Introduction

Ars Technica's original Wireless Security Blackpaper was first published back in 2002, and in the intervening years, it has been a great reference for getting the technical lowdown on different wireless security protocols. As a sequel to the original blackpaper, we wanted to do something a little more basic and practical, because the number of devices with 802.11x support has greatly expanded since 2002. Wireless security is no longer the domain of geeks and system administrators, but is now an issue in the lives of everyday users, from the worker with a home office who wants to keep sensitive files secure to the homemaker who wants to avoid an RIAA lawsuit because the teen next door is a wireless-leeching P2P addict.

In this practical introduction to the basics of securing your home wireless network, we'll cover the important, high-level points that ordinary users need to know in order to secure a network of game consoles, phones, and PCs. Along the way, we'll also recap some of the relevant information from the original wireless blackpaper, which I recommend if you want to pursue the topic further. So look through the guide, and if you're already technically savvy then send it along to your uncle or your sister-in-law, and you may get one less phone call when it comes time for them to set up their new WLAN.

Note: This short guide will focus on securing 802.11g/802.11 draft-n routers, since these are the two most common types on the market today. Most of the information we'll present should be applicable to older 802.11b or even 802.11a routers as well, assuming that your device's manufacturer provided appropriate firmware updates.

First things first

The first thing to understand about wireless security is that by default, you have none. The router you buy from Newegg or Best Buy is going to come preconfigured for open access, which means that all of your neighbors can hop on and begin snarfing up MP3s with your bandwidth. This makes the router easier to set up—on a modern OS, you shouldn't have to do much more than plug in both adapter and router—but it leaves the wireless access point (WAP) completely open to attack. Most manufacturers use a simple login/password combination, and such information is easily available online.

The first step to securing any wireless network, therefore, is to change the default router password. Most manufacturers set the default password to something along the lines of "admin," "password," or "changeme," and the router IP address is almost always a simple variation on 192.168.x.1, where x = 0, 1, or 15. A nonstandard, strong password is no substitute for actual encryption, but it's a step in the right direction. The next step should be to check for a firmware update for your router, particularly if it's an older model. Many routers that didn't support more advanced security settings (i.e., WPA, which I'll describe later) had such support added via later firmware updates.





Setting a password for your router should be one of the first things you do

Debunking myths

You're likely to get some bad wireless security advice from the guy at your local electronics superstore who sold you your router, because many of the commonly recommended wireless security tips floating around out there aren't actually all that useful and may even do more harm than good by lulling the end-user into a false sense of security.

Hiding the SSID

The SSID (Service Set Identifier) is an identification code (typically a simple name) broadcast by a wireless router. If a wireless device detects multiple SSIDs from multiple access points (APs), it will typically ask the end-user which one it should connect to. Telling a router not to broadcast its SSID may prevent basic wireless access software from displaying the network in question as a connection option, but it does nothing to actually secure the network. Any time a user connects to a router, the SSID is broadcast in plaintext, regardless of whether or not encryption is enabled. SSID information can also be picked up by anyone listening to the network in passive mode.

Changing the SSID

This is sometimes touted as a security measure. It isn't. Changing your access point's SSID will change the identification code the router is broadcasting, but it won't change anything else. It doesn't prevent the router from being detected, snooped, or hacked in any way.

Disable DHCP

Switching DHCP off and using static IP addressing is no defense against hacking. Anyone snooping the network can usually figure out the pattern that has been used to assign the IP addresses in question and then make a specific request accordingly.

Filtering MAC addresses

In theory, this sounds great. Every NIC has its own unique MAC address, and wireless access points can be configured to block all but a handful of specified NICs. The problem with filtering by MAC address, however, is that these addresses are easily faked and readily detected by anyone using appropriate monitoring software. In addition, this approach requires a great deal of overhead in corporate environments, and even for a large home network with multiple machines and gadgets (consoles, phones, and consumer electronics) it quickly becomes untenable.

Of the above bogus "security" measures, filtering MAC addresses is the only one with even a minimal level of value. MAC address filtering can keep obnoxious and non-tech-savvy neighbors from easily freeloading on your wireless network, but it won't do much else. To keep more determined intruders off of your network, you'll have to use encryption.