October 31, 2023
How to make your home network more secure and less scary
October is Cybersecurity Awareness Month- a month dedicated to raising awareness of the importance of cybersecurity. Because nothing is scarier than having your Wi-Fi hacked, we've updated this classic blog to help you keep your network safer everyday. No need to feel any deja boo, keeping your Wi-Fi security up-to-date can help keep internet boogeymen at bay.
Most of us use Wi-Fi networks to connect to the Internet. It’s so easy to get online over Wi-Fi that it can be easy to overlook Wi-Fi security, and that can cause some problems from the minorly scary (think Haunted Mansion) to majorly terrifying (Shining-level).
Why do we care?
In almost every security presentation or document, there is a “scare the user” section … and this is that section. Here we’ll list all the horrible things that can happen if you don’t secure your Wi-Fi network. They’re listed from just annoying to horrifying.
But there are ways to prevent all these problems. Below you’ll find ways to make your home network more secure. We’ve listed them from easy to hard, from most important to least important. At a high level, everyone should do steps 1 & 2, and should think about step 3. If you’re especially tech savvy, then step 4 is a good step to take, although it can make troubleshooting access issues a bit more difficult. Finally, step 5 isn’t a technical step, but is standard maintenance that everyone should consider.
Step 1: Encryption
The first step, and one that is more and more common by default on Wi-Fi devices, is to enable encryption. There are several Wi-Fi encryption standards, with different levels of rigor and difficulty to break. Starting with WEP, then came WPA, WPA2, and WPA3. As these levels have evolved, they’ve gotten harder and harder to crack, using the latest in cryptographic standards.
Setting up Wi-Fi encryption is a fairly straightforward task. For Google Fiber devices, the online support pages walk you through enabling WPA3 encryption on the network box (and here’s how to do it on Google WiFi). Other manufacturers will have other processes to enable Wi-Fi encryption, and if it isn’t done by default, it should be the first step you take when setting up your home network (search online if instructions are not included in the box).
Step 2: Obfuscation
Almost every Wi-Fi access point that ships today comes with a default SSID and default login credentials (aka admin password). This is handy and helpful for launching the device, but these defaults are often easily determined, printed on the side of the device, or both. As such, changing them to something you know that’s hard for others to guess is a great way to prevent someone easily figuring out the credentials and taking over your Wi-Fi device.
The same page that shows how to set up encryption on the Google Fiber network box also walks through changing the SSID and password (check here for how to do this on Google WiFi).
Step 3: Separation
Do you have smart home devices at home? Does half your house chirp if you say “Hey Google” or “Alexa”? Maybe an Android TV device for watching YouTube TV on your main set? If so, often these devices don’t need to be on the same network as your home computers, phones, tablets, and other computer devices.
Many newer Wi-Fi routers allow you to set up multiple SSIDs, sometimes also referred to as setting up a guest network in addition to your main one. In this way, you can separate your smart home devices from your main household network, isolating devices that don’t need to talk to the printer or file servers or the like off into their own space. With the explosion of devices that simply connect to the internet, there is no reason to allow them to access other local devices.
Step 4: Authorization
Most Wi-Fi routers have the ability to lock down an SSID so that only devices with approved MAC addresses can use them. At a high level, a MAC address is a unique* identifier that every network device has for identifying it on the local network. While the IP address assigned to that device may change, the MAC will stay the same*.
Given this, if you know the MAC addresses of the devices in your house, you can lock your Wi-Fi so that ONLY those devices can access the network. So even if an attacker was able to get the SSID and encryption information, they still couldn’t access the network as their device wouldn’t be on the approved list.
Step 5: Rotation/Validation
So at this point, you’ve set up your home router: It is encrypted, with a personalized SSID, and has new admin credentials. You may also have set up multiple networks to separate devices that don’t need to talk to each other. Perhaps you’ve even gone to the effort of locking devices by MAC address. You’ve done the key technical steps, and now it’s time to think about maintenance.
Just like you change the oil in your car, the filters in your furnace/AC, or the batteries in your smoke detectors, so you also need to update and change the settings of your Wi-Fi every 6 months or so:
Wi-Fi is here to stay and will remain the main way we’ll be getting online for the foreseeable future. By taking a little bit of time, you can make sure that there are no security surprises lurking on your home network.
Posted by Chris Roosenraad, Head of Security, Privacy, & Trust.
* Yes, MAC addresses can be changed, but that is rare, and highly unusual.
Most of us use Wi-Fi networks to connect to the Internet. It’s so easy to get online over Wi-Fi that it can be easy to overlook Wi-Fi security, and that can cause some problems from the minorly scary (think Haunted Mansion) to majorly terrifying (Shining-level).
Why do we care?
In almost every security presentation or document, there is a “scare the user” section … and this is that section. Here we’ll list all the horrible things that can happen if you don’t secure your Wi-Fi network. They’re listed from just annoying to horrifying.
- Piggybacking:
Simply put, someone else can use your home Wi-Fi to access the internet. In most cases, this will merely increase the use of your network bandwidth (which, if you are using a network provider other than GFiber, may also impact your bill). But if they use your network connection to perform illegal activities, it can make your life very difficult. The last thing anyone wants is a knock on the door from the police due to illegal activity traced to your house. Or more likely receiving a copyright violation notice from your ISP or possibly having your service terminated for copyright infringement.
