Every day is a computer security day, but November 30th is officially Computer Security Day, intended to raise awareness of online security issues and to promote cybersecurity best practices.
Days like these are a handy nudge to do a few extra security checks. With that in mind, here are some tips from the Sophos support team on how to secure your Wi-Fi network at home.
Many people think that “no hacker would be interested in my home network.”
But everyone has something that’s valuable to attackers: personal information, bank details, financial data, perhaps even a webcam that could let criminals know when you aren’t at home, or that might let creeps spy on you when you are.
And if you’re working from home, it’s worth remembering that for a skilled attacker it’s just a hop, skip and jump across the network from your personal computer or connected device to your work laptop, and possibly from there to the whole company network.
For a detailed explanation of Wi-Fi, check out our Wi-Fi Fundamentals article on the Sophos Community site.
Tip 1. Apply those updates
“Patch early, patch often” is a regular mantra on Naked Security, and it applies to all access points, modems and routers you use for your home network, as well as all the devices that can connect to it.
Take a moment to check when your firmware was last updated. If it’s not up to date, patch without delay.
Set your devices to automatically install updates where possible. If you discover that you are unable to update (for instance, if the manufacturer is no longer providing support), consider migrating to a device that is properly supported.
Tip 2. Check your encryption settings
We recommend using at least WPA2-PSK (AES) encryption, also known as WPA2-CCMP. (PSK stands for Pre-Shared Key, which is the password you need to connect to the network in the first place.)
WPA2 was first ratified by the Wi-Fi Alliance in 2004. If the router you’re using doesn’t support WPA2, upgrade to a newer model that does.
Never use WEP, short for Wired Equivalent Privacy, because the encryption system it uses was cracked completely many years ago – it gives nothing but a false sense of security.
LEARN MORE ABOUT WEP AND WHY TO AVOID IT
Here’s a video we made more than seven years ago explaining why you should choose decent encryption for your home Wi-Fi. Some older network devices don’t support anything better than WEP, so it’s tempting to keep on using WEP if your router still supports it. Get rid of the old devices instead.
Tip 3. Pick a proper password
Pick a proper password for your Wi-Fi network.
It’s tempting to use a short and obvious password so it’s easy to type in on devices such as phones, or to read out for friends who want to join your network while they’re visiting.
But an obvious password makes it easy for people you haven’t invited onto your network to connect up as well. You only need to enter it once, so a little bit of extra hassle putting in the password in the first place is worth it to make it harder for outsiders to guess the password in future.
Remember also that if you have allowed a guest to access your network but then decide that you don’t want them connecting any more, you will need to change the password to keep them out.
Tip 4. Check who’s on your network
It’s worth taking a moment to see which devices have accessed your Wi-Fi network recently. Many routers have an option in their management pages, usually accessed via your browser, that will show you which devices have connected recently.
Are there any rogue computers online? Perhaps the teenager next door is still connected from their last babysitting session? Are there any home devices such as webcams or baby monitors that you’d forgotten about or thought you’d turned off?
If there are devices accessing your network that shouldn’t be, disconnect them. Changing the Wi-Fi password will stop any unwanted devices getting back online automatically.
Tip 5. Review your IoT devices
IoT is short for Internet of Things, and it refers to devices that didn’t used to be computers in their own right, such as webcams, smart speakers and doorbells, but that now connect to your Wi-Fi network by themselves, and operate independently.
Paul Ducklin’s recent article on 8 tips to tighten your work-from-home network included some great advice for securing IoT devices such as webcams and smart speakers. The main takeaways are:
- Only connect devices that you really need to have online. Power down devices when you’re not using them.
- Make sure you know how to update your devices.
- Configure your devices correctly,
- Change any risky settings, such as default passwords.
- Check how much data you are sharing.
- Put IoT devices on a ‘guest’ network if you can.
- Turn on ‘client isolation’ if available.
- Make sure you know who to turn to if you have a problem.
Every day is a computer security day
Good computer security is, of course, something we need to take seriously every day, not just on November 30th.
That said, it’s worth using events like Computer Security Day as a prompt to take a deeper look at your security and check that everything is as it should be.
Dave
Technical nit-pick: PSK is not an encryption method, but your authentication type, a single static password. In the home environment, PSK is adequate . In corporate environments, best practice is to use EAP authentication to a managed authentication server (such as RADIUS) where every user has separate credentials.
Paul Ducklin
Note that the article talks about “WPA2-PSK (AES) encryption”, and then simply explains what the letters “PSK” stand for. There is no suggestion in the article that “PSK is an encryption method”.
As you can see from the headline, this advice is aimed at home Wi-Fi networks (because it’s Computer Security Day), which is why we didn’t go into EAP, which is, as you say, a protocol for authentication. (As it happens, there is a flavour of EAP called EAP-PSK. The fact that PSK appears fairly widely as an abbreviation is why we decided to say what it stands for.)
Julien Jans
I will take a sophos firewall home editon working with Google home and nest products. I love them at work, why not at home
will need to integrate wireless router capability, Vlan to seperate IOT to real devices, with a bridge. some storage as Nas, guest mode obviously
BenGi
This is all good advice,
But the reality is 90% of the U.K. home setups are BT, plusnet talk talk or sky. Most don’t offer firmware updates, before I moved to a home XG setup I was stuck with sky for years with non updatable router.
Then add in the fact that most home users can just about connect to Wi-Fi and won’t want to fiddle with their router.
Really what the big ISPs should do is put emphasis on the initial setup come with basic initial Wi-Fi with code printed in router but force a password and network name change.
I’m pretty sure I read at one point it was possible for people to generate your default Wi-Fi key on sky devices based on its MAC so a big red flag advertising what make router you have is probably also a bad idea
Paul Ducklin
I recently ended up on a “major UK” service and it came with a router that was upgraded within the last week or so… though the router gets its own updates to suit itself, which might not be what everyone wants. It came with a unique (I assume) password on a printed card and there was no suggestion I could find online that the password is concoctable from the MAC address.
This ISP doesn’t force you to use the router it provides – I was able to swap it easily enough for an old one I had lying around, though the new one turned out to have better performance and more frequent updates so I stuck with it in the end.
I won’t mention the ISP’s name but it is a major UK brand. Thus I don’t think the current situation is as quite as bad as you imply, at least in the UK.
David
In addition to the above security settings. I set mine up so it only allows access from the 3 devices I use on it, via their MAC addresses. Probably hackable, but an added step.
Paul Ducklin
Please watch the embedded video to understand what MAC filtering does (and does not) do for you. Saying it is “probably hackable” suggests you think that it is a security measure – but it is not.
James Beckett
Many WiFi routers also have an option to create separate WiFi signals with routing that only allows access out onto the Internet, not to other devices on your home network. I have several set up, e.g. general, guest (still needing a password) and IoT.
Paul Ducklin
Indeed. These are great settings to use if you can. Older routers (or modern ones with simplified firmware) often don’t have these features, so we didn’t cover them in the article itself… but look for options in your router setup pages with names like “guest network” (essentially setting up a second access point on the same router but with a different configuration, network name and password) and “client isolation” (which allows each client device to access the router and from there to get onto the internet, but firewalls off each device from the others on the LAN so they can’t poke sticks at each other or sniff out each other’s traffic).