MAKE YOUR WI-FI SAFER
5 Disable WPS
Wi-fi Protected Setup (WPS) was introduced in 2006 to simplify the process of connecting wireless devices. In that respect, it’s been true to its word: simply press the WPS button on your router, then the WPS button or a menu option on the device you want to connect, and the two make the connection automatically.
Behind the scenes, they’re swapping a pair of four-digit codes – and that’s where the problems lie. These codes offer ‘only’ 10,000 possible combinations for the first code (anything from 0000 to 9999) and just 1000 for the second, because the fourth digit of the second code is a verification number, meaning only the first three numbers need to be guessed (somewhere between 000 to 999).
Cracking the code by trying out each combination could take days or weeks, but a hacker with a computer can do it in seconds. Therefore, we advise against using WPS and instead suggest the tried and trusted method of entering your wireless network’s password on each device you connect.
The problem is, WPS is enabled on many routers by default. To disable WPS on a BT Home Hub or, in our case, a Plusnet Hub One, click Advanced Settings, followed by Wireless. Click WPS on the next menu and change ‘Wireless push button connection (WPS) enabled’ option from On to Off (see screenshot above right), then click Apply to save the changes.
6 Switch to more secure encryption
Your router offers several wireless security options (known as ‘protocols’). These encrypt your data as it travels between your router and connected devices. As well as ‘none’ (avoid using this), you should see the options of WPA (Wi-fi Protected Access) and WPA2 (see screenshot below left). Some routers may also offer WPA3, which was launched in January 2018. Each protocol builds on the security features of its predecessor, so always choose the highest-numbered version available.
If you change the setting here (as opposed to just checking that WPA2 is set and leaving everything as it is), your devices may lose their wireless connections. In most cases, you’ll simply need to enter your Wi-fi password again to reconnect them. Your laptop, PC, phone or tablet should then automatically update the security protocol.
Other wireless devices, such as printers and internet radios, may require an explicit instruction to switch to WPA2 from whatever protocol they were using previously. Exactly how you do this depends on the device, but it’s usually a case of accessing wireless settings either on the device or via the software that came with it.
Some older devices only support WPA. If you have such a device, we recommend upgrading to a more recent model, as this was in use for a very short period of time before being replaced by WPA2 in 2004 (if your router was supplied by your broadband provider, ask them if you’re eligible for an upgrade on security grounds).
WPA2 not only does more to verify the identity of the devices at either end of your wireless connection; it also uses strong encryption, and all devices that use it are required to be officially certified. Should you ever need to buy a new router, it’s highly likely to support WPA2 – look for the Wi-fi Alliance logo on the device’s packaging (see it at www. snipca.com/32922).
Finally, avoid using WEP (Wired Equivalent Privacy), even if your router offers it. WEP is now more than 20 years old, and early incarnations were comparatively weak in order to comply with restrictions on exporting cryptographic technology from the US.
7 Filter your MAC addresses
Every wireless device has what’s known as a Media Access Control (MAC) address. This is specific to the circuitry that handles the wireless connection, not the machine in which it’s installed. So, a smartphone will have two MAC addresses – one for Wi-fi and one for mobile data. So will a PC with built-in Bluetooth (one MAC address for the Wi-fi chipset and another for the Bluetooth transmitter).
Enabling MAC address filtering on your router allows you to lock out any device whose Wi-fi circuit’s MAC address doesn’t appear on a pre-approved list. Not all routers support MAC address filtering. BT’S range of Home Hubs don’t, for example, but you will find it on some Virgin routers (see Virgin’s help website at www.snipca.com/32911 for full details). To check your router, look for a MAC filtering option in the LAN, Network or Security menus.
If you have this option available, you’ll need to find out what your MAC address is so you can include it and thus avoid being locked out yourself. In Windows, open Settings (Windows key+i), click ‘Network & Internet’, then ‘Network and Sharing Centre’. On the page that opens select your wireless connection to open
its status box. Click the ‘Details...’ button and make a note of what you see beside Physical Address. This will be six pairs of numbers and/or letters in the form A1-B2-C3-D4-E5-F6 - in our example, it’s DC-F5-05-F5-05-ED (see screenshot below). Add this to the list of addresses that are authorised to access your network.
You’ll find the MAC address of an ipad or iphone by opening Settings, tapping General followed by About. Copy the sequence beside Wi-fi Address, in which the six sets of numbers are separated by colons, rather than dashes.
On an Android device, your MAC address could be in one of four locations, depending on which version of the Android operating system you’re using. The simplest way to find it, therefore, is to open Settings and type MAC address into the search box at the top of the page. This reveals that on our Motorola phone, our MAC address is found both in the Wi-fi Preferences pane and in the ‘About phone’ option.
You don’t need to make any changes to your wireless devices after you’ve enabled MAC address filtering on the router. However, there will be no way for them to get online until you have added their MAC addresses to the list of authorised numbers. Bear in mind that while MAC address filtering is an excellent second level of protection, it should always be combined with WPA2 or later so that your wireless data is encrypted. Another use for address filtering is to
restrict internet access. Routers that support the technology usually let you define which devices should be blocked, either permanently or between certain hours, by reference to their unique address.
