A poorly secured home wireless network is one of the easiest ways for an attacker to steal private data. Here are tips for understanding how to keep your wifi secure and private, including which wifi encryption methods are best.
If you think that simply enabling security features on your wireless router means people can’t steal your personal information, think again. Most wifi security features are broken. In many cases, an attacker with a basic set of free tools — like the aircrack-ng suite — can easily get on your network even if encryption is enabled.
So what works and what doesn’t when it comes to wireless router security? Here’s a list of common security features, and how reliable they are as of 2016:
- MAC filtering. This lets you specify that only certain devices can connect to your router based on each device’s MAC address. That sounds great, but this security feature is of very little use because it’s very easy to “spoof” a MAC address. Anyone who wants to connect and is unauthorized can just configure his device to appear to the router like one that is approved, and can get online. MAC filtering also won’t do anything to encrypt your wireless data against eavesdroppers.
- Hidden SSID. Some routers let you hide the name of your wireless network (also called an SSID) so that it is not broadcast publicly. That may feel secure, but it doesn’t actually do anything to stop attackers, since auditing tools can easily detect hidden SSIDs.
- WEP encryption. WEP was the first type of wireless encryption. It’s now completely broken. An attacker using aircrack-ng can break WEP keys easily, often in a matter of minutes, even if the WEP key is long. (Longer WEP keys take longer to break, but you’re still only talking minutes, not days or weeks.)
- WPA encryption. WPA (short for Wi-Fi Protected Access) is the most modern encryption method commonly found on routers. It comes in two forms: WPA1 and WPA2. The differences between them do not really matter; they are more or less equally secure. (WPA2 is newer, but that does not make it better.) Generally speaking, WPA encryption cannot be broken. But there are two exceptions that make it possible to attack WPA successfully. The first is if you use a WPA password that is too simple. For WPA1 or WPA2 to be reliable, make sure to create a very complex, long password, which will not appear on a list of known words or phrases. The second vulnerability is having Wi-Fi Protected Setup, or WPS, enabled on your router. WPS can be exploited by attackers to circumvent WPA encryption.
Other wireless router settings make little difference for privacy. You may be able to choose between 11b, 11g and 11n modes, but these don’t have security implications. The wireless channel (usually a number between 1 and 12) also makes no difference for data privacy.
The takeaway is this: If you want your wireless network to be secure, the best thing to do is choose WPA1 or WPA2 encryption, create a very strong password and disable WPS. This is the only router security approach that currently works.