In this article, we explain how to secure your home WiFi router in 15 simple steps, because routers are among the devices hackers exploit most frequently.
With the increasing trend of working from home, attackers target home networks more and more, because home networks now hold more valuable information than in the past. Attackers first target the WiFi router to gain access to the home network, because the router is like the door to our home. After gaining a foothold on the WiFi router, they can attack other devices on the network more easily through lateral movement.
But how careful are we in protecting them? Most of us set them up haphazardly, just to see them working somehow. We intend to change the default settings later but never take the time to reconfigure them. Shouldn't we be more careful to protect such a critical component of our home networks? With the following 15 best practices, you can do so easily.
Step 1. Change the Default Admin Credentials
Every WiFi router is shipped with a default user name and password that are required to get into the admin console and manage the router’s configuration. This user name/password pair is usually printed in the booklet that comes with the router, and sometimes it is even displayed on the router itself. But attackers can also find them online, since most manufacturers use the same credentials for the same makes and models (Check out this list for default admin credentials). For instance, credentials like admin/admin and admin/password are commonly used.
Once captured, these credentials allow an attacker to gain full control over your router via the management panel. Thus, the first thing you should do is connect to the management panel and replace the default admin credentials with a strong password (at least 12 characters, including alphanumeric and special characters).
To do so, type the management panel URL (such as https://192.168.1.1) into a web browser, as described in the router’s manual. You will need this URL and the admin management console to apply the configurations described in the following steps.
Step 2. Change the Default WiFi Password
Similar to the default admin credentials, every router uses a default WiFi password that is again printed in the router manual and/or on the router itself. Because it is printed on easily accessible materials, you should consider the default WiFi password exposed and replace it immediately with a secure password on your router’s management console.
However, you are not done yet. Firstly, you should remember to change this password frequently, such as every 3 or 6 months. Secondly, you should keep it secure and not share it with others, including your guests.
Step 3. Change the Default WiFi Network Name
Router manufacturers often use the make and/or model of the router in the default WiFi network name (SSID). A hacker can use this information to find vulnerabilities specific to that make and model of router. Using this information, an attacker can also look up the default admin credentials to access the admin control panel of the router.
Thus, you should definitely change the default SSID on your router. But how should you rename your SSID? A rule of thumb is not to use any information that could help identify the owner of the router. You should also avoid names like “Secure/Secret Network” that could backfire on you. As a hint, you could change your SSID to an identifier similar to those used by other router makes and models to misguide attackers.
Step 4. Set Up Guest Network
Though it is critical that you don’t share your WiFi password with others, sometimes you feel obliged to share it with friends and relatives visiting you. Luckily, many modern WiFi routers allow you to set up a separate network (Guest Network) with its own SSID and password. This is something you really need to configure if you need to share your WiFi connection with visitors.
Step 5. Set Up a Separate Network for IoT Devices
Internet-connected household gadgets (IoT devices) are finding their way into our homes more and more. However, IoT devices are not produced with security in mind. They should be treated as insecure because most of them contain critical vulnerabilities that could be exploited by hackers.
For this purpose, you can set up a separate network for your IoT devices. By doing so, you can eliminate the risk of your valuable devices being hacked if this separate network is compromised through vulnerable IoT devices. You can even create more than one network for your IoT devices. This will further contain any potential attack through vulnerable IoT devices and limit the damage to only those devices connected to the compromised network.
Step 6. Turn Off SSID Broadcasting
Hiding your network name by disabling SSID broadcasting is another countermeasure you can take to secure your WiFi router. This could prevent attackers searching for easy targets from detecting your network. The inconvenience of disabling SSID broadcast is that you have to remember your network name and enter it manually on the devices that will connect to your router.
Note that this countermeasure is flimsy (also called Security by Obscurity) and does not provide protection against professional attackers, since they can capture your SSID by sniffing and analyzing the wireless network traffic. It is more of a protection against passers-by than against hackers.
Step 7. Enable Strong Encryption
Weak encryption on your router could allow an attacker to see your network traffic or modify it by conducting a man-in-the-middle attack. Currently, there are 3 different types of encryption available on most routers. These are Wired Equivalent Privacy (WEP), WiFi Protected Access (WPA) and WPA2. By default, modern routers use WPA2, as it is considered to be the strongest of all. In fact, the other encryption protocols can be easily broken in seconds or minutes by automated tools that are used by attackers.
Thus, make sure that the encryption mode on your router is set to WPA2. You should even use a more secure version of WPA2, that is WPA AES (Advanced Encryption Standard), if it is supported by your router. Also check for the newer and more secure WPA3 standard, which could be delivered with upcoming firmware updates for your router.
Step 8. Turn On the Firewall
Most routers contain a built-in network firewall, but it could be turned off by default. You should browse through the management console settings to make sure it is turned on. Using the firewall, you can control and limit which IP addresses and ports are allowed to communicate with the outside world, that is, the Internet.
Step 9. Use MAC Filtering
MAC (Media Access Control) address filtering is another feature that is available on modern routers. As you may already know, every device that can connect to a network has a MAC address, similar to having an IP address. However, the MAC address is unique for each device and it is statically embedded on the NIC (Network Interface Card) when it is manufactured.
Using this MAC address, it is possible to block (blacklisting) or allow (whitelisting) each device that wants to connect to a network. For your WiFi network, you can control this through your router’s administrator console. As a best practice, you should allow only the devices that should connect to your network and deny all other devices (whitelisting).
It is also worth noting that this measure does not provide real protection (Security by Obscurity) against professional attackers, and it can be bypassed. They can sniff the wireless network traffic, capture the MAC addresses allowed on your network and spoof their own MAC address with one of these allowed MAC addresses.
Step 10. Turn Off UPnP
Universal Plug and Play (UPnP) is a convenient feature that allows our household appliances (a.k.a. Internet of Things devices, or IoT devices) to discover and communicate with each other automatically once they are connected to your home network. This feature is enabled by default on many routers and household gadgets.
Behind the scenes, UPnP automatically forwards a port on your router (meaning it allows a port to communicate through the firewall), defeating the whole purpose of the firewall on your router. This is a significant vulnerability that can be used by any malicious software (such as a virus, worm or trojan) to bypass the firewall and communicate with the outside world. Attackers even add your IoT devices to botnets to conduct other malicious activities against others without your knowledge.
You can use UPnP initially to set up your household devices to communicate with each other. However, it should then be disabled both on the router and on the IoT devices to prevent any security breach on your home network.
Step 11. Turn Off WPS
Another convenient feature that is available on many modern routers is WiFi Protected Setup (WPS). While UPnP allows IoT devices to communicate with each other after they are connected to the home network, WPS allows your devices to connect to the router automatically, without entering any WiFi credentials manually.
WPS can be activated through a button on the router to advertise itself to the devices that will connect to it. The device is automatically connected to the network once the advertised network is selected on it. Sometimes this process can be completed by pressing the WPS buttons both on the router and the device.
A third method involves the use of an eight-digit PIN generated by the router. Some devices without a WPS button but with WPS support will expect this PIN to be entered manually. This code method presents a vulnerability on your network, because it is easy to crack. For this reason, you should only use the WPS button on your router and disable the code method on the router management console.
Step 12. Disable Remote Access
Some routers allow remote administration, that is, connecting to the router administration console from the Internet. However, this feature increases your attack surface, since it also opens the door for hackers to try to gain access to your router administration console without connecting to your local network. Thus, you should disable remote access mode and only allow local computers to access your router’s admin console.
Step 13. Keep the Firmware Up to Date
Just like operating system or software updates, your router firmware should also be updated, both to remediate any known vulnerabilities and to get new features provided by the manufacturer. So, you should check the manufacturer’s site or the management console occasionally to make sure that your router is running the latest firmware. Though it sounds a little trickier than software updates, your router management console will guide you on how to upgrade the router firmware.
Step 14. Reduce the Range of the WiFi Signal
Unlike physical networks, WiFi signals can extend beyond the walls of your home. This is a security risk, because outsiders can sniff your WiFi network traffic and capture your data. To prevent this threat, you should reduce your WiFi footprint, in addition to using strong encryption as described above.
There are two methods to adjust your WiFi signal coverage properly: router placement and signal strength adjustment. Firstly, placing the router at the center of your home will give you maximum signal coverage at home while reducing the signal footprint for outsiders. Secondly, you can manually adjust the signal strength level from the router management console to reduce signal coverage. However, don’t forget that highly motivated attackers can still receive even weak signals with special equipment like enhanced antennas.
Step 15. Turn Off the Router
When you are not using your WiFi router (such as when you are sleeping or when you are on vacation), you should turn it off to limit the window of opportunity for hackers to attack your WiFi network. For instance, hackers might conduct brute force attacks to compromise your WiFi password. However, they can only conduct brute force attacks when your WiFi router is turned on. Thus, turning your WiFi router off when it is not in use reduces the possibility of a successful attack.
“The Internet of Things (IoT) devoid of comprehensive security management is tantamount to the Internet of Threats.” - Stephane Nappo
Check the Logs
Last but not least, you should check your router logs on the management console to detect any potential suspicious activity. If your router does not support log management, you can also check the firewall and MAC address filtering features to find out which devices are currently connected and which devices have connected previously to your wireless network.
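One way to do this review systematically is to compare the MAC addresses that appear in the router log against the list of devices you allowed in Step 9. The following Python sketch is an added example, not part of the original article; the log format, the allowlist and every address in it are constructed, and your router's log lines will look different.

```python
import re

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# Constructed allowlist: the devices you entered for MAC filtering (Step 9).
ALLOWLIST = ["3C:22:FB:10:20:30", "f4-5c-89-aa-bb-cc"]

# Constructed log lines; real routers use other formats, but the MAC is usually there.
SAMPLE_LOG = [
    "2024-05-01 08:02:11 DHCP lease 192.168.1.10 to 3c:22:fb:10:20:30 (laptop)",
    "2024-05-01 08:05:40 WLAN associated F4:5C:89:AA:BB:CC",
    "2024-05-02 02:13:44 WLAN associated 00:1a:2b:3c:4d:5e",
    "2024-05-02 02:13:45 DHCP lease 192.168.1.57 to 00-1A-2B-3C-4D-5E",
    "2024-05-03 23:50:02 WLAN auth failed DA:A1:19:00:11:22",
]

def normalize(mac):
    """Use one spelling (lowercase, colon-separated) so comparisons are exact."""
    return mac.replace("-", ":").lower()

def is_locally_administered(mac):
    """True if the address was set in software (randomized or changed by hand)
    rather than assigned by the manufacturer: bit 0x02 of the first octet."""
    return bool(int(mac[:2], 16) & 0x02)

def unknown_devices(log_lines, allowlist):
    """Map each MAC that is not on the allowlist to what the log says about it."""
    allowed = {normalize(m) for m in allowlist}
    findings = {}
    for line in log_lines:
        for raw in MAC_RE.findall(line):
            mac = normalize(raw)
            if mac in allowed:
                continue
            entry = findings.setdefault(mac, {
                "events": 0,
                "first_seen": line[:19],   # timestamp prefix of the sample format
                "software_assigned": is_locally_administered(mac),
            })
            entry["events"] += 1
    return findings

if __name__ == "__main__":
    for mac, info in unknown_devices(SAMPLE_LOG, ALLOWLIST).items():
        print(mac, info)
```

Any address it reports is a device you did not allow; one that actually obtained an address, or appeared at an hour when nobody was home, deserves a closer look.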