- WLAN from A to Z: standards, abbreviations and explanations
- The security of your smart home depends on your WiFi
The WLAN router is increasingly becoming the control center in the smart home , but every new device that we connect to it is a new attack vector. The WLAN identifier may not be properly secured via this and attackers can gain access to your network. So that we make it as difficult as possible for the attackers, there are a few rules of thumb to keep in mind when securing our WLAN.
Before you get started, you can let your curiosity prevail: find out whether a stranger is sniffing out your WiFi. We have prepared instructions for this in a separate article:
Even if everything looks clean, your WiFi data may already have fallen into the hands of an unauthorized third party. Maybe he’s just not currently connected to your network and is still waiting. Therefore, the following steps are nevertheless worthwhile.
You can implement all of the following tips on your router. You can find out how to connect to it in order to configure it either on the sticker on your router or in the documents supplied. There you will find the local (IP) address and the administrator password.
A bonus security tip at this point is to change the default access for the admin interface of your router. Once connected to the WLAN, an attacker could otherwise gain access to your router configuration simply by trying known standard combinations.
1. Hide SSID, deactivate WPS push
Even if this method will not deter clever attackers, it does raise the threshold for abuse a little. The name of your WiFi network is known as a service set identifier (SSID for short) and can be hidden. Then, at least for laptops, tablets or smartphones in your area, it will no longer be displayed in the “List of available WLAN networks”. Of course, the resourceful snoop doesn’t stop you from finding your network anyway.
Wireless Protected Setup , or WPS for short, is a simple method of connecting to a WiFi network without entering a password. The protection is that the new client has to press a button on your router or on a repeater. If he activates WPS push in his device within a small time window, the device and the router connect. The attacker therefore needs physical access to your WLAN hardware. Protect your WLAN by either making the router more difficult to access or by switching off WPS in your router settings.
2. Use and restrict guest access for secure WiFi
Most WiFi routers now allow you to set up a second WiFi for guests . They are then not allowed to see devices in your private network. And your router may also offer the option of further restricting guest access. For example, if you specify that only e-mail and web connections may be established, activities such as file sharing or remote control become more difficult.
Such access is particularly recommended if your smart home device is used by different manufacturers. Because no quality standard for WLAN security has yet been established for them, one has to classify them as generally insecure. Any lightbulb connected via WiFi could potentially give attackers access to your network. And at the latest then the home server with your private photos and documents should not be in it.
Michael Steigerwald demonstrated such a hack using the WLAN light bulbs that Heise has now outed as Tuya :
If you want to know more about the advantages of guest access for your WiFi, you can find more good tips here .
3. Use only WPA2 encryption for the WLAN, activate MAC filter
It should be self-evident that the data between the router and the WLAN end device must be encrypted and not transmitted in an audible manner. Unfortunately, the encryption used, such as WEP or WPA, is only secure as long as its security vulnerabilities are not known.
Step number 1 should be that you change the encryption (or “network security”) to “only WPA2” in the router settings. Parallel operation “WPA / WPA2” allows old devices to establish the easily crackable WPA connection, which can give attackers access to your network key.
Since the WPA2 vulnerability KRACK became known at the end of 2017, even the WPA2 , which until then had been described as safe and still has no alternative in current routers, has suffered an image damage. Several routers and repeaters received corresponding patches and made WPA2 reasonably secure again. But shortly afterwards, the WiFi alliance responsible for WLAN standardization specified WPA3 . This is the only way to make encryption much more difficult to crack.
Theoretically, WPA2 routers could be upgraded to WPA3 using a software update (see the exciting discussion in the Golem forum ). But since the router chipset has to encrypt the data stream in real time, it may be that existing hardware cannot handle this effort with its current computing power. Therefore, we are still looking forward to the first WPA3 router.
A filter for certain media access control (MAC) addresses can further increase security. Using a so-called whitelist, you determine which device IDs are assigned an IP address by the router. An attacker would first have to read an identifier from an approved device and take over its identity via spoofing.
4. Use new router firmware
The router is your linchpin when it comes to the security of your WiFi network. Because it defines which standards apply to data traffic at home. However, if its software is not up to date, even the best configuration will not help. Then security gaps like the KRACK mentioned above remain open.
Some router manufacturers regularly deliver updates that are installed automatically. Others require that you initiate the installation manually in the router configuration. A few manufacturers deliver updates rarely or far too late. And all manufacturers will put an end to updates at some point. If the model is too old, it will be given the “End of Life” status and left to its own devices.
With a bit of luck and enjoyment of handicrafts, you can replace the firmware with the community software OpenWRT .
WLAN is convenient and completely justifiably standard equipment in modern households. But unauthorized third parties take advantage of this and like to joke around with it. To make it at least as difficult as possible for you, you should at least protect your private data in your network and operate it separately from less trustworthy devices such as WLAN light bulbs.
Software updates of your router should be installed as soon as possible and – if possible – automatically installed. And when WPA3 is finally available in new hardware, upgrading your existing WiFi equipment is definitely worth it. Your provider may help you with this.