While Wi-Fi uses the convenience of a seamless, untethered data connection, it come with security disadvantages the hackers love come exploit. Without discovering the tricks hackers usage to target Wi-Fi devices, it’s tough for users to recognize which behavior may be putting them most at risk. 

Wi-Fi hacking frequently takes benefit of small mistakes customers make when connecting devices to a network or setup up a router. To prevent the worst of these mistakes, there are a few simple precautions you deserve to take to alleviate your assault surface and also prevent girlfriend from falling victim to several of the most typical Wi-Fi attacks.

You are watching: How to protect my router from hackers


Get the free Pen Testing active Directory environments EBook


“This really opened my eyes to ad security in a means defensive work never ever did.”

The risks of Wi-Fi

When the average human thinks about Wi-Fi hacking, they most likely imagine a hacker breaking right into their neighborhood Wi-Fi network. When this does happen, Wi-Fi can also be abused to track users by your devices, damage passwords with phishing attacks, and reveal information about where a human being works or travels.

Hackers targeting Wi-Fi can decide even if it is to attack the network chin or to walk after any connected devices. This provides hackers the versatility to choose the weakest link, relying ~ above a target come make an essential mistakes and also targeting any type of vulnerability that’s easy to exploit. 

Wi-Fi is an strike surface that can additionally follow you around. Cell phone Wi-Fi gadgets can conveniently be tracked between locations, leaking network surname that deserve to reveal information about the owner. For anyone no wanting their maker to broadcast whereby they work-related or have actually been recently, this have the right to be both a privacy and also security issue.

To alleviate these risks, we deserve to lock down behaviors that leak personal information and also or make our devices an ext vulnerable. By taking the complying with steps, you have the right to reduce your assault surface and also keep yourself safer once using Wi-Fi at home or on the go.

1) Purge networks you don’t need from your preferred network list

The desired Network List, or PNL, is a list of Wi-Fi network names your an equipment automatically trusts. This list is developed from the networks you connect to over time, however it can’t distinguish in between networks i m sorry share both the same name and type of security. That way that ~ connecting come a Starbucks Wi-Fi network a single time, your an equipment will remember and also connect instantly to any open network v the very same name.

For a hacker, producing rogue accessibility points which mimick the surname of usual open Wi-Fi accessibility points is the easiest way to track nearby devices and conduct MITM attacks. If friend leave your smartphone Wi-Fi ~ above in public, your machine won’t warning you when instantly joining an open network v a name matching any type of that did you do it joined before. Without various other precautions, this could permit a hacker to load phishing pages, track which sites you visit, and learn which apps you’re using.

In Windows, you have the right to delete your desired networks by going come “Manage well-known networks” and also clicking “Forget” on any type of networks you don’t desire your computer system connecting come automatically. At a minimum, you need to remove all open up Wi-Fi networks from this list. The risk of your maker connecting automatically to a rogue AP pretending to be open up Wi-Fi is much greater than encountering a malicious network with the precise same name and password as one stored in her PNL. 

*

In the strike above, I used a $3 esp8266 microcontroller to develop up come a thousands fake networks. Many adjacent smartphones test to sign up with networks with names lock had associated to before, revealing which they trust. By finding i beg your pardon network names display up in the PNL the multiple surrounding devices, a hacker deserve to hijack the data connection of plenty of devices in ~ the very same time through a single rogue network v a name choose “attwifi.” If you have actually networks similar to those top top the list over saved in her device’s PNL, you have to delete lock immediately!

2) usage a VPN to keep your neighborhood traffic encrypted

One the the basic flaws that WPA2 it is being solved in WPA3 is the concept of forward secrecy. This method that in the brand-new WPA3 standard, tape-recorded Wi-Fi traffic can’t it is in spied on also if the attacker gains expertise of the Wi-Fi password later. V the existing WPA2 standard, this is not the case. Website traffic on a neighborhood network deserve to be spied ~ above both by various other users and by one attacker who records the traffic and decrypts that after learning the password later.

While HTTPS has actually made the internet much more secure and more private for Wi-Fi customers on untrusted connections, VPN’s choose up the slack to discourage snooping on traffic. Through encrypting DNS request and also other revealing information that have the right to open the door come a phishing attack, VPN’s make it harder because that an attacker to view what the target is law online, or come redirect users to a malicious website.

For the function of encrypting your neighborhood traffic, most famous VPN’s will sell a class of protection to prevent being straightforward prey. PIA, Mullvad, or NordVPN will certainly all render your regional traffic indecipherable come a hacker, and administer forward secrecy by make recordings of your Wi-Fi web traffic useless also if the attacker learns the WI-Fi password later.

