How to secure your home or office Wi-Fi

Lock down your wireless network to make sure unauthorised users can't get access

By default, wireless routers and access points have security turned off. Without Wi-Fi security enabled, anyone nearby can leech off your wireless Internet, see where you're browsing, capture your passwords to some websites, and possibly access your PCs and files. Some models help you turn security on via a wizard during initial setup or recommend using buttons or PINs; others require you to enable it manually via the router's Web interface.

But even with Wi-Fi Protected Access 2 (the latest security standard) enabled, hackers can exploit vulnerabilities to crack your Wi-Fi security. Here's how to combat these weaknesses.

The most recently discovered major Wi-Fi vulnerability involves the Wi-Fi Protected Setup feature found in most Wi-Fi routers made since 2007. Though WPS doesn't provide security itself, it's supposed to simplify turning on the personal (PSK) mode of WPA or WPA2 security.

Networking manufacturers can incorporate two methods of using WPS to help secure and connect your Wi-Fi devices. In the PIN method--the source of the latest vulnerability--you enter the eight-digit PIN assigned to your router into Wi-Fi-equipped computers and devices that also support WPS, in order to connect them to the wireless router. The alternative is to assign a PIN to your PC or to any other Wi-Fi-equipped device that supports WPS and then enter it into your router's Web interface in order to connect the device to the network.

Faulty underlying design of the WPS PIN method on routers makes it easier for an attacker to crack the PIN combination by brute force using software tools that repeatedly guess the PIN. Manufacturers can add enhancements to combat such attacks on their routers, but most of them haven't yet done so.

Two existing tools--Reaver and wpscrack--can automate the cracking. Depending on the exact wireless router, these tools can usually figure out a network's PIN and full Wi-Fi password (the WPA or WPA2 passphrase) within a few hours.

The WPS cracking process can also lock-up your wireless router, thus causing a denial-of-service attack. This can lead to major performance problems on your network and even stop it from working altogether until you reset your router.

Fixing the Vulnerability

If your router supports WPS, it's vulnerable. Look for an eight-digit PIN printed on the bottom or a WPS logo on the router. If you don't see either one, run a Google search for your model number, and find its product description or data sheet online. If you still have the box, examine it. If your router doesn't support WPS, then it isn't subject to this WPS vulnerability.

If your router does support WPS, log in to your router's Web-based configuration panel: From a computer that is connected to your network, open your Web browser and type in your router's IP address--a numerical string such as 192.168.0.1 or 192.168.1.1. If you don't know your router's IP, in Windows Vista or 7, open the Network and Sharing Center via its icon near the lower right corner of Windows. In Vista, click Manage Network Connections; in Windows 7, click Change Adapter Settings. Double-click the network connection you're using; and in the dialog box, click Details. Finally, you'll see the router's IP listed as the Default Gateway.

If you can't remember the password for logging in to the router control panel, you may not have changed it. Try the default username and password listed in the router's documentation or online (at RouterPasswords.com). If your Internet provider supplied the router, check the hardware itself. As a last resort, press the router's reset button to return to the factory default settings, but don't forget to enable security afterward.

Log on and find the WPS settings; they may be in the wireless or advanced section. Save or apply any changes.

Disabling WPS -- and Beyond

If your router uses WPS, consider disabling it (if possible). Unfortunately, on some routers, disabling WPS via the Web interface doesn't turn it off completely. To double-check, try to enter the router's PIN on a Wi-Fi-equipped computer or device that supports WPS.

If you previously used WPS to secure your network, you can find the Wi-Fi password (the WPA or WPA2 PSK passphrase) that it created in the router's wireless settings after you log on to the interface. When you want to join more Wi-Fi computers and devices to your network, you can enter that password.

For peace of mind, the best strategy may be to buy a router that doesn't have the WPS feature. That fact usually appears in the product description or data sheet online or on the box in stores. If you're willing to tinker, check to see whether your router is compatible with free aftermarket firmware that doesn't have WPS, such as DD-WRT or Tomato.

In time, manufacturers may release firmware updates to fix their routers' WPS vulnerabilities, so search the online support section for your model. If the release notes for firmware updates from as recently as this year show WPS changes, upgrading your router's firmware should patch the security hole.

Small businesses (and security fanatics at home) that have wireless routers featuring WPS can also consider using enterprise-level Wi-Fi security, which even consumer-level routers support. This is a more secure mode of WPA/WPA2 security, and it doesn't use WPS, so you aren't exposed to the vulnerability. The enterprise mode is also called the 802.1X or EAP mode, whereas the personal mode (the one vulnerable to WPS weakness) is technically called the preshared key (PSK) mode.

The enterprise mode of WPA/WPA2 security uses 802.1X authentication, which requires some sort of external authentication (or RADIUS) server. But services are available that can host such a server for you.

Session Hijacking and Password Capturing

Another major Wi-Fi security threat that has surfaced in the past few years comes from tools that allow anyone eavesdrop on wireless traffic capture passwords or other information. Tools such as the Firefox add-on Firesheep and the Android app DroidSheep make it easy for anyone on your Wi-Fi network to hijack your online accounts. As a result, if eavesdroppers run the tool as you log on to a website that isn't secured with SSL/HTTPS encryption (for example, some social networking and email sites--look for "https" in the URL to determine whether the site is encrypted), they can then get onto your account.

People can perform only session hijacking and password capturing if they are on the same network as you or if the network isn't secured, such as by using WPA/WPA2. It's not something to worry about on your home network unless you don't secure your Wi-Fi properly or you don't trust other users. But it is something of concern for business networks. and it can be prevented with enterprise Wi-Fi security.

Weak Wi-Fi Passwords

Your WPA and WPA2 passwords are susceptible to brute-force dictionary-based cracking (basically, where hackers guess your password using software tools that repeatedly guess). If your router's password is a word listed in the dictionary--or something close to such a word--it's highly vulnerable to cracking. Use a long passphrase (one of at least 13 characters and as many as 63 characters) with mixed case and random letters, numbers, and other ASCII characters. A gibberish password like this one will hold up: q$3^cP&/S#z;2%D,7x)h. Or see "How to Build Better Passwords Without Losing Your Mind" for guidance on devising strong passwords that you'll be able to remember.

For more Wi-Fi security tips, read "How to Lock Down Your Wireless Network."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Eric Geier

PC World (US online)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?