How to lock down your wireless network and find rogue devices that could be stealing your data.
Whether you’re a home or business user, identifying who and what is on your network is as important as ever. Even if you’re on a fast, generous broadband plan, there are still major potential problems if your wireless network is compromised.
An unauthorised user could be streaming pirated movies, hogging your bandwidth and, potentially, landing you in a spot of legal bother. They could be indulging in more nefarious activity, maybe even trying to hack into your systems.
Avast recently scanned over 4.3 million routers and found 48% had some sort of vulnerability. Thankfully, there are plenty of tools and tricks to identify who's on your connection and how to get rid of them.
1. Change the admin password
If you want to know what your wireless network is up to, you’ll need to roll up your sleeves, open your browser and head straight for your router’s admin panel. It will be an IP address such as 192.168.0.1 but you’ll need to consult the manufacturer’s manual or search their website for the exact address.
Alternatively, you can head over to routerpasswords.com – most makes and models are listed there, complete with login details. And if that doesn't convince you to change your router from the default settings, nothing will...
Default login settings should only be used to get up and running out of the box, after which you should change the password to something long and complex, and change the username if your router allows it. Long and random is great passkey advice, which is almost always ignored on the basis that people want to join the Wi-Fi network without any hassle. Well, duh! Ask yourself this: how often does any user actually have to enter the Wi-Fi password manually? Certainly within the home, and for many small-business scenarios, the answer is usually hardly ever after the initial setup.
A key that's over 20 characters long, with a randomly generated mix of upper and lower-case alpha-numericals, with special characters, is your best bet. Tools such as this one from LastPass can produce randomly generated and secure passwords.
2. Don't broadcast your router details
While you're in your router settings, you should change your service set identifier (SSID). This is the name of your network that the outside world sees; it commonly defaults to the router manufacturer's name. In light of how easy it is to find admin logins online, best not make the hackers life any easier than it already is.
A determined hacker isn't going to be prevented from detecting and accessing your network simply because there's no SSID being broadcast, but using a random name rather than the factory default makes sense. Not least as it suggests the user is more security savvy than someone who is still broadcasting the router manufacturer.
3. Disable Wi-Fi-Protected Setup
Wi-Fi-Protected Setup (WPS) uses the press of a button, or entry of a PIN number, to establish an encrypted connection between a device that supports it and your network. Advising users to disable WPS may appear counter-intuitive, but it's broken. It makes use of what appears to be an eight-digit PIN code – but looks can be deceiving. The last number is always a check digit, so already the PIN is reduced to seven numbers, which makes brute-forcing much easier. As does the fact that most routers don't include a cooling-off timeout between WPS guesses.
Here comes the stinger, though: as far as validation is concerned, the first four digits are seen as a single sequence, as are the final three. That means the possible number of combos just shrank from over ten million to around 11,000. No wonder pen-testing tools such as Reaver can brute-force WPS in a matter of seconds.
4. Update your firmware
Research has shown that only around 14% of broadband users have updated their router firmware. If you're one of the 86%, though, do it today. Updating your router firmware boosts your security at no cost and in very little time, yet it's a step that most home and small-business users fail to take.
Why? Because our mindset is wrong. In the home, and in many small businesses, the concept of “patch management” doesn't exist – but it should. We're all used to watching Windows disappear into the land of suspended resource time as it installs an update, after all. The majority of routers will have an automatic update option, so hunt it down and enable it. Be advised that sometimes a firmware upgrade might default the router back to original settings – do a quick check afterwards to be on the safe side.
5. Sniff out rogue devices
Now we've covered most of the major security precautions you could take, how might you discover who's actually using your Wi-Fi? You can do this from your router’s control panel, and it varies from router to router as to where the option will be. Netgear routers, for example, list the connected devices list in a Maintenance menu.
There are lots of tools out there to help you do the same, and they don't have to be as complex as something such as Nmap.
One of our favourites is Fing for iOS or Android (pictured above). This app scans any IP range and shows what's connected – and in plain English, where possible. So whereas the BT router will often only list a device's IP address, Fing usually spells out the device's manufacturer, making it easier to identify the dozens of devices we have connected these days.
If the numbers don't add up, it's a good idea to determine why. If you only have a laptop, a phone, an Android-powered TV set and a printer connected to your hub, why are there nine devices using your Wi-Fi? And how do you know how many people are using it and what those devices are?
