WiFi can be a medium to sniff around your network if you don’t setup is properly with right security. WiFi is a wireless technology making it is easier to get hacked than wired connection because anyone can capture packets over the air.
There may be a lot more option to make WiFi secure than just setting a password. Here is 7 tips to make your WiFi security more stronger as mush as possible. However nothing is 100% secure in this world.
Change Default Router Password
All WiFi router comes with some login credentials that can be used to login to your router. These default router passwords can be found anywhere in the internet so any user can get into your router setting who are using your WiFi. Your first step after installing WiFi in your home/office is to change this login credentials. To change the router login credentials connect to your WiFi or LAN.
- Open cmd. To open cmd press Win+R, a run windows popups, type cmd and press enter.
- In cmd type ipconfig and press enter. (I don’t like hitting enter key in my laptop)
- Search for Default Gateway, in my case it is 192.168.100.1.
- Download and open this app » Network Info II and in WiFi tab you can find Default Gateway
After finding Default Gateway, open that from browser (in my case it is http://192.168.100.1). Default login credentials will be available in back side of the router. Login and and change the default password. It’s typically in the Administration or Security tabs of your router’s main settings page.
Disable WPS (WiFi Protected Setup)
WPS stands for WiFi Protected Setup and gives you ability to connect to your device just by pressing WPS button in router or entering a pin code in your device. There is well known WPS bugs form which attacker gets a easy way to connect to your WiFi network with out your permission. You may have already known with android apps like AndroDumpper, WPS WPA Tester. These apps use WPS bug to hack into WiFi network. Old routers before 2011 are more vulnerable to WPS bugs. Experts found that WPS is 10000 time easier to crack.
To disable Wi-Fi network login to your router settings page. Find WPS and disable that. It will be in Wireless tab in router main settings page.
Use Best Wireless Encryption
Routers use WEP, WPA and WPA2 security protocols. Among these WPA2 is most strongest and used as default wireless security protocol in newer routers. There is sorted list of security method from best to worst based in ratings.
- WPA2 + AES
- WPA + AES
- WPA + TKIP/AES (TKIP is there as a fallback method)
- WPA + TKIP
- Open Network (no security at all)
So the best secure way is disabled WPS with WPA2+AES encryption.
Upgrade Router’s Firmware
Upgrade your router firmware if update is available. You can find information about firmware update in manufacturer’s website. Updates may provide security patches and stable environment. You can also install custom firmware in your router. You may also break router if didn’t upgrade carefully so it is for advanced user only. There is good custom firmware for routers, DD-WRT. You can search if this firmware supports your router.
Use MAC Address Filtering
All wireless device that connects to WiFi has its unique MAC address. MAC address filtering is good option to avoid connecting unwanted device in your network. Enabling MAC address filtering allows to blacklist or whitelist specific device. You can whitelist MAC address of known devices and all other device can’t connect to your WiFi even they have WiFi password. But MAC address filtering only is not secure practice because attacker can use fake MAC address to connect. Attacker may disconnect you and connect using your MAC address. Hence don’t rely completely on this.
Hide Your Router’s SSID
In common way SSID means your WiFi name. But in actual it not that. It is used to distinguish one wireless network from others. Hiding SSID is also effective way to keep noob attacker away from your network. They can’t use WPS attack using their mobile phones. Finding hidden SSID and connected user is very easy. It is why attackers can find your MAC address. You can check for Broadcast SSID option in router’s settings page.
Avoid ARP Spoofing and Poisoning
If some user you trusted is spoofing on you here is how to find that. ARP stands for Address Resolution Protocol used by Internet Protocol (IP) to map IP network addresses to the hardware addresses. In ARP Spoofing attackers sends falsified ARP message over the network and gets linked with the network with your IP address. So all the data sent for you (to your IP) goes to attacker, allowing attacker to control over your data. Attacker may modify and completely or partially disable data transmission to you.
Similarly ARP poisoning is done by changing the MAC address to victim’s MAC address and attacking the network. Here is a figure from Wikipedia to understand ARP Spoofing/Poisoning.
There are some apps to detect ARP Spoofing. For android mobile ARP Guard is available. For PCs XArp is available (search for that). NetCut and WiFi Kill are apps to slow down victim’s internet connection.