WiFi networks have become the norm, but pose a number of security issues: they can allow an intruder to access your home network, the machines that are connected to it, and its traffic. A malicious person can conduct his attack from a distance, in all discretion. However, strengthening the security of its WiFi network is not just, you will see, only change network key. Here are some tips to improve the protection of your network against possible intrusions.
WiFi: limited security, whatever you do
The first advice is not to believe that you will be able to make your WiFi network completely impervious to attacks. Technology has many flaws. First, it is based on waves that cross the walls: the signal is accessible all around your home, which is especially true when you live in the city in an apartment.
The second problem is that encryption is no longer an absolute security. Known and well-documented vulnerabilities (especially WPS) allow for example access to wireless networks without even trying to guess the key on some routers not updated. WEP and WPA ciphers are now very easy to crack. And since last year, the security of WPA2 encryption has also been cracked.
Since the WiFi Alliance has announced the WPA3 encryption that will allow to regain some time a little ahead of the pirates. But routers and more generally WPA3 compatible devices are still rare. And in fine we expect in all cases that pirates eventually find a new parade ...
The first way to enhance the security of your WiFi network is to enhance the security of what is most likely to be hacked, namely the security of devices connected to your network. Hence the relevance, for example, of a firewall directly on your computer rather than relying on that of your router.
Recommended: How to import an Excel file into Google Sheets
Password, security ...: basic tips
Let's start with common sense advice that is, alas, not always respected. If you already know them, go directly to more advanced tips, and / or methods that we do not recommend.
Choose a strong password for your WiFi network
In general your WiFi network is managed by the box of your operator. This means that, in general, your operator has already assigned you a very complex connection key that you do not have to change. Unless your box is in common areas and you want to prevent anyone from connecting with the code pasted on the box label.
Anyway, if you change it, go for something both mnemonic and secure.
Choose the highest encryption compatible with your devices
In general, all routers offer these encryption methods (in bold most secure of the list):
- 64-bit WEP
- 128-bit WEP
- WPA-PSK (TKIP)
- WPA-PSK (AES)
- WPA2-PSK (TKIP)
- WPA2-PSK (AES) *
- WPA / WPA2-PSK (TKIP + AES)
* the strongest encryption on most routers, it's him, not the one just after, as unfortunately many users believe ...
More recently, some devices also offer this method:
WEP (Wired Equivalent Privacy) is the oldest encryption method - and is now almost as recommended as leaving your network without a password (either 64-bit or 128-bit). It is a method to proscribe in all cases.
WPA (Wi-Fi Protected Access) is a series of standards designed to improve security. WPA I was quickly supplanted by WPA2, and more recently, after the discovery of critical protocol flaws, the WiFi Alliance launched WPA3. The problem is that this latest technology is still slow to democratize.
TKIP is the old encryption method used by the WPA protocol.
AES is a strong encryption standard used, among other things, by the military.
The WPA / WPA2-PSK (TKIP + AES) mode is not, contrary to popular belief, the most secure mode available on your router. This is actually a hybrid mode that mixes both versions of WPA and encryption protocols (TKIP and AES) for more compatibility. It nevertheless allows hackers to take advantage of the vulnerabilities of the WPA I protocol - knowing that the WPA 2 protocol is also, now, vulnerable. And also allows you to exploit TKIP, a less secure encryption than AES.
Therefore, if your devices allow it, we recommend that you choose WPA2-PSK (AES) mode on your router. Since WPA3 is still slow to appear.
Change the name of your SSID network
By default your internet box broadcasts a name that betrays its origin. For example, if you have a Livebox, the name of your default WiFi network will be something like Livebox-F986. Each operator has his little name, and this gives an important indication to a potential hacker who will seek to exploit a flaw on your hardware: if it's a Bbox, Livebox, Freebox or SFRbox, it remains only to test the vulnerabilities of the most recent models.
But why not try to confuse everyone? Choose a different name - whether it's something that has nothing to do with it, or why not a name that evokes another operator's box. This will not really improve your security, but will certainly make some hackers lose some time.
Keep your router up to date
It goes without saying that if there are loopholes, manufacturers tend to correct them, and offer regular updates. But the update is not always automatic on all models. You must therefore connect to your administration area.
More advanced tips to secure your WiFi network
Beside the basic tips, some actions will allow you to increase security a few notches to reduce any risk of attack.
