Last updated: February 2021
With the continuous proliferation of public hotspots, and increase in a remote workforce, more and more attention has been drawn to the security measures in place to prevent wireless man-in-the-middle attacks. You should start by using TLS/SSL Certificates to provide network security. However, in addition to employing TLS Certificates to provide network security, these WiFi security options will dramatically improve the security of your network.
Like all passwords, the WPA2 password that you use to secure your wireless network should be long and sophisticated enough to foil hackers attempting to “aircrack” your password. Avoid personal names, simple dictionary words, or easily guessed numbers should be avoided.
The easy first step to improved security is to change the default username and password. Since most routers don’t require a physical connection to log into the admin interface, eliminating this vulnerability removes the lowest hanging fruit available to hackers.
If your hardware can only support WEP or WPA encryption, you should replace it. The Wi-Fi Alliance strongly recommends the uniform adoption of WPA2. Cutting-edge encryption has been proven to be secure against even the most committed attackers as long as it is properly implemented. If you manage an enterprise environment, you should be using the additional protection afforded by dedicated digital certificates.
Taking your WiFi security a step further requires securing your administrative login pages with a digital certificate for WiFi. The self-signed certificates that come pre-installed on some routers are publicly untrusted, easy to duplicate, and vulnerable to Man-In-The-Middle (MITM) attacks. TLS Certificates from trusted Certificate Authorities will ensure that all of your communication via WiFi remains secure and private. If your router doesn’t cover digital certificates in the quick start guide, you can find instructions on the manufacturer’s support website.
Research shows that up to 80% of routers ship with severe security vulnerabilities. According to the Home Router Security Report from 2020, “[T]here is not a single device without known critical vulnerabilities.” Part of the reason for this is the firmware that is included is obsolete and automatic updates that are turned off by default. Like other aspects of your network, timely updates are an essential part of any security plan. Ignoring the firmware updates will ensure that your network security will fall further and further behind as new exploits are devised by hackers.
While this may not be practical in larger networks, admins on smaller networks can lock down MAC addresses to have a high level of control. Wireless routers and Access Points rely on access control methods like MAC (Media Access Control) address filtering to prohibit network requests from potential attackers. Every WiFi-enabled device is assigned a unique MAC or physical address and maintains a list of devices that can connect to them. You can manually input addresses to designate exactly who can connect to your network, although you should be aware that there are tools that allow attackers to fake MAC addresses.
Your mobile workforce might be tempted to set their devices up to auto-connect to any WiFi signal it encounters. This is especially dangerous in situations where it would otherwise be obvious to your users that it would be unwise to check their email due to the possibility of a nearby hacker sniffing the network, but their device connects without asking for permission. Another danger comes in the form of hotspots created specifically by hackers with the sole goal of hacking into connected devices.
The same reasons that you should use HTTPS everywhere throughout your website apply equally to WiFi. Accessing an account on an encrypted page and then continuing to interact with the site via unencrypted pages leaves the user vulnerable to session side jacking.
Whether you are a regular WiFi user or operate a wireless network, take a few minutes to consider the security you are employing and whether it has been properly configured. Wireless access points are occasionally an afterthought when securing a complex network but are easily exploitable if you haven’t taken the correct precautions.