Make a WiFi router secure against hackers

February 18, 2020 Eric Networking and Internet Problems, PC Problems and Solutions 0

Linksys WRT1900ACS dedicated router
Linksys WRT1900ACS dedicated router

Problem

I have a Linksys ADSL modem router that provides cabled Ethernet and wireless WiFi network connections. I want to know how to configure its setup settings to make the WiFi router secure from my neighbours (US: neighbors) and hackers.

Answer

WiFi broadcasts are always detectable

Why must you make your WiFi router secure? –  Because a modem router that broadcasts a WiFi signal can have that signal detected and picked up by a scanner or any other suitably equipped computer that is within its range. For that reason, if you only use one computer connected to a broadband modem router, it is best to have it set up close to your telephone line so that it can use a cable (Ethernet) connection. In that case, only experts on how telephone exchanges work who have or can gain access to the telephone network can tap into a telephone line.

Using a Powerline/Ethernet network

If you create an Ethernet Powerline network – that uses the mains wiring in a house to create a network – and you connect the computers in the house to that network using Ethernet cables, connecting the Powerline adapters to each computer – instead of WiFi – that would be the most secure form of network.

The annotated image below illustrates such a network. Note that wireless Powerline adapters are also available. The adapters come in pairs. You plug one Powerline adapter into a mains socket and then connect the adapter to your (main) router using an Ethernet cable. You plug the other adapter into a mains socket elsewhere in the building that uses the same electrical circuitry, then use an Ethernet cable to connect to the device that you want to join the network, That device can be another router as well as the devices shown in the image below.. Some sets of adapters also provide a mains socket on them so that you can plug in non-network devices, such as a vacuum cleaner..

Ethernet Powerline network
Ethernet Powerline network. Click on the image to view its full size

Make a WiFi router secure against Denial of Service (DOS) attacks

Spammers can make use of unsecured networks to send spam all over the Internet from your network and hackers can infiltrate and make use of hundreds unsecured computers to launch Denial of Service (DOS) attacks on websites that renders them unusable. Therefore, it is crucial that the proper measures are taken to prevent unauthorised access to the network and/or Internet connection – even if you don’t have any data worth protecting yourself.

Wireless WiFi networking is always an insecure means of transferring data

The only totally secure WiFi network system is one that is not plugged in, or is turned off completely all of the time, obviously neither of which is an option for a network or an Internet connection. By its very nature, even with the best security measures employed, wireless networking is always an insecure means of transferring data. A determined and able hacker could find a way into your home network, even if gaining entrance has to involve going as far as breaking into your home to search for documents containing passwords, etc.

For instance, if your network’s router is in an unlocked room, anyone who gains access to that room can press a button to reset the router to its factory default settings and gain unsecured access to the network. If an intruder can gain access to a network’s router, Powerline Ethernet ports, he can access and use your network.

Complete WiFi security against hackers is nearly impossible

Because of human error and weaknesses, complete WiFi security from hackers is nearly impossible, but far too many wireless routers and wireless Access Points (WAPs) are still set up with no security implementations at all.

For example, I have come across situations, both residential and commercial, where a wireless ADSL modem router, which is connected to the web by a landline and to an internet network of two or more home computers, has been left wide open to any outside user who happens to be within its range. The main reason for this is that the person who set up the router (or Access Point) has ignorantly not enabled encryption, leaving the broadband connection open to anyone within range. The access settings are often left at the factory defaults that are written on the bottom of the router. Default login information is also often publicly available from the router’s manufacturer’s website or can be guessed by skillful, experienced hackers.

The security precautions listed in the user manual for a Linksys router

Note that a particular router’s or wireless Access Point’s user manual provides all of the information you need in order to be able to enable or disable any of the settings.

Here are the security precautions listed in the user manual for a Linksys router:

“The following is a complete list of security precautions to take (at least steps 1 through 5 should be followed): 1. – Change the default SSID. [Note that a dual-band router has a separate SSID for the 2.4GHz and the 5.0 GHz bands.] 2. – Disable SSID Broadcast. 3. – Change the default password for the Administrator account. 4. – Enable MAC Address Filtering. 5. – Change the SSID periodically. 6. – Use the highest encryption algorithm possible. (WPA2/PSK) if it is available. Please note that this may reduce your network performance. 7. – Change the WPA/WPA2 encryption key(s) periodically.”

Note that dual-band router provides configuration settings for both the 2.4GHz and 5GHz bands that it uses and can switch between.

Service set identification (SSID) –

https://en.wikipedia.org/wiki/Service_set_%28802.11_network%29#Service_set_identification_.28SSID.29

WPS – WiFi Protected Access

Most modem routers provide a feature called WiFi Protected Setup (WPS). The router has a WPS button. You press it to connect a new device automatically if the router’s security settings allow that to happen.

