Be safer over wireless connections
In this article we'll show how you can better secure the ways you connect to the internet.
Shouting across a crowded room
Most devices today connect to their local network via wireless, a technology we commonly call Wi-Fi. Wi-Fi uses radio signals to connect your device and those radio signals can be either secured or open.
An open Wi-Fi network is one that you can connect to, and start using, for the first time without having to enter any kind of password or other authentication. You often see these in small businesses – like coffee shops or stores – or other public places that want to offer Wi-Fi to their customers, but don’t want the hassle of having to maintain and share a Wi-Fi password. Some home networks are open as well, especially older networks.
The problem with the open networks is that they’re usually not encrypted – which means that traffic on those networks can be broadcast through the air in what we call “plain text”. Anybody who can see and connect to that network can potentially listen to that traffic. That’s especially worrisome if you are using that network to conduct banking or do other sensitive work.
The solution is to secure your networks with encryption such as Wi-Fi Protected Access (WPA) and only use other people's networks for sensitive or personal tasks if they're also secured.
Protecting your network
Securing the network in your home or business doesn’t have to be difficult. Here are a few steps you can take right away.
Note: These first few steps will require you to sign into the admin console of your Wi-Fi router. Usually you do that in the web browser of your device while connected to the router, though some modern Wi-Fi routers use a smartphone app instead. If you’re not sure how to get into the admin settings for your network we suggest that you check with the support site of your router’s manufacturer.
First step – Secure the console
If you haven’t already done so make sure you’re not still using the default password for the router. This is the username and password you just used to sign into it. Especially for consumer devices that may ship with standard usernames and passwords (such as “Admin” and “Password”) these are well-known, or easily discoverable, and must be changed as soon as possible.
Tip: This is true of ANY device you join to your network. Always change the default username and password if you can; preferably before connecting them to the internet.
If your network is managed via a web browser console, you should confirm that the ability to manage your network from outside your local network is turned off. For most routers that’s just a checkbox in the “Admin” or “Management” section of the console. Few people want or need to change router settings from outside their network. Turning this feature off gives attackers one less tool to use as well.
Second step – Check the firmware
Wi-Fi routers, like almost all hardware devices, have software built into them that control how it functions. Because it’s software written to hardware, and not easily modified, we call it “firmware”. From time to time the device manufacturer might release an updated version of the firmware for your device. These updates may contain new functionality or security fixes.
Your device might check for new firmware automatically, but many devices will require you to manually check for it. That might be done through the administration console of your device, or you might have to go to the manufacturer’s website and check there for new firmware to download.
As long as you’re in the administration console or app, check to make sure the firmware is up-to-date. Try to check it periodically; perhaps every month or so.
Third step – Encryption
The next, and most obvious, step is to make sure that you have wireless encryption turned on. In the router’s admin console you will probably see a page or tab called “Wi-Fi” or “Security”. If you can’t locate the encryption settings for your router check with the manufacturer’s website, but they’re usually easy to find.
Ideally your Wi-Fi will be using at least WPA2 for encryption. If it's currently using an older version of WPA, change it to WPA2 or newer. The router will ask you to enter a password to use for connection and of course you’ll want to pick a good password. It’s not a bad idea to change the password for your wireless network occasionally, especially if you suspect an unwelcome device has joined your network.
Tip: Wireless routers and devices that support WPA3 have started to become available. If you're buying a new device look for one that supports WPA3.
The screen where you turn encryption on is also usually the screen where you can change the Service Set Identifier (SSID) of your wireless network. The SSID is the name you see when you try to connect to your network from a device like a gaming console or smartphone. It should be unique to avoid conflicts with other networks in the area, and the name you choose should be understandable, but not something easily mapped to you or your address. “Mike’s place” or “1234 Pleasant Lane” aren’t great choices. “Blue skies!” might be.
Fourth step – Be welcoming but not TOO welcoming
If your router supports guest Wi-Fi you should turn that on and when guests need to connect to your Wi-Fi have them connect to the Guest Wi-Fi.
Most modern routers support guest Wi-Fi and the special trick of it is that guest Wi-Fi is a separate wireless network. That means that devices connected to your guest Wi-Fi can’t see the devices on your primary Wi-Fi network; like your laptop or your smartphone. Most guest Wi-Fi networks even isolate the devices connected to it from each other, though some allow you to specify devices you want to share; like a streaming device.
