Comment (4)
Securing a Wi-Fi network is an essential step in limiting the risk of malicious intrusion or misuse of the Internet connection. Here are some examples of methods to implement.
©Netgear iStock
Essential security
As the news regularly shows, the risks associated with Wi-Fi connections are very real. Despite this, many consumers still too often neglect the security of their wireless network and do not change, for example, the identifiers provided by Internet service providers or router manufacturers. Contrary to popular belief, cracking a poorly secured Wi-Fi network is now within the reach of the greatest number. A multitude of applications allow you to hack a connection without any technical skills. Even if zero risk does not exist, a few relatively simple precautionary measures can considerably limit the risks. Those who wish to go even further can then camouflage their connection and all their digital activity via dedicated security tools such as a VPN router.
Changing the default password and SSID: precautions for use
Why try to crack well-protected wireless networks, when a few searches can find Wi-Fi networks open to all comers? As security experts keep saying, most attackers favor the softer targets. To realize the absolutely catastrophic state of security that reigns in some homes and businesses, just go to the Shodan search engine. This service specializing in the search for connected objects on the Internet also makes it possible to find routers visible on the network. It references poorly secured devices with identifiers often left by default such as admin/admin, admin/password, etc. In addition, attackers can easily obtain specialized equipment on the Web to scan remote Wi-Fi networks as well as applications to crack their passwords. Arnaud Cassagne, Director of Operations at Newlode, revealed some of these applications to us: "Among the tools used by hackers to attack Wi-Fi networks are NetStumbler, which allows you to find open networks, Aircrack and AirSnort, which serve as it's up to them to crack the WEP and WPA keys, and finally Airjack allowing denial of service on Wi-Fi networks."
Based on this observation, it is first necessary to immediately modify the identifiers (login and password) provided by default. Easily recoverable on the Internet, these identifiers allow neither more nor less to access the administrator interface and to take full control of a router. It is therefore strongly advised to define a complex password combining a series of letters, numbers and special characters. One of the tricks is to compose an easy-to-remember sentence with different characters: "Mai$Qu1V@ALa?", for example. It is also better to confuse the issue by changing the default network name (SSID) and putting a name that is not identifiable (eg web_surf, Mabox, etc.). In order to complicate the task of possible attackers, it is possible to mask the broadcasting of the SSID via the settings of the router so that it is not visible in the vicinity.
The Shodan connected object search engine (©Shodan)
Select a reliable security protocol: enable complex encryption
For many years, experts have advised abandoning the old WEP encryption protocol in favor of WPA2 or ideally WPA3 if it is available. Long considered the best Wi-Fi protection, WPA2, launched in 2014, took a turn for the worse following the discovery of critical security flaws, including the one called Krack, which made it possible to take control of a Wi-Fi network. remotely and insert a malicious payload. Although manufacturers rushed to close the gap, the Wi-Fi Alliance (the organization in charge of Wi-Fi protocols) rushed to accelerate the development of the new WPA3 protocol. Officially launched in June 2018, WPA3 is being rolled out gradually to certified routers. Easier to configure, this protocol has new security features that are supposed to make Wi-Fi networks unbreakable, including those with weak passwords.
In all cases, it is essential to activate one of these two protocols via the security options of the administration interface of the box or the router. In this way, the information exchanged on the network, such as the password, is encrypted and a priori inviolable. It is important to establish a complex password of at least 10 to 12 characters and to change it regularly. Without forgetting to always make updates that may contain important security patches.
The options of the administration interface of the Orbi router from Netgear (©Netgear)
Use MAC filtering: control each connected device
At a time when equipment connected to the wireless network is multiplying in homes, this security measure is not really the most practical to implement. MAC (Media Access Control) filtering consists of selecting one by one the devices that you want to authorize to connect to the Wi-Fi network. Each device equipped with a network interface (computer, smartphone, tablet, printer, connected speaker …) indeed has a unique MAC address. Routers have an option to filter these addresses to define which devices can connect to the wireless network. Devices that are not in the list of authorized MAC addresses cannot access the network.
Create a guest Wi-Fi network: protect access to personal data
Creating a Wi-Fi network is too rarely part of advice on the security measures to take to protect a Wi-Fi network. However, it is an essential precautionary measure, because the router's Wi-Fi code does not allow not just to access the Internet, but potentially all content stored on computers, NAS and other hard drives connected to the network. The majority of ISP boxes (Freebox Delta/Revolution, Livebox Orange, etc.) now have an option to create an independent Wi-Fi network dedicated to guests with its own WPA2 or WPA3 key. Care should also be taken to configure the guest network to be limited to Internet access. To do this, you must disable access to the local network in the router settings.
Since the beginning of 2018, the Freebox Revolution allows you to create a guest network (© Freebox OS)
Disabling WPS: a potentially dangerous option
WPS (Wi-Fi Protected Setup) is a handy feature for quickly connecting new equipment to the Wi-Fi network. One of the most common connection methods is to simultaneously press on the physical "WPS" button on the router and the physical or virtual button on the device to be added to automatically pair it to the Wi-Fi network. Depending on the equipment, the connection can be established using a PIN code to enter, an NFC near-field connection, or a USB key containing the connection data.
However, this connection mode suffers from a bad reputation in terms of security, because the signal can be relatively easy to intercept for a seasoned attacker. Critical security flaws allowing Wi-Fi passwords to be cracked via WPS had notably been discovered on Orange and SFR boxes. To limit the risks, always check that the WPS is off by default.
Install a VPN server or router: completely lock down a Wi-Fi network!
Installing a VPN (Virtual Private Network) server directly on a router or box is probably the best way to protect a local network. This method, reserved for advanced users, makes it possible to encrypt all the data that passes through household equipment, including connected objects that cannot natively manage a VPN. Once is not custom, Free was the first operator to offer an option to create a VPN server then allowing to connect all household equipment. To do this, it is strongly recommended to subscribe to a paid VPN subscription with a known and recognized provider such as ExpressVPN, NordVPN, Vypr.VPN, or HideMyHass, for example. Better to avoid free VPNs that offer no guarantees and are likely to illegally collect all the data that passes through their servers. Free services are also far too slow to manage connections from multiple devices.
ExpressVPN offers pre-configured routers to protect all devices connected to the Wi-Fi network (©ExpressVPN)
Long reserved for businesses, VPN routers are only beginning to become more popular with the general public. ExpressVPN is one of the first providers to offer preconfigured routers. It offers powerful Asus, Linksys or Netgear routers with its pre-installed ExpressVPN app (from €220). This service offers a stable and secure wireless connection thanks in particular to an automatic reconnection system. Generally speaking, the main VPN providers offer progressively faster speeds, approaching those of the original connection. This ultimate solution is not cheap, but it undoubtedly offers the highest level of security possible for a private Wi-Fi network.
