It is January 2021, and we are looking at another 6 months of various lockups, and lockdowns. Perhaps it is time to consider your wireless security.
Wireless connectivity has become an essential service for many, with phones, tablets, laptops, IoT devices, and even desktops becoming increasingly untethered. With that need comes proliferation, and with proliferation comes vulnerability.
As a professional paranoid, I tend to sweep my environments with vulnerability scanners and exploit tools on a regular basis. Most people will not have those tools, knowledge or capability, but there are a number of things to be done to enhance your wireless security.
Step 1: Update your gear.
In a recent scan of my home environment, I found some interesting items, not in my world, but elsewhere (unintentionally). Things like ancient wifi routers with known exploits, open networks, and default configurations.
So perhaps it is time to get a newer model that has supported firmware updates and can handle multiple network zones and all the newest high-speed protocols. (A minimum of three zones is suggested.)
Step 2: Update your firmware
I use a commercial firewall and wireless system, and pay for support. I note that it seems I have a patch and reboot to do almost monthly. One would assume that as fast as a firmware release hits the net, exploits are found. It is well worth your time to make sure you check for firmware updates on a regular basis, and apply them.
How bad can this be? Urban legend is that a “Hacker” released a worm to break into a specific brand and model of wireless router (in excess of 10,000 devices), for the sole purpose of patching a vulnerability so that it could not be used as a DDoS agent.
Step 3: Change the admin login
One can do a simple Google search for wifi router default login and find the credentials. Do make sure your login is NOT listed … Change the admin name and password. Use a strong password, and use a password manager to store it. (Saves that nasty password recovery and reconfigure job.)
Step 4: Create Multiple zones
A guest network will allow you to provide internet access to visitors, without exposing your home devices to whatever virus they may be carrying. Just consider it a “NET MASK”, (tech joke loading … ).
A home or private zone will allow you to share data between your home devices. As the devices in this zone should be fairly static, one may wish to implement MAC address filtering for this zone.
With the explosion of IoT devices, it is recommended that an IoT network be defined and things that reach out to the cloud be placed there. Think doorbells, thermostats, security cameras: these can all be used as vectors for digital trespass, so isolate that traffic.
Do make sure that “secure” zones do not broadcast the SSID, and just for giggles do not name your secure zone(s) things like “HOME”, “HOUSE”, or “SECURE”. Personally, I like the zone name “FBI SURVEILLANCE VAN” or “VIRUS DO NOT TOUCH”.
Step 5: Password / Encrypt Wifi Zones
Use a strong password. It does no good to jump through the hoops to upgrade, update, and lock down if the password to your secure zone is “password” or your home phone number or “1234”. (Remind me to change the combination on my luggage.)
Every zone should have a password. Period. Even the guest.
Step 6: Egress Filtering by DNS
Use of a DNS service that will filter DNS queries for possible malicious hosts is a safety net, just in case someone gets that one malicious link on a web page. Use of OpenDNS or Quad9 as your primary DNS server may avoid an annoying event.
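As an added example (not from the original post), the Python script below audits a planned zone layout against Steps 4 to 6. The field names, both sample layouts and the 12-character password floor are assumptions; the resolver addresses are the public Quad9 and OpenDNS ones.

```python
# Added example: audit a planned Wi-Fi zone layout against Steps 4-6.
# Field names, sample layouts and the 12-character minimum are assumptions.
FILTERING_DNS = {"9.9.9.9", "149.112.112.112",        # Quad9
                 "208.67.222.222", "208.67.220.220"}  # OpenDNS
OBVIOUS_NAMES = {"HOME", "HOUSE", "SECURE"}
WEAK_PASSWORDS = {"password", "1234"}
MIN_LENGTH = 12  # assumed floor; WPA2 itself accepts 8-63 characters

def audit(zones, primary_dns, home_phone=None):
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    roles = {z["role"] for z in zones}
    for role in ("guest", "private", "iot"):
        if role not in roles:
            findings.append(f"missing {role} zone")
    for z in zones:
        ssid, pw = z["ssid"], z.get("password") or ""
        if not pw:
            findings.append(f"{ssid}: no password")
        elif pw.lower() in WEAK_PASSWORDS or pw == home_phone or len(pw) < MIN_LENGTH:
            findings.append(f"{ssid}: weak password")
        if z.get("secure"):
            # A missing broadcast_ssid field is treated as "broadcasting".
            if z.get("broadcast_ssid", True):
                findings.append(f"{ssid}: secure zone broadcasts its SSID")
            if ssid.upper() in OBVIOUS_NAMES:
                findings.append(f"{ssid}: obvious zone name")
    if primary_dns not in FILTERING_DNS:
        findings.append(f"primary DNS {primary_dns} is not a filtering resolver")
    return findings

# Constructed sample: a typical out-of-the-box layout.
BEFORE = [
    {"ssid": "HOME", "role": "private", "secure": True, "password": "5551234567"},
    {"ssid": "guest", "role": "guest", "password": ""},
]
# Constructed sample: the same household after Steps 4-6 (placeholder passwords).
AFTER = [
    {"ssid": "VIRUS DO NOT TOUCH", "role": "private", "secure": True,
     "broadcast_ssid": False, "password": "correct-horse-battery-staple"},
    {"ssid": "visitors", "role": "guest", "password": "maple-quartz-lantern-42"},
    {"ssid": "gadgets", "role": "iot", "password": "tundra-violin-pebble-77"},
]

if __name__ == "__main__":
    for label, zones, dns in (("before", BEFORE, "192.0.2.1"), ("after", AFTER, "9.9.9.9")):
        print(label, audit(zones, dns, home_phone="5551234567") or "OK")
```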
Locking down your now critical wifi infrastructure is a key step in creating a secure home network. DO CHECK YOUR OWNER'S MANUAL. If you are using a provider's equipment, contact them about enhancing the security of their devices. One might do a simple Google search for the device make and model, and review the mass of information presented there.
I have mentioned specific services and products in this missive. Whilst I DO NOT receive remuneration from those services or products, I DO use them in my professional life.