WPS, for Wi-Fi Protected Setup, is a technology launched by the Wi-Fi Alliance to simplify the connection of a device to a Wi-Fi network. It consists in proposing a physical button on the router on which it is sufficient to press to confirm the pairing of a device to the WiFi network, replacing the password. But there are several WPS connection methods. One of them is based on an eight-digit PIN - set at the factory, sometimes 12345678 is found on older models.
But other flaws exist on more recent models with other WPS connection modes. For example, a protocol attack was demonstrated in 2017 on Livebox 2 and 3 and Neufbox 4, 6 and 6V. The flaw was rather disturbing, since it was enough for the attacker to send an empty PIN code to initiate the connection. In short, if you do not use it - many users do not even know the existence of this feature on their router - disable it via the management interface of your box.
Hide the SSID
To go further you can opt for a strategy to make your network as discreet as possible in an environment already saturated with many WiFi networks. One of the tips in this direction is to hide the name of the SSID network. This means that it will no longer appear in the list of wireless networks on computers, smartphones and tablets.
It remains possible to discover the presence of a hidden network via specialized tools, but it adds a difficulty to penetrate your wireless network since to connect to it, it is imperative to know the name of the network and the key. Again, this is not to be considered as a real security measure. This is at best an obstacle that will waste a little time on a hacker.
To connect to your network, you will now have to enter your name, security standard and key manually.
Reduce the signal strength and therefore its range
Unfortunately, not all routers allow it, but one of the best ways to make your network less vulnerable to attack is to reduce the power of the WiFi signal. It becomes much more difficult to connect outside your walls, the connection being weaker.
In the same vein, opt, if your devices are compatible, for a single WiFi network 5GHz (and disable the 2.4 GHz network): the higher you get in the spectrum of radio waves, the more the signal is easily stopped by the walls. We also advise you to disable the WiFi network if possible when you leave your home for long periods of time - for example when you go on vacation.
Take a look at the list of connected customers from time to time
Go from time to time to take a look in the administration pages of your router to see the list of connected devices. Try to control that all devices are among those allowed. For this, you can help, among other things, the MAC address of your devices that can guess the brand of the device. This site allows you to find a lot of information from MAC addresses:
Choose a different login / password for the administration of your router
Imagine that an intruder manages to break into your network without your knowledge and change the configuration of your router to reduce the risk of being discovered, or carry out an attack. For this reason it is strongly advised to change the router's default login and password, even if its management interface is only accessible from your network. If the login / password in question is Admin / Password (it's often that or something, alas), change it urgently.
The complicated methods we do not recommend (and why)
Beside that, there are methods that we have read elsewhere on the net, and which are to be avoided, because they unnecessarily complicate the use of the WiFi network (and are therefore likely to be quickly abandoned) and / or because they do not really improve the security itself of your WiFi network, in addition to making your connection less stable.
Filtering mac addresses: to try it is to hate it
Often recommended, Mac address filtering is to be avoided for two reasons. The first, probably the most important, is that it is possible to manipulate this address, yet initially conceived as a kind of electronic tattoo. An intruder can therefore brute force find the mac addresses allowed and pretend to be a valid device.
The second is that every time you have guests, you will have to get their mac address and put them in the list of authorized devices to connect to WiFi. We bet that it will not entertain you more than two minutes!
Install a VPN on the home router
We have seen in other files on the subject some advising to configure a VPN on your router. We think that this advice is the distortion of another, for the smart shot: that of using a VPN when you connect to public WiFi networks. The idea is to encrypt traffic between your machine and the rest of the net, complicating man-in-the-middle attacks.
But at home, we speak of private network - a place where the risk posed by this type of attack is precisely very small (especially if you follow the advice above). Besides, apart from helping you connect to Netflix US on all your home devices, setting up a VPN on your router (instead of your devices) will not add any security to your WiFi network.
Finally to have tested the thing on several models of routers (including Netgear with firmware Voxel or DD-WRT ...), this tends to make the connection unstable with cuts, quite frequent, can last several minutes each time. You may be one of the most hated people in your home, identified as the "who always rots the internet connection with his hacks" and that, frankly, believe me, it's not cool (I know something!).
Read also: Best Internet Browsers on Android in 2019
Do you know of any other tips to make your WiFi network more secure? Share your opinion in the comments!