Why WiFi Encryption?
In this day and age, it seems most of us have at least one WiFi Access Point in our home.
A WiFi Access Point (AP) is a device that allows wireless devices to connect to a wired network using Wi-Fi, or related standards. The AP usually is part of a router or modem. This “wired” network is typically the network used to connect to the Internet.
Since such an access point can have a range of about 300 meters (100 feet), this practically means that your neighbor(s) might be able to pick up the signal, or even worse: passing people (see also: Wardriving and PiggyBacking).
If your WiFi encryption is not enabled, then individuals like your neighbor or simply a passing person, might be able to use your Internet.
A few point to that:
- Such freeloaders will take away bandwidth from you and potentially slow down your Internet,
- These people might access, steal and/or destroy data on your computer(s),
- These individuals might use your connection for illegal downloads or other illegal activities.
Reducing your speed is one issue, but doing illegal things or accessing your private data through your WiFi is another.
As if stealing, copying or destroying your data isn’t bad enough, doing illegal things thorugh your WiFi comes with even worse problems. Crime investigators will see YOU as the person that committed the crime, with you having pretty much no evidence to who actually did it or prove your innocence. If things get really bad, so called Copyright Trolls (lawyers that intimidate and threaten you because they assume you’re the one downloading movies or music illegally) will try to make your life hell until you pay the ransom or find yourself in court.
The legality of accessing a WiFi without explicit permission, is different per country, and seems frequently changing. See also this Wiki Article on the legality of PiggyBacking.
From an ethical stand point, I’d say that accessing somebody’s WiFi without their permission is like breaking into their house. It’s simply wrong and should not be tolerated.
From a WiFi-owner perspective I do think that a certain level of responsibility is required as well. Like with your house, make sure you lock the door – even though it’s sad that this is needed, as some people seem to have no scruples or understanding of what is theirs and what is not theirs.
The latter is where WiFi encryption comes in to play as a analogy to the look on your doors.
WiFi Security through Encryption?
Most modern routers and/or modems, that function as a WiFi access point, offer some kind of encryption for WiFi.
The used standards however are puzzling at best. Below we will highlight the standards WEP, WPA and WPA2.
WiFi Alliance Logo
Since the late 90’s, WiFi encryption standards have gone through quite a lot of changes, and for good reasons.
WEP (Wired Equivalent Privacy)
WEP is one of the oldest and most widely used WiFi encryption algorithms. This doesn’t mean it’s the best choice, but due to backwards compatibility, equipment that did not get updated to the latest standards, and ignorance or laziness, are still too often being used.
Initially this standard, due to US government limitations on export of algorithms, was using only a 64 bit key, which appeared relatively easy to crack. After lifting these export limitations, 128-bit encryption appeared, but even though 256-bit encryption exists, 128-bit remained the most commonly used.
Despite WiFi encryption, some serious flaws make it very easy to exploit and crack WEP. A nice list of publicly available tools even do this automated for you. Therefor the WiFi alliance retired the WEP standard in 2004.
WEP is NOT RECOMMENDED!
If your equipment does not offer the newer standards, then I highly recommend either upgrading the firmware so it does support newer standards, or simply replacing the equipment with equipment that does support the newer standards. It seems though that old WEP only equipment cannot be upgraded with software to WPA/WP2, so a new router or modem might be needed.
WPA (WiFi Protected Access)
In 2003, a new standard was introduced called WPA, as an answer to the failing WEP WiFi encryption standard.
The most common configuration is WPA-PSK (Pre Shared Key) where the key is 256-bit, a significant improvement over the earlier 64- and 128-bit keys seen in WEP.
Another improvement, is the use of TKIP (Temporal Key Integrity Protocol) which uses a per-packet key system to verify the integrity of a packet. It is said that TKIP allows the use of hardware formerly used for WEP.
Later TKIP has been replaced by AES (Advanced Encryption Standard), offering even better protection but would require specific hardware (reference: The Difference between TKIP and AES).
For us mere mortals: AES is the recommended way to go.
WPA however isn’t perfect either and, even though a little harder to do, still vulnerable to hacking. Unlike WEP, where the algorithm is being attacked, WPA attacks focus on the WPS (WiFi Protected Setup) function of a router, often recognizable as a “setup” button on your router or modem.
WPA-AES is only to be used when WPA2 is not available.
WPA2 (WiFi Protected Access 2)
As of 2006, WPA has been replaced by WPA2, with the main difference being the mandatory use of AES and the introduction of CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) as a replacement for TKIP.
Note : TKIP is still preserved in WPA2 WiFi Encryption as a fall back, for devices that only support WPA.
WPA2 is currently the recommended option.
