5 Wi-Fi security myths you must abandon now

Wi-Fi has evolved over the years, and so have the techniques for securing your wireless network. An Internet search could unearth information that’s outdated and no longer secure or relevant, or that’s simply a myth.

We’ll separate the signal from the noise and show you the most current and effective means of securing your Wi-Fi network.

Myth No. 1: Don’t broadcast your SSID

Every wireless router (or wireless access point) has a network name assigned to it. The technical term is a Service Set Identifier (SSID). By default, a router will broadcast its SSID in beacons, so all users within its range can see the network on their PC or other device.

An SSID that isn't broadcast will still show up as
an 'Other Network' in Windows 7.


Preventing your router from broadcasting this information, and thereby rendering it somewhat invisible to people you don’t want on your network, might sound like a good idea. But some devices—including PCs running Windows 7 or later—will still see every network that exists, even if it can’t identify each one by name, and unmasking a hidden SSID is a relatively trivial task. In fact, attempting to hide an SSID in this way might pique the interest of nearby Wi-Fi hackers, by suggesting to them that your network may contain sensitive data.

You can prevent your router from including its SSID in its beacon, but you can’t stop it from including that information in its data packets, its association/reassociation requests, and its probe requests/responses. A wireless network analyzer like Kismet or CommView for WiFi, can snatch an SSID out of the airwaves in no time.

This wireless network analyzer showed the hidden SSID of 'cottage111' after I connected a device to the network. The analyzer captured the SSID from the association packets that the device exchanged with the router. (Click to enlarge.)

Disabling SSID broadcasting will hide your network name from the average Joe, but it’s no roadblock for anyone intent on hacking into your network, be they an experienced blackhat or a neighborhood kid just goofing around.

Myth No. 2: Enable MAC address filtering

A unique Media Access Control (MAC) address identifies every device on your network. A MAC address is an alphanumeric string separated by colons, like this: 00:02:D1:1A:2D:12. Networked devices use this address as identification when they send and receive data over the network. A tech myth asserts that you can safeguard your network and prevent unwanted devices from joining it by configuring your router to allow only devices that have specific MAC addresses.

Setting up such configuration instructions is an easy, though tedious, process: You determine the MAC address of every device you want to allow on your network, and then you fill out a table in the router’s user interface. No device with a MAC address not on that table will be able to join your network, even if it knows your wireless network password.

But you needn’t bother with that operation. A hacker using a wireless network analyzer will be able to see the MAC addresses of every computer you’ve allowed on your network, and can change his or her computer’s MAC address to match one that’s in that table you painstakingly created. The only thing you’ll have accomplished by following this procedure is to waste some time—unless you think that having a complete list of the MAC addresses of your network clients would be useful for some other purpose.

A wireless network analyzer scans the airwaves and shows the MAC addresses of the wireless routers and access points on your network, as well as all the computers and other devices connected to them. (Click to enlarge.)

MAC-address filtering might help you block the average Joe from connecting to your router from an unauthorized computer or other device, but it won’t stop a determined hacker. It will render your network more difficult for legitimate users to work with, however, because you’ll have to configure your router every time you add a new device to it or provide a guest with temporary access.

Myth No. 3: Limit your router’s IP address pool

Every device on your network must also be identified by a unique Internet Protocol (IP) address. A router-assigned IP address will contain a string of digits like this: 192.168.1.10. Unlike a MAC address, which the device sends to the router, your router will use its  Dynamic Host Control Protocol (DHCP) server to assign and send a unique IP address to each device joining the network. According to one persistent tech myth, you can control the number of devices that can join your network by limiting the pool of IP addresses your router can draw—a range from 192.168.1.1 to 192.168.1.10, for instance. That’s baloney, for the same reason that the next claim is.

Myth No. 4: Disable your router’s DHCP server

The flawed logic behind this myth claims that you can secure your network by disabling your router’s DHCP server and manually assigning IP address to each device. Supposedly, any device that doesn’t have one of the IP addresses you assigned won’t be able to join your network. In this scenario, you would create a table consisting of IP addresses and the devices they’re assigned to, as you would with a MAC addresses. You’d also need to configure each device manually to use its specified IP address.

Disabling your router's DHCP server and manually limiting the number of IP addresses it can assign are not effective security procedures. (Click to enlarge.)

The weakness that negates these procedures is that if a hacker has already penetrated your network, a quick IP scan can determine the IP addresses your network is using. The hacker can then manually assign a compatible address to a device in order to gain full access to your network. As with MAC address filtering, the main effect of limiting IP addresses (or assigning them manually) is to complicate the process of connecting new devices that you approve of to your network.

This scanning app reveals all of the IP addresses in use on a wireless network. (Click to enlarge.)

Myth No. 5: Small networks are hard to penetrate

This myth suggests that reducing your wireless router’s transmission power will make it harder for someone outside your home or place of business to sneak onto your network because they won’t be able to detect it. This is the dumbest security idea of them all. Anyone intent on cracking your wireless network will use a large antenna to pick up your router’s signals. Reducing the router’s transmission power will only reduce its range and effectiveness for legitimate users.

No myth: Encryption is the best network security

Now that we’ve dispensed with five Wi-Fi security myths, let’s discuss the best way to secure your wireless network: encryption. Encrypting—essentially scrambling—the data traveling over your network is powerful way to prevent eavesdroppers from accessing data in a meaningful form. Though they might succeed in intercepting and capturing a copy of the data transmission, they won’t be able to read the information, capture your login passwords, or hijack your accounts unless they have the encryption key.

Several types of encryption have emerged over the years. Wired Equivalent Privacy (WEP) provided the best security in the early days of Wi-Fi. But today WEP encryption can be cracked in a matter of minutes. If that’s the only security your router provides, or if some of your networked devices are so old that they can work only with WEP, it’s long past time for you to recycle them and upgrade to a newer standard.

Wi-Fi Protected Access (WPA) came next, but that security protocol had security problems, too, and has been superseded by WPA2. WPA2 has been around for nearly 10 years. If your equipment is old enough to be limited to WPA security, you should consider an upgrade.

WPA Security
WPA2, with an AES-encrypted preshared key, is an effective security protocol for home networks. (Click to enlarge.)

Both WPA and WPA2 have two different modes: Personal (aka PSK, an acronym for Pre-Shared Key) and Enterprise (aka RADIUS, an acronym for Remote Authentication Dial In User Server). WPA Personal is designed for home use and is easy to set up. You simply establish a password on your router and then enter that password on each computer and other device that you want to connect to your Wi-Fi network. As long as you use a strong password—I recommend using 13 or more mixed-case characters and symbols—you should be fine. Don’t use words found in the dictionary, proper nouns, personal names, the names of your pets, or anything like that. A strong password might look like this: h&5U2v$(q7F4*.

Your router might include a push-button security feature called Wi-Fi Protected Setup (WPS). WPS enables you to join a device to your WPA2-secured wireless network by pushing a button on the router and a button on the client (if the client also supports WPS). A flaw in WPS leaves it vulnerable to brute-force attacks, however. If you’re particularly security-conscious, you might consider turning off WPS in your router.

Enterprise-mode WPA2 is designed for networks run by businesses and organizations. It provides a higher level of security than WPA, but it requires a RADIUS server or a hosted RADIUS service.

Now that you understand the best way to secure your network, spend a few minutes making sure that your router is configured properly.

Subscribe to the Business Brief Newsletter

Comments