Steps to secure your WiFi network

Hello CHOICE community!

Our team at IF have been collaborating with the New Things Team at CHOICE over the last few weeks, looking at creating new products that help people with problems in their connected home. We’ve had some great conversations with people here. Thanks so much for your generosity.

A few people have asked us about the security of their WiFi network and how you can know if your network is secure and safe. There’s lots of writing and how to’s on this topic that point at best practice.

Something we’re exploring with the New Things team is a new kind of router.

It would have features on it that help you understand your home network better: why things aren’t working as expected and what you can do about them. These features would be accessible on a screen on the router, going beyond what can be done with simple indicator lights.

Last week we looked at how people can know if their home WiFi network is secure from external third parties.

We focused on helping people understand when the security of their network is potentially not following established best practice, through notification of issues and educating around the steps necessary to improve security.

These steps are simple and include:

  • Updating of default WiFi name settings
  • Updating of default WiFi password settings
  • Setting encryption at a best practice standard

This is a sketch of how we think this would work, please take a look.

Changing default settings on a router is a process that does not always happen when a new router is brought into the home. A default SSID with a brand ISP name in place can broadcast to the outside world that default settings may have not been changed on your router, leaving it vulnerable to attack.

We’re keen to support people in understanding when their network may not be secure and how they can practice security hygiene around their router and home network.

Take a look at the prototype, and let me know if you’d find something like this useful. I’d particularly like to know your thoughts on the design, and if the kind of information about your home network and your broadband connection you find in it would be useful.

Thanks and all the best,

Phil

3 Likes
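The three checks listed in the post above (default WiFi name, default WiFi password, encryption level) can be expressed as a small audit routine. This is an added example, not code from the prototype or from anyone in this thread; the SSID pattern list, the 12-character threshold and all sample values are constructed assumptions.

```python
import re

# Constructed list of ISP/vendor-style default names; a real product would
# need a maintained list. Brand prefix followed by an optional hex/digit tail.
DEFAULT_SSID = re.compile(
    r"^(bigpond|netcomm|tpg|telstra|optus|netgear|linksys|dlink)[-_ ]?[0-9a-f]*$",
    re.IGNORECASE,
)
WEAK_ENCRYPTION = {"open", "wep", "wpa"}   # anything below WPA2
MIN_PASSPHRASE_LEN = 12                    # assumed threshold, not from the page


def audit_wifi(current, factory):
    """Compare current settings with the factory values printed on the router.

    Both arguments are dicts with keys ssid, passphrase, encryption.
    Returns a list of (issue, advice) tuples; empty means nothing to flag.
    """
    issues = []
    if current["ssid"] == factory["ssid"] or DEFAULT_SSID.match(current["ssid"]):
        issues.append(("default-ssid", "Rename the WiFi network"))
    if current["passphrase"] == factory["passphrase"]:
        issues.append(("default-passphrase", "Change the WiFi password"))
    elif len(current["passphrase"]) < MIN_PASSPHRASE_LEN:
        issues.append(("short-passphrase", "Use a longer WiFi password"))
    if current["encryption"].lower() in WEAK_ENCRYPTION:
        issues.append(("weak-encryption", "Switch encryption to WPA2"))
    return issues


# Constructed sample data.
FACTORY = {"ssid": "NetComm 4F2A", "passphrase": "a1b2c3d4e5", "encryption": "WPA2"}
UNTOUCHED = dict(FACTORY)
RENAMED_ONLY = {"ssid": "TPG-77", "passphrase": "a1b2c3d4e5", "encryption": "WEP"}
HARDENED = {"ssid": "Wattle Street 12", "passphrase": "quiet-otter-reads-maps",
            "encryption": "WPA2"}

if __name__ == "__main__":
    for name, cfg in [("untouched", UNTOUCHED), ("renamed", RENAMED_ONLY),
                      ("hardened", HARDENED)]:
        print(name, audit_wifi(cfg, FACTORY))
```
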

Hi Phil

On the router setting just a bit confused as you say set the router name…if talking about the WiFi SSID maybe name it “SSID” or “WiFi Network name” or include both, e.g. “SSID (Your WiFi Network name)”.

Further to the Wifi settings why not enable “Do not broadcast SSID” and add some detail of why this may be useful and perhaps how to enable your other devices to use the Wifi network that isn’t broadcasting?

MAC filtering? or do you think this would be too demanding a task for the average householder?

Setting up a Guest network to allow visitors to use the internet but keep them out of your normal network?

And perhaps you should add a routine to change the default name and password to enter the router as most come standard with something similar to admin and admin or admin and password or similar easy to guess and look up on the web combinations.

Regards
@grahroll

5 Likes

hi Phil

I agree with @grahroll’s comments.

I think you need to consider doing a network map showing what is being connected to. I know only a smaller percentage of homes will have it, but you need to allow for situations where there is more than one router. Depending on where in the home/office the person is physically, they may be connecting into one or other router.

Also in relation to multiple routers you need to consider how they will be linked, and I don’t just mean wi-fi vs cable.

Finally, I would add an option to print out ALL the new settings so that people have a hard copy to recall what they have changed everything to. It also means that they can replicate the settings if needed.

3 Likes

Hi @grahroll,

Thanks for your feedback on the prototype. Really useful comments.

The thinking behind not offering the ability to do things like Mac filtering or stopping the SSID from being broadcast is that these steps would perhaps cause confusion in the average householder. When it comes to elements around naming and password, these are conventions that people have a broad grasp of. The goal being to offer a baseline of security on a router that is achievable by the vast majority of people.

Good point on offering a routine on changing the default name and password around the router admin access.

Do you feel that accessing router settings by visiting 192.168.X.X is a hurdle to people in changing these default settings? Also, in your personal opinion, do you think that if there are multiple options around the types of encryption that can be selected, that a prototype like this should automatically select the ‘best’ or ‘best practice’ for the person setting up their router?

Best regards,

Hi Phil

Not every router uses 192.168. addresses; some use 10.0. and for some users/householders this is the start of confusion. If your routine is picking up the router’s address and then offering the appropriate changes, then that is not such an issue and would in fact be a benefit.

As to the “best” or “best practice” this will also depend on their connecting equipment. I am still coming across older machines that only have WPA not WPA2 as the best protocol (so I then normally have to set the router to allow WPA & WPA2) and if the router was only allowing connections using WPA2 then some of their equipment would fail to connect.

As products are replaced the above situation becomes less of an issue but if for argument’s sake another Wifi encryption protocol became available on a new router this would again place a hurdle for some households if the routine only selected “best”. Perhaps a choice here of “If not sure select this option” would be helpful? Oh for some conformity across hardware manufacturers that they all had similar settings available! (should be made an ISO standard)

I certainly support @meltam’s idea of a hard copy of settings but this could possibly be achieved by creating a backup of the settings as most routers support this and it could easily be included in your routine and if no backup setting is available then saving the settings to perhaps a PDF?

Regards
@grahroll

1 Like
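The compatibility concern raised in the post above (a router set to WPA2 only locks out devices that support only WPA) can be handled by choosing the strongest mode every known device can join and reporting which devices hold the network back. This is an added example, not code from the prototype or from the poster; the mode table and device list are constructed assumptions.

```python
# Router modes, strongest first, with the protocols each mode accepts.
# Assumed model of a router offering the two settings described in the post.
ROUTER_MODES = [
    ("WPA2 only", {"WPA2"}),
    ("WPA + WPA2 mixed", {"WPA", "WPA2"}),
]


def recommend_mode(devices, modes=ROUTER_MODES):
    """Pick the strongest mode that every device can join.

    devices maps a device name to the set of protocols it supports.
    Returns (mode_name, holdouts), where holdouts are the devices that
    cannot join the strongest mode, i.e. what to replace to move up.
    Returns (None, stranded) if some device cannot join any mode.
    """
    strongest_accepts = modes[0][1]
    holdouts = sorted(d for d, p in devices.items() if not (p & strongest_accepts))
    for name, accepts in modes:
        if all(p & accepts for p in devices.values()):
            return name, holdouts
    widest = set().union(*(accepts for _, accepts in modes))
    stranded = sorted(d for d, p in devices.items() if not (p & widest))
    return None, stranded


# Constructed household inventory.
HOUSEHOLD = {
    "laptop": {"WPA", "WPA2"},
    "phone": {"WPA2"},
    "old-printer": {"WPA"},
}

if __name__ == "__main__":
    mode, holdouts = recommend_mode(HOUSEHOLD)
    print("Recommended:", mode)
    print("Replace to allow WPA2 only:", holdouts)
```
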

No expertise with routers whatsoever and I found the basic steps useful.

Hi Phil,
It could be very useful. Although I think I am reasonably familiar with my home IT, the modem/router settings are very confusing and so any simplification of what should be the simplest processes like change of name and password, change of security setting etc can be daunting at least on the two such devices I have used over the last decade or so (Bigpond and NetComm).
Furthermore we have a so-called smart tv which is mostly connected to our wifi network. But it regularly drops out so that the Freeview options red and green are not available. So if your device will help with this sort of issue great.
G

Try altering the placement of your router as this can have a big effect on the stability of your Wifi signal.

Does your router/modem have external antennas or internal? If external, try adjusting the antenna on it rather than moving your router. Alignment is very important, just like the old rabbit ear TV aerials: if you didn’t have them right you could forget watching TV or some stations until you got them just in the right place.

Have you traced your Wifi network? If you have a wireless pad or smartphone install an app such as Wifi Analyzer to map out signal strength in the area of your TV and as you adjust your Router or antennas check the strength to ensure you are getting the best signal. This should reduce or remove drop outs for you.

1 Like

MAC address filtering is easy to set up. If an intruder even knows your WIFI password he or she still cannot access your network. Setting the maximum number of WIFI connections also helps.

Gerard

1 Like

Thanks grahroll,
I’ll admit we have a tricky situation with router on another floor to TV and have done as you suggest, moving router as much as is possible and redirecting the two external antennae. I thought of an add on external antenna but no connection provided. But it still drops, I will live with that but it would be good if Phil’s device told me that was the problem straight off without eliminating the TV based options. I am with TPG ADSL and my first thought is that with other devices operating we have exceeded bandwidth. However, I will get Wifi Analyser onto the task.

Hi @grumpyoldman

On most routers you can unscrew the provided antenna and install a bigger antenna. I have done this previously using an extension cable with the appropriate connectors (available from JayCar I think). I used this to take the antenna out of the room where the router was and put it above the door jamb on the outside of the room. Made a huge difference.

1 Like

Thank you for your feedback.

A typical Wireless Router allows up to about 250 simultaneous connections, of course they will be very slow connections with that many competing for bandwidth. If you are sharing your wireless network with say 6 or so devices and it is the older G band you will be able to support about 8 Mbps each with all devices actually using the network at the same time (not likely but possible), speed if only streaming to your TV is likely to be higher as most devices are not constantly sending and receiving all the time. If N band the bandwidth for those same 6 depending if it is using only 2.4 GHz or if it is using Dual band (2.4 + 5 GHz) would be about 20 Mbps for the former to about 40 Mbps for the latter. If AC band you would get speeds nearly 100 Mbps or greater. In our house for example we have 4 Smartphones, 3 Pads, and 2 Smart TV all connected to our N band (dual band) Wifi network with no discernible deterioration in service.

For SD versions of programs you need about 5 -11 Mbps for reasonable viewing and for HD programs about 20 - 30 Mbps. Ultra HD is more extreme in its requirements.

As @meltam states you can replace the external antenna with either a more powerful gain one (most external ones that come fitted are no more than 2 dBi gain and more typically about 1 dBi) say 7, 8, 9 or 12 dBi or go for an antenna on a cable. They start around $7 or so dollars but are generally single band at this price level (see next paragraph).

You must be sure to get the right type. Some antennae are designed for just one band ie 2.4 GHz or 5 GHz and if your modem/router is a dual band you will need to ensure you get a dual band antenna to get best performance (Dual band tend to be more expensive).

An easier answer may just be to buy a Wifi Repeater/extender they start around $20 or so dollars (or look for them on second hand sites eg Gumtree, Ebay, Cash Converters). If you get lucky you can find the Ethernet over powerline ones but the power circuit they are plugged into has to be the same one for both adapters, they allow changes in floor levels more easily than the others.

I hope this helps

Thanks for this too grahroll and to meltam6554. The NetComm modem router antennae are not removable.
I tested the signal strength at the tv it is -69dB and about -30dB at the modem. Even with best arrangements I can make.
The best download speed I can get is about 8 Mbps. But wait! the wonders of Malcolm’s new nbn are soon to reach us and so I will hold off until I know what I actually have installed.

Good luck with that.
I don’t know if you saw the ABC News article on some people’s NBN experiences “NBN creating digital divide on New South Wales Central Coast”:

From the Choice Community discussions, the NBN is not all it’s cracked up to be.

I hope you will be one of the people with a positive experience.

Yes saw that excellent use of a tree and ziplock bag to achieve broadband. I thought it the modern equivalent of the tin cans joined by tight string of my childhood. What can I say but an excellent example of how politics can ruin a great initiative. I am not counting any chickens yet!

1 Like

Actually you can improve directional Wifi signal by using a tin can…They are sometimes called Cantenna see:

For further fun hacking of antennas see:

2 Likes

thanks for the great links.

1 Like

Old topic I know, but there’s good info above and some ‘fun’ info in the link below :)

In this writeup, I’ll describe a new technique to crack WPA PSK (Pre-Shared Key) passwords.
[…]
This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

They throw some GPU grunt into it, so it’s not completely trivial, but at the same time not terribly difficult either …

https://hashcat.net/forum/thread-7717.html

5 Likes