Secure your Wi-Fi against hackers in 10 steps
Lock down your Wi-Fi network and find devices that are stealing your bandwidth – and, potentially, your data
The days of worrying about your data allowance are largely a thing of the past, courtesy of faster broadband speeds and generous tariffs. But that doesn't mean you should forget about who's using your Wi-Fi. Whether you're a home or small-business user, identifying who and what is on your network is as important as ever.
An unauthorised user could be streaming pirated movies, hogging your bandwidth and, potentially, landing you in a spot of legal bother. They could be indulging in more nefarious activity, maybe even trying to hack into your systems. This shouldn't come as any great surprise when research commissioned by Broadband Genie shows 54% of British broadband users are concerned about someone hacking their router, yet only 19% had accessed the Wi-Fi router configuration controls, and a measly 17% had changed the admin password from the default.
Avast recently scanned over 4.3 million routers and found 48% had some sort of vulnerability. Thankfully, there are plenty of tools and tricks to identify who's on your connection and how to get rid of them.
1. Change the admin password
If you want to know what your wireless network is up to, you'll need to roll up your sleeves and head straight for the admin gateway of your router: BT will usually default to 192.168.1.254; Sky users should try 192.168.0.1; and all TalkTalk routers have an internal IP of 192.168.1.1. If you've swapped out the supplied router for one of your own preference, Google is your friend.
Alternatively, you can head over to routerpasswords.com most makes and models are listed there, complete with login details. And if that doesn't convince you to change your router from the default settings, nothing will...
Default login settings should only be used to get up and running out of the box, after which you should change the password to something long and complex, and change the username if your router allows it. Long and random is great passkey advice, which is almost always ignored on the basis that people want to join the Wi-Fi network without any hassle. Well, duh! Ask yourself this: how often does any user actually have to enter the Wi-Fi password manually? Certainly within the home, and for many small-business scenarios, the answer is usually hardly ever after the initial setup.
A key that's over 20 characters long, with a randomly generated mix of upper and lower-case alpha-numericals, with special characters, is your best bet. LastPass' tool is excellent for producing randomly generated and secure passwords.
2. Don't broadcast your router details
While you're in your router settings, you should change your service set identifier (SSID). This is the name of your network that the outside world sees; it commonly defaults to the router manufacturer's name. In light of how easy it is to find admin logins online, best not make the hackers life any easier than it already is. A determined hacker isn't going to be prevented from detecting and accessing your network simply because there's no SSID being broadcast, but using a random name rather than the factory default makes sense. Not least as it suggests the user is more security savvy than someone who is still broadcasting the router manufacturer.
3. Disable Wi-Fi-protected setup (wps)
Wi-Fi-Protected Setup (WPS) uses the press of a button, or entry of a PIN number, to establish an encrypted connection between a device that supports it and your network. Advising users to disable WPS may appear counter-intuitive, but it's broken. It makes use of what appears to be an eight-digit PIN code but looks can be deceiving. The last number is always a check digit, so already the PIN is reduced to seven numbers, which makes brute-forcing much easier. As does the fact that most routers don't include a cooling-off timeout between WPS guesses. Here comes the stinger, though: as far as validation is concerned, the first four digits are seen as a single sequence, as are the final three. That means the possible number of combos just shrank from over ten million to around 11,000. No wonder pen-testing tools such as Reaver can brute-force WPS in a matter of seconds.
4. Update your firmware
The same Broadband Genie research mentioned earlier also shows only 14% of British broadband users had updated their router firmware and, to be honest, we're surprised it's that high. If you're one of the 86%, though, do it today. Updating your router firmware boosts your security at no cost and in very little time, yet it's a step that most home and small-business users fail to take.
Why? Because our mindset is wrong. In the home, and in many small businesses, the concept of "patch management" doesn't exist but it should. We're all used to watching Windows disappear into the land of suspended resource time as it installs an update, after all. The majority of routers will have an automatic update option, so hunt it down and enable it. Be advised that sometimes a firmware upgrade might default the router back to original settings do a quick check afterwards to be on the safe side.
5. Try a different dns server
Just as you can install an alternative to the firmware that runs your router, you can choose a different Domain Name System (DNS) server instead of the ISP default. There may come a time when the DNS servers used by your ISP come under attack, by a distributed denial-of-service (DDoS) attack, for example, or someone changing the DNS to effect a cloned banking fraud. The bigger ISPs are a target for this, since the consequences of hacking their DNS servers would be enormous.
We've seen the DNS servers of the larger providers suffer downtime, so having a backup and knowing how to flick the switch is useful. The most common choice will be Google Public DNS server (on 22.214.171.124 and 126.96.36.199 for the IPv4 service) or OpenDNS (on 188.8.131.52 and 184.108.40.206). There's a setup guide at pcpro.link/271dns, which details changing your DNS for home routers, laptops, smartphones and servers.
Essentially, though, open your router admin panel and look for the Domain Name Server addresses configuration page; input a primary and secondary DNS IP. Some routers will have a third server option, and for OpenDNS this would be 220.127.116.11. And that's it, other than to test it's working by hitting the Test button on the OpenDNS guide pages.
Certain providers prevent you from adjusting the DNS server addresses in their own-brand routers, but you can still set individual computers to seek alternate servers.