Have You Done Enough to Ensure Wireless Network Security?
Wi-Fi access is nearly everywhere. You use it at work, at home, and when you travel. But whether on a corporate Wi-Fi network or public Wi-Fi network, there are precautions you can apply to keep you better protected and your information secured.
CBRS Has Arrived
Citizens Broadband Radio Service (CBRS) is a license-free technology that is part of 5G and could potentially compete with Wi-Fi (see "Understanding 5G: CBRS"). CBRS is 150 MHz of the 3.5 GHz band made available by the FCC for commercial use. This makes spectrum available for the delivery of LTE services without requiring a license, the same as Wi-Fi.
The expectation is that CBRS will be as easy to deploy as Wi-Fi and may be a competitor to Wi-Fi. CBRS has a longer signal range equivalent to today's cellular services. It can cover a campus of buildings or municipality that would require many Wi-Fi access points. This means CBRS can experience the same security issues as Wi-Fi networks.
Wi-Fi Range Extension
A Wi-Fi range extender contains two wireless routers, similar to the wireless router you already have in your office. One wireless router receives the signal from the existing Wi-Fi network. The extender then transfers the signal to the other wireless router, which then transmits the boosted signal. The net result is that the signal range can be boosted to about 1,000 feet, well outside the office. While this may reduce your enterprise's cabling requirements, the additional range may also increase your security vulnerability by enabling access to those outside your office walls.
This can lead to piggybacking. If your office neighborhood is densely populated, failure to secure your wireless network can open your Internet connection to many unintended users. These users can conduct illegal activity, monitor and capture your traffic, or even steal files.
Another possibility is wardriving. The extended broadcast range of a wireless access point can make Internet connections available outside your office to other offices and the street. Some computer users know this, and have made a hobby out of driving through cities and neighborhoods with a wireless-equipped computer searching for unsecured wireless networks that can be compromised.
Evil Twin Attack
Use of public Wi-Fi access points -- at a coffee shop, library, airport, or in other public places -- is very common today. With an evil twin attack, an attacker collects information about a public network access point, and then sets up their system to impersonate the public access point.
The attacker broadcasts a signal stronger than the one generated by the legitimate access point. The unsuspecting user mistakenly connects to the stronger (attacker) signal. It's easy for the attacker to use specialized tools to read any data the victim sends over Wi-Fi. Always confirm the name and password of a public Wi-Fi hotspot prior to using it.
Recommendations for Protecting Your Wi-Fi Network
There are many ways to protect your wireless networks. Here are some easy recommendations that do not require any investment except time on your part to implement:
- Do not use default passwords -- Network devices are pre-configured with default administrator passwords to simplify setup. These default passwords are available online and provide little protection. Implementing your own complex passwords makes it harder for attackers to access a device. Periodically changing passwords is your first line of defense in protecting your network.
- Ensure you restrict network access -- Only allow authorized users to access your network. You can restrict access to your network by blocking unauthorized MAC addresses. You can setup a guest account. This allows you to grant wireless access to guests on a separate wireless channel with a separate password. This maintains the privacy of your primary credentials.
- Deploy encryption on your network -- There are several encryption protocols available. Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and WPA2 encrypt information being transmitted between wireless routers and wireless devices. WEP and WPA are both still available; however, it is advisable to use equipment that specifically supports WPA2 or WPA3, In January 2018, Wi-Fi Alliance announced the release of WPA3 with several security improvements over WPA2.
- Do not publicize your Service Set Identifier (SSID) -- Change your SSID to something unique. Leaving it as the default setting allows an attacker to identify the type of router and possibly exploit any known vulnerabilities.
- Keep your software patched and up-to-date -- The manufacturer of your access point (AP) periodically releases updates to and patches for the AP. Check the manufacturer's website regularly for any updates or patches.
- Check your security options -- Your ISP and router manufacturer may provide information or resources that can be used to secure your wireless network. Access the customer website support area for recommendations or instructions.
A valuable resource on this topic is "A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family)," published by the Department of Homeland Security, Cybersecurity Engineering. This 17-page document summarizes best practices and guidance for securing Wi-Fi networks from threats and for implementing secure wireless access to networks. The recommendations in this DHS guide address wireless threats that are universal and describe security controls that can work together to mitigate these threats.