If you have attended any of my presentations of WLAN/Wi-Fi Security or even my Security Courses,you know that the design of WLAN/Wi-Fi networks leaves a lot to be desired when it comes to security. This is also evidenced by the law suit against Amazon with hackers allegedly controlling Ring cameras.
Like a teeter totter, Security is always a trade off between ease of use and difficult to break into. You have to find balance between these two end points and what works for you.
The bottom line is that ordinary people like you and I are a key part of the security equation. While we cannot change the design flaws of the equipment or standards, we can very much reduce the vulnerabilities through good practices. Searching the web you will find good suggestions for the most part, but I have found them to be lacking in one way or another, especially when it comes to thoroughness.
I think in this time of short attention spans, and shock information, not enough time is spent contemplating the issues and listening to detailed advice. When it comes to security, one little weakness is all it takes to bring down an entire system or network. Invest some time, and read the advice below.
Everyone is vulnerable when it comes to WLAN/Wi-Fi, even those in the countryside. You cannot prevent someone from scanning your network. To verify this go to https://www.wigle.net/index and search for your address. Have you been scanned? Another place to look is https://www.shodan.io/
So here are my "Best Practices for Consumer WLAN/Wi-Fi Security":
Do not trust the built-in security alone of any WLAN/Wi-Fi system. Understand the the inherent security of WLAN/Wi-Fi is not good. Your WLAN/Wi-Fi traffic is not 100% encrypted, and it never has been. Understand this, and assume that it is not.
ALWAYS use HTTPS:// when browsing to any web site because that guarantees that the traffic you are sending and receiving is encrypted.
If you don't already know, use strong passwords, and only use WPA2 or WPA3. Frankly we should not even say passwords anymore, we should say pass phrases. Use sentences without spaces: "Ineedtostartworkby800am!" is a great, easy to remember, almost uncrackable pass-phrase. Always replace default passwords. Lastly, change them routinely, like every quarter.
Use different passwords/passphrases and manage then using a password manager. Think about this: if you use the same password over and over and one of your sites that you have an account on is compromised, and your password is leaked, now the people with your password for that site can access all the other sites you have accounts on! Here is an answer for this: use a passphrase that increments like "IwishmybirthdaywasonJanuary10th!" You can increment the month or the date, or both. This also works for regularly changing the passphrase on a particular site.
Your wireless SSID: this is the name of your wireless network that is seen by anyone near your wireless router (assume 100 yards). Use the SSID that your service provider requires, but make sure it does not contain your name, or any other identifying factor for your home. Never use the default factory SSID (examples: dlink, Linksys, 2wire, Netgear, ATT, etc.). Further, make sure your SSID is not on this list: https://www.wigle.net/stats#ssidstats
Don’t use first or last name, address, phone number, or anything else personal. Broadcasting personal information identifies who owns the network, and may aid the hacker in cracking the wireless password.
Be unique when selecting an SSID, but too much creativity may draw attention to the networks name along with attempts to hack the network.
With a maximum of 32 characters you have some creative capabilities, but also think camouflage, so the network name blends in with the other networks in range and does not stand out.
Follow these rules even if your SSID is hidden or not being broadcast. Hidden network SSID's can very easily be discovered and they are not immune.
Turn off devices that act as Access Points (like printers, some Wi-Fi Cameras, etc.) when you do not need them to be WLAN/Wi-Fi access points. This will reduce interference with your actual Access Point and reduce your vulnerabilities.
Make sure that systems like IP Cameras, security systems, computers you do your banking on, in other words systems that you depend on are wired via Ethernet, not on the WLAN/Wi-Fi. This is not a guarantee, but it will minimize those systems being exposed to someone listening to your wireless network.
Don't let anyone other than authorized technical service people touch, or change settings on your wireless router. If your service provider allows you administrative access to the wireless router configuration, take the same precautions with using passwords mentioned above. In some cases you may need to access the system remotely, while away, but if this is not necessary, disable remote access to the configuration.
Disable WPS - this system to ease wireless connectivity is horribly flawed. No exceptions.
Disable WEP security - this system is also horribly flawed. No exceptions.
This is going to sound a little counter-intuitive, but you should limit WLAN/Wi-Fi signal strength wherever possible. The goal should be to provide enough signal only to the areas where it’s required. Your WLAN/Wi-Fi network signal can reach way beyond building walls and out into public spaces, and when that happens, you risk allowing bad actors to attempt to connect to your network or interfere with the operation of your network.
Having your Access Point (or AP) in the right place is critical to good operation of your wireless network, and it is good for controlling how far your signal goes beyond where you want. Understand that this is not always possible, but making good trade-off's here is important.
Make sure you know how to control the channel (if your service provider allows this), and manually set it to minimize interference.
Use both 2.4 GHz and 5 GHz with different SSID's so you know which network you are on. 5 Ghz tends to travel less far, which is good to control access, but bad if you need distance. Again, these are trade-offs.
Be prepared to adjust over time, especially in populous areas.
Pay very close attention to any changes: things like having to reconnect to the wireless network unexpectedly. Make sure your system connect to the right wireless networks. I can easily trick you into connecting to an insecure network using the same SSID as yours, unless you are vigilant. This is easier to imagine in more crowded environments, but nonetheless it applies to all of us.
It is a pain, but I prefer NOT to connect automatically to networks. This ensures that I am always in control.
If you are detailed oriented, look closely at the MAC addresses of your system and the wireless router. Make sure these MAC addresses are always in play and not some rogue MAC address.
Giving out your SSID passphrase is an issue as you are extending your circle of trust. I prefer, if it is available, to have a guest wireless network with a relatively simple passphrase like "Welcometoournetwork!" or "ThewaytotheInternet!" that I change routinely. Guest networks can be set up on most modern wireless routers (ask your service provider for help here).
Turn these off when not needed.
Change the passphrase routinely.
You will be helping to educate your friends and family on how they should set up their own networks!
Ultimately, there are always weak spots in every network. Know where they are. Know how to occasionally scan your network if you suspect something is not right (I will add a link on how to do this here). Or, simply reset the system and change the passphrases. This always puts any possible bad actors back to square one.
I hope this helps you to secure your home or small business wireless network.
What am I missing? Please feel free to comment below.
P.S. Corporate networks are a bit more involved, though fundamentally everything above applies. I will write a separate article on that.