent Privacy or WEP
This was the very first security standard for wireless networks and was approved in September 1999. Wireless security was a new concept 20 years ago, and this was the accepted—and only—wireless security protocol. However, it was deemed difficult to configure.
Additionally, as with any aging software or standard, a host of vulnerabilities were soon discovered. Experts advise both home users and businesses to either upgrade their systems to the latest WPA standard, or if this is not possible, to completely upgrade their equipment. The Wi-Fi Alliance abandoned WEP in 2004.
One of the largest and most publicized data breaches, the attack on retailer T.J. Maxx in 2009, was traced back to its wireless network being configured with WEP. As a result, the PCI Security Standards Council prohibited retailers from processing credit card data using WEP.
Wi-Fi Protected Access or WPA
Because it was taking time for the Wi-Fi Alliance to approve the 802.11i wireless security standard, the WPA protocol was released in 2003 as a placeholder. There are two versions: WPA Personal, which uses a preshared key (PSK) and the Temporal Key Integrity Protocol (TKIP), and WPA Enterprise, which uses an authentication server to generate keys or certificates.
WPA would soon also be found vulnerable to threats and intrusions and was only in use for one year before WPA2 was introduced.
Wi-Fi Protected Access Version 2 or WPA2
Finalized in 2004, WPA2 was the long-awaited protocol based on the 802.11i wireless security standard. WPA2's most important improvement over WPA was its incorporation of the Advanced Encryption Standard (AES) for encryption.
Developed in 1997 by the National Institute of Standards and Technology (NIST), AES is a cipher chosen by the U.S. government to protect sensitive information. It has three different key lengths to encrypt and decrypt a block of messages: 128-bit, 192-bit, and 256-bit. AES is widely used for protecting data at rest in such applications as databases and hard drives. At the time of its rollout, it was the strongest encryption protocol for wireless connections.
Wi-Fi Protected Access Version 3 or WPA3
In June 2018, the Wi-Fi Alliance launched WPA3 as the "next generation" of Wi-Fi security. As with previous versions of WPA, WPA3 has different specifications for personal and enterprise networks. To ward off any brute-force attacks, WPA3-Personal users are protected more strongly than in the past from too many password-guessing attempts. WPA3-Enterprise users are able to access higher-grade security protocols in the form of authenticated encryption and key derivation and confirmation, among other measures.
To facilitate widespread adoption, WPA3 is interoperable with devices using WPA2.
How Fortinet Can Help
The Fortinet next-generation firewall (NGFW) filters network traffic to protect an organization from threats. More than simply a mechanism to block malware, NGFWs provide organizations with advanced visibility and control across the network.
As the threat landscape continues to evolve and becomes more sophisticated, Fortinet can help organizations of all sizes keep their critical assets and infrastructure safe as new cyber threats emerge.
The Fortinet NGFW is the centerpiece of the Fortinet Security Fabric platform, providing complete integration and automation across an organization’s entire security infrastructure. Every network device and appliance, whether virtual, in the cloud, or on-premises, needs to be protected from cyberattacks, unauthorized access, and data loss.