5 Wi-Fi security myths you must abandon now

Save yourself and your friends from these outdated or inaccurate security techniques, and learn the current best practices.
  • Eric Geier (PC World (US online))
  • — 07 October, 2013 13:19

Wi-Fi has evolved over the years, and so have the techniques for securing your wireless network. An Internet search could unearth information that's outdated and no longer secure or relevant, or that's simply a myth.

We'll separate the signal from the noise and show you the most current and effective means of securing your Wi-Fi network.

Myth No. 1: Don't broadcast your SSID

Every wireless router (or wireless access point) has a network name assigned to it. The technical term is a Service Set Identifier (SSID). By default, a router will broadcast its SSID in beacons, so all users within its range can see the network on their PC or other device.

Preventing your router from broadcasting this information, and thereby rendering it somewhat invisible to people you don't want on your network, might sound like a good idea. But some devices--including PCs running Windows 7 or later--will still see every network that exists, even if it can't identify each one by name, and unmasking a hidden SSID is a relatively trivial task. In fact, attempting to hide an SSID in this way might pique the interest of nearby Wi-Fi hackers, by suggesting to them that your network may contain sensitive data.

You can prevent your router from including its SSID in its beacon, but you can't stop it from including that information in its data packets, its association/reassociation requests, and its probe requests/responses. A wireless network analyzer like Kismet or CommView for WiFi, can snatch an SSID out of the airwaves in no time.

Disabling SSID broadcasting will hide your network name from the average Joe, but it's no roadblock for anyone intent on hacking into your network, be they an experienced blackhat or a neighborhood kid just goofing around.

Myth No. 2: Enable MAC address filtering

A unique Media Access Control (MAC) address identifies every device on your network. A MAC address is an alphanumeric string separated by colons, like this: 00:02:D1:1A:2D:12. Networked devices use this address as identification when they send and receive data over the network. A tech myth asserts that you can safeguard your network and prevent unwanted devices from joining it by configuring your router to allow only devices that have specific MAC addresses.

Setting up such configuration instructions is an easy, though tedious, process: You determine the MAC address of every device you want to allow on your network, and then you fill out a table in the router's user interface. No device with a MAC address not on that table will be able to join your network, even if it knows your wireless network password.

But you needn't bother with that operation. A hacker using a wireless network analyzer will be able to see the MAC addresses of every computer you've allowed on your network, and can change his or her computer's MAC address to match one that's in that table you painstakingly created. The only thing you'll have accomplished by following this procedure is to waste some time--unless you think that having a complete list of the MAC addresses of your network clients would be useful for some other purpose.

MAC-address filtering might help you block the average Joe from connecting to your router from an unauthorized computer or other device, but it won't stop a determined hacker. It will render your network more difficult for legitimate users to work with, however, because you'll have to configure your router every time you add a new device to it or provide a guest with temporary access.

Myth No. 3: Limit your router's IP address pool

Every device on your network must also be identified by a unique Internet Protocol (IP) address. A router-assigned IP address will contain a string of digits like this: 192.168.1.10. Unlike a MAC address, which the device sends to the router, your router will use its  Dynamic Host Control Protocol (DHCP) server to assign and send a unique IP address to each device joining the network. According to one persistent tech myth, you can control the number of devices that can join your network by limiting the pool of IP addresses your router can draw--a range from 192.168.1.1 to 192.168.1.10, for instance. That's baloney, for the same reason that the next claim is.

Myth No. 4: Disable your router's DHCP server

The flawed logic behind this myth claims that you can secure your network by disabling your router's DHCP server and manually assigning IP address to each device. Supposedly, any device that doesn't have one of the IP addresses you assigned won't be able to join your network. In this scenario, you would create a table consisting of IP addresses and the devices they're assigned to, as you would with a MAC addresses. You'd also need to configure each device manually to use its specified IP address.

The weakness that negates these procedures is that if a hacker has already penetrated your network, a quick IP scan can determine the IP addresses your network is using. The hacker can then manually assign a compatible address to a device in order to gain full access to your network. As with MAC address filtering, the main effect of limiting IP addresses (or assigning them manually) is to complicate the process of connecting new devices that you approve of to your network.

Myth No. 5: Small networks are hard to penetrate

This myth suggests that reducing your wireless router's transmission power will make it harder for someone outside your home or place of business to sneak onto your network because they won't be able to detect it. This is the dumbest security idea of them all. Anyone intent on cracking your wireless network will use a large antenna to pick up your router's signals. Reducing the router's transmission power will only reduce its range and effectiveness for legitimate users.

No myth: Encryption is the best network security

Now that we've dispensed with five Wi-Fi security myths, let's discuss the best way to secure your wireless network: encryption. Encrypting--essentially scrambling--the data traveling over your network is powerful way to prevent eavesdroppers from accessing data in a meaningful form. Though they might succeed in intercepting and capturing a copy of the data transmission, they won't be able to read the information, capture your login passwords, or hijack your accounts unless they have the encryption key.

Several types of encryption have emerged over the years. Wired Equivalent Privacy (WEP) provided the best security in the early days of Wi-Fi. But today WEP encryption can be cracked in a matter of minutes. If that's the only security your router provides, or if some of your networked devices are so old that they can work only with WEP, it's long past time for you to recycle them and upgrade to a newer standard.

Wi-Fi Protected Access (WPA) came next, but that security protocol had security problems, too, and has been superseded by WPA2. WPA2 has been around for nearly 10 years. If your equipment is old enough to be limited to WPA security, you should consider an upgrade.

Both WPA and WPA2 have two different modes: Personal (aka PSK, an acronym for Pre-Shared Key) and Enterprise (aka RADIUS, an acronym for Remote Authentication Dial In User Server). WPA Personal is designed for home use and is easy to set up. You simply establish a password on your router and then enter that password on each computer and other device that you want to connect to your Wi-Fi network. As long as you use a strong password--I recommend using 13 or more mixed-case characters and symbols--you should be fine. Don't use words found in the dictionary, proper nouns, personal names, the names of your pets, or anything like that. A strong password might look like this: h&5U2v$(q7F4*.

Your router might include a push-button security feature called Wi-Fi Protected Setup (WPS). WPS enables you to join a device to your WPA2-secured wireless network by pushing a button on the router and a button on the client (if the client also supports WPS). A flaw in WPS leaves it vulnerable to brute-force attacks, however. If you're particularly security-conscious, you might consider turning off WPS in your router.

Enterprise-mode WPA2 is designed for networks run by businesses and organizations. It provides a higher level of security than WPA, but it requires a RADIUS server or a hosted RADIUS service.

Now that you understand the best way to secure your network, spend a few minutes making sure that your router is configured properly.

Tags: network security, networking hardware, security, Networking, routers

Review: Linux Security Distributions

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Security That Fits

Improve the effectiveness of your security or get unique network threat discovery and remediation

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.