*

In the instance above, ns turned off PIA while security my Wi-Fi link from one more computer through Wireshark. Automatically after disconnecting, i was able to check out that mine phone was running Signal messenger, was on the at & t network, and was at this time watching a YouTube video clip just from DNS requests. Ns can even identify the VPN checking in v its upgrade server. Every one of this information was leaked in a few seconds of sniffing web traffic without using a VPN.

If you desire to learn much more about utilizing Wireshark because that sniffing info over Wi-Fi, girlfriend can inspect out this valuable reference: https://www.lasignoralaura.com/blog/how-to-use-wireshark/

3) Disable auto-connect when involvement networks

One disadvantage that purging your preferred network perform is that any networks you affix to will call for you to go into the password manually every time you want to connect. This can obtain annoying for networks you affix to often, and likewise requires you come clean her PNL after every time you sign up with a brand-new network.

For password-protected Wi-Fi networks you sign up with frequently, there’s a equipment to save the password if reducing the risk of your machine automatically connecting come malicious networks making use of the very same name. To execute this, make sure to examine the “disable auto-connect” checkbox when first connecting to a network. This will protect against your device from attempting to affix to a network the matches the name and security kind of the one you’re joining.

While you will do it still need to click the surname of the network every time you desire to join it, girlfriend won’t have actually to kind in her password. At the price of a solitary click, you have the right to avoid your device leaking the surname of networks you’ve associated to before.

*

On MacOS devices, you can specify which networks auto-connect in the “advanced” switch of the Network menu. You can simply uncheck any networks friend don’t want to auto-connect.

4) Never use surprise networks

 A normal Wi-Fi access point will send beacons containing every the details needed for adjacent devices to discover and connect come it, such as the network SSID and also supported encryption. Surprise networks, by contrast, never ever send beacons and also don’t announce themselves in any type of way, requiring that a customer device to it is in in range and already know around the network come connect. That means you’ll never see a surprise network included in the list of nearby access points, making the harder in concept for one attacker to know a network is there. Some individuals think that defense by obscurity is a good way come hide your network from Wi-Fi hackers, yet the ironic fact is the by hiding your Wi-Fi network, friend make every one of your smart gadgets easier come track. Due to the fact that a hidden Wi-Fi network will never broadcast before a an equipment tries to affix to it, a Wi-Fi maker configured to affix to a hidden network will have to assume the the network could be nearby at any kind of moment. In practice, that method that your machine will it is in constantly calling out the surname of the network did you do it hidden, making it easy to track her Wi-Fi device even if the MAC resolve is randomized or you’re taking various other precautions to stay anonymous. Not only does this make it less complicated to trick your maker into connecting come a rouge AP, that also permits anyone to monitor your presence by the radio signals her smart device is continuous sending.

*

In the picture above, I’ve added a surprise network come a smartphone’s desired network list. In Wireshark, we can quickly track the maker that’s calling out for a surprise network. Far from gift hidden, we have the right to not only determine the device, but additionally the name of the concealed network itself. If our goal was to make our Wi-Fi network much more stealthy, we’ve rather made our customer device perpetually speak to out the surname of ours “hidden” network because that the entire human being to see. In some cases, the “hidden” network a device is calling out for can also be located on Wigle.net, if the SSID is saturated unique. This means you may also be providing away your home or work address to anyone listening in on Wi-Fi transmissions. If her goal is to keep the presence of a network stealthy, girlfriend should consider just using ethernet rather than setup up a hidden Wi-Fi network. 

5) Disable WPS use on routers

From one attacker’s perspective, networks with WPS enabled stick out like a sore thumb. V a single command, a hacker deserve to scan the regional area for networks that assistance WPS and also would stand for a great target because that an assault like WPS-Pixie.

*

Above, we can see neighborhood networks that have actually various version of WPS enabled, an interpretation they’re worth auditing through a tool choose Airgeddon to watch if we can acquire a quick victory. Countless versions of WPS are breakable to both pen brute-forcing attacks and WPS-Pixie based attacks, i beg your pardon can enable an attacker come gain access to a vulnerable network in as few as 15 seconds.

What’s scary about WPS setup pin strikes is that the affect of a successful strike goes beyond simply changing the password. If the attacker is able to acquire your WPS setup pen in one of two people a Reaver or WPS-Pixie layout attack, they’ll be able to get your password no matter just how long, unique, or secure the is. This is since the WPS setup pen was draft in the an initial place come recover shed passwords, therefore by abusing it, the hacker has the same accessibility the owner the the device has.

In bespeak to absent a hacker who has your WPS setup pen out, you can not simply readjust the password. You also need come disable the WPS setup pin, and possibly purchase a brand-new router if you ever before want to usage it again. Countless routers don’t let you readjust the WPS setup pin, so to ensure her long, secure password stays secret, make certain to disable this alternative in her router’s food selection settings. 

