7 Wi-Fi Security Tips: Avoid Being Easy Prey for Hackers (2024)

While Wi-Fi offers the convenience of a seamless, untethered data connection, it comes with security disadvantages that hackers love to exploit. Without knowing the tricks hackers use to target Wi-Fi devices, it’s hard for users to know which habits may be putting them most at risk.

Wi-Fi hacking frequently takes advantage of small mistakes users make while connecting devices to a network or setting up a router. To avoid the worst of these mistakes, there are a few simple precautions you can take to reduce your attack surface and avoid falling victim to some of the most common Wi-Fi attacks.

The risks of Wi-Fi

When the average person thinks about Wi-Fi hacking, they probably imagine a hacker breaking into their local Wi-Fi network. While this does happen, Wi-Fi can also be abused to track users by their devices, compromise passwords with phishing attacks, and reveal information about where a person works or travels.

Hackers targeting Wi-Fi can decide whether to attack the network itself or to go after any connected devices. This gives hackers the flexibility to pick the weakest link, relying on a target to make critical mistakes and targeting any vulnerability that’s easy to exploit.

Wi-Fi is an attack surface that can also follow you around. Mobile Wi-Fi devices can easily be tracked between locations, leaking network names that can reveal information about the owner. For anyone not wanting their device to broadcast where they work or have been recently, this can be both a privacy and security issue.

To reduce these risks, we can lock down behaviors that leak private information or make our devices more vulnerable. By taking the following steps, you can reduce your attack surface and keep yourself safer when using Wi-Fi at home or on the go.

1) Purge networks you don’t need from your preferred network list

The Preferred Network List, or PNL, is a list of Wi-Fi network names your device automatically trusts. This list is created from the networks you connect to over time, but it can’t distinguish between networks which share both the same name and type of security. That means that after connecting to a Starbucks Wi-Fi network a single time, your device will remember and connect automatically to any open network with the same name.

For a hacker, creating rogue access points which mimic the names of common open Wi-Fi access points is the easiest way to track nearby devices and conduct MITM attacks. If you leave your smartphone Wi-Fi on in public, your device won’t warn you when automatically joining an open network with a name matching any that you’ve joined before. Without other precautions, this could allow a hacker to load phishing pages, track which sites you visit, and learn which apps you’re using.

In Windows, you can delete your preferred networks by going to “Manage known networks” and clicking “Forget” on any networks you don’t want your computer connecting to automatically. At a minimum, you should remove all open Wi-Fi networks from this list. The risk of your device connecting automatically to a rogue AP pretending to be open Wi-Fi is much higher than encountering a malicious network with the exact same name and password as one stored in your PNL.

In the attack above, I used a $3 esp8266 microcontroller to create up to a thousand fake networks. Many nearby smartphones attempted to join networks with names they had connected to before, revealing which they trust. By finding which network names show up in the PNL of multiple nearby devices, a hacker can hijack the data connection of many devices at the same time with a single rogue network with a name like “attwifi.” If you have networks similar to those on the list above saved in your device’s PNL, you should delete them immediately!

2) Use a VPN to keep your local traffic encrypted

One of the fundamental flaws of WPA2 that’s being fixed in WPA3 is the lack of forward secrecy. In the new WPA3 standard, recorded Wi-Fi traffic can’t be spied on even if the attacker gains knowledge of the Wi-Fi password later. With the current WPA2 standard, this is not the case. Traffic on a local network can be spied on both by other users and by an attacker who records the traffic and decrypts it after learning the password later.

While HTTPS has made the internet much safer and more private for Wi-Fi users on untrusted connections, VPNs pick up the slack to discourage snooping on traffic. By encrypting DNS requests and other revealing information that can open the door to a phishing attack, VPNs make it harder for an attacker to see what the target is doing online, or to redirect users to a malicious website.

For the purpose of encrypting your local traffic, most popular VPNs will offer a layer of protection to avoid being easy prey. PIA, Mullvad, or NordVPN will all render your local traffic indecipherable to a hacker, and provide forward secrecy by making recordings of your Wi-Fi traffic useless even if the attacker learns the Wi-Fi password later.

In the example above, I turned off PIA while monitoring my Wi-Fi connection from another computer with Wireshark. Immediately after disconnecting, I was able to see that my phone was running Signal messenger, was on the AT&T network, and was currently watching a YouTube video just from DNS requests. I can even identify the VPN checking in with its update server. All of this information was leaked in a few seconds of sniffing traffic without using a VPN.

If you want to learn more about using Wireshark for sniffing information over Wi-Fi, you can check out this useful reference: https://www.varonis.com/blog/how-to-use-wireshark/

3) Disable auto-connect when joining networks

One disadvantage of purging your preferred network list is that any networks you connect to will require you to enter the password manually every time you want to connect. This can get annoying for networks you connect to often, and also requires you to clean your PNL after every time you join a new network.

For password-protected Wi-Fi networks you join frequently, there’s a solution to save the password while reducing the risk of your device automatically connecting to malicious networks using the same name. To do this, make sure to check the “disable auto-connect” checkbox when first connecting to a network. This will prevent your device from attempting to connect to a network that matches the name and security type of the one you’re joining.

While you’ll still have to click the name of the network each time you want to join it, you won’t have to type in your password. At the cost of a single click, you can avoid your device leaking the name of networks you’ve connected to before.

On macOS devices, you can specify which networks auto-connect under the “Advanced” button of the Network menu. You can simply uncheck any networks you don’t want to auto-connect.

4) Never use hidden networks

A normal Wi-Fi access point will send beacons containing all the information needed for nearby devices to discover and connect to it, such as the network SSID and supported encryption. Hidden networks, by contrast, never send beacons and don’t announce themselves in any way, requiring that a client device be in range and already know about the network to connect. That means you’ll never see a hidden network included in the list of nearby access points, making it harder in theory for an attacker to know a network is there.

Some users think that security by obscurity is a good way to hide their network from Wi-Fi hackers, but the ironic truth is that by hiding your Wi-Fi network, you make all of your smart devices easier to track. Because a hidden Wi-Fi network will never broadcast before a device tries to connect to it, a Wi-Fi device configured to connect to a hidden network will have to assume that the network could be nearby at any moment.

In practice, that means that your device will be constantly calling out the name of the network you’ve hidden, making it easy to track your Wi-Fi device even if the MAC address is randomized or you’re taking other precautions to stay anonymous. Not only does this make it easier to trick your device into connecting to a rogue AP, it also allows anyone to track your presence by the radio signals your smart device is constantly sending.

In the image above, I’ve added a hidden network to a smartphone’s preferred network list. In Wireshark, we can easily track the device that’s calling out for a hidden network. Far from being hidden, we can not only identify the device, but also the name of the hidden network itself. If our goal was to make our Wi-Fi network more stealthy, we’ve instead made our client device perpetually call out the name of our “hidden” network for the entire world to see.

In some cases, the “hidden” network a device is calling out for can even be located on Wigle.net, if the SSID is sufficiently unique. This means you may even be giving away your home or work address to anyone listening in on Wi-Fi transmissions. If your goal is to keep the existence of a network stealthy, you should consider just using ethernet rather than setting up a hidden Wi-Fi network.
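Tips 1, 3 and 4 can be checked together on Windows by reading the saved Wi-Fi profiles. The following is an added example, not code from the original article: it parses the text printed by `netsh wlan show profile name="<ssid>"` and lists the `netsh` command that fixes each risky profile. The profile text embedded here is constructed, and English-language netsh output is assumed.

```python
import re

# Constructed `netsh wlan show profile name="<ssid>"` output (English locale),
# trimmed to the fields this audit reads. Not captured from a real machine.
SAMPLE_PROFILES = {
    "attwifi": """
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
    Authentication         : Open
    Cipher                 : None
""",
    "HomeNet": """
        Connection mode    : Connect manually
        Network broadcast  : Connect only if this network is broadcasting
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Authentication         : WPA2-Personal
    Cipher                 : GCMP
""",
    "OfficeHidden": """
        Connection mode    : Connect automatically
        Network broadcast  : Connect even if this network is not broadcasting
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
""",
}


def parse_profile(text):
    """Collect 'Key : value' lines, keeping the first value seen for each key."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"\s*([^:]+?)\s*:\s*(.*\S)\s*$", line)
        if match:
            fields.setdefault(match.group(1), match.group(2).lower())
    return fields


def audit(profiles):
    """Return {ssid: [netsh commands]} for every saved profile that needs action."""
    plan = {}
    for ssid, text in profiles.items():
        if '"' in ssid:
            continue  # would break the quoting below; handle such names by hand
        fields = parse_profile(text)
        commands = []
        if fields.get("Authentication") == "open":
            # Tip 1: any open network with this name will be joined silently.
            commands.append(f'netsh wlan delete profile name="{ssid}"')
        else:
            if fields.get("Connection mode") == "connect automatically":
                # Tip 3: keep the saved password, but require a click to join.
                commands.append(
                    f'netsh wlan set profileparameter name="{ssid}" connectionmode=manual')
            if "not broadcasting" in fields.get("Network broadcast", ""):
                # Tip 4: this flag makes the client probe for the SSID by name.
                # Clear it once the access point broadcasts its SSID again.
                commands.append(
                    f'netsh wlan set profileparameter name="{ssid}" nonBroadcast=no')
        if commands:
            plan[ssid] = commands
    return plan


if __name__ == "__main__":
    for ssid, commands in audit(SAMPLE_PROFILES).items():
        print(ssid)
        for command in commands:
            print("   ", command)
```

On a real machine, `netsh wlan show profiles` lists the saved names to feed in; review the printed commands before running any of them.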

5) Disable WPS functionality on routers

From an attacker’s perspective, networks with WPS enabled stick out like a sore thumb. With a single command, a hacker can scan the local area for networks that support WPS and would represent a good target for an attack like WPS-Pixie.

Above, we can see local networks that have various versions of WPS enabled, meaning they’re worth auditing with a tool like Airgeddon to see if we can get a quick victory. Many versions of WPS are vulnerable to both PIN brute-forcing attacks and WPS-Pixie based attacks, which can allow an attacker to gain access to a vulnerable network in as few as 15 seconds.

What’s scary about WPS setup PIN attacks is that the impact of a successful attack goes beyond simply changing the password. If the attacker is able to get your WPS setup PIN in either a Reaver or WPS-Pixie style attack, they’ll be able to get your password no matter how long, unique, or secure it is. This is because the WPS setup PIN was designed in the first place to recover lost passwords, so by abusing it, the hacker has the same access the owner of the device has.

In order to kick a hacker who has your WPS setup PIN out, you can’t simply change the password. You also need to disable the WPS setup PIN, and possibly buy a new router if you ever want to use it again. Many routers don’t let you change the WPS setup PIN, so to ensure your long, secure password stays secret, make sure to disable this option in your router’s menu settings.

The procedure for disabling your WPS setup PIN may vary, but in general, you should log into your Wi-Fi router and disable the checkbox related to “WPS PIN” or “WPS Setup” to make sure this option is off. In some older routers, disabling this may not actually turn it off, so if you want to check for yourself, you can use the “wash” command in Kali Linux to identify any nearby networks advertising WPS. If your device still advertises WPS after disabling it, you should replace the device.
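What “still advertises WPS” means on the air is that the router's beacon keeps carrying a WPS vendor-specific information element. The following is an added example, not code from the original article: it walks the tagged parameters of a beacon and reports whether that element is present. It assumes you already have those bytes from a capture of your own router's beacon; the sample beacons below are constructed by hand.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor IE: OUI 00:50:F2, type 4 = WPS
ATTR_VERSION, ATTR_STATE, ATTR_LOCKED = 0x104A, 0x1044, 0x1057


def iter_ies(tagged):
    """Yield (tag, value) from 802.11 tagged parameters; stop at a truncated IE."""
    pos = 0
    while pos + 2 <= len(tagged):
        tag, length = tagged[pos], tagged[pos + 1]
        value = tagged[pos + 2:pos + 2 + length]
        if len(value) < length:
            return
        yield tag, value
        pos += 2 + length


def wps_attributes(body):
    """Decode the big-endian type/length/value attributes inside a WPS IE."""
    attrs, pos = {}, 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack_from(">HH", body, pos)
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) < attr_len:
            break
        attrs[attr_type] = value
        pos += 4 + attr_len
    return attrs


def wps_status(tagged):
    """Summarise what one beacon says about WPS."""
    status = {"ssid": None, "wps": False}
    for tag, value in iter_ies(tagged):
        if tag == 0:
            status["ssid"] = value.decode("utf-8", "replace")
        elif tag == 221 and value[:4] == WPS_OUI_TYPE:
            attrs = wps_attributes(value[4:])
            status.update(
                wps=True,
                configured=attrs.get(ATTR_STATE) == b"\x02",
                setup_locked=attrs.get(ATTR_LOCKED) == b"\x01",
            )
    return status


# --- Constructed sample data (built by hand, not captured) ---
def ie(tag, value):
    return bytes([tag, len(value)]) + value


def attr(attr_type, value):
    return struct.pack(">HH", attr_type, len(value)) + value


SSID = ie(0, b"ShopWiFi")
WMM = ie(221, bytes.fromhex("0050f202") + b"\x01\x01\x00")  # same OUI, not WPS
WPS = ie(221, WPS_OUI_TYPE + attr(ATTR_VERSION, b"\x10") + attr(ATTR_STATE, b"\x02"))
BEACON_BEFORE = SSID + WMM + WPS   # router with WPS switched on
BEACON_AFTER = SSID + WMM          # what a beacon should look like once WPS is off

if __name__ == "__main__":
    for name, beacon in (("before", BEACON_BEFORE), ("after", BEACON_AFTER)):
        print(name, wps_status(beacon))
```

The second vendor element in the samples shares the 00:50:F2 prefix but is not WPS, which is why the check compares the type byte as well.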

6) Never re-use passwords for Wi-Fi

One of the biggest flaws of WPA2, the current Wi-Fi standard, is that a weak password can make it easy for an attacker to break into the network. If the password to your Wi-Fi network is among the top million or so worst passwords out there, it’s likely a hacker could breach your network in a matter of minutes. That’s because all they need to do is capture a handshake from a device connecting to the Wi-Fi, load it into a tool like Hashcat, and sit back while it tries every guess in a massive file of breached passwords.

One thing that’s critical here is to think of passwords as “strong” in two ways. For one, they must be difficult to guess, and for another, they must be unique. That means that using the same or very similar passwords in other accounts can lead to your password ending up on a breached password list, making it one of the default “bad” passwords a hacker will try in a brute-forcing attack.

So how can even a long and complicated password used in multiple places become public? Companies lose passwords from user accounts in breaches all the time, and one of the most common tactics is to try to use these passwords in other places once they become available. Wi-Fi hackers know that people love to copy their favorite “strong” password from one account to another, and this makes it easier to brute force passwords that may be long but aren’t actually unique.

To see which of your favorite passwords might already be common knowledge, you can run your accounts through haveibeenpwned.com and see which companies may have leaked your account passwords. Never use a password for your Wi-Fi that you use elsewhere online, and definitely never use a password that’s been exposed by another service.
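A candidate Wi-Fi passphrase can also be checked directly, without disclosing it. The following is an added example, not code from the original article: it uses the Pwned Passwords range API that haveibeenpwned.com offers, which is sent only the first five characters of the passphrase's SHA-1 hash. The `constructed_fetch` function and its sample passphrase are constructed so the example runs offline.

```python
import hashlib
import urllib.request


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def range_query(prefix):
    """Ask the Pwned Passwords range API for every hash suffix under a 5-char prefix."""
    request = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "wifi-passphrase-check"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("ascii")


def breach_count(passphrase, fetch=range_query):
    """Times the passphrase appears in breach data; only 5 hash characters are sent."""
    digest = sha1_hex(passphrase)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def check_wifi_passphrase(passphrase, fetch=range_query):
    """Return a list of problems; an empty list means none were found."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA2 passphrases must be 8 to 63 characters long")
    seen = breach_count(passphrase, fetch)
    if seen:
        problems.append(f"appears {seen} times in breached-password data")
    return problems


# Constructed stand-in for the API so the example runs offline: it pretends
# "Summer2019!" was breached 1337 times and pads with a zero-count row.
def constructed_fetch(prefix):
    rows = ["0" * 35 + ":0"]
    leaked = sha1_hex("Summer2019!")
    if leaked.startswith(prefix):
        rows.append(f"{leaked[5:]}:1337")
    return "\r\n".join(rows)


if __name__ == "__main__":
    for candidate in ("Summer2019!", "short", "kettle-orbit-93-flamingo"):
        print(repr(candidate), check_wifi_passphrase(candidate, constructed_fetch))
```

Calling `check_wifi_passphrase(passphrase)` without the second argument queries the live service instead of the constructed data.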

7) Isolate clients to their own subnet

A potentially devastating mistake made by many small businesses offering Wi-Fi to customers is failing to restrict guest users to their own subnet. When done properly, subnet isolation means that each client can only communicate with the router, and isn’t free to scan other devices on the network or try to connect to open ports.

On a network with proper client isolation, an Nmap or ARP-scan should reveal nothing, or simply the router as the only device on the network. In addition, the router shouldn’t have any ports accessible which are hosting administration or configuration pages from the guest network, as these pages often will leak information a hacker can use to exploit the router.

In the picture above, we see the situation for most small business Wi-Fi networks that are offered to customers and don’t properly isolate clients to their own subnet. Without client isolation, anyone on the network can see and interact with every other connected device. This means security cameras, DVR systems, the router itself, and NAS or file servers on the network can be directly accessible to a hacker from the moment they join the network, greatly simplifying the task of finding the network’s weakest link.

In the image above, a business providing Wi-Fi to clients has also exposed their security camera’s NAS server using default credentials to anyone on the network, allowing hackers to see through the cameras of the business and even go through old footage stored on the server. More often than not, businesses set up these networks and connect many Wi-Fi devices, forgetting to change the default password on everything from routers to printers.

If a business forgets to change the default password to a router and fails to isolate clients to their own subnet, it’s only a matter of time before a hacker steps in to administer the router for them. When a guest scans the network, they should only see two devices, the gateway and themselves.

With default admin passwords like “admin” or “password” left sitting on a router, hackers can upload malicious firmware updates to spy on users or run stolen credit cards through the connection by using the router as their own personal VPN. The first step to preventing this is to prevent unnecessary access to devices on the network in the first place.

Wi-Fi is safer with a few basic precautions

In general, you should store as few trusted Wi-Fi networks in your devices as needed, and disable auto-connect. If you work in a sensitive position and have unique Wi-Fi network names at your office, you could be leaking the details of your employment to interested parties without knowing it. When in doubt, simply disable your Wi-Fi radio when you’re not using it, as this will prevent most Wi-Fi-based attacks.

By taking the steps above, it’s easy to reduce the risk of your Wi-Fi device joining a malicious network automatically, being tracked between locations, or leaking personal information. While these tips aren’t a complete guide to staying safe on Wi-Fi, they will keep you safe from several of the easiest and cheapest attacks hackers employ.

If you want to learn more about what can happen when an attacker does breach your network, you can see more in our Office 360 Attack Lab.

FAQs

How do I make my Wi-Fi secure?

  1. Change the default name of your home Wi-Fi.
  2. Make your wireless network password unique and strong.
  3. Enable network encryption.
  4. Turn off network name broadcasting.
  5. Keep your router's software up to date.
  6. Make sure you have a good firewall.
  7. Use VPNs to access your network.

What is the most secure Wi-Fi security setting?

WPA3 Personal is the newest, most secure protocol currently available for Wi-Fi devices.

Which Wi-Fi security types should be avoided?

Make sure that the protocol you choose is compatible with your devices. Choose WPA2 if your network does not support WPA3. WPA2 uses strong encryption and security features, and it is supported by most devices used at home and in corporate environments. If possible, try to avoid using WEP and WPA.

How do hackers get into my Wi-Fi?

Brute-force hacking your Wi-Fi password: Hackers can try hundreds of different password combinations to gain access to your password-protected router's internal settings. If your Wi-Fi password is cracked, hackers can change the password and lock you out of your home Wi-Fi.

How do I check if my Wi-Fi is secure?

For Android
  1. Find and click on Settings.
  2. Click on Wi-Fi. If there is a padlock over the signal symbol beside your network, your network is protected.
For iOS
  1. Find and click on Settings.
  2. Click Wi-Fi. ...
For Windows 10 ...
  1. Click Manage known networks.
  2. Click the current Wi-Fi network you are connected to, and click Properties.

How do I stay safe on Wi-Fi?

  1. Confirm you have the correct network. Make sure you are connecting to the right network. ...
  2. Turn off auto-connect. ...
  3. Turn off file sharing. ...
  4. Use a VPN. ...
  5. FBI warning about encrypted websites - HTTPS. ...
  6. Accessing sensitive information not recommended. ...
  7. Secured vs. ...
  8. Keep your firewall enabled.

What security setting should my Wi-Fi be on?

Set to WPA3 Personal for better security, or set to WPA2/WPA3 Transitional for compatibility with older devices. The security setting defines the type of authentication and encryption used by your router, and the level of privacy protection for data transmitted over its network.

Does hiding your SSID keep hackers from connecting to your network?

While hiding your SSID can prevent strangers from finding your network, hackers are much more skilled and can find ways to identify your SSID through a variety of techniques. Data packets carry the SSID that points to the network they come from.

What are the most secure Wi-Fi passwords?

The strongest passwords are at least 12 characters and include a mix of uppercase and lowercase letters, numbers, and special characters (! @#$&^%).

What is the weakest security Wi-Fi?

Wi-Fi security broken down

The oldest (from the 1990s) and least secure is WEP. The next step up is WPA, then WPA2—either TKIP or AES. WPA2 AES is a lot stronger than WPA2 TKIP but both are a common standard used on today's routers.

What is the security weakness of Wi-Fi?

Rogue access points are unauthorized WiFi devices that hackers set up to gain access to a network. They can be difficult to detect as they appear to be legitimate access points. To prevent this type of attack, regularly scan your network for unauthorized devices.

Should I enable WPS?

The WPS feature should be disabled when it is not in use to prevent cybersecurity threats or unwanted devices from connecting to your home network. The WPS feature can be turned off or disabled by logging into your router's settings, under Wireless Setup. Look for WPS and select “WPS Off”.

Can you check if your Wi-Fi is hacked?

Look for signs like unexpected changes in router settings, unknown devices connected to your network, slow internet speeds, increased data usage, redirects to unfamiliar websites, unusual network activity, disabled security features, and phishing attempts.

What to dial to see if your phone is hacked?

##4636## or ##197328640## ➡️ To Check Unknown Connections (Android) If you're concerned someone has installed malware or spyware on your Android phone, these codes open up a screen that lists all running processes and services.

Can someone see if you are connected to their Wi-Fi?

Router logs display connected devices, timestamps, sources, and IP addresses – but not necessarily specific URLs. Even so, the Wi-Fi owner could use tools like WireShark and OpenDNS to view your internet activities in greater detail. Make sure you have CyberGhost VPN switched on anytime you use someone else's Wi-Fi.

Why does it say my Wi-Fi is not secure?

You might see a notification that tells you that you're connected to a Wi-Fi network that's not secure because it uses an older security standard. For example, this can occur if you connect to a Wi-Fi network that uses WEP or TKIP for security. These security standards are older and have known flaws.

How do I fix my Wi-Fi security?

Weak security Wi-Fi fix: How to fix weak security on Wi-Fi
  1. Update router firmware: ...
  2. Change default login credentials: ...
  3. Use WPA3 encryption: ...
  4. Set a strong Wi-Fi password: ...
  5. Enable network encryption: ...
  6. Change default SSID (network name): ...
  7. Use a guest network: ...
  8. Adjust firewall settings:

How do I secure my Wi-Fi on my phone?

If you want to ensure that your data is safe when connected to a Wi-Fi network, you should follow these steps.
  1. Go to Settings, and then tap Biometrics and security.
  2. Tap Secure Wi-Fi.
  3. Review the information, and then tap Continue.
  4. Tap Start on the next screen.

How do I change my open Wi-Fi to secure?

3 Steps for Updating Security Settings on Home WiFi Networks
  1. Change Your Router's Default Administrator Password and Disable Remote Administration. ...
  2. Update Your Router's Firmware. ...
  3. Configure Your WiFi Security Settings.

Article information

Author: Gregorio Kreiger