- Network capture/sniffing:
Looking at what someone else is doing on a computer network requires two things: access to that network and the ability to decode the traffic once you have that access. With Wi-Fi, access is easy … no physical connection is required, just someone close enough to access the radio signal (and with modern antennas, that can be surprisingly far away — up to a mile). As for decoding what you are up to online, while most internet traffic is encrypted by the application (thank you TLS, not everything is protected … and you’d be surprised how much metadata about someone’s activities you can get from the unencrypted traffic. You can potentially tell what websites someone is visiting, even if you can’t see the web traffic itself.
- Abusing network services:
Many people have network attached printers, file servers, cameras, home security systems, and other smart home devices. Most of these devices try very hard to make using them easy and intuitive … the last thing manufacturers want is to annoy their customers with too many steps. But the same features that make it easy for you to use may make it easy for an attacker to use as well. This can range from printing garbage to stealing data from your file servers to watching people via the camera and even unlocking your front door.
But there are ways to prevent all these problems. Below you’ll find ways to make your home network more secure. We’ve listed them from easy to hard, from most important to least important. At a high level, everyone should do steps 1 & 2, and should think about step 3. If you’re especially tech savvy, then step 4 is a good step to take, although it can make troubleshooting access issues a bit more difficult. Finally, step 5 isn’t a technical step, but is standard maintenance that everyone should consider.
Step 1: Encryption
The first step, and one that is more and more common by default on Wi-Fi devices, is to enable encryption. There are several Wi-Fi encryption standards, with different levels of rigor and difficulty to break. Starting with WEP, then came WPA, WPA2, and WPA3. As these levels have evolved, they’ve gotten harder and harder to crack, using the latest in cryptographic standards.
Setting up Wi-Fi encryption is a fairly straightforward task. For Google Fiber devices, the online support pages walk you through enabling WPA3 encryption on the network box (and here’s how to do it on Google WiFi). Other manufacturers will have other processes to enable Wi-Fi encryption, and if it isn’t done by default, it should be the first step you take when setting up your home network (search online if instructions are not included in the box).
Step 2: Obfuscation
Almost every Wi-Fi access point that ships today comes with a default SSID and default login credentials (aka admin password). This is handy and helpful for launching the device, but these defaults are often easily determined, printed on the side of the device, or both. As such, changing them to something you know that’s hard for others to guess is a great way to prevent someone easily figuring out the credentials and taking over your Wi-Fi device.
The same page that shows how to set up encryption on the Google Fiber network box also walks through changing the SSID and password (check here for how to do this on Google WiFi).
Step 3: Separation
Do you have smart home devices at home? Does half your house chirp if you say “Hey Google” or “Alexa”? Maybe an Android TV device for watching YouTube TV on your main set? If so, often these devices don’t need to be on the same network as your home computers, phones, tablets, and other computer devices.
Many newer Wi-Fi routers allow you to set up multiple SSIDs, sometimes also referred to as setting up a guest network in addition to your main one. In this way, you can separate your smart home devices from your main household network, isolating devices that don’t need to talk to the printer or file servers or the like off into their own space. With the explosion of devices that simply connect to the internet, there is no reason to allow them to access other local devices.
Step 4: Authorization
Most Wi-Fi routers have the ability to lock down an SSID so that only devices with approved MAC addresses can use them. At a high level, a MAC address is a unique* identifier that every network device has for identifying it on the local network. While the IP address assigned to that device may change, the MAC will stay the same*.
Given this, if you know the MAC addresses of the devices in your house, you can lock your Wi-Fi so that ONLY those devices can access the network. So even if an attacker was able to get the SSID and encryption information, they still couldn’t access the network as their device wouldn’t be on the approved list.
Step 5: Rotation/Validation
So at this point, you’ve set up your home router: It is encrypted, with a personalized SSID, and has new admin credentials. You may also have set up multiple networks to separate devices that don’t need to talk to each other. Perhaps you’ve even gone to the effort of locking devices by MAC address. You’ve done the key technical steps, and now it’s time to think about maintenance.
Just like you change the oil in your car, the filters in your furnace/AC, or the batteries in your smoke detectors, so you also need to update and change the settings of your Wi-Fi every 6 months or so:
-
The first thing to do is check for updates. Similar to how the OS on your phone/computer/etc receives new versions, there will also be new versions of the firmware that runs your Wi-Fi router. Check to make sure you’re running the latest version — if you aren’t sure how to do this for your device, do an online search with your model name/number and “firmware update.”
-
Review your router logs. Check to make sure you know all the devices that are on your network. If you set up MAC address filtering, verify all those devices are still in use. If you threw something out, then make sure you’ve removed it from the approved address list.
-
Rotate the encryption key. This is going to be annoying, there is no way to get around that. Every device on that SSID will need to be updated with the new key. But if you did have someone who had figured out the key and was surreptitiously using your Wi-Fi, rotating the key will knock them off your network.
-
Change the admin credentials. Similar to underwear, passwords should not be shared and should be changed regularly.
Wi-Fi is here to stay and will remain the main way we’ll be getting online for the foreseeable future. By taking a little bit of time, you can make sure that there are no security surprises lurking on your home network.
Posted by Chris Roosenraad, Head of Security, Privacy, & Trust.
* Yes, MAC addresses can be changed, but that is rare, and highly unusual.