Module 5: Securing Your Home Wi-Fi
The Bottom Line
Setting up your home Wi-Fi router to optimize your privacy and cybersecurity is crucial. This guide will provide you with the minimum essential steps that you must take to ensure that your router doesn’t introduce any unnecessary cybersecurity risks.
The Problem
If you don’t secure your home Wi-Fi network, cyber threat actors can perform a number of operations that are detrimental to your privacy and security.
For high-risk communities in particular, securing your home network is important to prevent threat actors from gaining access to your network and reading any unencrypted data that you send over the network. If you’re interested in learning more about the risks associated with Wi-Fi, see CISA’s Securing Wireless Networks blog.
The Solution
Routers are devices that enable your other devices (e.g., phones, laptops, desktop computers, and smart devices) to connect wirelessly to the internet. This guide will help you adjust settings that are common to all routers for better privacy and security.
Setting Up
Before you make any changes to your network, here are a few quick tips and facts to make the process easier:
Note: Each router is different. For a step-by-step guide to performing these instructions, please refer to your own router’s user guide.
- Find your router. It may have a sticker on it with the default setting information. While this information may vary, it typically includes the following:
  - IP address
  - Service set identifier (SSID)
  - Key (password)
  - MAC address
  - Account name
- To access your router, reference the manufacturer’s user manual and follow directions for making changes to the settings described below.
Router Settings Essential for Your Cybersecurity
At a minimum, you must ensure that you take the following steps to protect your network’s security:
- Change your router login username and password.
Your default router information may be publicly available for anyone to find, so it is crucial to change your credentials. Create a password that is long, random, and unique.
- Check your router firmware for updates.
Routine updates will protect you against known vulnerabilities. Some routers even allow you to set up automatic updates.
- Change your default SSID.
In other words, change the name of your Wi-Fi network. The default SSID could potentially alert a threat actor to known vulnerabilities associated with the router you are using. (Note: Do not give your Wi-Fi network a name that includes sensitive or identifying personal information.)
- Change your Wi-Fi password.
This is the password that someone must enter to access your Wi-Fi. To make your Wi-Fi password both secure and accessible, try creating a memorable passphrase using 5 to 7 unrelated words totaling at least 16 characters. Do not use this passphrase for other accounts.
- Change your Wi-Fi encryption.
Check to make sure your router uses WPA3 Personal or WPA2 AES (also referred to as WPA2 Pre-Shared Key [PSK] or WPA2) encryption. These are the only two forms of encryption that are considered safe and secure against threat actors who might attempt to see what data you are sending across your network. If your router is open (meaning it doesn’t have encryption and is not secure), or uses an older generation of encryption such as WEP, WPA, or WPA2 Temporary Key Integrity Protocol (TKIP), you should contact the internet service provider (ISP) that provided your router to request an upgrade, or consider purchasing a new router.
- Disable remote management.
This setting allows you to log in to your router over the internet to make changes. Disabling this setting can prevent threat actors from making changes to your router without connecting to your network first, either wirelessly or via cable.
- Disable Wi-Fi Protected Setup (WPS).
This setting increases the likelihood that a threat actor could gain unauthorized access to your Wi-Fi network. See CISA's blog on Home Network Security to learn more.
- Disable Universal Plug and Play (UPnP).
UPnP allows you to easily connect smart devices in your home (e.g., your smart speaker or dishwasher) to your Wi-Fi network. However, threat actors can use UPnP to spread malware to devices in your network and control them remotely. (See CISA’s blog on Home Network Security to learn more.) In some cases, you may need to enable UPnP to initially add your device to the network, but you should disable UPnP after doing so.
- Store your router in a secure physical location.
Anyone with physical access to your router could perform a factory reset and use the default information displayed on the router to gain access to the network.
- Create a “Guest” Wi-Fi option.
If your router has a “Guest” Wi-Fi option, you should enable it! Make a separate password that is long, random, and unique for accessing your Guest Wi-Fi.
  - Your Guest Wi-Fi should be used by anyone who does not routinely connect to your home Wi-Fi.
  - Additionally, connect any smart home and other IoT devices to your Guest Wi-Fi if internet access is the only thing they require. This will prevent these devices from discovering other devices on your home network, accessing your router settings, and potentially introducing vulnerabilities into your network.
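The Wi-Fi password step above (5 to 7 unrelated words totaling at least 16 characters) can be carried out with a cryptographically secure random picker, shown here as an added example that is not part of the original guide. The function names and the 32-word sample list are assumptions made for the demonstration; the entropy helper shows why a list of several thousand words (7,776 is used as an assumed size) matters.

```python
import math
import secrets

MIN_WORDS, MAX_WORDS, MIN_CHARS = 5, 7, 16   # limits taken from the guide

# Constructed 32-word sample so the block runs offline. Far too small for
# real use: pick from a list of several thousand words instead.
SAMPLE_WORDS = ("anchor breeze candle dolphin ember falcon glacier harbor "
                "island jungle kettle lantern meadow nectar orchid pebble "
                "quartz ribbon saddle thunder umbrella velvet walnut yonder "
                "zipper cobalt tundra marble pickle violin gravel xylophone").split()

def make_passphrase(wordlist, n_words=6, sep=" "):
    """Pick n_words distinct words with the OS CSPRNG; letters must total >= 16."""
    if not MIN_WORDS <= n_words <= MAX_WORDS:
        raise ValueError("use 5 to 7 words")
    words = sorted({w.strip().lower() for w in wordlist if w.strip()})
    longest = sorted(words, key=len, reverse=True)[:n_words]
    if len(longest) < n_words or sum(map(len, longest)) < MIN_CHARS:
        raise ValueError("word list cannot satisfy the length rule")
    rng = secrets.SystemRandom()
    while True:
        picked = rng.sample(words, n_words)
        if sum(map(len, picked)) >= MIN_CHARS:   # count letters, not separators
            return sep.join(picked)

def entropy_bits(list_size, n_words):
    """Upper bound on guessing entropy when words are drawn without repeats."""
    return sum(math.log2(list_size - i) for i in range(n_words))

if __name__ == "__main__":
    print(make_passphrase(SAMPLE_WORDS))
    print(f"32-word list, 6 words: {entropy_bits(32, 6):.0f} bits")
    print(f"7776-word list, 6 words: {entropy_bits(7776, 6):.0f} bits")
```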
Takeaways
Do
- Change your default router username and password.
- Regularly update your router firmware and install automatic updates, if possible.
- Change your default SSID (i.e., Wi-Fi name).
- Change the default Wi-Fi password.
- Ensure that your router uses WPA3 Personal encryption or WPA2 AES (sometimes seen as WPA2 PSK or WPA2).
- Disable remote management.
- Disable WPS setup.
- Disable UPnP.
- Put your router in a secure physical location.
- Create a Guest Wi-Fi.
Do Not
- Use your router’s default settings.
- Include personal information in your Wi-Fi name.
- Use the same username and password for your router account and administrative account.
- Leave your router somewhere that is easily accessible to others.
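The encryption rule in this guide (WPA3 Personal or WPA2 AES are acceptable; open, WEP, WPA, and WPA2 TKIP are not) can be applied mechanically to the security labels shown on a router settings page or in a Wi-Fi scan. The following is an added example, not part of the original guide; the network names and the `SSID | label` line format are constructed, and real labels vary by vendor. It treats mixed modes that still permit WPA or TKIP as failing.

```python
import re

def classify(security):
    """Return (acceptable, reason) for one security-mode label."""
    s = security.strip().upper()
    if s in ("", "OPEN", "NONE", "--"):
        return False, "open network, no encryption"
    if "WEP" in s:
        return False, "WEP"
    if "TKIP" in s:
        return False, "TKIP cipher permitted"
    # '' = first-generation WPA, '2' = WPA2, '3' = WPA3
    versions = set(re.findall(r"WPA(\d?)", s))
    if "" in versions:
        return False, "first-generation WPA permitted"
    if "3" in versions:
        return True, "WPA3"
    if "2" in versions:
        return True, "WPA2 without TKIP"
    return False, "unrecognized label, check manually"

# Constructed sample input: one "SSID | security label" pair per line.
SCAN = """\
HomeNet | WPA2-PSK (AES)
Cafe_Free | Open
OldPrinter | WEP
Mixed | WPA/WPA2-PSK (TKIP+AES)
NewMesh | WPA3-Personal (SAE)
Legacy2 | WPA2-PSK (TKIP)
"""

def weak_networks(scan_text):
    """Map each SSID that fails the rule to the reason it fails."""
    weak = {}
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        ssid, _, label = line.rpartition("|")
        ok, reason = classify(label)
        if not ok:
            weak[ssid.strip()] = reason
    return weak

if __name__ == "__main__":
    for ssid, reason in weak_networks(SCAN).items():
        print(f"{ssid}: {reason}")
```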
Project Upskill is a product of the Joint Cyber Defense Collaborative.