October is Cybersecurity Awareness Month (#BeCyberSmart) and for the entire month we're going to be sharing tips and information to help you be more secure online both at home and at work. Last week we talked about how you could more securely sign into your devices, accounts, and services. In this article we're going to talk about how you can better secure the way you connect to the internet.
Shouting across a crowded room
Most devices today connect to their local network via wireless, a technology we commonly call Wi-Fi. Wi-Fi uses radio signals to connect to your device and those radio signals can be either secured or open.
An open Wi-Fi network is one that you can connect to, and start using, for the first time without having to enter any kind of password or other authentication. You often see these in small businesses – like coffee shops or stores – or other public places that want to offer Wi-Fi to their customers, but don’t want the hassle of having to maintain and share a Wi-Fi password. Some home networks are open as well, especially older networks.
The problem with the open networks is that they’re usually not encrypted – which means that traffic on those networks is broadcast through the air in what we call “plain text”. Anybody who can see and connect to that network can potentially listen to that traffic. That’s especially worrisome if you are using that network to conduct banking or do other sensitive work.
The solution is to secure your networks with encryption such as Wi-Fi Protected Access (WPA) and only use other people's networks for sensitive or personal tasks if they're also secured.
Protecting your network
Securing the network in your home or business doesn’t have to be difficult. Here are a few steps you can take right away.
Note: These first few steps will require you to sign into the admin console of your Wi-Fi router. Usually you do that in the web browser of your device while connected to the router, though some modern Wi-Fi routers use an app instead. Naturally we can’t know what kind of router you have, so if you’re not sure how to get into the admin console we suggest that you check with the support site of your router’s manufacturer.
First step – Secure the console
If you haven’t already done so, go into the settings of your Wi-Fi administration console and make sure you’re not still using the default password for the device. This is the username and password you just used to sign into it. Especially for consumer devices that may ship with basic or standard usernames and passwords (such as “Admin” and “Password”) these are well-known, or easily discoverable, and must be changed as soon as possible.
Tip: This is true of any device you join to your network. Always change the default username and password if you can; preferably before connecting them to the internet.
While you’re at it, you should confirm that the ability to manage your network from outside your local network is turned off. For most routers that’s just a checkbox in the “Admin” or “Management” section of the console. Most people will rarely manage their routers and when they do it’s almost always done from inside the network. Few people want or need to change router settings from outside their network. Turning this feature off gives attackers one less tool to use as well.
Second step – Check the firmware
Wi-Fi routers, like almost all hardware devices, have software built into them that controls how they function. Because it’s software written to hardware and not easily modified we call it “firmware”. From time to time the device manufacturer might release an updated version of the firmware for your device. These updates may contain new functionality or security fixes.
Your device might check for it automatically, but many devices will require you to manually check for new firmware. That might be done through the administration console of your device, or you might have to go to the manufacturer’s website and check there for new firmware to download.
As long as you’re in the administration console or app, check to make sure the firmware is up-to-date. Try to check it periodically; perhaps quarterly.
Third step – Encryption
The next, and most obvious, step is to make sure that you have wireless encryption turned on. In the router’s admin console you will probably see a page or tab called “Wi-Fi” or “Wireless” or “Security”. If you can’t locate the encryption settings for your router, check with the manufacturer’s website, but they’re usually easy to find.
Ideally your Wi-Fi will be using at least WPA2 for encryption. If it’s not already enabled, turn it on. If it's currently using an older version of WPA, change it to WPA2 or newer. The router will ask you to enter a password to use for connection and of course you’ll want to pick a good password. Refer back to our previous article for tips. It’s not a bad idea to change the password for your wireless network occasionally, especially if you suspect an unwelcome device has joined your network.
Tip: Wireless routers and devices that support WPA3 have started to become available. If you're buying a new device consider looking for one that supports WPA3.
The screen where you turn encryption on is also usually the screen where you can change the Service Set Identifier (SSID) of your wireless network. The SSID is the name you see when you try to connect to it. It should be unique to avoid conflicts with other networks in the area, and the name you choose should be understandable, but not something easily mapped to you or your address. “Mike’s place” or “1234 Pleasant Lane” aren’t great choices. “Blue skies!” might be.
Fourth step – Be welcoming but not TOO welcoming
While you’re in the administration console see if your router supports guest Wi-Fi. If so, you should turn that on and when guests need to connect to your Wi-Fi have them connect to the Guest Wi-Fi.
Most modern routers support guest Wi-Fi and the special trick of it is that guest Wi-Fi is a separate wireless network. That means that devices connected to your guest Wi-Fi can’t see the devices on your primary Wi-Fi network, like your laptop or your smartphone. Most guest Wi-Fi networks even isolate the devices connected to the guest Wi-Fi from each other, though some allow you to specify devices you want to share, like a TV or streaming device.
Guest Wi-Fi isn’t only for guests; you should also put any non-essential smart devices on it. Your TV, your thermostat, your child’s iPad...anything that only needs to connect to the internet should go on the guest Wi-Fi. That way if any of those devices gets compromised, the attacker can’t use it to access any of your sensitive devices like your laptop or smartphone, or to listen in on their network traffic.
Tip: Your router may have the ability to notify you when a new device joins the network. Consider turning that feature on. If you get a notice that a new device has joined your network, and you’re not the one who did it, that’s a cue that you may want to look around and figure out what just joined. If it’s unauthorized you can probably go into the administration console for your Wi-Fi and remove them. Then you should change your Wi-Fi password.
Taking those easy steps can help make your Wi-Fi more secure. Now let’s take a look at how you can use your Wi-Fi connected devices – like your laptop or smartphone – more securely.
Using Wi-Fi securely
Even if you don’t have your own network to secure, you can be more secure with how you use Wi-Fi networks.
If you have to connect to a public Wi-Fi network try to choose one that is encrypted. Yes, it does require a bit more work to connect because you’ll usually have to find and enter the password but it’s important to have that level of security, especially in a crowded public place.
You can usually tell the encrypted ones because they say "secured" or something similar, and may have an icon indicating they're secure.
Open networks will usually say "Open" and may have an icon indicating they're insecure.
If you’re connecting to public Wi-Fi be sure not to select “Connect automatically” or “Remember this network”. Though it’s certainly convenient, you don’t want your device to connect to public Wi-Fi networks automatically. Why? Because of how “Remember this network” works.
Will the real O’Hare Wi-Fi please stand up?
When you tell your device to remember a Wi-Fi network it will constantly keep an eye out for that network. If you’re walking down the street, and your device is on, your device is continually looking for one of the remembered networks. When a remembered network appears, your device will try to connect to it automatically. That’s the point of remembered networks.
The way your device sees Wi-Fi networks is by their SSID, which is basically the Wi-Fi network’s name. However, you can configure most Wi-Fi routers to broadcast any name you want. You can set your Wi-Fi router’s SSID to be “Joe’s House” or “Contoso Electronics” or…“Free_ORD_Wi-Fi”, which is the SSID of the real Wi-Fi network at Chicago’s O’Hare airport.
If you've been through an airport, connected to the airport's free Wi-Fi, and allowed your device to “remember” that network, when your device sees a router, any router, that has the same SSID…it’s going to connect. Once it’s connected it will start sending and receiving traffic via that router. It could sign into social media (transmitting your username and password), your email, or your bank; really any apps you have open on the device may start communicating through that network, even though that network may actually be impersonating the legitimate network just to fool your device into connecting through it.
Almost every public airport has Wi-Fi. So do all the big hotel chains, coffee shops, shopping malls, grocery stores...and these SSIDs are all publicly known. Cybercriminals know those SSIDs too and they can deploy Wi-Fi routers with fake SSIDs to try and snare unsuspecting passersby.
Never allow your device to connect automatically to any Wi-Fi network that you don’t control.
Forget those networks
That’s fine for tomorrow, but what about yesterday? If you’ve had your device for a while there may be a long list of networks that you connected to in the past, which the device is still looking for. All devices have a way to manage that list. The ways to do it vary too widely for us to detail in this article but if you do an internet search for your device and how to “forget” or manage wireless networks you should find instructions.
You want to go through that list and forget any wireless network that you don’t control. Yes, we know that means you’ll have to sign into the coffee shop Wi-Fi manually each time – but in this case the risk can outweigh the convenience.
Tip: Another way to be safer is to turn off the Wi-Fi on your device when you’re not using it. Bonus: You’ll probably use less battery not having your Wi-Fi on when you’re just walking or driving around.
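As an added example (not part of the original article), here is one way to review the remembered-network list on a Windows device: export the saved profiles with `netsh wlan export profile`, then check each one for the combination this article warns about. The sample profiles and the CONTROLLED set are constructed for illustration; replace them with your own exported files and the SSIDs you administer.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
RANK = {"high": 0, "medium": 1, "low": 2}

def sample_profile(name, mode, auth, enc):
    # Constructed sample in the shape `netsh wlan export profile` writes.
    return (
        '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
        f"<name>{name}</name>"
        f"<SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>"
        "<connectionType>ESS</connectionType>"
        f"<connectionMode>{mode}</connectionMode>"
        "<MSM><security><authEncryption>"
        f"<authentication>{auth}</authentication><encryption>{enc}</encryption>"
        "<useOneX>false</useOneX>"
        "</authEncryption></security></MSM></WLANProfile>"
    )

SAMPLES = [  # constructed data, not real exports
    sample_profile("Blue skies!", "auto", "WPA2PSK", "AES"),
    sample_profile("Free_ORD_Wi-Fi", "auto", "open", "none"),
    sample_profile("HotelGuest", "manual", "open", "none"),
    sample_profile("CoffeeShop-Secure", "auto", "WPA2PSK", "AES"),
]
CONTROLLED = {"Blue skies!"}  # assumption: the SSIDs you administer yourself

def audit(xml_docs, controlled):
    """Return (ssid, severity, reason) for every saved network you do not control."""
    findings = []
    for doc in xml_docs:
        root = ET.fromstring(doc)
        ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", default="", namespaces=NS)
        # A missing connection mode is treated as "auto" to stay conservative.
        mode = root.findtext("w:connectionMode", default="auto", namespaces=NS)
        auth = root.findtext(
            "w:MSM/w:security/w:authEncryption/w:authentication",
            default="open", namespaces=NS)
        if ssid in controlled:
            continue
        if mode == "auto" and auth == "open":
            sev, why = "high", "joins any open radio broadcasting this name"
        elif mode == "auto":
            sev, why = "medium", "auto-connects to a network you do not control"
        else:
            sev, why = "low", "remembered but manual; forget it to trim the list"
        findings.append((ssid, sev, why))
    return sorted(findings, key=lambda f: RANK[f[1]])

if __name__ == "__main__":
    for ssid, sev, why in audit(SAMPLES, CONTROLLED):
        print(f'{sev:6} {ssid!r}: {why} -> netsh wlan delete profile name="{ssid}"')
```

Each reported SSID can be forgotten with the `netsh wlan delete profile` command printed next to it, or through the Wi-Fi settings screen of the device.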
Use a VPN
If you have to use a public Wi-Fi network for sensitive tasks you should consider using a Virtual Private Network (VPN). A virtual private network creates an encrypted “tunnel” between your device and a server out in the world. The server could be one your company controls, or perhaps a 3rd party service that you subscribe to. All of the traffic inside that tunnel is encrypted, so if you’re using a public Wi-Fi network an attacker may be able to see that a VPN tunnel has been established but the content flowing inside that tunnel would be concealed from them.
Tip: A VPN can add security to any network connection, even the secured ones, so it’s a good habit to have even on networks you think are secure.
Whatever VPN service you’re using will tell you what you need to do on your device to connect to them.
Use your mobile carrier
Another option, if there are no secure networks available, would be to use the data from your mobile carrier like you do on your smartphone when you're out and about. Some laptops now include a built-in LTE radio that can connect to your mobile carrier for data directly, over 4G or 5G, without needing Wi-Fi. Alternatively you may be able to use your smartphone as a personal Wi-Fi hotspot.
If you have that option it should be more secure than using an open Wi-Fi network, though it might be slower and if you get charged for data or have a data cap you’ll want to keep that in mind.
Let’s keep going!
We’ve gone through some easy steps to improve your cybersecurity, talked about more securely signing in to your devices and accounts, and now we’ve looked at connecting your devices more securely. Next Monday, October 19th, we’ll be talking about common online scams and attacks and how you can spot and defeat them. Come back to https://support.microsoft.com/security to keep Cybersecurity Awareness Month going and #BeCyberSmart.