Be aware though that even WPA2 is vulnerable, but at the time of this writing, a lot of effort needs to be done – unless one is already connected to the encrypted WiFi … but otherwise this is considered the safest way to protect your WiFi.
WPA Personal versus WPA Enterprise WiFi Encryption
When exploring the settings of your router or modem, you might run into “Personal” and “Enterprise” WiFi encryption variants. A little confusing and yes I had to Google that one myself as well. See also: WPA Personal vs Enterprise at TP-Link.
The “Personal” version is definitely intended for home use, where no additional setup is needed.
WiFi Encryption – Personal – Router handles authentication
The “Enterprise” version however adds additional security by using a so called Radius server, which handles authentication. This is typically a more advanced setup and commonly used in enterprise (business) applications of WiFi. If you have such a Radius server available at home (a QNAP NAS has this option), then of course you can use this method as well, although it might make things unnecessary complicated.
WiFi Encryption – Enterprise – Radius Server handles authentication
Ranking of WiFi Encryption
Below a short list, in order of preference, which methods to use:
- WPA2 (includes the use of AES)
- WPA + AES
- WPA + TKIP/AES (TKIP is used as a fallback when AES is not available)
- WPA + TKIP
- Encryption disabled / No Encryption
Sense of security …
Some methods seem to give a false sense of security …
Rule of thumb for good protection …
The most important part of good protection is:
– Good Encryption Algorithm (WPA2)
– Strong (long) Password
What may help (but not a guarantee):
– Mac Address Filtering
– Time Schedule WiFi availability
What will probably not help:
– Disable DHCP
– Hide SSID
– Physical location far enough from the road
Strong Password and Encryption Algorithm …
The bottom line for good security is good WiFi encryption, which builds on using the proper WiFi Encryption standard (WPA2) and a strong password. Keep in mind that WEP (the oldest standard) encrypts, but is considered UNSAFE.
A strong password is a must – don’t use easy to guess phrases and make sure you mix in capital characters, numbers and/or special characters. Also make sure the password is LONG. Most routers or modems allow up to 63 characters, … so use them. The longer the password, the harder to crack. You could even enter a simple sentence if you’d like. Make sure you save the password in a safe place though …
Maybe not a good habit, but it might be practical: write down the (long) password on a Post-It and stick it under your router or modem. Unless you router/modem is standing in a public place of course.
Hiding the SSID can make things worse …
The SSID, or “name” of your WiFi, can be hidden on most routers or modems. You’d think that this would make things more secure, but it seems that this method comes with a downside. Your computer keeps “asking” for this SSID, to see if it’s around, and with simple tools this SSID can be picked up quite easily. This is seen mostly with Windows computers as they are notoriously known for this. I honestly do not know if this problem occurs with Linux or MacOS X and other systems.
Does Disabling DHCP help …?
This one is frequently debated … does it help, or does it not help,…
Some say that disabling DHCP makes a network unmanageable, and with some trial and error one could set an IP address manually to gain access to your network.
From the other side, if you have a fixed and very limited number of devices, DHPC might throw up a tiny hurdle slowing hackers down. And connecting seems a little faster and machines persistently have the same IP address (which can be handled with DHCP in the router as well).
In the end: it’s up to you to decide if the little hurdle is really worth the hassle of managing IP addresses manually. For the average user I’d recommend leaving DHCP on and possibly reserve IP-Addresses for certain machines (a setting offered in most routers, based on MAC addresses).
MAC address filtering can add some more security …
Filtering can help, but it’s not the magic trick that guarantees that other will not enter your network.
Every NIC (Network Interface Controller) has a unique ID, knowns as MAC Address (Media Access Control Address). Most routers allow you to enter the MAC addresses of the equipment that is allowed to connect.
People with the right tools however can figure out what the MAC address is of your computer and can relatively easy change the MAC address of their computer’s NIC to that MAC address and thus gain access to the network.
It is more of a hassle though to break in … and most certainly not a bad thing to add … but it guarantees nothing.
I’m too far away from the road, so I’ll be safe …
Well, from personal experience: you’re not.
My driveway is about 900 meters (3000 feet) from the road, yet people manage to get into my network by simply driving to my house when I’m not home. So this assumption is not reliable, specially when you’re not home.
Time Schedule when WiFi is available
This method, even though not 100% watertight, will most certainly help if your router allows you to disable WiFi at given times.
I work from 8 AM to 5 PM and in that time frame nobody is home, and at night when I’m pretty sure I’m sleeping from 2 AM to 7AM. During those times I have no real view on who’s near my house anyway and I’m not using it, so why not disable it.
A possible downside, with the current trend to increased remotely accessible home automation, themostats and surveillance camera’s, is that this might not be practical – so that’s something to keep in mind.