Wi-Fi security has evolved to the extent that most modern routers are set up to be secure with strong passwords, encryption methods, built-in firewalls and other security measures devised to protect you from malicious attacks. But what happens when those encryption methods are broken?
That's exactly what has happened, after Belgian researchers at KU Leuven University broke the WPA2 security protocol. WPA2 is used to protect the majority of Wi-Fi connections in the world because it is the most secure method available for general use.
How can I protect my data if Wi-Fi isn't secure?
The fact that WPA2 has been hacked is alarming news and affects many consumer devices, but there's no cause for panic.
In essence the researchers exposed a bug in the Wi-Fi standard which leaves wireless traffic vulnerable to potential eavesdropping with malicious intent. In other words, anyone could use the flaw to see what you're doing on the internet and grab credit-card numbers, passwords, chat messages, emails, photos and more.
Fortunately, many devices have now been patched or updated to fix the bug. And in any case, it isn't usually WPA2 alone that's the security between a hacker and your data.
For a start, a Wi-Fi attacker needs to be within range of the network in question. It is also likely that a large amount of the information you're sending over the internet is already encrypted, which means the hacker couldn't read it anyway.
Note that a new standard - WPA3 - is coming very soon which is a lot more secure than WPA2 and fixes the main vulnerabilities.
This is why you should be particularly mindful of the padlock icon in your browser's address bar. If a padlock is not visible, which indicates the site is not using https, then there is a possibility any data you enter will be viewable to others.
So if you're about to enter your address and payment details and hit 'submit' make sure that padlock is there first.
Returning to those patches and updates, Microsoft issued a fix for Windows devices on 10 October 2017 (which will have been applied if you're using Automatic Updates). Apple also patched the vulnerability for macOS and iOS around the same time.
Google issued security updates for Android devices in November, so check in the About section of your phone or tablet's settings to see when the last security update was. If it was prior to November and your phone runs Android 6 or earlier, you should seek out an update.
Wireless routers, like smart home devices, are rarely updated, but it's well worth checking to see if you can install an update for your particular gadgets. You may find that some automatically update themselves, so it's just a case of checking that your device's firmware or software version date is recent and not before October 2017.
Which wireless security standard should I use?
Modern routers usually have a Wi-Fi password set by default, and that's used for various protocols to encrypt the data you send across the web. Here are some of the terms you'll see knocking about for consumer-grade Wi-Fi:
Wired Equivalent Privacy (WEP) was the norm back in 1997 when the 802.11 Wi-Fi standard was introduced. This is now deemed insecure and was subsequently replaced in 2003 by WPA through the TKIP encryption method.
Temporal Key Integrity Protocol (TKIP) is now also being phased out, but unlike WEP is still seen in most modern routers.
Advanced Encryption Standard (AES) was introduced shortly after TKIP in 2004 along with WPA2, the new and improved WPA standard. Select this level of encryption where possible, but note that your wireless devices will also need to support it in order to talk to your router (most do, but some older kit may not).
Despite the hack as outlined at the top of this article, WPA2 is still said to be the best way to secure Wi-Fi. Nowadays router manufacturers and ISPs typically use WPA2 by default; some use a combination of WPA2 and WPA to ensure compatibility with the widest range of wireless kit.
You may also see an option with the suffix ‘-PSK’, which is short for Pre-Shared-Key or Personal Shared Key. If you're offered the choice then choose WPA2-PSK (AES) over WPA2-PSK (TKIP), but if some older devices cannot connect, choose WPA2-PSK (TKIP) instead; it still uses the newer WPA2 encryption while enabling older devices that might be stuck with TKIP to connect to your router. You may find it listed as WPA2-PSK (mixed mode).
How to secure your Wi-Fi
WPS stands for Wi-Fi Protected Setup, and it was created to make configuring Wi-Fi connections easier. It sounds great, but it creates an easier entry point for hackers - with an eight-digit PIN it’s easy to hack through brute-force techniques.
The easiest way to know if you’ve got WPS enabled is to look on your router or the box it came with, as it often has a distinct logo and a physical button located on your router. It is good practice to disable it, especially if you don't think you'll ever use it.
If you’re still unsure, you can go into your router settings, which are usually accessed by typing 192.168.1.1 or 192.168.0.1 (or another address, depending on your ISP and router’s manufacturer) in your URL address bar and logging into your router’s admin panel.
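As an added example (not from the original article), this short Python check applies the advice above (avoid WEP, choose AES over TKIP, disable WPS) to a hostapd.conf-style access point configuration. The option names (wpa, wpa_pairwise, rsn_pairwise, wps_state, wep_key0) are hostapd's; both sample configs are constructed, and a consumer router will normally expose these settings only through its admin panel.

```python
# Added example: audit a hostapd.conf-style config against the article's
# advice (avoid WEP, prefer WPA2 with AES/CCMP over TKIP, disable WPS).
# Both configs are constructed samples, not taken from a real device.
WEAK_CONF = """\
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wps_state=2
"""
HARDENED_CONF = """\
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
"""

def parse_conf(text):
    """Return key -> value for 'key=value' lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2
    if any(key.startswith("wep_key") for key in conf):
        findings.append("WEP key configured: WEP is insecure")
    if wpa & 1:
        findings.append("original WPA enabled: keep only if old devices need it")
    # hostapd falls back to wpa_pairwise (default TKIP) when rsn_pairwise is unset
    wpa_pairwise = conf.get("wpa_pairwise", "TKIP")
    rsn_ciphers = conf.get("rsn_pairwise", wpa_pairwise).split()
    if wpa & 2 and "TKIP" in rsn_ciphers:
        findings.append("WPA2 permits TKIP: prefer AES (CCMP) only")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled: disable it if unused")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```

The weak sample corresponds to the "mixed mode" setting with WPS left on; the hardened sample is WPA2-PSK (AES) with WPS disabled.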
Change the admin password
As you’ve now logged into your router’s settings, you’ll also be able to see an option to change the router’s admin login details. We recommend changing this, as it’s simple to do so and protects you from anyone wanting to mess with your router's settings.
Some routers (though not usually those which are provided by your ISP) still come with a generic username and password, typically ‘admin’ and ‘password’. Changing this will make it a lot harder, and near impossible, to hack into your router’s admin panel.