How to lock down your wireless network and find rogue devices that could be stealing your data.
Whether you’re a home or business user, identifying who and what is on your network is as important as ever. Even if you’re on a fast, generous broadband plan, there are still major potential problems if your wireless network is compromised.
An unauthorised user could be streaming pirated movies, hogging your bandwidth and, potentially, landing you in a spot of legal bother. They could be indulging in more nefarious activity, maybe even trying to hack into your systems.
Avast recently scanned over 4.3 million routers and found 48% had some sort of vulnerability. Thankfully, there are plenty of tools and tricks to identify who's on your connection and how to get rid of them.
1. Change the admin password
If you want to know what your wireless network is up to, you’ll need to roll up your sleeves, open your browser and head straight for your router’s admin panel. It will be an IP address such as 192.168.0.1 but you’ll need to consult the manufacturer’s manual or search their website for the exact address.
Alternatively, you can head over to routerpasswords.com – most makes and models are listed there, complete with login details. And if that doesn't convince you to change your router from the default settings, nothing will...
Default login settings should only be used to get up and running out of the box, after which you should change the password to something long and complex, and change the username if your router allows it. Long and random is great passkey advice, which is almost always ignored on the basis that people want to join the Wi-Fi network without any hassle. Well, duh! Ask yourself this: how often does any user actually have to enter the Wi-Fi password manually? Certainly within the home, and for many small-business scenarios, the answer is usually hardly ever after the initial setup.
A key that's over 20 characters long, with a randomly generated mix of upper and lower-case alpha-numericals, with special characters, is your best bet. Tools such as this one from LastPass can produce randomly generated and secure passwords.
2. Don't broadcast your router details
While you're in your router settings, you should change your service set identifier (SSID). This is the name of your network that the outside world sees; it commonly defaults to the router manufacturer's name. In light of how easy it is to find admin logins online, best not make the hackers life any easier than it already is.
A determined hacker isn't going to be prevented from detecting and accessing your network simply because there's no SSID being broadcast, but using a random name rather than the factory default makes sense. Not least as it suggests the user is more security savvy than someone who is still broadcasting the router manufacturer.
3. Disable Wi-Fi-Protected Setup
Wi-Fi-Protected Setup (WPS) uses the press of a button, or entry of a PIN number, to establish an encrypted connection between a device that supports it and your network. Advising users to disable WPS may appear counter-intuitive, but it's broken. It makes use of what appears to be an eight-digit PIN code – but looks can be deceiving. The last number is always a check digit, so already the PIN is reduced to seven numbers, which makes brute-forcing much easier. As does the fact that most routers don't include a cooling-off timeout between WPS guesses.
Here comes the stinger, though: as far as validation is concerned, the first four digits are seen as a single sequence, as are the final three. That means the possible number of combos just shrank from over ten million to around 11,000. No wonder pen-testing tools such as Reaver can brute-force WPS in a matter of seconds.
4. Update your firmware
Research has shown that only around 14% of broadband users have updated their router firmware. If you're one of the 86%, though, do it today. Updating your router firmware boosts your security at no cost and in very little time, yet it's a step that most home and small-business users fail to take.
Why? Because our mindset is wrong. In the home, and in many small businesses, the concept of “patch management” doesn't exist – but it should. We're all used to watching Windows disappear into the land of suspended resource time as it installs an update, after all. The majority of routers will have an automatic update option, so hunt it down and enable it. Be advised that sometimes a firmware upgrade might default the router back to original settings – do a quick check afterwards to be on the safe side.
5. Sniff out rogue devices
Now we've covered most of the major security precautions you could take, how might you discover who's actually using your Wi-Fi? You can do this from your router’s control panel, and it varies from router to router as to where the option will be. Netgear routers, for example, list the connected devices list in a Maintenance menu.
There are lots of tools out there to help you do the same, and they don't have to be as complex as something such as Nmap.
One of our favourites is Fing for iOS or Android (pictured above). This app scans any IP range and shows what's connected – and in plain English, where possible. So whereas the BT router will often only list a device's IP address, Fing usually spells out the device's manufacturer, making it easier to identify the dozens of devices we have connected these days.
If the numbers don't add up, it's a good idea to determine why. If you only have a laptop, a phone, an Android-powered TV set and a printer connected to your hub, why are there nine devices using your Wi-Fi? And how do you know how many people are using it and what those devices are?
See something you don't recognise and Fing will, at the touch of a button, reveal the information you need to block it from your router admin gateway. That you can do all of this from your smartphone, anywhere in the home or office, makes keeping tabs on who's using your Wi-Fi hassle-free.
Next: Advanced wireless security tips