For the first time ever, I actually have a wireless router that can cover my whole house. I’ve been interested in wireless security for a long time, but haven’t actually had to do much with it because I wasn’t running any wireless networks at home.
I spent a few minutes securing my network after I got it up and running. I’ve talked about that at rather great length in the past, but on a really practical level, here’s what I did in a mere 10 minutes that will make a big difference.
1. Change the network name
I don’t want to advertise to some stranger with a laptop in his car or a low-flying aeroplane what brand of network router I have, just in case an exploit ever appears for the particular router I happen to own. Let those guys figure out what router I have, then try to find an exploit for it. Most won’t bother; they’ll keep looking for someone with an unsecured router or one using factory default passwords.
I also don’t want to advertise to anyone which network is mine, so I didn’t use my name, address, phone number, or anything resembling either of those things.
I set my network name to a meaningless number. There’s no house with that number anywhere close. Some people use creative names on their networks, or name their networks things like “Stay out.” I didn’t. Why? So I don’t attract a that’s-funny-I’ll-click-on-that-one response.
2. Use WPA2-PSK (or better) if all your hardware supports it
WPA is crackable, and WEP is trivially easy to crack. Since all of my equipment is capable of WPA2, I used that. There’s no reason to open your network to more attack vectors.
If I had hardware that didn’t support WPA2 and couldn’t be upgraded to support it–some game consoles might fall into that category–I think I’d get another router capable of running DD-WRT, configure it as a bridge or repeater using WPA2, and plug that device into it via a wired connection. That would improve network coverage for other devices and keep the network more secure.
If no wired network is available for the device, I’d get a second router, secure it as tightly as possible, put the rest of my network on that router, and put the older, less secure devices on the first router. That does nothing to mitigate the chances of someone cracking that network and using the Internet connection, but it does keep a freeloader from being able to see the rest of your network if they do break in.
I still don’t like that last option for one reason. If the freeloader jumps on your network and does something illegal, you could end up having to prove you didn’t do it. That’s inconvenient and expensive. The stories about the MPAA or RIAA or other organizations suing people in distant jurisdictions for many thousands of dollars for downloading music or movies are true. You’ll be found innocent if you can prove you didn’t do it, but you’ll spend a lot more time and money in legal fees than you’d like in the process of doing so. It’s a lot cheaper and easier to secure your network.
3. Change the wireless password
My default password was just a number, making it trivially easy for a computer to guess. A program could just sit there and try every possible number until it found one that worked. It should only take a few minutes.
I changed my wireless key to a 63-character password with uppercase and lowercase letters, numbers, and symbols. I avoided spaces and commas, which tend to be problematic for certain hardware. Can’t think of a 63-character password like that? Use a random password generator. That type of password is too much even for supercomputer-toting governmental organizations with 3-letter abbreviations to crack in a reasonable length of time. The technology just doesn’t exist in 2011. It’s not them I’m worried about anyway. It’s the guy one street over looking for an open network to use to download Metallica MP3s I’m worried about.
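To put numbers behind the contrast between a numeric default key and a 63-character random one, here is an added example (my own code, not anything from the original post). It generates a passphrase from the character set the post describes (letters, digits, symbols, no spaces or commas) using a CSPRNG, checks the 802.11i passphrase rules (8 to 63 printable ASCII characters), and estimates how long exhaustive guessing would take. The guess rate and the 8-digit default key length are constructed assumptions for illustration; the post itself does not give either.

```python
import math
import secrets
import string

# Character set described in the post: upper, lower, digits and symbols, minus
# the comma (and no space), because some hardware chokes on those two.
# All of these are printable ASCII (0x20-0x7E), which is what WPA2-PSK allows.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation if c != ","
)

MIN_LEN = 8   # 802.11i minimum passphrase length
MAX_LEN = 63  # 802.11i maximum passphrase length


def generate_passphrase(length=MAX_LEN, alphabet=ALPHABET):
    """Return a random passphrase drawn with the secrets module (a CSPRNG).

    random.random() is not suitable here; its output is predictable.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"WPA2 passphrase length must be {MIN_LEN}-{MAX_LEN}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_wpa2_passphrase(passphrase, forbid=" ,"):
    """Check 802.11i rules (8-63 printable ASCII chars) plus the post's
    avoid-spaces-and-commas rule (the `forbid` set is configurable)."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        return False
    return all(0x20 <= ord(c) <= 0x7E and c not in forbid for c in passphrase)


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random string of this length/alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every key of the given shape at a fixed rate."""
    return alphabet_size ** length / guesses_per_second


def compare_keys(default_digits=8, guesses_per_second=100_000):
    """Constructed comparison: an all-digit default key vs a 63-char random key.

    default_digits and guesses_per_second are assumptions, not figures from
    the post. The rate stands in for an offline PBKDF2 guessing setup.
    """
    numeric = seconds_to_exhaust(default_digits, 10, guesses_per_second)
    strong = seconds_to_exhaust(MAX_LEN, len(ALPHABET), guesses_per_second)
    return {
        "numeric_default_minutes": numeric / 60,
        "strong_key_years": strong / (86400 * 365),
        "strong_key_entropy_bits": entropy_bits(MAX_LEN, len(ALPHABET)),
    }


if __name__ == "__main__":
    key = generate_passphrase()
    print("generated key (63 chars):", key)
    print("valid WPA2 passphrase:", is_valid_wpa2_passphrase(key))
    for name, value in compare_keys().items():
        print(f"{name}: {value:.3g}")
```

With the assumed rate, an 8-digit numeric key falls in minutes, while the 63-character key has roughly 412 bits of entropy, far more than the 256-bit PSK it is hashed into, so guessing the passphrase is never the cheapest path. Paste the generated key into a text file as the post describes rather than retyping it.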
Typing that password was going to be a mess, so I saved it as a text file, put it on a USB drive, then opened the file on my laptops, connected to the network, and copied and pasted it from that file into the blank when the computer asked for a network password. Then, when I saw just how painful it was going to be to type that password into a smartphone, I realized there was a better way. So I temporarily enabled WPS (Wi-Fi Protected Setup), let the phone connect via WPS, then disabled WPS again.
4. Disable WPS, but use it occasionally
WPS wasn’t enabled by default. I enabled it in order to get a smartphone on the network without typing 63 characters of gibberish via Swype–that might have taken an hour–but then I disabled it again. There’s no reason to leave WPS enabled when you’re not using it.
I don’t know of any exploits for WPS, but I don’t know that there never will be any, either. Within a month of my writing that, a WPS exploit appeared. That’s the way things go.
WPS is extremely convenient, but it’s extremely difficult to get both convenience and good security, and WPS has failed over and over at striking that balance.