How to secure your home Wi-Fi network and router?

Remesh Ramachandran
6 min readDec 29, 2021

--

The security of your home network depends on the configuration of your router or gateway. If you keep it open or vulnerable, either freeloaders hog your bandwidth or someone can examine your internal traffic in order to collect sensitive information about you that can be exploited.

Here we list a few steps to ensure that only approved devices are connected to your network and to strengthen its security. If you are not able to access some of these settings in your gateway, consider switching off the router part of it and using a dedicated router instead, either of the traditional or mesh variety.

Change password

You can change both the administrator password and the Wi-Fi password. Older routers usually have very simple and easy passwords for the administrator account like “admin” and “password”. Instead use a new, stronger password. You can make use of a built-in password generator in a password manager that helps to create random and more secure ones.

Newer routers usually have random passwords as default. If those details are printed on your router or gateway and if you are not sure who might have physical access to the device, it is advisable to change it. Make sure to keep track of your new passwords in a password manager.

Enable encryption

Make sure that you always encrypt your network traffic. For best security, you can choose WPA2. Older protocols like WPA and the ancient WEP won’t protect you satisfactorily. That router that supports the newer WPA3 protocol can also be tried out. It is an improvement over WPA2 but it is necessary that all of your connecting devices must support that protocol. It is best to use WPA2 for now, and then move to WPA3 once all devices in the household are also changed.

While setting up WPA2 encryption, it is advisable to use WPA2 Personal if possible in your router settings. If you find TKIP and AES as different encryption options, go with AES as it is much stronger.

For older devices that only have WEP, upgrade your router.

Those users who do not encrypt as you need to share your internet with others, keep in mind that people can spy on your internet traffic which could lead to some problems down the road.

Change SSID

A Service Set Identifier (SSID) is the name of a wireless network. It is the name that you see while trying to connect to a Wi-Fi network such as Linksys616, D-Link2289, 555MainSt, etc.

Most routers use a combination of the manufacturer name and numeric string like a model name for the SSID. This makes it easier for an attacker to look up the default admin password. Just change the SSID unless you have a modern router that issues random passwords as part of the factory settings.

Turn off remote access

There are routers that let you access the administrator account from outside your home network. You need to disable this feature. Some users might have to leave this on, and by turning it off, someone will have to be in range of your router and successfully connect to it to attempt mischief. You can then protect yourself by enabling encryption, changing your SSID, and turning off WPS.

Disable Wi-Fi Protected Setup (WPS)

WPA2 and the older WPA protocol needs more complicated passwords for Wi-Fi access. In order to easily connect to those types of networks, router manufacturers started providing Wi-Fi Protected Setup, or WPS, as a feature. But it can be easily cracked, and so you need to disable it.

Consider this feature similar to setting both a password and another, less complex form of authentication on the same device. On a mobile device, that might be a personal identification number (PIN) or registering a fingerprint. Instead of entering your password, you can simply enter the PIN or hold your finger against a reader.

WPS works similarly, except that it comes as a default part of your settings. The two common methods for implementation are either an eight-digit PIN or a button you push on the router (either physically or virtually) to authenticate a device and allow it onto your network. The PIN method is the more vulnerable of the two: Hackers can guess the PIN through brute force — and possibly lock up your router as the cracking happens, which effectively causes a denial-of-service attack on your network.

In the push-button method, anyone who can have physical access to your router can still use it as a roundabout way to determine your Wi-Fi password.

Update router’s firmware

Over time, your router’s existing firmware can have vulnerabilities. Check for regular updates to patch those weaknesses. Most routers have automatic notifications and updates built into the admin account’s interface. If not you can also easily perform manually by going to your router’s support page, and checking to see what the latest firmware version is. If a newer one is available, download it and then follow the instructions for applying the update to your router.

Disable UPnP

Universal Plug and Play (UPnP) is a common feature on routers that allows network devices to find each other easily. UPnP can help when trying to get VOIP services and online gaming on consoles working properly — it allows devices from other networks to access them. Some routers also have a “Demilitarized Zone,” or DMZ — a mode that allows all of a device’s ports to be exposed to the internet. It’s a more nuclear option than UPnP.

Any port exposed to the internet is a vulnerability. Windows built-in firewall protects your PC from malicious actors from trying to gain access to perform DDoS attacks.

Avoid leaving ports open on a device, and disable any DMZ-like feature. UPnP is often not necessary, so leave that off and instead, use manual port forwarding.

Set up a guest network for smart home devices

Some routers have a feature called a guest network where you can set up a separate SSID and password for access to your home network, and people on that network won’t be able to see devices on your primary network.

By separating your guests’ internet access from your household’s, you can diminish snooping on the traffic of your home devices. A guest network is also a good feature when it comes to insecure devices — like baby monitors, smart speakers, and other smart devices that can be put online but don’t often have strong security to prevent being taken over and then used in eavesdropping attacks.

Disable Wi-Fi access to your router’s admin account

Users so not often log into their router’s administrator account. On some routers, you can restrict admin account access to devices on a wired ethernet connection only. In order to lock down those privileges, turn that feature on. Later someone would require both physical access and a wired device to manage your router.

This setting is best for people who logs into the admin account via a PC. You can also use phones and tablets but you will require an appropriate dongle to connect an ethernet cable to the device.

Enable MAC Filtering

All internet-capable devices have a Media Access Control (MAC) address which is a unique string of alphanumeric characters formatted as six pairs of characters connected by colons. A MAC address is how your PC, phone, or other gear identifies itself to your router.

You can make Wi-Fi available to specific devices based on MAC addresses. Your router grants access if a MAC address is on its allow list. Your router will prevent any device not on that list from connecting — even when it provides the correct Wi-Fi password.

Be aware as MAC addresses can also be spoofed. So any device that fakes the MAC address of a device on the allow list can still connect to your router with your Wi-Fi password.

MAC filtering at home can also make you less anonymous. The latest versions of Android and iOS use randomized MAC addresses to reduce your chances of being tracked by that identifier. Usually, people will turn off the feature for MAC filtering, as the alternative is updating your router’s allow list with the new MAC address each time you want to connect to the Wi-Fi at home.

--

--

Remesh Ramachandran
Remesh Ramachandran

Written by Remesh Ramachandran

Security Researcher & Consultant for the Government, Enthusiast, Malware Analyst, Penetration Tester He has been successful participant in various bug bounty

No responses yet