Working from Home? Wi-Fi Security and Tips and Tricks
Now that nearly all Rapid7 employees—along with a huge percentage of U.S.-based knowledge workers—are sliding into a work-from-home (WFH) routine, I jotted down some Wi-Fi security and management tips for my friends and colleagues who might not have paid much attention to their home networking. Hopefully, you find one or two of these points useful in your own new WFH Wi-Fi life.
Please note that these tips are only useful in cases where you own and operate your own wireless access point (in other words, you went out of your way to buy a router that’s separate from your ISP-provided hardware). If your ISP owns and controls your access point (for example, it’s part of your DOCSIS modem that connects to the WAN-side cable that runs out to your local drop), only some of these tips apply to you. For example, with Google Fiber’s gear, you can rename your SSIDs, but you can’t really check or update your own firmware. I’m sure it’s fine, though. Probably. If you are concerned though, you can always contact your ISP and ask them about this.
Change your administrative password
Usually, the default password on Wi-Fi routers is something easy, like “admin.” Change that to something decent. A longer passphrase with spaces and punctuation is a good start, but really, you shouldn’t be picking your own passwords at all anymore. This will prevent people who associate to your access point (AP) from changing settings or modifying firmware to something evil. Also, usually these attackers are close by, since it’s rare these days for administrative interfaces to be exposed to the internet.
Have you forgotten your administrative password? That’s no problem—most home routers have a factory reset button (it’ll often require a paperclip or something to actually push and hold). Go ahead and do that. Note that this will cause an outage, so give everyone plenty of warning. But, on the upside, you can follow the rest of this post with a clean slate to work with!
Replace your router
If you do own your own router but don’t remember when you bought it, it’s probably pretty old. Check the model number on Amazon (or your favorite retailer), as it’s written on the sticker on the bottom of the device. If it’s no longer in stock, seriously consider updating to the latest in the series—there are likely unpatched vulnerabilities on the old model, since small office/home office (SOHO) router vendors rarely backport fixes to old platforms, and these routers are basically immortal from the day they enter service. It’s not uncommon to see APs in the wild that are over 10 years old.
Update your firmware
Many modern APs have auto-updates, so if you have one of these, go ahead and enable that. Router manufacturers often silently update firmware with security fixes. If your router doesn’t provide for silent auto-updates, manually check for firmware updates. Note, manual firmware updates have a non-zero chance of bricking your router, so maybe first consider upgrading your hardware as previously discussed.
WEP is dead
Once you have your administrative password and your firmware all nice and fresh, take a look at your configured networks. You should see something about WPA, WPA2, or WPA3. If you only see WEP as a “secure” option, your firmware or hardware is definitely too old to be used for anything other than a teaching tool for young Wi-Fi hackers—definitely not as your family’s primary gateway to the internet.
It’s this point where I could write a whole bunch of nerdy crypto-jargon about the differences between WPA, WPA2, WPA3, but I won’t. Yes, it hurts, but this is just a short blog about home networking safety. I also won’t spend too much effort examining WPS (Wi-Fi Protected Setup, which was a Bad Idea, but here we are). If you’re passionate about these kinds of things, then you’re probably not the person this blog post is written for, and you know to just skip all this and head straight for OpenWRT.
Actually associate
So, you’ve put all this work in (which really shouldn’t be more than 30 minutes or so), it would be a shame if you weren’t actually on your now-mostly-secure Wi-Fi AP. If you live in a dense, urban area, double-check that your roaming devices are actually associated with this router. Sometimes, people fall off their local wireless access point and end up on a nearby coffee shop’s, and don’t notice. How embarrassing!
External scans
By now, you should have a pretty solid home networking setup. But, maybe you (or someone else in your house) was experimenting with your firewalling or routing rules. Always double check what your external exposure looks like by peeking at your network from the outside. I like What is My IP’s port scanning service for something super basic (Note, with What Is My IP, red is closed (good), and green is open (bad)—connectivity good, exposure bad, basically).
Don’t fight with the kids
Since many of us have kids at home pretty much all the time, you might be noticing that your Very Important Zoom Meetings are getting throttled by your kids’ streaming. As it happens, modern routers often have two radios, one for 5Ghz and one for 2.4Ghz. 5Ghz is higher bandwidth, but shorter range, so it’s better for streaming HD video and interactive gaming if the device happens to be reasonably close to the AP.
2.4Ghz still provides plenty of bandwidth for normal video conferencing, and should have enough power behind it to reach your home office space (if you’re fortunate enough to have one of those). So, naming these two networks different SSIDs can help you slot your kids’ tablets and laptops on a “better” network, while keeping enough bandwidth left over for your own low-def conferencing, Slack, and whatever else.
Of course, if you have smart TVs, gaming consoles, or other mostly fixed devices, you will want to run physical Ethernet cable to those—it hurts my heart every time I see someone trying to play a twitchy shooter game over Wi-Fi, since cable is almost always going to be faster and less error-prone than most practical Wi-Fi setups.
Last, you might want to check your service tier with your local residential ISP. Your neighborhood just got a lot more active during the day, so if you have the chance and the means to bump your service level up, it might be worth it. Hey, maybe your employer can help out with this unexpected business expense!
Get thee behind me, IoT!
If your AP supports a Guest network (and if it’s reasonably modern, it should), use it for your various IoT gewgaws and gimcracks. In home routers, guest networks are usually segregated from the rest of your “real” computers, and IoT devices often don’t have to talk to each other (usually, they only need to communicate with a cloud-hosted service out on the internet). This is an easy way to enforce network segmentation between devices you can control and have sensitive material on (like your work laptop), and devices you have less control over (like your thermostat).
Go further
Again, these might be some basic tips for most tech types (who make up the vast majority of people who read this blog), but working from home can be pretty alien (and alienating) for many people. Also, this is a minimum-bar kind of setup here—there is a lot you could do in your home networking to start approaching the bar set by modern enterprise networking, and hey, if you happen to have some free time, now is a great time to pick up a cheapo enterprise switch and start delving into areas like proper network segmentation, IDS/IPS, honeypotting, or any number of other modern networking technologies. It all can be pretty fun and illuminating, not to mention lucrative for people looking to switch or start careers. We’ve always had a shortage of talented and passionate network engineers, and I doubt that will change much post-pandemic.
Finally, if you have any other tips, hit me up on Twitter at @todb. If they’re both easy and high-impact, we can add them to this post.