Monday, June 16, 2014

How secure is your home WiFi?


Do you have WiFi at home? Do you have a mobile Hotspot? Maybe you have a small business or a Church with a WiFi wireless network. 
The next question might be a little more difficult to answer:  How secure is that WiFi? 

Most people don't give this a lot of thought.  As long as they can connect to their wireless network and access the internet in order to check email or watch Netflix, then they don't give their wireless network another thought.  But the real question is, "Should you"?

How would you like someone accessing your network, using the public IP address of your network, and doing nefarious things on the internet?  They could be viewing or downloading kiddie porn across your network, downloading illegal media, or even just sucking up your bandwidth by streaming or downloading large amounts of data thereby reducing the throughput potential of your network for your own use.  That means your favorite Netflix or YouTube video will not be able to stream properly and result in a large amount of buffering.  This kind of activity can also lead to your Internet Service Provider (ISP) reducing or blocking your service, or even to the authorities showing up at your doorstep with a warrant to arrest you and seize your computers.  While you might be able to prove that you are innocent, you will still need to pay the cost to prove the illegal activity was not you.

So, how can you protect yourself you might ask?  Well the answer comes back to the question first asked: How secure is your wireless network?  In other words, is your wireless network wide open so anyone may access it or is it secured and access limited with a passcode?  There are also some other basic settings that should be configured  to help optimize the speed and security of your network.

The first thing to do is to figure out how to log into your router.  This is usually done by visiting an internally hosted website which within the router itself.  This site is for administration purposes and is technically only accessible to the internal network but not easily from the the external network, better known as the public internet.  Consult your owners manual for the web address for this admin site for your specific router, but for most routers the web address is: http://192.168.1.1

Once you open this website, the router will ask you to log in.  Since this is the main admin site where you will set all the configuration options for the router, it is secured by a username and password.  The user name should be "admin", but once again please consult the documentation for your specific router as it might be different.  The default password is usually one of the following: "" (No password), "admin", "12345", or "password".  If you have visited here before, you may have changed the password already.  Enter in the login credentials, username and password, for your router.

Once you are logged into your router, you should see the configuration or setup page specific to your router.  Each one is slightly different and have the various setting organized in different ways, but most all routers present the basic settings which we will cover here in this discussion.  I will use the following Linksys screen shots for reference when describing the various settings, but keep in mind that your settings might be in a different section or labeled slightly different based on your router.

Below are the various things in your setting which you will want to set in order to secure your router and wireless network.

1) DHCP
This is used to dynamically assign IP (Internet Protocol) addresses on your local network.  Every device that wants to, and you allow to, connect to your local network will need an IP address.  The router handles this using the range of IP addresses specified in this setting.
First make sure DHCP is enabled, then verify the start IP address and either the ending IP address or the number of DHCP addresses to use.  If, as shown below in the Linksys example, the setting requires a starting address and a number of DHCP addresses, make sure that the resulting ending IP address will not be greater then 254.  In other words, if your starting IP address is 192.168.1.100 (where 100 is the number you entered), and the number of DHCP address you entered to allow is 155.  Then this would result in an ending IP address of 192.168.1.254.  However, if you entered 157, this would result in an ending address of 192.168.1.256 which is an invalid address and will result in an error.


2) SSID and WPS
This is your wireless network ID or the name of your network.  This ID is the name that you see when you search for a wireless network within windows or on your phone.  To be extra secure, you can "hide" this ID by turning off the option to Broadcast the SSID.  This means that when you scan for wireless networks, your network ID will not popup as being an available option, i.e. It will be hidden.  To connect,  you would have to type in the network ID and connect manually every time you want to connect.  But I do not recommend this as it becomes a pain because your devices will never automatically connect to your network either.  So level the Broadcast SSID option set to true.  
Set the SSID to a name that means something to you, but it is best not to leave it as the default of "Linksys G***" or whatever.  The reason is that leaving the SSID as the default will give would be criminals information about your network which would allow them to possibly compromise it if desired.  Also renaming your network to something you recognize will help you identify your network instead of a neighbor's network.
For Network Mode, choose the "Mixed" option.  The reason is that this will allow the greatest range of devices to connect to your wireless router.  If you are absolutely certain that you know that only one kind of device may be connecting to your network, like maybe only Wireless-N network cards, then you can choose that option.  But as a general rule, the safer choice is "Mixed"
For the Radio Band and Wide Channel options, you can change those, but again when you change them from the defaults, you are limiting the devices that might be able to connect.  So the recommended option is to leave them as their defaults.
If given the option to turn off WPS (Wi-Fi Protected Setup), make sure that this is either set to Manual, off, or changed away from WPS.  WPS can be used as an exploit to gain access into your network.


3) Wireless Security
Wireless security is another area that is commonly overlooked in setting up a private WiFi network.  To enable wireless security, navigate to that option in the menu structure for your device, then select the Security Mode of WPA2 Personal (or WPA2/WPA - or sometimes it is listed as WPA2-PSK).  Then if given the option, choose the WPA Algorithm of "TKIP+AES".  Next create a Pass-phrase with which you will use to connect to the network.  This should be a phrase which means something to you and is at least 10 characters long.
The other Security Mode settings are:

  • WEP (Wired Equivalent Privacy) - This is a Wireless security mode that was introduced with the original 802.11 wireless network standard. While it does offer some encryption and protection, it's algorithms can easily be broken.  This makes it almost as unfavorable as leaving your network without encryption.
  • WPA (Wi-Fi Protected Access) - This wireless security mode was created in order to address the security concerns, but still was lacking higher encryption standards and had a few vulnerability which could be exploited allowing people to access a secure network.
  • WPA2 (Wi-Fi Protected Access II) - This wireless security mode was release to supersede WPA and included AES encryption which helped eliminate the risk of attackers being able to breach the network directly.  Although both WPA and WPA2 both still have a vulnerability in terms of the WPS (Wireless Protected Setup) function.  If this function is disabled, then the vulnerability is removed.


If you'd like to learn more about the different Wireless Security Modes, visit this Blog about The Difference Between WEP WPA and WPA2

4) Change default password for the admin account.
This is a very important step.  It is highly recomended that you not only change the Default SSID, but you should also change the admin password as well so that others are not able to easily gain access to your router. The reason this would be bad is that if someone got access to your router, they could change your passwords, change your network ID, exclude your devices from connecting, or even set up more advanced networking options without you being aware.  I suggest using a password safe like www.LastPass.com to generate a random password and then store it do you don't have to worry about remembering it.


So, what happens if you forget your new Admin password or you mess up some settings and don't know how to get them back to a working state? 
Well luckily the answer is easy for most modern devices these days. Usually on the back, but sometimes on the front, there is a small round push button. If you use a pencil or a paper clip, push that button in for at least 10 seconds, maybe 30 seconds for some devices. This will perform a hard reset and change all router settings back to the factory defaults. Once back to the defaults, you can reapply your changes. 

I hope this helps you in setting up your own home wireless network and maybe even with  help troubleshooting issues with your router. Please feel free to add your own nuggets of information about your wireless networking experience in the comments below.