When it is enabled in the router’s settings, WPS is known to be vulnerable to password-cracking software if a password (registration) is necessary to connect a new device. The feature has three possible settings – 1. – To connect a new device automatically – 2. – To require a password to connect a new device – 3. – Never to connect a new device.

The setup page of a router’s wireless network settings in the image below shows the security settings and WPS options. WPS is Enabled and New stations are allowed (automatically).

Those are the most insecure settings.  If someone with a wireless device has access to the router, just pressing its WPS button connects that device to the network automatically.

The most secure settings are to have WPS disabled

The most secure settings are to have WPS disabled and the setting to never connect a new device enabled.

If you want to use WPS to connect a new device to the network, open the router’s settings using the login user name and password and enable the WPS and “Connect a new device automatically” settings. After you have finished using the new device, disable those settings.

Note that you should replace the router’s settings page’s default login user name and password with your own, because the default ones are the same for all of the routers made by a particular manufacturer.

Router security and WPS settings
Router security and WPS settings. Click on the image to view its full size.

Wi-Fi protected Access – https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

Using a guest network

Some routers, bought independently, not usually provided by Internet Service Providers, provide an option to use guest network.  If you have visitors to your home or business who need to use your broadband connection, if available, using it is good from a security point of view. Guests are isolated from the main network and so cannot hack into any of the computers on it. You give the guest network its own login details to prevent guests from logging in to your home or business network.

A guest network is available on both the 2.4GHz and 5GHz bands. You configure it in the same way as any other wireless network. Just make sure that it has different login password.

The settings configuration webpage of a Linksys modem router

The image below is of the configuration webpage of a Linksys modem router. Click on it to view its full size.

The configuration webpage of a Linksys modem router showing the SSID setting
The configuration webpage of a Linksys modem router showing the SSID setting. Click on the image to view its full size

Avoid using old WEP encryption – it is easy to hack

Note that a knowledgeable hacker can easily get around finding a network that has the broadcasting of its network name – SSID – disabled. Also note that you should not use WEP encryption unless there is no WPA option, because it is easy to crack. You change or disable the SSID in a router’s web-based configuration page that provides all of the router’s settings. There is a video provided at the end of this page that shows how to access a router’s setup page under the heading: “How to find out who has been using your Wi-Fi network”.

All of the above-mentioned configuration settings are made available from a router’s web-based configuration page, discussed here on this website: Wireless network security: WEP, WPA, and WPA2 encryption.

Routers that support wireless and wired connections (usually providing 4 Ethernet ports for cabled connections) are the main piece of networking equipment around which a home network is created. These are dealt with in detail on the Networking section of this website. Routers with 8 Ethernet ports are available, but are more expensive.

Router manufacturers continue providing support for the older security encryption standards in order to make it possible to continue using the older equipment that supports them. If your equipment only supports WEP, you should update it, because it is easily cracked, but the original WPA can still be used if the latest version is not available.

Make a WiFi router secure – Neighbours’ networks left open to access

During a visit to someone having problems with a wireless network, there were several wireless networks in the vicinity completely open to access from the main computer in his house.

Every one of the Access Points had the default name or SSID, the default channel (6), and the default security level (NONE). Believe it or not, many of these networks were installed and configured by the technicians of major broadband Internet Service Providers.

The first step in making your Linksys WiFi router secure is to change the SSID and create a strong password

The first step in making your Linksys wireless router secure is to change the SSID (broadcasted network name) from linksys (the default for a Linksys router) to something else and then change the password.

Create a strong password, using a combination of numbers and letters (capital and low case) to make it more difficult to guess or crack with password cracking tools. Definitely don’t use your last name, because using that would just make it easy to guess and for an unscrupulous neighbour to know exactly who it is whose network he has successfully broken into.

Never use a password with eight characters or less because they are relatively easy to crack. The more characters a password has and the more diverse the characters are the longer password cracking software would take to crack it. A password of 15 diverse characters would take many years to hack by the most up-to-date password-cracking tool.

Most people use something like their child’s name or pet’s name. Don’t do that! Hackers will look for information about you in the social networks on which you might name your pets.

The most effective passwords are long and contain alphanumeric characters (both letters and numbers). You can also use # – +, *, etc. Some routers are even case sensitive. So, using a capital “P” instead of lowercase “p” would make a telling difference to its crackability.

Make a WiFi router secure – Ways to create a clever uncrackable password that you can remember easily

There are ways to create a clever password that you can remember easily.

