How to make your home Wi-Fi network more secure
Wi-Fi networks are the ubiquitous way that most of us connect to the Internet. Simpler than finding a wire to plug into our device (assuming our device can be plugged in at all), Wi-Fi has been providing network services ever since 1997 (and the original model it was built on traces all the way back to ALOHAnet in Hawaii in 1971. For more about how Wi-Fi came to be, check out this page). Despite this long history … or perhaps because Wi-Fi is such a big, seamless part of our lives, we often overlook Wi-Fi security, resulting in a variety of concerns ranging from the annoying to the potentially catastrophic.
Why do we care?
In almost every security presentation or document, there is a “scare the user” section … and this is that section. Here we’ll list all the horrible things that can happen if you don’t secure your Wi-Fi network. They’re listed from just annoying to horrifying.
Simply put, someone else can use your home Wi-Fi to access the internet. In most cases, this will merely increase the use of your network bandwidth (which, depending on your network provider, may impact your bill). But if they use your network connection to perform illegal activities, it can make your life very difficult. The last thing anyone wants is a knock on the door from the police due to illegal activity traced to your house. More likely, you would receive a copyright violation notice from your ISP, or possibly have your service terminated for copyright infringement.
2. Network capture/sniffing:
Looking at what someone else is doing on a computer network requires two things: access to that network and the ability to decode the traffic once you have that access. With Wi-Fi, access is easy … no physical connection is required, just someone close enough to access the radio signal (and with modern antennas, that can be surprisingly far away — up to a mile). As for decoding what you are up to online, while most internet traffic is encrypted by the application (thank you, TLS), not everything is protected … and you’d be surprised how much metadata about someone’s activities you can get from the unencrypted traffic. You can potentially tell what websites someone is visiting, even if you can’t see the web traffic itself.
3. Abusing network services:
Many people have network attached printers, file servers, cameras, home security systems, and other smart home devices. Most of these devices try very hard to make using them easy and intuitive … the last thing manufacturers want is to annoy their customers with too many steps. But the same features that make it easy for you to use may make it easy for an attacker to use as well. This can range from printing garbage to stealing data from your file servers to watching people via the camera and even unlocking your front door.
But there are ways to prevent all these problems. Below you’ll find ways to make your home network more secure. We’ve listed them from easy to hard, from most important to least important. At a high level, everyone should do steps 1 & 2, and should think about step 3. If you’re especially tech savvy, then step 4 is a good step to take, although it can make troubleshooting access issues a bit more difficult. Finally, step 5 isn’t a technical step, but is standard maintenance that everyone should consider.
The first step, and one that is more and more common by default on Wi-Fi devices, is to enable encryption. There are several Wi-Fi encryption standards, with different levels of rigor and difficulty to break. The standards began with WEP, followed by WPA, WPA2, and (launching soon) WPA3. As these levels have evolved, they’ve gotten harder and harder to crack, using the latest in cryptographic standards.
Setting up Wi-Fi encryption is a fairly straightforward task. For Google Fiber devices, the online support pages walk you through enabling WPA2 encryption on the network box (and here’s how to do it on Google WiFi). Other manufacturers will have other processes to enable Wi-Fi encryption, and if it isn’t done by default, it should be the first step you take when setting up your home network (search online if instructions are not included in the box).
Almost every Wi-Fi access point that ships today comes with a default SSID and default login credentials (aka admin password). This is handy and helpful for launching the device, but these defaults are often easily determined, printed on the side of the device, or both. As such, changing them to something you know that’s hard for others to guess is a great way to prevent someone from easily figuring out the credentials and taking over your Wi-Fi device.
Do you have smart home devices at home? Does half your house chirp if you say “Hey Google” or “Alexa”? Maybe an Android TV device for watching YouTube TV on your main set? If so, often these devices don’t need to be on the same network as your home computers, phones, tablets, and other computer devices.
Many newer Wi-Fi routers allow you to set up multiple SSIDs, sometimes also referred to as setting up a guest network in addition to your main one. In this way, you can separate your smart home devices from your main household network, isolating devices that don’t need to talk to the printer or file servers or the like off into their own space. With the explosion of devices that simply connect to the internet, there is no reason to allow them to access other local devices.
Most Wi-Fi routers have the ability to lock down an SSID so that only devices with approved MAC addresses can use them. At a high level, a MAC address is a unique identifier that every network device has for identifying it on the local network. While the IP address assigned to that device may change, the MAC will stay the same.
Given this, if you know the MAC addresses of the devices in your house, you can lock your Wi-Fi so that ONLY those devices can access the network. So even if an attacker was able to get the SSID and encryption information, they still couldn’t access the network as their device wouldn’t be on the approved list.
So at this point, you’ve set up your home router: It is encrypted, with a personalized SSID, and has new admin credentials. You may also have set up multiple networks to separate devices that don’t need to talk to each other. Perhaps you’ve even gone to the effort of locking devices by MAC address. You’ve done the key technical steps, and now it’s time to think about maintenance.
Just like you change the oil in your car, the filters in your furnace/AC, or the batteries in your smoke detectors, so you also need to update and change the settings of your Wi-Fi every 6 months or so:
The first thing to do is check for updates. Similar to how the OS on your phone/computer/etc receives new versions, there will also be new versions of the firmware that runs your Wi-Fi router. Check to make sure you’re running the latest version — if you aren’t sure how to do this for your device, do an online search with your model name/number and “firmware update.”
Review your router logs. Check to make sure you know all the devices that are on your network. If you set up MAC address filtering, verify all those devices are still in use. If you threw something out, then make sure you’ve removed it from the approved address list.
Rotate the encryption key. This is going to be annoying, there is no way to get around that. Every device on that SSID will need to be updated with the new key. But if you did have someone who had figured out the key and was surreptitiously using your Wi-Fi, rotating the key will knock them off your network.
Change the admin credentials. Similar to underwear, passwords should not be shared and should be changed regularly.
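One way to do the log review and approved-list check described above, as an added example that is not part of the original post. It assumes the router can export its DHCP lease list in dnsmasq's "expiry mac ip hostname client-id" layout; the addresses, labels, and function names are constructed for illustration.

```python
import re

# Constructed sample data (not from a real router). Lease lines follow the
# dnsmasq layout "expiry mac ip hostname client-id"; other routers differ.
APPROVED = {
    "3C:5A:B4:10:22:01": "laptop",
    "3c-5a-b4-10-22-02": "printer",
    "3C:5A:B4:10:22:03": "old tablet (thrown out?)",
}
LEASES = """\
1893456000 3c:5a:b4:10:22:01 192.168.1.20 laptop 01:3c:5a:b4:10:22:01
1893456000 3c:5a:b4:10:22:02 192.168.1.21 printer *
1893456000 da:a1:19:7e:40:9c 192.168.1.37 * *
1893456000 00:1b:63:aa:bb:cc 192.168.1.52 unknown-cam *
"""

def normalize(mac):
    """Canonical form: lowercase, colon-separated; None if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, as it is for the
    randomized 'private' addresses many phones present per network."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(approved, lease_text):
    """Compare devices seen in the lease list against the approved list."""
    allow = {normalize(m): label for m, label in approved.items()}
    seen = {}
    for line in lease_text.splitlines():
        fields = line.split()
        mac = normalize(fields[1]) if len(fields) >= 3 else None
        if mac:
            seen[mac] = fields[2]
    unknown = sorted(m for m in seen if m not in allow)
    return {
        "unknown": unknown,  # on the network but not on the approved list
        "randomized": [m for m in unknown if is_locally_administered(m)],
        "stale": sorted(allow[m] for m in allow if m not in seen),
    }

if __name__ == "__main__":
    for kind, items in audit(APPROVED, LEASES).items():
        print(f"{kind}: {items}")
```

An entry under "randomized" is often one of your own phones presenting a private address, so check the device's Wi-Fi settings before treating it as an intruder. A "stale" entry may simply be a device that is switched off.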
Wi-Fi is here to stay and will remain the main way we’ll be getting online for the foreseeable future. By taking a little bit of time, you can make sure that there are no security surprises lurking on your home network.
* Yes, MAC addresses can be changed, but that is rare, and highly unusual.
Posted by Chris Roosenraad, Head of Security, Privacy, & Trust.