Guest Wi-Fi isn’t only for guests, you should also put any non-essential smart devices on it. Your TV, your thermostat, your child’s iPad...anything that only needs to connect to the internet should go on the guest Wi-Fi. That way if any of those devices get compromised, the attacker can’t use it to access any of your sensitive devices like your laptop or smartphone, or listen in to their network traffic.
Tip: Your router may have the ability to notify you when a new device joins the network. Consider turning that feature on. If you get a notice that a new device has joined your network, and you’re not the one who did it, that’s a cue that you may want to look around and figure out what just joined. If it’s unauthorized you can probably go into the administration console for your Wi-Fi and remove them. Then you should change your Wi-Fi password.
Taking those easy steps can help make your Wi-Fi a lot more secure. Now let’s take a look at how you can use your Wi-Fi connected devices – like your laptop or smartphone – more securely.
Using Wi-Fi securely
Even if you don’t have your own network to secure, you can be more secure with how you use Wi-Fi networks.
If you have to connect to a public Wi-Fi network try to choose one that is encrypted. Yes, it does require a bit more work to connect because you’ll usually have to find and enter the password but it’s important to have that level of security, especially in a public place.
You can usually tell the encrypted ones because they say "secured" or something similar, and may have an icon indicating they're secure.
Open networks will usually say "Open" and may have an icon indicating they're insecure.
If you’re connecting to public Wi-Fi be sure not to select “Connect automatically” or “Remember this network”. Though it’s certainly convenient, you don’t want your device to connect to public Wi-Fi networks automatically. Why? Because of how “Remember this network” works.
Will the real O’Hare Wi-Fi please stand up?
When you tell your device to remember a Wi-Fi network it will constantly watch for that network. If you’re walking down the street, and your device is on, your device is continually looking for one of the remembered networks. When a remembered network appears, your device will try to connect to it automatically.
The way your device sees Wi-Fi networks is by their SSID, which is basically the Wi-Fi network’s name. However, you can configure most Wi-Fi routers to broadcast any name you want. You can set your Wi-Fi router’s SSID to be “Joe’s House” or “Contoso Electronics” or…“Free_ORD_Wi-Fi”, which is the SSID of the real Wi-Fi network at Chicago’s O’Hare airport.
If you've been through an airport, connected to the airport's free Wi-Fi, and allowed your device to “remember” that network, when your device sees a router, any router, that has the same SSID it’s going to try to connect. Once it’s connected it will start sending and receiving traffic via that router. It could sign into social media (transmitting your username and password), your email, your bank, really any apps you have open on the device may start communicating through that network. Even though that network may not be the legitimate network.
Almost every public airport has Wi-Fi. So do all the big hotel chains, coffee shops, shopping malls, grocery stores….and these SSIDs are all publicly known. Cybercriminals know those SSIDs too and they can deploy Wi-Fi routers with fake SSIDs to snare unsuspecting passersby.
Never allow your device to connect automatically to any Wi-Fi network that you don’t control.
Forget those networks
That’s fine for tomorrow, but what about yesterday? If you’ve had your device for a while there may be a long list of networks you've connected to in the past, which are already remembered. All devices have a way to manage that list. If you do an internet search for your device and how to “forget” or manage wireless networks you should find instructions.
Go through that list and remove any wireless network that you don’t control. Yes, we know that means you’ll have to sign into the coffee shop Wi-Fi each time – but in this case the risk can outweigh the convenience.
Tip: Another way to be safer is to turn off the Wi-Fi on your device when you’re not using it. Bonus: You’ll use less battery not having your Wi-Fi on when you’re just walking or driving around.
Use a VPN
If you have to use a public Wi-Fi network you should consider using a Virtual Private Network (VPN). A virtual private network creates an encrypted “tunnel” between your device and a server out in the world. The server could be one your company controls, or perhaps a 3rd party service that you subscribe to. All of the traffic inside that tunnel is encrypted, so if you’re using a public Wi-Fi network an attacker may be able to see that a VPN tunnel has been established but the content flowing inside that tunnel would be hidden from them.
Tip: A VPN can add security to any network connection, even the encrypted ones, so it’s a good habit to have even on networks you think are secure.
The VPN service you’re using will tell you what you need to do on your device to connect to them.
Use your mobile carrier
Another option, if there are no secure networks available, would be to use the data from your mobile carrier like you do when you're not on Wi-Fi. Some laptops now include a built-in LTE radio that can connect to your mobile carrier for data over 4G or 5G. Or you may be able to use your smartphone as a personal Wi-Fi hotspot.
If you have that option it should be more secure than using an open Wi-Fi network, though it might be slower and if you get charged for data or have a data cap you’ll want to keep that in mind.