For example, by using the first letters (capital letters and lower case letters) in each of the words and the number in full in these two sentences – “I was born in Plymouth. My son is 25 years of age” – you get the password IwbiPMsi25yoa, which is made up of lower case and capital letters and contains a number, making it impossible to guess. It doesn’t appear in a dictionary so software that uses the words in a dictionary to gain access won’t be able to crack it. The more imaginative the sentence you use is, the more uncrackable the password is. “The screwy British parliament contains 650 mostly useless MPs,” gives the excellent password TsBpc650muMPs.

Write the sentences you use as passwords down in a notebook that you hide somewhere safe.

To secure a wireless network, you should use suitable passwords for the router/wireless Access Point and for the computers on the network, which should be running security-supported versions of Windows – currently only Windows 8.1/10. You can also use password techniques when creating secure keys for WiFi Protected Access (WPA/WPA2) encryption.

Encryption levels vary among the router manufacturers

Encryption levels can vary among the router manufacturers. Most old WEP-enabled routers support encryption levels of 40-bit to 128-bit. However, some recent routers, such as those made by TP-Link can support 256-bit encryption.

For maximum protection, you should always be using the highest encryption level that your router supports. Remember, the higher the encryption level and the more complex the encryption password is, the longer it’s going to take a hacker to crack it. If it takes weeks, months or years to hack, obviously no hacker will bother unless the rewards are worthwhile.

Change the administrator password and turn off the SSID broadcast option. Doing that means that the router will no longer be screaming, “Here I am, and this is my name!” Even though a site-survey program would be able to pick up the presence of a wireless network, the name of the network cannot be identified, making it much more difficult for intruders to gain access to files on that network.

Secure Password Generator – http://www.andrewscompanies.com/tools/passwords.asp

You must use an encryption method that all of the wireless equipment on the network supports

Note that you must use an encryption method that all of the wireless equipment on the network supports. For example, if all of the computers (desktops and laptops) support WPA/WPA2 encryption, but you need to connect to an elderly PDA (Personal Digital Assistant) that can only make use of 64-bit WEP encryption, you have to use 64-bit WEP encryption for the whole network.

Encryption keys

Most current routers for home use allow you to type in a word or a phrase for the WPA encryption key, which they use to create a key that they encrypt. But other routers require you to enter a series of hexadecimal digits, which is the base 16 number system that uses the first ten decimal numbers from 0 to 9 (the base 10 number system), plus the letters A,B,C,D,E, and F for the other six numbers from 11 to 16. An example is 0A DB 4C. 0A which is 11 in the hexadecimal number system, because 0 is zero, and A is worth 11. 0F is worth 16, etc. DB is worth 14 + 12 = 26. Therefore, to generate the key you can only make use of the digits 0 to 9 and the letters A to F.

Of the wireless equipment manufacturers, Buffalo has done the best job of simplifying the encryption process with its AOSS system. The current Buffalo routers and wireless equipment that supports it have an AOSS button. You just have to have the wireless equipment set up on the computers in the network and then press the AOSS button on each bit of equipment that has it, and the device transfers all of the settings across the network automatically.

Make a WiFi router secure – Videos on how to find out who has been using your WiFi network

How to View Devices Connected to Your Wi-Fi – Using the router configuration page.

How to check who is using my wifi. – Using MAC addresses and software.

https://www.youtube.com/watch?v=k9UpERQgLDk

Make a WiFi router secure – Online articles on WiFi security settings

Wi-Fi Protected Access (WPA) – https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

It is not advisable to use WEP encryption. Read the following articles to find out why that is the case

[WEP] Wi-fi security system is ‘broken’ – http://news.bbc.co.uk/1/hi/technology/7052223.stm

WPA stands for Wi-Fi (WiFi) Protected Access, and SSID stands for Service Set Identifier (a changeable password).

Episode 1 – Wireless router security [WEP and WPA and WPA-PSK] –

Shows you how to set up the security options in a wireless router.

http://www.veoh.com/watch/v228005fD2HxAkq

The following article deals with the crackability of a WPA/WPA2-encrypted WiFi network. –

http://www.tomshardware.co.uk/wireless-security-hack,review-32252.html

The following article provides the state of play with regard to the crackability of the three main wireless encryption standards used to secure wireless networks.

How To Crack WEP and WPA Wireless Networks – Cracking WEP, WPA-PSK and WPA2-PSK wireless security using aircrack-ng –

http://www.speedguide.net/articles/how-to-crack-wep-and-wpa-wireless-networks-2724

About Eric 275 Articles
I am an experienced PC technician who has been the owner and sole writer of the PC Buyer Beware! website since 2004. I am learning all the time in this very dynamic, ever-changing field.