The procedure because that disabling her WPS setup pin might vary, however in general, you should log right into your Wi-Fi router and disable the checkbox concerned “WPS PIN” or “WPS Setup” to make certain this option is off. In part older routers, disabling this might not actually turn it off, therefore if you desire to examine for yourself, you have the right to use the “-wash” command in Kali Linux to determine any nearby networks proclaiming WPS. If your an equipment still advertises WPS ~ disabling it, you should replace the device.

6) Never re-use passwords because that Wi-Fi 

 One the the greatest flaws the WPA2, the present Wi-Fi standard, is that a weak password have the right to make it basic for an attacker to break into the network. If the password to your Wi-Fi network is among the peak million or for this reason worst passwords out there, it’s likely a hacker can breach her network in a issue of minutes. That’s because all they need to do is record a handshake indigenous a machine connecting come the Wi-Fi, load it into a tool choose Hashcat, and sit back while it tries every assumption: v in a massive paper of breached passwords. One point that’s an important here is come think that passwords as “strong” in two ways. For one, they have to be daunting to guess, and also for another, they must be unique. That way that utilizing the same or very comparable passwords in various other accounts have the right to lead to her password finishing up ~ above a breached password list, do it one of the default “bad” passwords a hacker will try in a brute-forcing attack. So how can even a long and complicated password provided in many places end up being public? Companies lose passwords indigenous user accounts in breaches all the time, and one of the most common tactics is to shot to use these passwords in other areas once they end up being available. WI-Fi hackers recognize that world love to copy their favorite “strong” password from one account come another, and this makes it much easier to brute pressure passwords that might be long yet aren’t in reality unique. To see which of her favorite passwords might currently be common knowledge, you deserve to run her accounts with haveibeenpwned.com and see which providers may have leaked your account passwords. Never ever use a password for your Wi-Fi friend use elsewhere online, and definitely never use a password that’s been exposed by one more service.

7) Isolate client to their very own subnet

A potentially devastating mistake do by many tiny businesses providing Wi-Fi to customers is failing to restrict guest customers to their own subnet. As soon as done properly, subnet isolation means that each client can only connect with the router, and also isn’t totally free to scan other tools on the network or try to connect to open up ports. 

On a network with proper client isolation, an Nmap or ARP-scan have to reveal nothing, or merely the router together the only maker on the network. In addition, the router do not do it have any type of ports easily accessible which are hosting administration or construction pages indigenous the guest network, as these pages frequently will leak information a hacker deserve to use to make use of the router.

*

In the snapshot above, we view the instance for most tiny business Wi-Fi networks the are readily available to customers and don’t properly isolate client to their very own subnet. Without client isolation, everyone on the network deserve to see and interact through every other linked device. This way security cameras, DVR systems, the router itself, and NAS or paper servers ~ above the network deserve to be directly easily accessible to a hacker native the minute they sign up with the network, considerably simplifying the task of detect the networks weakest link.

*

In the photo above, a business providing Wi-Fi to client has also exposed their protection camera’s NAS server utilizing default credentials to anyone on the network, enabling hackers to see with the cameras that the business and also even go v old clip stored ~ above the server. Much more often 보다 not, businesses collection up these networks and connect numerous Wi-Fi devices, forget to change the default password on whatever from routers to printers. 

If a service forgets to change the default password come a router and fails to isolation clients come their own subnet, it’s only a issue of time before a hacker procedures in to administer the router for them. Once a guest scans the network, they have to only see two devices, the gateway and themselves.

With default admin passwords prefer “admin” or “password” left sitting on a router, hackers have the right to upload malicious firmware updates to spy on users or run stolen credit transaction cards through the link by making use of the router together their own personal VPN. The very first step to avoiding this is to prevent unnecessary accessibility to devices on the network in the very first place.

Wi-Fi is safer with a few basic precautions

In general, you should store as couple of trusted Wi-Fi networks in your tools as needed, and also disable auto-connect. If you job-related in a sensitive position and also have unique Wi-Fi network name at her office, you can be leaking the details of her employment come interested next without knowing it. As soon as in doubt, just disable your Wi-Fi radio once you’re not making use of it, together this will certainly prevent most Wi-Fi-based attacks.

By acquisition the measures above, it’s simple to minimize the risk of her Wi-Fi an equipment joining a malicious network automatically, being tracked in between locations, or leaking personal information. While these tips aren’t a finish guide to remaining safe top top Wi-Fi, lock will save you for sure from several of the easiest and also cheapest strikes hackers employ.

See more: How To Wash Swimsuits In Washing Machine, Washing Swimwear

If you want to learn an ext about what can occur when one attacker walk breach her network, you can see more in our Office 360 attack Lab.