We often get asked by clients, colleagues & family about security on Wi-Fi networks. Here is our advice for the average consumer and small business owner.
“Public” Wi-Fi
Don’t use public WiFi. It opens you up to identity fraud hackers and other unnecessary risks. I’m not going to go into the particular reasons as to why, but this article is an excellent easy read on the matter: https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6
If you must use public WiFi, you are generally safer in less populated areas with fewer people around. But even then, no guarantees. Stick to “trusted” private WiFi networks, whenever you can, such as your home network, or tethering the network form your wireless phone.
Family & Friends Wi-Fi
Don’t use Family & Friend’s Wi-Fi for anything security critical unless you trust that their network is reasonably secured. More on that below. Please note, the farther they are from their closest neighbours, the lower the potential risk.
Your Wi-Fi
For most people, your home or small business are the only places you can control enough variables to truly set-up reasonably secure Wi-Fi. In order to do this, do not use the Wi-Fi router provided by your Internet Service Provider (ISP). Have your ISP configure this device to be used as a gateway/modem only, and use a separate wireless router that you acquire and configure yourself. If you have a Mac, iPad, or iPhone, you can buy an Apple router (it will work with any type of device, but requires an Apple device in order to configure it). I recommend them only because they are exceptionally easy to configure & keep up to date, and they come with decent security settings right out of the box. Regardless, you need to configure the following on any router:
- Before you do anything else, make sure your router us using the latest software provided by the vendor.
- You must set the username and password on the router to something reasonably secure. I have written about “safer passwords” in this article here.
- Use the 5 GHz band *only*.
- Change the router’s Domain Name System (DNS) server from the ISP’s own server to a couple that that are maintained by OpenDNS:
208.67.222.222
208.67.220.220
Additional setting for non-Apple Routers
If you do not use an Apple router, there are some more settings that you will need to verify. All of these can be considered critical in terms of security vulnerability:
- You must set the Router to only use WPA2 wireless encryption.
- Disable setup over WAN, or administering the router over the Internet.
- Disable Wi-Fi Protected Setup (WPS).
- Disable Universal Plug and Play (UPnP). You can test if you need to do this here, by clicking on the “Proceed” link on this page, and then clicking the “GRC Instant UPnP…” button:
https://www.grc.com/x/ne.dll?bh0bkyd2 - Ensure that Port 32764 is closed or blocked. You can test if you need to do this here: https://www.grc.com/x/portprobe=32764
One more thing…
Lastly, you must keep your Router up to date with its latest software, regardless of the brand or model. On non-Apple routers, this also means you may need to re-verify your settings after each update, as some routers will change settings on you when an update is performed.
I know this may seem like a lot, but this list is far from exhaustive, and these basic settings will make your Wi-Fi network much safer than average. Hopefully that will be enough to keep you from being the low-hanging fruit malicious hackers are looking for.
There is no such thing as “safe-Wi-Fi”, but much “safer Wi-Fi” is something we can all achieve with a little effort. Please let me know if you have any questions!
cheers,
-Adam
p.s. The image at the top? A graphing of the signal strength of the fifty plus Wi-Fi networks in our office airspace.