See something you don't recognise and Fing will, at the touch of a button, reveal the information you need to block it from your router admin gateway. That you can do all of this from your smartphone, anywhere in the home or office, makes keeping tabs on who's using your Wi-Fi hassle-free.
Next: Advanced wireless security tips
6. Try a different DNS server
Just as you can install an alternative to the firmware that runs your router, you can choose a different Domain Name System (DNS) server instead of the ISP default. There may come a time when the DNS servers used by your ISP come under attack, by a distributed denial-of-service (DDoS) attack, for example, or someone changing the DNS to effect a cloned banking fraud. The bigger ISPs are a target for this, since the consequences of hacking their DNS servers would be enormous.
We've seen the DNS servers of the larger providers suffer downtime, so having a backup and knowing how to flick the switch is useful. The most common choice will be Google Public DNS server (on 188.8.131.52 and 184.108.40.206 for the IPv4 service) or OpenDNS (on 220.127.116.11 and 18.104.22.168). There's a setup guide, which details changing your DNS for home routers, laptops, smartphones and servers.
Essentially, though, open your router admin panel and look for the Domain Name Server addresses configuration page; input a primary and secondary DNS IP. Some routers will have a third server option, and for OpenDNS this would be 22.214.171.124. And that's it, other than to test it's working by hitting the Test button on the OpenDNS guide pages.
Certain providers prevent you from adjusting the DNS server addresses in their own-brand routers, but you can still set individual computers to seek alternate servers.
7. Install alternative firmware
The more adventurous user may take the “update your firmware” message a step further and install totally new firmware from an alternative source. If you think of your router as being a mini-computer, it's akin to changing the OS on a laptop from the supplied Windows install to a Linux distro.
Why would you do this? To gain functionality missing from the original firmware, especially relating to security. And why wouldn't you? Your warranty will be invalidated, so it's best left to older routers.
8. Employ MAC filtering
The information that Fing reveals when you want to block something from using your Wi-Fi is our old friend the Media Access Code (MAC), which every device connecting to a network is allocated. It's a 48-bit digital identifier used by the device to tag network packets, to be precise.
By default, your router will connect to anything that wants access, provided it has the correct password. If you want to prevent a device from connecting, even if the user has the correct password, that's where MAC filtering comes in.
Once you have a MAC address code, you can use an online specialist site such as What's My IP or MAC Vendor Lookup to identify any piece of connected kit that you don't recognise. Fing does the MAC lookup for you in the background and then automatically displays the device maker on-screen as part of its auditing process.
When you've identified the culprit, head to the “access control” section of your router control panel, which is MAC filtering by another name. Here you can either block all new devices, so before anything can join the network you'd have to whitelist the device's MAC address, or block individual devices by blacklisting their MAC.
It isn't foolproof: most devices allow their MAC to be changed in software, so a determined hacker could clone a device that you whitelist and gain access. Ultimately, if you don't want someone to use your Wi-Fi, don't give them the password. If they're already using it, then change the password to something more complex.
9. Use a virtual private network
Whether you're using the original router firmware or have installed an alternative, there's a strong chance that virtual private networks (VPNs) will be supported. When people think of a VPN, they think of a third-party application that re-routes all their internet traffic through a proxy server – at a cost. What's less commonly considered is operating your own VPN through your router.
This will give you the advantage of being able to securely access your home network, across an encrypted internet tunnel, when you're away. It gives you the same end-to-end encryption as a subscription service, so you can securely use that coffee shop or hotel Wi-Fi, but with no fees or bandwidth implications.
You'll almost certainly need a Dynamic DNS (DDNS) service to resolve a domain name to your router as a home user, to get around the fact that most ISPs don't offer a static IP address for your router; the free-to-use No-IP is as good as any for this.
10. Set up a guest network
The trouble with passing out your Wi-Fi passkey to family and friends who visit is that, every time you do, it dilutes your security. Not only do they know your password, but they might also give it to someone else. You could change to a new password after every occasion, which is the most secure, if not the most convenient, solution.
More conveniently, and pretty secure as well, is going the whole nine yards and setting up a guest network for visitors. If the concept of a properly secured guest network isn't supported by your router, all is not lost: simply buy a better router or change the firmware as mentioned earlier. The popular replacement router firmware Tomato supports a guest mode, and means you can provide users with a key that puts them online on a virtual network without exposing your own connected devices.