8 Change your router’s IP address
Sitting at the very heart of your network, your router controls the addresses given out to all wireless devices that connect to those devices as well as their own address on the network. Unfortunately, the latter means two things: it’s easy to guess how to access a router’s configuration pages, and the address it gives itself may be required by another device.
Fortunately, most routers let you change their default address which, in combination with hiding your network’s name (see Tip 10), can make it much more difficult for a hacker to gain access.
On a BT Home Hub or Plusnet Hub One, you’ll find this option in Advanced Settings by clicking Home Network, then IP Addresses. Here, change the number (or numbers) that appear after the final dot in the IP Address box. This will likely be 1, 2 or 254 (see screenshot above) in its default configuration (the latter being the highest possible entry). Changing this last number to something more obscure – such as 163, 42 or 9 – adds an extra level of security.
None of your devices should lose their wireless connection when you do this because they use the network name to connect, not the router’s address. However, if you have changed the router’s address to one that is already being used by another device, that device will be kicked off the network. Fortunately, it should immediately attempt to reconnect, at which point it will be given a new address by the router. If it still can’t access the internet, restart the device so that it connects to the network afresh.
9 Change your admin password
The internet is awash with lists of routers’ default passwords. This becomes a problem should anyone manage to gain access to your network because the first thing they’ll see is your router’s login page, which will usually reveal its make and model. They can then simply look it up on one of the many available lists to discover its default login credentials.
Routers from BT, Plusnet and some other manufacturers have unique administrator passwords. If yours doesn’t, you should change it today. Log in using the existing password and navigate the menus to find the appropriate option, which will usually be found in a system or admin section.
Your admin password is not the same as the password used to connect your PC and other devices to your Wi-fi network, so you don’t need to make any changes to them once you’ve changed it.
10 Hide your network name
If you click the Wi-fi icon on your taskbar, you might expect to see all nearby networks. However, while this list may show a dozen or more available networks in a highly populated area, there could be others you can’t see. That’s because they’ve had their network names hidden. Why? So that only people who know they are there can connect to them.
Hiding your wireless network name is usually done on its Wireless or LAN settings pages (it’s not offered on the BT Home Hub or Plusnet Hub One). A wireless network’s name is more properly known as its Service Set Identifier (SSID). Therefore, look for an SSID concealment setting within the menus.
You don’t need to make any changes to your wireless devices when you change your SSID, because any that are already linked to the network will continue to connect even though you’ve hidden it. However, when connecting a new device you’ll need to enter the name manually.
On IOS devices, open Settings, tap Wi-fi, followed by ‘Other…’, then type the SSID and password. On Android, open Settings, tap ‘Network & Internet’ followed by Wi-fi. Tap ‘+ Add network’ then type the name in the ‘Enter the SSID’ box. On Windows, click the taskbar’s Wi-fi icon, then Network Settings followed by Wi-fi. Click Hidden Network, then Connect, and enter the hidden SSID (see screenshot above right). Click Next and enter the password, then Next one final time to connect.
11 Block all internet traffic
If you’re concerned your home network might be under attack or a program is sending out your personal data, temporarily blocking all internet access is a good first response. Your home network will remain in tact, so you’ll still be able to access devices such as network drives, but nothing will have access to the outside world, giving you time and space to fix the problem.
Log into your router’s configuration pages and either click a Disconnect button if it has one (on a BT Home Hub or Plusnet Hub One, you’ll find it by clicking Advanced Settings, then Broadband – see screenshot below) or shut every route through the firewall. Most firewalls will have a range of quick-fix settings, such as default, disabled, and block everything. In this case, select block all and click an OK or Apply button as appropriate.
You don’t need to make any changes on your PC when you block traffic through your router, but do bear in mind that any device that also has 3G or 4G connectivity, such as a tablet or smartphone, may fall back on that to maintain the connection. If so, switch off the cell connection or enable airplane/ flight mode (tap the airplane symbol to activate this).
12 Stop your phone or tablet connecting to unsafe networks
Your phone or tablet will automatically connect to networks it already knows.
If it can’t find anything familiar, it may even leap on any open (and therefore unsecured) network it encounters. This might sound like a great time-saver, but if you’re not authorising each connection you have no way of stopping it connecting to an unsafe network that’s been set up to compromise your device and steal your data.
To stop an IOS device from automatically connecting to unknown networks, open Settings then tap Wi-fi. Next, select ‘Ask to Join Networks’ and choose either Ask (see screenshot below) or Off from the options. The former will request permission to join an unprotected network, while the latter will just ignore whatever it finds.
On Android, open Settings, then tap ‘Network & Internet’ followed by Wi-fi. Tap Wi-fi Preferences, then tap the switch beside ‘Open network notification’ so that it slides to the left. This means you won’t be alerted when Android detects an available connection.