Securing a wireless router has been an ongoing battle since the first days of WiFi.
There have been numerous encryption types and protocol updates which have been constantly shown to have flaws that can be exploited.
With that said, routers have become much more secure and, with the right setup, can be very secure devices.
Best Security Settings for a Router
Not all of these options will be possible for everyone. This is simply a list of the best possible setup for securing a router.
- Turn off WPS (WiFi Protected Setup)
- Disable 2.4 GHz Frequency if possible
- Only connect to a router with a device (smartphone, tablet, laptop) that is an 802.11ac device.
- Enable WPA2 / WPA3 encryption and put in a long password.
- Weaken the WiFi signal if possible.
- Never input passwords or usernames into a pop-up. Always go directly to a router admin-page to enter usernames and passwords.
- Change the router's default admin-page log-in username/password.
- Update the firmware of the router
- Change the SSID broadcast name.
WEP, WPA, WPA 2, WPA 3 Encryption
Every router should have basic encryption set up. As most everyone knows, an open WiFi signal is asking for problems.
WEP is notoriously easy to hack and hasn’t been used much since 2003 when a security flaw was found in it.
Router Encryption Standards
Encryption | Year | Security |
WEP | 1999 | Bad |
WPA | 2003 | Poor |
WPA 2 TKIP | 2004 | Poor |
WPA 2 AES | 2004 | Medium |
WPA 3 | 2019 | Good |
The original WPA also has countless security flaws and is no longer very secure.
WPA2 AES or the new WPA3 should be enabled for WiFi, along with a long password/passphrase.
There are hacks for WPA2 AES but it is much more difficult to hack than the older encryption standards.
WPA3 is a new standard being released and adds many security features that older protocols lack.
Routers with the new WiFi 6 AX along with WPA3 are slowly being introduced.
WPS
WPS (WiFi Protected Setup) is a method many routers use for devices to easily connect to a router via wireless.
A flaw was found in WPS in 2012 that allows the pins to be attacked, which bypasses any security such as WPA/WPA2.
Many new routers have found a way around this by having a WPS button that is pressed and only enables WPS for a short time before disabling it.
Not all routers do this though and some have WPS enabled by default.
Popular programs such as Reaver, built into Kali Linux, can crack the WPS pins in 2-10 hours, with the Pixiewps attack able to do it much quicker on some routers.
If your router has WPS enabled, disable it; otherwise it is open to the above popular attack.
5 GHz / 2.4 GHz Frequencies and 802.11ac Protocol
Up until 2013, 2.4 GHz was the only frequency routers used for WiFi.
Since 2.4 GHz has become overcrowded, the 5 GHz range has been introduced.
These types of routers are called dual-band routers since they can use either 2.4 GHz or 5 GHz for a WiFi signal.
For those unaware, not just any wireless card can be used to attack a router.
Specific USB dongles/adapters with the correct chipset must be used.
There is an abundance of USB adapters that can hack a router on the 2.4 GHz side.
Currently, there is a shortage of USB adapters that can hack the 5 GHz frequency of a router.
There are a few USB adapters that can but with limited success.
The reason for the limited success rate is the 802.11ac protocol.
WiFi hacking tools simply have not been updated yet to attack this new protocol.
Only 802.11n and 802.11ac protocols work in the 5 GHz range. 802.11n has been around a while and works in both the 2.4 GHz and 5 GHz.
802.11ac only works in the 5 GHz range.
802.11n is being used for legacy devices that need to connect to a router but is a well-known protocol that can be hacked with many WiFi cracking tools.
Currently, a router set up to only broadcast WiFi in the 5 GHz range with the 802.11ac protocol is almost un-hackable with current WiFi hacking tools.
Any device connected to a router must also be capable of using the 802.11ac protocol as any setup is only as good as its weakest link.
Keep in mind this can change at any time as hacking software and hardware are in a constant state of evolution.
Currently, a router with the 2.4 GHz side turned off, along with WPS support off, using WPA2 encryption, and only using the 5 GHz frequency with 802.11ac protocol is almost impossible to hack.
Nothing is ever completely un-crackable but it would take a very advanced malicious attacker to crack that kind of setup.
A script kiddie newbie hacker would not be able to watch the multitude of WiFi hacking YouTube videos and be able to crack a setup like this currently.
Man-In-The-Middle-Attack
Man-In-The-Middle attacks, called MitM, are when a hacker puts themselves between a router and a device that is connected to it.
A malicious hacker doing a MitM attack can knock a device off the router's signal, forcing the person to connect to the attacker's computer, which then lets the victim back online.
Most users are unaware of this and continue surfing online. The attacker can view all the data as it passes through their machine, capturing passwords or any other data that is looked at.
MitM router attacks come in many forms with popular ones being a pop-up showing a user a fake router-login-page that looks legitimate.
If a user enters their username and password into a fake MitM attack page, they are allowed to continue on, thinking they have fixed the problem.
In the meantime a malicious attacker has acquired their information.
To counter this kind of attack, don’t simply enter username and password information blindly.
Know where the login settings on a laptop, tablet, or smartphone are and only enter information there.
A router should never give a pop-up asking for information. If it does, manually log into the router with a wired connection and check the settings.
Change a Router's Default Admin Page log-in Credentials
All routers have a default username and password to log into the admin page.
Often something as simple as Username: admin, Password: admin
This should be changed to something secure, as it is an easy way for someone who is on the same network and types in your router's IP address to gain access to it.
Change the Default SSID Broadcast Name
All routers come with a default broadcast name. For example, Linksys or Dlink routers will broadcast the name Linksys or Dlink as the WiFi AP connection name.
Changing the broadcast name will give an attacker less information about the vulnerabilities that the router has.
A Linksys router has different vulnerabilities than a Dlink router, and so on.
One of the things I do, instead of giving the router a unique pet name, is change it to another router manufacturer's name.
For example, if it is a Linksys router, change the SSID to Dlink and vice versa.
This can confuse an attacker since they believe they are attacking a certain router with known vulnerabilities when it is something else entirely.
WiFi Range Distance
Distance can be important with WiFi, but a long range can leave a router open to attack.
All wireless router attacks need a good WiFi signal to do their job. If an attacker can’t get a good signal, then the attack can’t be done.
Attackers do use signal boosters to help boost a weak signal, so often not much can be done about this.
Nonetheless, if you do not need a strong wireless signal, weakening it can help prevent an attack.
Many routers have a setting to adjust the WiFi signal strength which can be adjusted down or up.
Router Differences
When it comes to router manufacturers, they all have different interfaces and options.
It is impossible to list in one post where these settings are located for the many routers that are sold.
Most options will be universal, such as WEP, WPA, WPA2 encryption, but how the options are activated will vary from one router to another.
A router's interface options can always be Googled or the manual found and looked at for its settings.
The main thing to understand about securing a router is the universal security options most any router will have.
Summary
Any router will always be susceptible to attacks, but doing simple things like those above will greatly reduce your risk.
Often WiFi attackers will move on to an easier target (since there are many) instead of wasting hours if not days trying to target a difficult setup.
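The checklist above can be turned into a repeatable check. The following is an added example, not part of the original post: it audits a router's settings, written down as a dictionary, against the recommendations on this page. The setting names, the sample configurations and the 16-character passphrase threshold are assumptions made for illustration.

```python
# Added example: audit router settings against this page's checklist.
# Setting names and both sample configs are constructed for illustration.

# Ratings copied from the "Router Encryption Standards" table on this page.
RATING = {"WEP": "Bad", "WPA": "Poor", "WPA2-TKIP": "Poor",
          "WPA2-AES": "Medium", "WPA3": "Good"}
MIN_PASSPHRASE_LEN = 16  # assumption: the page only says "long"

def audit(cfg):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    enc = cfg.get("encryption", "OPEN")
    rating = RATING.get(enc, "Bad")  # open or unknown modes count as Bad
    if rating in ("Bad", "Poor"):
        findings.append(f"encryption {enc} is rated {rating}; use WPA2-AES or WPA3")
    if len(cfg.get("passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append("WiFi passphrase is too short")
    if cfg.get("wps_enabled", True):  # an unknown state is treated as enabled
        findings.append("WPS is enabled; turn it off")
    if cfg.get("band_2_4ghz_enabled", True):
        findings.append("2.4 GHz radio is on; disable it if possible")
    legacy = set(cfg.get("protocols", [])) - {"802.11ac"}
    if legacy:
        findings.append("legacy protocols allowed: " + ", ".join(sorted(legacy)))
    if (cfg.get("admin_user"), cfg.get("admin_password")) == ("admin", "admin"):
        findings.append("admin page still uses the default admin/admin log-in")
    ssid = cfg.get("ssid", "").lower()
    if ssid and ssid == cfg.get("vendor", "").lower():
        findings.append("SSID still broadcasts the router's own brand name")
    return findings

# Constructed sample: a router left close to factory settings.
WEAK = {"vendor": "Linksys", "ssid": "Linksys", "encryption": "WPA2-TKIP",
        "passphrase": "password1", "wps_enabled": True,
        "band_2_4ghz_enabled": True, "protocols": ["802.11n", "802.11ac"],
        "admin_user": "admin", "admin_password": "admin"}

# Constructed sample: the setup this page recommends.
HARDENED = {"vendor": "Linksys", "ssid": "Dlink", "encryption": "WPA2-AES",
            "passphrase": "correct horse battery staple 42",
            "wps_enabled": False, "band_2_4ghz_enabled": False,
            "protocols": ["802.11ac"], "admin_user": "netadmin",
            "admin_password": "constructed-long-admin-secret"}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "passes the checklist")
```

Firmware age and signal strength are left out because they cannot be judged from a settings dump alone.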
When the Firmware updates stop replace your router as soon as possible. Just because it “works fine” probably means it hasn’t had any firmware updates in years, it’s been discontinued by the manufacturer and supports old WiFi standards only. Disable any Guest user access. Disable 802.11b and g on the 2.4GHz and 5GHz wireless networks. Use N and AC only. Be sure to use WPA2-AES encryption. Don’t use WPA2-TKIP encryption. If you can run a device wired do so. WPA3 is coming soon.
Never heard of a firmware update. How do I know if it has done that?
This page is so important to understand regarding WiFi security. I found it very helpful and I will apply these settings in my router. Hackers are your worst enemies.