Securing your Wi-Fi® connections is an important element of securing your personal data. A Wi-Fi network using WPA2™ provides both security (you can control who connects) and privacy (the transmissions cannot be read by others) for communications as they travel across your network. For maximum security, your network should include only devices with the latest in security technology – Wi-Fi Protected Access® 2 (WPA2). Wi-Fi CERTIFIED™ devices implement WPA2.
Most Wi-Fi equipment is shipped with security disabled to make it very easy to set up your network. Most access points, routers, and gateways are shipped with a default network name (SSID), and administrative credentials (username and password) to make configuration as simple as possible. These default settings should be changed as soon as you set up your network.
It’s also important to consider employing other measures to secure your communications after they travel beyond your Wi-Fi network. Tools like personal firewalls, Virtual Private Networks (VPNs) and HTTPS can help reduce the risk of compromised privacy and security for internet traffic.
Security made easy: Wi-Fi Protected Setup™
Wi-Fi Protected Setup is an optional feature that simplifies and standardizes the process of configuring and securing a Wi-Fi network. It configures the network name (SSID) and WPA2 security for the gateway and client devices on a network and makes adding a new device to your network as easy as pushing a button or entering a personal identification number (PIN). Products certified for Wi-Fi Protected Setup are available at major electronics retailers and display the Wi-Fi Protected Setup identifier mark on their packaging.
Securing a new network
- Change the network name (SSID) from the default name
- Change the administrative credentials (username and password) that control the configuration settings of your Access Point/Router/Gateway
- Enable WPA2-Personal (aka WPA2-PSK) with AES encryption
- Create a network passphrase that meets recommended guidelines
- Enable WPA2 security features on your client device and enter the passphrase for your network
Checking security on an existing network
When you add a new device to your Wi-Fi network, it’s a great time to make sure you’re taking advantage of the highest level of security. Take the opportunity to ensure your network is configured for WPA2.
If your network was set up some time ago, or a service provider (e.g. a consultant or cable provider) configured your home network, it may be worth checking that it is configured for the highest level of security. If your network is configured for an older generation of security (WEP or WPA), Wi-Fi Alliance® recommends you move to WPA2. WPA2 has been required on all Wi-Fi CERTIFIED products since 2006, so the vast majority of Wi-Fi CERTIFIED devices in service today are capable of WPA2.
Passphrase quality & lifespan
A secure network passphrase greatly enhances network security, so it is important to select an effective passphrase. In general, increasing length, complexity and randomness all improve the quality of a passphrase. Wi-Fi Alliance recommends that a passphrase is at least eight characters long and includes a mixture of upper and lower case letters and symbols. A passphrase should not contain a word found in a dictionary and should not include personal information (identification number, name, address, etc.).
Periodically changing the passphrase on your network also increases security.
Once users have experienced the convenience and freedom of working wirelessly, they want to take their Wi-Fi devices on the road. Here are some tips for securing your Wi-Fi devices when using them away from your home network.
- Enable WPA2 security: All of your Wi-Fi client devices (laptops, handsets, and other Wi-Fi enabled products) should use WPA2.
- Configure to approve new connections: Many devices are set by default to sense and automatically connect to any available wireless signal. Configuring your client device to request approval before connecting gives you greater control over your connections.
- Disable sharing: Your Wi-Fi-enabled devices may automatically enable themselves to sharing / connecting with other devices when attaching to a wireless network. File and printer sharing may be common in business and home networks, but you should avoid this in a public network such as a hotel, restaurant, or airport hotspot.
- Technical Note: Removal of TKIP from Wi-Fi® Devices
- Wi-Fi Simple Configuration Technical Specification v2.0.5
- Wi-Fi CERTIFIED Wi-Fi Protected Setup™: Easing the User Experience for Home and Small Office Wi-Fi® Networks (2014)
- The State of Wi-Fi® Security: Wi-Fi CERTIFIED™ WPA2™ Delivers Advanced Security to Homes, Enterprises and Mobile Devices (2012)
- What are Protected Management Frames?
Wi-Fi CERTIFIED WPA2 with Protected Management Frames provides a WPA2-level of protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesdropping and forging, and multicast management action frames are protected from forging. WPA2 with Protected Management Frames augments the WPA2 privacy protections already in place for data frames with mechanisms that improve the resiliency of mission-critical networks.
- Are Wi-Fi CERTIFIED products protected by security?
Yes. All Wi-Fi CERTIFIED products are tested for the latest generation of Wi-Fi security: WPA2 (Wi-Fi Protected Access 2). The only way to be sure that a product meets these standards is to purchase only Wi-Fi CERTIFIED products.
- How does Wi-Fi Protected Setup work?
There are three primary approaches to network setup within Wi-Fi Protected Setup: push-button, PIN entry, and Near Field Communication (NFC). PIN entry is mandatory in all Wi-Fi Protected Setup devices, while push-button and NFC are optional and may also be found in some devices.
Push-button configuration (PBC): in some Wi-Fi Protected Setup networks, the user may connect multiple devices to the network and enable data encryption by pushing a button. The access point/wireless router will have a physical button, and other devices may have a physical or software-based button. Users should be aware that during the two-minute setup period which follows the push of the button, unintended devices could join the network if they are in range.
PIN entry: in all Wi-Fi Protected Setup networks, a unique PIN (Personal Identification Number) will be required for each device to join the network. A fixed PIN label or sticker may be placed on a device, or a dynamic PIN can be generated and shown on the device's display (e.g., a TV screen or monitor). The PIN is used to make sure the intended device is added to the network being set up and helps to avoid accidental or malicious attempts to add unintended devices to the network.
A registrar device (which could be an Access Point/wireless router, PC, television, or other device) will detect when a new Wi-Fi device is in range and prompt the user to enter the PIN if he or she wishes to add the new device to the network. In this mode, the Wi-Fi Protected Setup network encrypts data and authenticates each device on the network. The PIN entry method is supported in all devices.
Near Field Communication (NFC): A Near Field Communication interface can be used to transfer network settings to a new device without requiring manual entry of its PIN. The NFC method provides strong protection against adding an unintended device to the network. This is an optional method for Wi-Fi Protected Setup Access Points and devices.
- How do I make my wireless network secure?
Wireless security is important, and Wi-Fi wireless networks can enable WPA2, a sophisticated encryption technology that protects data flowing between Wi-Fi radios and access points. Wi-Fi devices are shipped with settings that will make setting up your Wi-Fi network as easy as possible - security is generally disabled. We recommend you take the following steps:
First, change the default network name (SSID) and credentials (username and password) used to manage the settings on your Access Point/Router/Gateway. This helps keep unauthorized users from getting access to your network. Wi-Fi equipment usually ships with a default network name out of the box. This should be changed immediately to make it easy to identify. Equipment also usually ships with default credentials (username and password) to make accessing the device's configuration settings easy. These default credentials should be changed as soon as you set up your network.
Second, enable strong encryption for your network: WPA2 security with AES. WPA2 security features support AES - a sophisticated form of encryption that is suitable for sensitive data communications. When WPA2 security features are enabled, the stream of communication between client devices (e.g. laptop, phone, printer, etc) and Access Points/Routers/Gateways is protected using AES.
These measures complement each other - implementing them all is the best way to protect your network. Wi-Fi CERTIFIED equipment comes with default settings that help you establish your network quickly and easily - it's important to enable the built-in security measures as soon as possible to protect your network.
- Please explain the various security standards & algorithms.
WPA2 is the latest version of Wi-Fi security, and it should be used to protect all Wi-Fi devices. WPA2 was introduced in 2004 and has been required in Wi-Fi CERTIFIED products since April 2006. It supports AES, the most advanced encryption standard. AES is the encryption standard endorsed by the US government. The Wi-Fi Alliance recommends that users select equipment supporting WPA2 to help protect their network from known attacks to their security and privacy.
WPA2 comes in Personal and Enterprise versions. WPA2-Personal uses a passphrase as a simple way to generate a shared key for encryption. The term passphrase refers to a single string of characters that the user enters into all their Wi-Fi devices on the same network. WPA2-Enterprise uses additional software and specialized server equipment to create encryption keys on demand and is designed to support larger corporate networks.
WPA2-Personal using a passphrase is equivalent to using security doors with metal keys. All users use the same key. Changing the passphrase for the network requires changing the passphrase for all devices. WPA2-Enterprise is the equivalent to using security doors with electronic card keys. Each user has an individual card key. It is possible to change each user's card key or revoke their card key without disturbing the other users.
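As an added illustration of both the passphrase guidelines above and how WPA2-Personal turns a passphrase into the shared key (example code written for this page, not Wi-Fi Alliance software; the word list and personal details are constructed): WPA2-Personal derives its 256-bit pre-shared key with PBKDF2-HMAC-SHA1 over the passphrase and the SSID, which is why both the SSID and the passphrase matter.

```python
import hashlib
import re

# Added example, not Wi-Fi Alliance code. WPA2-Personal turns the passphrase
# and the SSID into a 256-bit pre-shared key (PSK) with PBKDF2-HMAC-SHA1,
# 4096 iterations (IEEE 802.11). The PSK acts as the pairwise master key from
# which fresh per-association session keys are later derived.

def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte WPA2-Personal PSK from a passphrase and an SSID."""
    pw = passphrase.encode("ascii")
    if not 8 <= len(pw) <= 63:
        raise ValueError("a WPA2 passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid.encode("utf-8"), 4096, dklen=32)

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "wireless", "network", "internet"}

def passphrase_problems(passphrase: str, personal_info=()) -> list:
    """Return the guideline violations for a passphrase (empty list = OK)."""
    problems = []
    if len(passphrase) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[a-z]", passphrase) or not re.search(r"[A-Z]", passphrase):
        problems.append("missing mixed upper and lower case")
    if not re.search(r"[^A-Za-z0-9]", passphrase):
        problems.append("no symbol")
    lowered = passphrase.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(info.lower() in lowered for info in personal_info if info):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    # IEEE 802.11 published test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    # Same passphrase, different SSID: a different PSK, so a default SSID
    # shared by many networks lets one precomputed table cover all of them.
    print(wpa2_psk("password", "IEEE") == wpa2_psk("password", "ieee"))
    print(passphrase_problems("password"))
    print(passphrase_problems("Tq7!vZ2#mKp9wL", personal_info=("Smith", "1985")))
```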
WPA (Wi-Fi Protected Access) is an earlier generation of Wi-Fi security certification; it was introduced in 2003 as an interim solution. The WPA program added support for TKIP (Temporal Key Integrity Protocol) encryption. TKIP is an older form of security technology and has recently been demonstrated to have some vulnerability to cryptographic attacks. WPA is an older version of Wi-Fi security which was replaced in 2004 with more advanced protocols. Though the threat of a security compromise is small, users should not purchase new equipment which supports only WPA with TKIP.
WEP is the original security standard for Wi-Fi technology. The RC4 encryption algorithm that WEP is based on is no longer considered secure. WEP should not be used to secure your network.
- What does “security” mean in the context of Wi-Fi?
In the context of Wi-Fi technology, security means two things. First, controlling who can connect to and configure your network and equipment. Second, it means securing the data travelling wirelessly across your Wi-Fi network from unauthorized view.
Wi-Fi security is just one aspect of security for networks. A protected Wi-Fi network is a great start, but you should also consider measures to protect your computer (antivirus software, firewall, etc.) and your communications across the Internet (virtual private network (VPN), etc.).
- What security measures should I take when working away from my home?
Configure your Wi-Fi client devices (laptops, handsets, and other Wi-Fi enabled products) to enable security protections.
Configure for approved connections: Many devices are set by default to sense and automatically connect to any available wireless signal. The Wi-Fi Alliance recommends that you configure your device to not automatically connect to an open network without your approval.
Disable sharing: Your Wi-Fi enabled devices may automatically enable sharing / connecting with other devices when attaching to a wireless network. File and printer sharing may be common in business and home networks, but you should avoid this in a public network such as a hotel, restaurant, or airport hotspot.
Some users may also wish to use complementary security measures to improve the security of their activity over the Internet including virtual private networks (VPNs), firewalls, etc.
- I have WEP equipment in my network and am not able to replace it. What should I do to protect myself?
Recognize that your network is vulnerable. Casual web surfing may not disclose anything private, but do not send any private data over the network or conduct activities such as banking or shopping. Realize that unauthorized users could capture valuable information transmitted over your network or use your network for illegal activities, and use it accordingly.
- Does WPA2 have session keys?
WPA2 creates fresh session keys on every association. The benefit is that the encryption keys used for each client on the network are unique and specific to that client. Ultimately, every packet sent over the air is encrypted with a unique key. The ability to avoid key reuse and provide unique, fresh encryption keys is a basic tenet of good security practice and is why WPA2 offers such good security.
- I have equipment certified for WPA in my network and am not able to replace it. What should I do to protect myself?
Check with your equipment's manufacturers to see if an upgrade to WPA2 is available, and if it is, install and activate it on all the devices on your network. If no upgrade to WPA2 is available, check with your manufacturer for the availability of a patch for TKIP which addresses a recent vulnerability. If a patch is available, install and activate it. Use a strong passphrase, created from a combination of eight or more letters, numbers and symbols and which contains no words from any dictionary.
Consider implementing other security measures such as a firewall or VPN.