By Tyler W.
May 08, 2020
Keep your Wi-Fi Password Secure
You shouldn't share your Wi-Fi password... it's the gateway to your network
A critical piece of property in any business is your Wi-Fi password, but how many businesses protect this with the level of security it deserves? Not many, and even I’ve been guilty of poor Wi-Fi password security in the past – handing it out as needed to business associates and clients alike. I also have little difficulty in obtaining a Wi-Fi password from other businesses. When in the waiting area, it is as simple as “I have an appointment with Bob shortly, but need to get something from an email he sent me for the meeting. Could I please just grab the Wi-Fi password to download this?” – People want to help, and it doesn’t seem an unreasonable request, so of course they oblige, unaware of the potential consequences. Thankfully, we then get to educate these staff at the end of the engagement and ensure these lapses do not occur again.
As my knowledge of cybersecurity has improved, I have come to appreciate just how sensitive this data is: once someone is on your network, there are multiple ways they can bunny hop across to other devices and infect or control your network. A Wi-Fi password is more than the characters on a sheet of paper.
If you need to share your password with patrons, set up a guest network where you can make the password disposable and restrict components of that network such as bandwidth and downloads (and certainly deny uploading). Most routers are sophisticated enough to handle this.
Setting up a guest network: note that the length of time the network exists can be set.
So, if a password-protected network is risky, what about open networks, the ones you might use at a cafe? Well, don’t use them… not unless you want to risk everywhere you visit being snooped on. It is as easy as using a free tool called Wireshark (which is not designed to be used for nefarious purposes, but rather for network administrators to monitor traffic) and simply monitoring for all connected clients. If you can’t help yourself and need to join these free networks, then you really must be using a VPN (virtual private network) to protect your browsing. I encourage you to use a VPN whenever possible; it’s a bit like keeping your front door locked during the day. Not really needed, not 100% convenient, but it adds that extra layer of protection that will do more good than harm.
When selecting a VPN, there is a genuine challenge in getting the right one. Put simply, do not use a free one (because of the old saying, “if it’s free, you are the product”), and make sure the one you pick does not keep logs. If you want to add an extra layer of confidence, check where the VPN's head offices are located. Even this is not a cure-all, as their “head office” may not be an office at all. The ‘no logs’ policy is your failsafe though, because if they are required to hand anything over to authorities, there would be an empty server, on account of the ‘no logs’ policy.
This is not to suggest you, or I, are up to no good, but every person deserves a certain expectation of privacy, and that is why you need to treat your Wi-Fi password like your bank card PIN. Even if you are diligent with your Wi-Fi password, still use a VPN, so that if your password is ever leaked or stolen it won’t mean much to anyone, as your web data will be encrypted. It will not solve the risk of network penetration, but it keeps your data secure, and something is better than nothing in the security department.
“Stealing” a Wi-Fi password can be done without much difficulty, and below is the approach I most commonly use. It relies on the user not knowing what their router update page looks like, and capitalises on the fact that they want to be good internet citizens and update their router when prompted. Unbeknown to them, it is me in the shadows, spoofing the update as a means to obtain the password. I must stress that I never attack, and you must never attack, a network without first obtaining the authority to do so. We get signed letters of engagement prior to undertaking any penetration test, and having something in writing is the only way to ensure your actions are legal and ethical.
Below is the video of me performing an attack on myself.
I cannot stress enough the importance of your data security, and your Wi-Fi password is data; you need to protect it, to protect everything else on your network!
If you want to learn more about cybersecurity or have your systems stress tested, do reach out and we can chat further about it.