WiFi networks have become the norm, but they raise a number of security problems: they can let an intruder reach your home network, the machines connected to it and its traffic, and the attacker can work discreetly, from a distance, without ever touching your equipment. As you will see, strengthening the security of your WiFi network is not just a matter of changing the network key. Here are some tips to improve the protection of your network against intrusions.
WiFi: limited security, whatever you do
The first piece of advice is not to believe that you can make your WiFi network completely impervious to attack. The technology has several inherent weaknesses. First, it relies on radio waves that pass through walls: the signal is available all around your home, which is particularly true when you live in an apartment in town.
The second problem is that encryption no longer guarantees absolute security. Known and well-documented flaws (in WPS in particular) make it possible to join a wireless network without even guessing the key on routers that have not been updated. WEP can be cracked in minutes, and WPA with TKIP is not far behind. In 2017 the WPA2 handshake itself was shown to be attackable (the KRACK key-reinstallation attacks): the flaw does not reveal your key, but on unpatched clients it lets an attacker within radio range decrypt traffic, which is one more reason to keep every device updated.
The WiFi Alliance has since announced WPA3, which should buy some time against attackers. But WPA3-compatible routers, and WPA3 devices more generally, are still rare, and it is safe to assume that attackers will eventually find a way around it too.
The first way to strengthen the security of your WiFi network is therefore to harden what is actually at risk of being compromised: the devices connected to it. Treat the wireless network as semi-hostile rather than trusted. Hence the relevance, for example, of a firewall running directly on your computer rather than relying solely on the router's.
Password, security…: basic advice
Let's start with common-sense advice which is unfortunately not always followed. If you already know it, skip ahead to the more advanced tips and/or the methods we don't recommend.
Choose a strong password for your WiFi network
In general, your WiFi network is managed by your ISP's box. This means your ISP has usually already assigned you a long, random connection key, printed on the box's label, which you do not have to change, unless the box sits in a shared space and you want to prevent anyone who can read the label from connecting.
Either way, if you change it, choose something that is both memorable and strong. Keep in mind that anyone who records the handshake of a device joining your network can then try to guess the key offline, at leisure, so length matters more than special characters. In this article we give you sound advice on choosing better passwords. One of them is to build passphrases from sequences of several pronounceable words rather than short strings of numbers, letters and special characters.
Choose the highest encryption compatible with your devices
In general, all routers offer these encryption methods (the most secure in the list is marked with an asterisk):
- 64-bit WEP
- 128-bit WEP
- WPA-PSK (TKIP)
- WPA-PSK (AES)
- WPA2-PSK (TKIP)
- WPA2-PSK (AES) *
- WPA / WPA2-PSK (TKIP + AES)
* the strongest option on most routers is this one, not the one after it, as unfortunately many users believe.
More recently, some devices also offer WPA3-Personal.
WEP (Wired Equivalent Privacy) is the oldest of these methods and is today barely better than leaving your network open, in its 64-bit and 128-bit versions alike: the key can be recovered in minutes from captured traffic. It is to be avoided in all cases.
WPA (Wi-Fi Protected Access) is a series of standards designed to improve on it. The first WPA was quickly superseded by WPA2, and more recently, after critical protocol flaws were discovered, the WiFi Alliance launched WPA3. The problem is that this latest technology is still slow to spread.
TKIP is the old encryption method used by the first WPA, designed as a stopgap that could run on WEP-era hardware; it is now deprecated.
AES here means AES-CCMP, the cipher suite introduced with WPA2; AES is a standard strong enough to be approved for classified government data.
The WPA / WPA2-PSK (TKIP + AES) mode is not, contrary to popular belief, the most secure mode available on your router. It is a hybrid mode that accepts both versions of WPA and both ciphers (TKIP and AES) for compatibility. But it lets an attacker exploit the weaknesses of the first WPA and of TKIP, a weaker cipher than AES; and since the group key used for broadcast traffic must be understood by every client, a single TKIP client drags the whole network's broadcast traffic down to TKIP. (WPA2 itself is not flawless either, as noted above.)
This is why, if your devices allow it, we recommend choosing WPA2-PSK (AES) on your router while WPA3 remains slow to appear. If the router offers WPA3 and all your devices support it, choose WPA3; a WPA2/WPA3 transition mode is the fallback when a few older clients remain.
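To make the "compatibility mode versus WPA2-AES" choice concrete, here is a small audit script (an added example, not code from the original article or from any router vendor). It checks hostapd-style key=value settings, the format used by the Linux access-point daemon, rather than an ISP box's web interface; the two configurations, the operator-prefix list and the 20-character passphrase threshold are constructed for illustration:

```python
"""Audit an access-point configuration for the weak settings discussed above.
Added example (not from the original article): the checks target hostapd-style
key=value settings; both sample configurations below are constructed."""

# Constructed "maximum compatibility" configuration, the kind many boxes ship
# with: mixed WPA/WPA2, TKIP allowed, WPS enabled, no management-frame protection.
WEAK_CONF = """\
interface=wlan0
ssid=Livebox-F986
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=password
wps_state=2
"""

# Constructed hardened version: WPA2 only, CCMP (AES) only, protected
# management frames required, WPS off, an SSID that does not name the operator,
# and a multi-word passphrase.
HARDENED_CONF = """\
interface=wlan0
ssid=tea-kettle-42
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 1998
ieee80211w=2
wps_state=0
"""

# Default SSID prefixes of the operator boxes named in the article.
OPERATOR_PREFIXES = ("livebox", "bbox", "freebox", "sfr")

# Heuristic threshold (an assumption, not a standard): a WPA passphrase
# shorter than this is cheap to brute-force offline from a captured handshake.
MIN_PASSPHRASE_LEN = 20


def parse_conf(text):
    """Parse hostapd-style 'key=value' lines into a dict, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    c = parse_conf(text)
    findings = []
    wpa = int(c.get("wpa", "0"))          # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    key_mgmt = set(c.get("wpa_key_mgmt", "").split())
    ciphers = set(c.get("wpa_pairwise", "").split()) | set(c.get("rsn_pairwise", "").split())

    if any(k.startswith("wep_") for k in c):
        findings.append("WEP keys present: WEP is broken, remove them")
    if wpa == 0:
        findings.append("wpa=0: open network, no WPA/WPA2 at all")
    if wpa & 1:
        findings.append("wpa=%d: WPA (version 1) accepted, mixed mode exposes WPA1/TKIP weaknesses" % wpa)
    if "TKIP" in ciphers:
        findings.append("TKIP allowed as pairwise cipher: use CCMP (AES) only")
    if wpa & 2 and "CCMP" not in ciphers:
        findings.append("rsn_pairwise does not pin CCMP: set rsn_pairwise=CCMP")
    if c.get("wps_state", "0") != "0":
        findings.append("wps_state=%s: WPS enabled, set wps_state=0" % c["wps_state"])
    if c.get("ieee80211w", "0") != "2":   # 0 = off, 1 = optional, 2 = required
        findings.append("ieee80211w!=2: protected management frames not required")
    if "WPA-PSK" in key_mgmt and len(c.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append("wpa_passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    if c.get("ssid", "").lower().startswith(OPERATOR_PREFIXES):
        findings.append("ssid advertises the operator's box model")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["no weak settings found"])
```

The weak configuration trips six checks; the hardened one trips none. The `ieee80211w=2` check is stricter than the article's minimum: it rejects the spoofed deauthentication frames used to force clients to reconnect, but a few old clients cannot join a network that requires it, so relax it to 1 if you still own such devices.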
Change the name of your network (SSID)
By default your internet box broadcasts a name that gives away its origin. For example, with a Livebox the default name will be something like Livebox-F986. Each operator has its own naming pattern, which is a useful hint for an attacker looking for a flaw in your equipment: if it is a Bbox, Livebox, Freebox or SFR box, he only has to try the vulnerabilities known for that model.
So why not confuse everyone instead? Choose a different name, either something completely unrelated or a name reminiscent of another operator's box. This does not improve security much by itself, but it will cost a potential attacker a little time. There is one real, if modest, benefit: the WPA2 key is derived from your passphrase and the network name together, so the precomputed tables that exist for the most common default names cannot be reused against a network with a unique name.
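The two points above (a long passphrase, and a network name that is not a common default) come together in the way WPA/WPA2-PSK actually derives the key. The script below is an added example, not code from the original article: it derives the PSK exactly as IEEE 802.11i specifies and compares the search space of a few passphrase styles. The short word list is constructed for illustration, and the guess rate in the demo is an assumption, not a measurement:

```python
"""WPA/WPA2-PSK key derivation and passphrase strength. Added example, not from
the original article; the short word list is constructed for illustration and
the guess rate used in the demo is an assumption, not a measurement."""
import hashlib
import math
import secrets


def wpa2_psk(passphrase, ssid):
    """Derive the 256-bit PSK exactly as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why a precomputed table only helps
    against networks that use the same name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a passphrase of word_count words drawn uniformly at random
    from a list of wordlist_size words (or characters from an alphabet)."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


# Constructed mini word list; a real generator would use a few thousand words
# (for example a Diceware list of 7776 words).
WORDS = ("kettle", "harbour", "violet", "compass", "walnut", "lantern",
         "meadow", "saddle", "pepper", "granite", "thimble", "orbit")


def random_passphrase(word_count, words=WORDS):
    """Pick words with the OS CSPRNG (secrets), never with random.choice()."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # Same passphrase, two SSIDs: the PSK (what actually protects the frames)
    # differs completely, so a table built for "IEEE" is useless for the other name.
    print(wpa2_psk("password", "IEEE").hex())
    print(wpa2_psk("password", "Livebox-F986").hex())
    rate = 1e6  # assumed guesses per second, for comparison only
    for label, bits in (("8 random alphanumerics", passphrase_entropy_bits(8, 62)),
                        ("4 Diceware words", passphrase_entropy_bits(4, 7776)),
                        ("6 Diceware words", passphrase_entropy_bits(6, 7776))):
        print("%-22s %5.1f bits  ~%.3g years at %.0e guesses/s"
              % (label, bits, years_to_exhaust(bits, rate), rate))
    print("example:", random_passphrase(5))
```

The first PSK printed matches the test vector published with the 802.11i standard (passphrase "password", SSID "IEEE"). Note that 4096 PBKDF2 iterations are cheap on modern GPUs, which is why the passphrase's own entropy, not the derivation, is what stands between a captured handshake and your key.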
Keep your router up to date
It goes without saying that when flaws are found, manufacturers tend to fix them and release updates. However, updating is not automatic on every model, so log into the administration interface from time to time and check whether newer firmware is available.
More advanced tips for securing your WiFi network
Beyond the basics, a few actions will raise security by a few notches and reduce the risk of attack.
Disable WPS
WPS (Wi-Fi Protected Setup) is a technology launched by the Wi-Fi Alliance to simplify connecting a device to a WiFi network. The best-known form is a physical button on the router: press it, and the pairing of a device is validated without typing the password. But there are several WPS connection methods. One of them relies on an eight-digit PIN set at the factory, sometimes a trivial default such as 12345678 on older models. Worse, the protocol validates the PIN in two halves and the last digit is a checksum, so an attacker needs at most about 11,000 attempts instead of 100 million to find it: a matter of hours on a router that does not rate-limit attempts.
Other flaws affect newer models and other WPS modes. For example, a protocol attack was demonstrated in 2017 on the Livebox 2 and 3 and the Neufbox 4, 6 and 6V. The flaw was rather worrying, since it was enough for the attacker to send an empty PIN to establish the connection. In short, if you do not use WPS, and many users do not even know the feature exists on their router, disable it in the box's management interface. On some firmware the button and PIN methods are separate settings: disable both, and check that the setting is still off after a reboot.
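The arithmetic behind the "11,000 attempts" figure, as an added example (not from the original article): the checksum rule comes from the Wi-Fi Simple Configuration specification, and the attempt rate used at the end is an assumption, since real routers vary.

```python
"""Why the WPS PIN is weak: checksum digit and search-space arithmetic.
Added example, not from the original article."""


def wps_checksum(first_seven):
    """Compute the 8th (checksum) digit of a WPS PIN from its first seven
    digits: digits are weighted 3,1,3,1,3,1,3 from the left, summed, and the
    checksum is whatever makes the total a multiple of ten."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True if pin is eight digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(int(pin[:7]))


def worst_case_guesses(split_verification=True, checksum_enforced=True):
    """Number of PIN attempts an attacker needs in the worst case.

    The registrar acknowledges the first four digits (message M4) before the
    last four (M6), so the halves can be searched independently; with the
    checksum, the second half has only three free digits."""
    if not split_verification:
        return 10 ** 7 if checksum_enforced else 10 ** 8
    second_half = 10 ** 3 if checksum_enforced else 10 ** 4
    return 10 ** 4 + second_half


def hours_to_exhaust(seconds_per_attempt, **kw):
    """Worst-case time for the full search at a given attempt rate."""
    return worst_case_guesses(**kw) * seconds_per_attempt / 3600.0


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("12345678 valid:", is_valid_wps_pin("12345678"))
    print("guesses, naive 8-digit search:", worst_case_guesses(False, False))
    print("guesses, real protocol:", worst_case_guesses())
    # 1.5 s per attempt is an assumption; actual rates depend on the router.
    print("hours at 1.5 s/attempt:", round(hours_to_exhaust(1.5), 1))
```

Note that 12345678 is not even a well-formed PIN under the checksum rule (the valid PIN with that prefix is 12345670); a router that accepts it is ignoring the checksum, which only makes the search slightly larger. A router that locks WPS after a few failed PINs blocks this, but the only reliable protection is to turn WPS off.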
Hide the SSID
To go further, you can opt for a strategy aimed at making your network as discreet as possible in an environment already saturated with WiFi networks. One of the tips in this direction is to hide the network name (SSID). It will then no longer appear in the list of wireless networks on computers, smartphones and tablets.
It is nevertheless easy to discover a hidden network with specialised tools, since the name is still sent in cleartext every time a device connects; worse, devices configured for a hidden network keep probing for it by name wherever they go, which leaks the name even when you are away from home. Joining still requires both the name and the key, so at best this is an obstacle that costs an attacker a little time, not a real security measure.
To connect to your network, you will now have to enter its name, security type and key manually.
Reduce the signal strength and therefore its range
Unfortunately not all routers allow this, but one of the better ways to make your network less exposed is to reduce the transmit power of the WiFi signal. Connecting from outside your walls then becomes harder. Keep in mind that an attacker with a directional antenna can still pick up a weak signal, so this reduces exposure rather than eliminating it.
In the same vein, if your devices are compatible, opt for a single 5 GHz WiFi network and disable the 2.4 GHz one: the higher the frequency, the more readily the signal is absorbed by walls. We also advise disabling WiFi, if possible, when you leave home for long periods, for example on vacation.
Take a look at the list of connected clients from time to time
Go from time to time to the router's administration pages to check the list of connected devices and verify that every device is one you authorised. The MAC address of each device can help: its first three bytes (the OUI) normally identify the manufacturer. Note that recent phones and laptops randomise their MAC address per network, so an entry with an unrecognised vendor may simply be your own phone with a random address; check the hostname and the time of connection before worrying. This site lets you look up a lot of information from a MAC address:
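A small script to do this review offline, as an added example that is not code from the original article: it compares a client table against your own allow-list, looks up the manufacturer from the OUI, and flags randomised (locally administered) addresses so they are not mistaken for intruders. The client table, the allow-list and the three-entry OUI excerpt are constructed for illustration:

```python
"""Review a router's client table: flag devices not on your allow-list, show
the manufacturer from the OUI, and spot randomised addresses. Added example,
not from the original article; the client table, allow-list and OUI excerpt
are all constructed."""

# Constructed snapshot of a box's "connected devices" page: MAC, IP, hostname.
CLIENT_TABLE = """\
F0:18:98:1A:2B:3C 192.168.1.10 iPhone
B8:27:EB:AA:BB:CC 192.168.1.11 raspberrypi
00:17:88:01:02:03 192.168.1.12 Philips-hue
DA:5E:33:4F:99:10 192.168.1.13 android-7c1
00:11:22:33:44:55 192.168.1.14 (unknown)
"""

# Tiny constructed excerpt of the IEEE OUI registry; use the full registry
# (or an online lookup) in practice.
OUI = {
    "f0:18:98": "Apple",
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:17:88": "Philips Lighting",
}

# Your own inventory: the addresses you registered yourself.
AUTHORISED = {
    "f0:18:98:1a:2b:3c",
    "b8:27:eb:aa:bb:cc",
    "00:17:88:01:02:03",
}


def normalise(mac):
    """Lower-case, colon-separated form; also accepts 'AA-BB-CC-DD-EE-FF'
    and Cisco-style 'aabb.ccdd.eeff'."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """Bit 1 of the first octet set: the address was chosen by software, which
    is what iOS/Android 'private address' randomisation produces."""
    return int(normalise(mac)[:2], 16) & 0x02 != 0


def vendor(mac):
    """Manufacturer from the 24-bit OUI prefix, or 'unknown OUI'."""
    return OUI.get(normalise(mac)[:8], "unknown OUI")


def review(table, authorised):
    """Return one dict per client with the checks a reviewer needs."""
    rows = []
    for line in table.splitlines():
        mac, ip, hostname = line.split(maxsplit=2)
        mac = normalise(mac)
        rows.append({
            "mac": mac,
            "ip": ip,
            "hostname": hostname,
            "vendor": vendor(mac),
            "randomised": is_locally_administered(mac),
            "authorised": mac in authorised,
        })
    return rows


def unknown_clients(table, authorised):
    """Clients that are not on the allow-list, in table order."""
    return [r for r in review(table, authorised) if not r["authorised"]]


if __name__ == "__main__":
    for r in review(CLIENT_TABLE, AUTHORISED):
        flag = "ok     " if r["authorised"] else "UNKNOWN"
        note = " (randomised address, may be a known phone)" if r["randomised"] else ""
        print("%s %s %-13s %-12s %s%s"
              % (flag, r["mac"], r["ip"], r["hostname"], r["vendor"], note))
```

Of the two unknown entries in the sample, the first has the locally-administered bit set and an Android-style hostname, so it is most likely a phone you already know, presenting a fresh random address; the second has neither a known OUI nor a hostname and deserves a closer look.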
Choose a different login / password for the administration of your router
Imagine that an intruder manages to get onto your network without your knowledge and changes the router's configuration to reduce the risk of being discovered, or to carry out an attack. This is why it is strongly advised to change the router's default username and password, even if its management interface is only reachable from your own network: a malicious web page opened on any computer in the house can send requests to the router from the inside. If the login/password is Admin/Password, or something like it, as is alas often the case, change it urgently.
The complicated methods we don’t recommend (and why)
Besides these, there are methods we have read elsewhere on the net that are best avoided, either because they needlessly complicate using the WiFi network (and are therefore likely to be abandoned quickly) or because they do not really improve the security of the WiFi network itself, while making the connection less stable.
MAC address filtering: try it, hate it
Often recommended, MAC address filtering should be avoided for two reasons. The first, undoubtedly the most important, is that this address, originally conceived as a kind of electronic tattoo, is trivial to change. The MAC addresses of your authorised devices travel in cleartext in every frame, encrypted network or not, so an intruder only has to listen to the channel for a few seconds, note one, and configure his own card to use it. No brute force is even needed.
The second is that each time you have guests, you will have to retrieve their MAC address and add it to the list of authorised devices before they can connect; and since modern phones present a different random address on each network, even your own devices may need re-registering. We bet that will not amuse you for more than two minutes!
Install a VPN on the home router
We have seen, in other guides on the subject, some advising you to configure a VPN on your router. We believe this advice is a distortion of a sound one: using a VPN when you connect to public WiFi networks. The idea is to encrypt the traffic between your machine and the VPN exit point, which makes man-in-the-middle attacks on the hotspot much harder.
At home we are talking about a private network, where the risk of this kind of attack is precisely very low (especially if you follow the advice above). Besides helping you reach Netflix US from every device in the house, setting up a VPN on your router (instead of on your devices) adds nothing to the security of the WiFi link itself: the tunnel starts at the router, after the wireless segment it is supposed to protect.
Finally, having tested the thing on several models of routers (in particular Netgear with Voxel firmware or DD-WRT…), it tends to make the connection unstable, with quite frequent cuts that can last several minutes each time. You then risk being one of the most hated people in your household, identified as the one "who always breaks the internet connection with his tinkering", and that, frankly, believe me, is not cool (I know something about it!).