How to Secure Your WiFi Network in 2026
Key Takeaways
- Understanding who you are defending against determines how much effort to invest in each control.
- WPA2-Personal uses a Pre-Shared Key (PSK) — your WiFi password — to derive encryption keys through a process called the 4-way handshake.
- Router firmware contains the operating system, the wireless driver stack, the web-based admin interface, and the UPnP implementation.
- Router manufacturers ship every unit with documented default credentials.
- Wi-Fi Protected Setup (WPS) was designed to simplify device pairing.
- A guest network creates a separate wireless network on your router.
In October 2016, a botnet of 600,000 compromised IoT devices — home routers, IP cameras, baby monitors, DVRs — launched a 1.2 Tbps DDoS attack that took down Twitter, Netflix, Reddit, and GitHub for most of the US east coast. The devices were recruited by the Mirai malware using a script that tried 61 default username/password combinations. The owners of those devices had no idea their home hardware was participating in one of the largest cyberattacks in history.
In 2021, researchers from the University of Maryland found that exposed internet-connected devices experience an attack attempt every 39 seconds on average. The vast majority of these are automated scanners looking for routers with default credentials, WPS enabled, or known CVEs in unpatched firmware.
Your home router is not a passive device that just routes your Netflix streams. It is a Linux computer running a web server, a DNS resolver, a DHCP server, a firewall, and in some cases a VPN server — all exposed to the internet, potentially running years-old unpatched software. If it is compromised, everything on your home network is compromised: your laptop, your NAS, your smart home devices, and any corporate resources you access remotely.
This guide explains how wireless attacks actually work, which security controls are effective versus theatrical, and the exact configurations to apply to harden your network.
Your Threat Model: Who Is Actually Attacking Home WiFi
Understanding who you are defending against determines how much effort to invest in each control.
Opportunistic Drive-By Attacks (Most Common)
These are automated scanners and humans with a laptop in your neighborhood or building. They are looking for:
- WEP encryption (crackable in under 10 minutes with aircrack-ng)
- Default router credentials (admin/admin, admin/password, etc.)
- WPS-enabled routers (crackable in under 4 hours with Reaver)
- Known CVEs in specific router models (automated exploitation)
They want: free internet access, a pivot point to attack other networks, or a node to add to a botnet. They do not specifically want your data — you are just convenient infrastructure.
Defense: WPA3 or strong WPA2 passphrase, disabled WPS, updated firmware. These controls are sufficient for this threat.
Passive Eavesdroppers
Someone capturing wireless frames without connecting — a neighbor, someone in the parking lot. Against a properly configured WPA3 network, captured frames are useless — they cannot be decrypted without the session key, which is ephemeral and was never transmitted.
Against WPA2-Personal with a weak passphrase, captured 4-way handshake frames can be attacked offline using GPU-accelerated hashcat at 300,000-600,000 guesses per second.
Defense: WPA3-Personal, or WPA2 with a 16+ character random passphrase. Hashcat at 600,000 guesses/second against a 16-character random alphanumeric password would take longer than the age of the universe.
Targeted Attacks (Rare but Higher Impact)
An adversary who specifically wants access to your network — a stalker, a corporate competitor, a state actor, or a sophisticated criminal. They use:
- PMKID attacks against WPA2 (captures hash without waiting for a client to connect)
- Evil twin attacks (fake AP with your network name, waits for your device to connect)
- Deauthentication flood (forces your devices off the real network, potentially onto a fake one)
- Router exploitation (using known CVEs against your specific router model)
Defense: WPA3-only mode (SAE leaves no offline attack surface), firmware updates, disabling remote management, physical network monitoring.
The Insider Threat: Your Own Devices
Smart TVs, IP cameras, smart bulbs, thermostats, and connected appliances are running outdated Linux kernels with hardcoded credentials and no update mechanism. An exploited IoT device on your main network has direct access to your laptop, your NAS, your router's admin panel.
The 2020 Verkada breach (a corporate security camera company) compromised 150,000 cameras worldwide, including those inside Tesla factories, hospitals, and jails — in part because cameras that were supposed to be on isolated network segments had broader access than intended.
Defense: Guest network with complete LAN isolation for all IoT devices.
WPA2 vs WPA3: Why the Protocol Choice Determines Your Actual Security Level
How WPA2-Personal Authentication Works (And Why It Is Breakable)
WPA2-Personal uses a Pre-Shared Key (PSK) — your WiFi password — to derive encryption keys through a process called the 4-way handshake. When a client connects to a WPA2 network:
```text
Client                                         Access Point
  |                                                  |
  |  <------ Message 1: ANonce (random nonce) ------ |
  |                                                  |
  |  Derives PMK from PSK + SSID                     |
  |  Derives PTK from PMK + ANonce + SNonce          |
  |                                                  |
  |  ------ Message 2: SNonce + MIC ---------------> |
  |         (MIC proves the client knows the PSK)    |
  |                                                  |
  |                         AP verifies the MIC      |
  |                         and derives the same PTK |
  |                                                  |
  |  <------ Message 3: Group Key Handshake -------- |
  |  ------ Message 4: ACK ------------------------> |
  |                                                  |
  |            [Encrypted communication]             |
```
The attack: anyone with a WiFi adapter in monitor mode can passively capture this 4-way handshake when any device connects. The captured handshake contains enough information to test password guesses offline:
```shell
# Attacker's attack sequence (educational — shows the mechanics)
# Step 1: Put wireless adapter in monitor mode
airmon-ng start wlan0
# Step 2: Scan for nearby networks
airodump-ng wlan0mon
# Step 3: Capture packets on the target network and channel
airodump-ng --bssid TARGET-BSSID --channel 6 -w capture wlan0mon
# Wait for a client to connect, or send a deauth packet to force reconnection
# (Optional) Step 3b: Force a client to disconnect and reconnect
# This triggers a new 4-way handshake without waiting
aireplay-ng --deauth 5 -a TARGET-BSSID -c CLIENT-MAC wlan0mon
# Step 4: The captured file (capture-01.cap) contains the handshake
# Transfer to a powerful machine for offline cracking
# Step 5: Crack with hashcat (using GPU)
hashcat -m 22000 capture-01.cap /usr/share/wordlists/rockyou.txt
# Against rockyou.txt (14 million passwords), this runs in seconds
# Against exhaustive 8-character lowercase: ~208 billion combinations
# At 600,000/sec: ~4 days
# Against 16-character random: essentially infinite time
```
The PMKID attack (published 2018 by Jens Steube, who wrote hashcat) is even more efficient — it extracts a hash directly from the Access Point's EAPOL frame without waiting for any client to connect:
```shell
# PMKID attack — no client connection needed
# hcxdumptool captures the PMKID from the AP's first EAPOL handshake frame
hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=3
# Convert to hashcat format
hcxpcapngtool -o hash.hc22000 capture.pcapng
# Crack
hashcat -m 22000 hash.hc22000 wordlist.txt
```
This attack works against most WPA2-Personal networks without any clients ever connecting. An attacker driving past your house can capture the PMKID hash in seconds.
WPA3-Personal: Simultaneous Authentication of Equals (SAE)
WPA3 replaces the PSK 4-way handshake with SAE — also called Dragonfly. SAE is fundamentally different:
The key exchange is interactive. Both parties contribute to deriving the key. The password is never transmitted in any form. A captured frame exchange contains no hash that can be cracked offline. Every attempt to guess the password must be made against a live access point.
Forward secrecy. Each session generates a fresh, ephemeral key. A captured session cannot be decrypted even if the attacker later learns the WiFi password. With WPA2, knowing the password lets you decrypt any previously captured sessions.
Online-only attack rate. Because offline cracking is impossible, an attacker must try each password guess against the live AP. With rate limiting (most APs limit failed authentication attempts), brute force against WPA3 is effectively infeasible even with short passwords.
WPA2-Personal:
- Attack: capture the handshake (passive, seconds), then crack offline indefinitely
- Short password: crackable in minutes
- 12-character random: may be crackable in days with a powerful GPU

WPA3-Personal:
- Attack: each guess must be tried live against the AP
- Rate limited by the AP (typically 1-5 attempts/second maximum)
- 12-character random: would take centuries even online
- Short password: still crackable online, but very slowly
Router Configuration: Setting Protocol
In your router admin panel (typically accessed at 192.168.1.1 or 192.168.0.1):
```text
Wireless Settings → Security

Mode options (choose the highest your devices support):
  ○ None/Open          ← Never. All traffic visible to anyone.
  ○ WEP                ← Never. Broken. Crackable in minutes.
  ○ WPA-Personal       ← Never. Deprecated.
  ○ WPA2-Personal      ← Acceptable only if some devices don't support WPA3
  ● WPA2/WPA3-Mixed    ← Best for mixed device environments
  ○ WPA3-Personal      ← Best if all devices support WPA3

Cipher:
  ● AES/CCMP           ← Always
  ○ TKIP               ← Never. Deprecated, has known vulnerabilities.
  ○ Auto/TKIP+AES      ← Avoid. TKIP fallback weakens security.
```
To determine if your devices support WPA3:
- iPhone 7 and later: WPA3 supported
- Android 10 and later: WPA3 typically supported
- Windows 10 1903+: WPA3 supported with compatible WiFi adapter
- macOS Catalina (10.15)+: WPA3 supported
- Older IoT devices: Almost certainly WPA2 only
If any device shows WPA3 support in its specification but cannot connect to WPA3, update the device firmware. If it still cannot connect and you cannot replace it, use WPA2/WPA3 Mixed mode and put that device on the guest network (which can run WPA2-only without affecting the main network's WPA3 clients).
Choosing a Strong WiFi Passphrase
For WPA2 networks, the passphrase is the last line of defense against offline cracking. The requirements:
Length matters more than complexity. A 16-character lowercase string is harder to crack than a 10-character string with uppercase, numbers, and symbols.
Avoid anything dictionary-related. Rockyou.txt (14 million common passwords), Crackstation (1.4 billion passwords), and custom wordlists with your publicly known information (name, address, birthdate, spouse's name, pet's name) will be tried before exhaustive search.
Random is the only safe approach. Use a password manager to generate 20+ character random passphrases.
```shell
# Generate a strong WiFi password
# Option 1: Using /dev/urandom
< /dev/urandom tr -dc 'a-zA-Z0-9' | fold -w 24 | head -1
# Option 2: Using openssl (available on most systems)
openssl rand -base64 24 | head -c 24
# Option 3: Using Python
python3 -c "import secrets; print(secrets.token_urlsafe(24))"
# Examples of what you get:
# 3xKqN7mP9vLwR2hT8jFbYcZs (24 chars, highly random)
# Not: "MyWiFiPassword123!" (dictionary + predictable substitutions)
```
Store your WiFi password in your password manager. You access it rarely — when setting up a new device — so a long random string is not inconvenient.
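To make the time estimates in this section and in the eavesdropper threat model concrete, here is an added example (my code, not from the original article) that computes the keyspace and worst-case exhaustion time for the passphrase policies discussed above. The guess rates (600,000/s for offline WPA2 cracking, 5/s for online attempts against a rate-limiting WPA3 AP), the character-set sizes and the 14-million-entry wordlist size are taken from the text as assumptions; the age-of-the-universe figure is a yardstick I supply.

```python
"""Estimate brute-force effort for WiFi passphrases.

Added example (not from the original article): it reproduces the guide's
numbers with a small calculator so you can plug in your own passphrase policy.
The guess rates and charset sizes below are the guide's stated assumptions.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10          # commonly cited figure, used only as a yardstick

# Character-set sizes for the policies discussed in the guide.
CHARSETS = {
    "lowercase": 26,
    "alphanumeric": 62,                  # a-z, A-Z, 0-9
    "full": 94,                          # printable ASCII without space
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passphrases of the given length and alphabet."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase, in bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate, in years."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float) -> dict:
    """Exhaustion time in years for several policies at one guess rate."""
    policies = {
        "8 lowercase": (26, 8),
        "10 full charset": (94, 10),
        "16 lowercase": (26, 16),
        "16 alphanumeric": (62, 16),
        "24 alphanumeric": (62, 24),
    }
    return {name: years_to_exhaust(cs, n, guesses_per_second)
            for name, (cs, n) in policies.items()}


def wordlist_seconds(entries: int, guesses_per_second: float) -> float:
    """Time to run a wordlist of `entries` candidates: the first thing an attacker tries."""
    return entries / guesses_per_second


if __name__ == "__main__":
    for rate, label in ((600_000, "WPA2 offline (GPU)"), (5, "WPA3 online (rate-limited AP)")):
        print(f"\n{label}: {rate:,} guesses/second")
        for name, years in compare_policies(rate).items():
            note = "  (> age of the universe)" if years > AGE_OF_UNIVERSE_YEARS else ""
            print(f"  {name:16s} {years:14.3g} years{note}")
    secs = wordlist_seconds(14_000_000, 600_000)
    print(f"\nrockyou.txt (14,000,000 entries) at 600,000/s: {secs:.0f} s")
```

Running it reproduces the guide's figures: 8 lowercase characters fall in about four days at 600,000 guesses/s, a 16-character lowercase passphrase has a larger keyspace than a 10-character one drawn from the full printable set (the "length beats complexity" point), and 16 random alphanumeric characters exceed the age of the universe at that rate.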
Firmware Updates: The Single Highest-Value Action
Router firmware contains the operating system, the wireless driver stack, the web-based admin interface, and the UPnP implementation. All of these have documented histories of critical vulnerabilities.
Why router firmware matters:
- Netgear Nighthawk R7000 (CVE-2021-34991): Remote code execution via the admin interface, CVSS 9.8. Affected millions of deployed units.
- TP-Link TL-WR841N (CVE-2020-9375): Authentication bypass allowing full admin access without credentials.
- D-Link DIR-825 (CVE-2019-10891): Command injection via diagnostic page — no authentication required.
- Asus RT-AX88U (CVE-2022-26376): Memory corruption vulnerability in the httpd admin server, remotely exploitable.
- Linksys EA7500 (CVE-2018-6692, multiple): Multiple RCE vulnerabilities, unpatched for extended periods.
The Mirai botnet variants that dominated 2018-2022 recruited primarily through unpatched router vulnerabilities. An infected router intercepts DNS queries (redirecting you to phishing sites), captures unencrypted credentials, participates in DDoS attacks, and serves as a pivot point for internal network access — all invisibly.
Checking and Updating Firmware
```text
Router Admin Panel → Administration → Firmware Update

Check:
  Current Firmware: [version number and date]
  Latest Available: [check manufacturer website]

If auto-update is available:
  [x] Enable automatic firmware updates
  [x] Notify when update is available
```
If manual:
1. Note your current firmware version
2. Search the manufacturer's support site for your exact model number
3. Download the latest firmware
4. Upload it via the admin panel Firmware Update page
5. The router reboots with the new firmware
Finding your router's exact model number:
- Look for a label on the bottom or back of the router (hardware version matters — different versions may have different firmware)
- Admin panel → System Information
Verifying download integrity:
Router manufacturer pages often provide SHA256 checksums for firmware files. Verify before flashing — a corrupted or tampered firmware file can brick your router or install malware:
```shell
# Verify firmware file integrity
sha256sum TP-Link_Archer_C7_v5_210104.bin
# Compare output against the checksum published on the manufacturer's support page
```
End-of-life routers:
If your router has not received a firmware update in over 18 months and the manufacturer has not committed to continued security updates, it is end-of-life. There is no safe way to run an EOL router that is connected to the internet. Replace it.
Router EOL check resources:
- Manufacturer's support page: look for "End of Support" or "End of Life" notices
- Web search `site:nvd.nist.gov "TP-Link [your-model-number]"` to find unpatched CVEs
- Web search `site:exploit-db.com "[your-router-brand] [model]"` for published exploits
Recommended replacement routers with good long-term support: ASUS with AiMesh, Netgear with Insight, Ubiquiti UniFi (professional grade), or a self-managed setup using OpenWrt on supported hardware.
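As a worked version of the checksum verification step in this section, here is an added Python example (my code, not the guide's or any vendor's tool). It parses a `sha256sum`-style checksum listing, streams the firmware file through SHA-256 so large images never have to fit in memory, and refuses to approve a digest mismatch or a filename that the published list does not cover. The firmware bytes, the filename `router_fw_v1.2.3.bin` and the checksum line are constructed for the demo.

```python
"""Verify a downloaded router firmware image against the vendor's published SHA256.

Added example, not part of the original guide. It assumes the vendor publishes
a sha256sum-style line ("<hex digest>  <filename>") next to the download; the
firmware bytes and the checksum file used in demo() are constructed.
"""
import hashlib
import hmac
import os
import tempfile


def parse_checksum_file(text: str) -> dict:
    """Map filename -> lowercase hex digest from sha256sum-style lines.

    Accepts both "digest  name" and "digest *name" (binary-mode marker).
    """
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        digests[name.lstrip("*")] = digest.lower()
    return digests


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-hundred-MB images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_firmware(path: str, checksum_text: str) -> tuple:
    """Return (ok, reason). Only flash when ok is True."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False, "filename not listed in the published checksums"
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False, "published value is not a SHA256 hex digest"
    actual = sha256_of_file(path)
    # Constant-time compare is overkill for a local file but costs nothing.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: got {actual}, expected {expected}"
    return True, "digest matches"


def demo() -> tuple:
    """Constructed firmware image + checksum file; returns (good_result, tampered_result)."""
    image = b"FIRMWARE-DEMO-IMAGE" * 1000                    # stand-in for the real .bin
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "router_fw_v1.2.3.bin")   # hypothetical filename
        with open(path, "wb") as f:
            f.write(image)
        published = f"{hashlib.sha256(image).hexdigest()}  router_fw_v1.2.3.bin\n"
        good = verify_firmware(path, published)
        # Simulate a corrupted or tampered download: flip one byte.
        with open(path, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        tampered = verify_firmware(path, published)
    return good, tampered


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

To use it on a real download, save the vendor's published checksum line to a file and call `verify_firmware("/path/to/firmware.bin", open("SHA256SUMS").read())`; a `False` result means the file should not be flashed.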
Default Credentials: Change These Before Anything Else
Router manufacturers ship every unit with documented default credentials. Changing them is the first thing you do after plugging in a new router — before connecting a single client device.
The scope of the problem: Shodan (shodan.io), a search engine for internet-connected devices, returns thousands of results for queries like product:"TP-Link", http.title:"NETGEAR Router", or product:"Linksys". A significant portion of these devices respond to their documented default credentials. Attackers use the same Shodan queries.
What to change:
- Router admin username and password — The credentials used to access the admin panel (typically `192.168.1.1` or `192.168.0.1`). Change from `admin/admin`, `admin/password`, `admin/1234`, or whatever the manufacturer shipped.
- WiFi SSID (network name) — Router model names in the SSID (`NETGEAR-5G`, `TP-Link_2.4G_A4E3`) identify your exact hardware to an attacker. They can look up the model number on CVE databases, Shodan, and exploit databases. Use a neutral name that reveals nothing.
- WiFi password — Whatever the manufacturer printed on the sticker (typically a short, weak string). Replace with a 20+ character random string.
```text
Router Admin Panel:

Administration → Admin Login
  Username: [change from "admin"]
  Password: [generate 20-character random string — store in password manager]

Wireless Settings → SSID
  Network Name:  [neutral name — not your surname, address, or router model]
  WiFi Password: [generate 20+ character random string — store in password manager]

Save changes and reconnect devices with the new password.
```
Why the admin password matters even if your admin panel isn't exposed to the internet:
Your admin panel is accessible from any device on your LAN — including any IoT device, any laptop visiting your home, or any browser tab running malicious JavaScript. A Cross-Site Request Forgery (CSRF) attack launched from a web page you visit can change router settings without you knowing. Some CSRF attacks against routers with default admin credentials have changed DNS settings, routing traffic through attacker-controlled resolvers.
A strong, unique admin password prevents:
- A compromised IoT device from logging in to the admin panel directly
- CSRF attacks from malicious web pages
- Insider threats (guests using your WiFi)
- Attackers who find the admin panel is exposed to WAN (you should check this separately)
WPS: Disable It Unconditionally
Wi-Fi Protected Setup (WPS) was designed to simplify device pairing. The PIN method has a fundamental mathematical flaw that makes it attackable regardless of your WiFi password strength.
The WPS PIN Vulnerability
WPS uses an 8-digit PIN (00000000 to 99999999 — 100,000,000 possible values). This should require 10^8 attempts to crack. The flaw: WPS validates the PIN in two halves. The first 4 digits are validated separately from the last 4 digits. This reduces the effective keyspace:
- First half: 10^4 = 10,000 possibilities
- Second half: 10^3 = 1,000 possibilities (the 8th digit is a checksum)
- Total: 10,000 + 1,000 = 11,000 attempts maximum
Using Reaver or Bully, a brute-force attack against WPS runs at approximately 1 attempt per second (limited by WPS rate-limiting in most APs). 11,000 attempts = approximately 3-5 hours per AP.
```shell
# Attacker discovers WPS-enabled networks
wash -i wlan0mon --survey
# Shows: BSSID, channel, RSSI, WPS version, WPS locked, ESSID
# WPS brute force with Reaver
reaver -i wlan0mon -b TARGET-BSSID -vv
# Output shows:
# [+] Trying pin 12345670
# [+] Trying pin 12345671
# ...eventually...
# [+] WPS PIN: '12345670'
# [+] WPA PSK: 'YourWiFiPassword'   ← Your password, regardless of its length or complexity
```
The Pixie Dust attack (CVE-2014-9763 and relatives) is faster against vulnerable chipsets — it extracts the WPS PIN offline in seconds by exploiting predictable nonces used by specific chipset implementations (Realtek, Ralink, Broadcom chipsets used in millions of routers):
```shell
# Pixie Dust attack — cracks WPS in seconds on vulnerable chipsets
reaver -i wlan0mon -b TARGET-BSSID -vv -K 1   # -K 1 enables Pixie Dust
# On vulnerable devices, this completes in 5-30 seconds
```
Disabling WPS
```text
Router Admin Panel → Wireless Settings → WPS
  WPS Status: ● Disabled  ○ Enabled
```
Verification that WPS is actually disabled:
Some routers report WPS as disabled in the admin panel but continue advertising it in probe responses. Verify with wash:
```shell
# Install the aircrack-ng suite and reaver (the wash scanner ships with reaver)
apt-get install -y aircrack-ng reaver
# Put adapter in monitor mode
airmon-ng start wlan0
# Scan for WPS-enabled networks
wash -i wlan0mon --survey
# Your SSID should not appear in this list after disabling WPS
# If it still appears:
# Option 1: Update firmware (some firmware versions have a bug where WPS
#           cannot be truly disabled via the admin interface)
# Option 2: Install third-party firmware (DD-WRT, OpenWrt) which has
#           reliable WPS disable functionality
```
Third-party firmware for WPS-stubborn routers:
- OpenWrt: Open-source router firmware. Check compatibility at openwrt.org/toh/start. Supports most major router hardware. WPS can be completely removed, not just disabled.
- DD-WRT: Alternative open-source firmware with broad hardware support.
Warning: Flashing third-party firmware incorrectly can brick your router. Follow manufacturer-specific instructions for your exact hardware version.
Guest Network: The IoT Isolation Strategy
A guest network creates a separate wireless network on your router. Clients connected to the guest network can access the internet but are completely isolated from devices on your main LAN — they cannot reach your NAS, laptop, printer, or any other main LAN device.
This is the most important defense against your own smart home devices being used to attack your other devices.
The IoT Security Problem
Smart home devices — bulbs, plugs, thermostats, cameras, doorbells, robot vacuums, speakers — typically run:
- Embedded Linux with a kernel version from 2-6 years ago
- A hardcoded or easily guessable default password
- No automatic update mechanism
- Software that communicates with manufacturer cloud services using unencrypted protocols
- A web admin interface with documented vulnerabilities
In 2021, Verge researchers found that many popular smart bulbs ran without any WiFi encryption on their local API endpoints. In 2022, Wyze cameras suffered a breach affecting 2.4 million customers. In 2023, Ring cameras (Amazon) were used in swatting attacks enabled by credential stuffing. In 2024, Ecovacs robot vacuums were found to have a Bluetooth vulnerability that allowed remote activation of the camera and microphone.
An IoT device on your main LAN has direct Layer 2 access to every other device. If it is compromised, it can:
- ARP spoof your laptop and intercept traffic
- Port scan and attack other LAN devices
- Access your router's admin panel on its LAN IP
- Exfiltrate data from your NAS
An IoT device on the guest network, with proper isolation, can only reach the internet through the gateway. Your laptop is unreachable from the guest network.
Guest Network Configuration
```text
Router Admin Panel → Wireless → Guest Network

Enable Guest Network: ● Enabled
  Guest SSID: [IoT-network-name]          # Something you'll recognize
  Security:   WPA3-Personal (or WPA2/WPA3-Mixed — WPA2 is acceptable here)
  Password:   [different from main network — 16+ chars]

Network Isolation Settings:
  [x] AP Isolation (prevents guest clients from talking to each other)
  [x] Block guest access to LAN                  ← This is the critical isolation control
  [ ] Allow guests to access router admin panel  ← Leave unchecked
  [ ] Allow access between guest and main network ← Leave unchecked

Bandwidth (optional):
  [x] Limit guest network bandwidth  ← Prevents IoT devices from consuming all bandwidth
      Limit: 50 Mbps down / 10 Mbps up
```
What to put on the guest network:
- All smart home devices (bulbs, plugs, thermostats, locks, switches)
- Smart TVs and streaming devices (Roku, Fire TV, Chromecast, Apple TV)
- IP cameras and video doorbells
- Gaming consoles (unless they need LAN access — most games only need internet)
- Any device running embedded Linux that receives infrequent updates
- Devices belonging to visitors
What stays on the main network:
- Laptops and computers
- Phones you use for 2FA and sensitive apps
- NAS and local storage
- Network printers (if you need them accessible from your laptop)
Verifying isolation is working:
```shell
# From a device on the guest network (phone connected to guest SSID)
# Try to ping devices on the main LAN
ping 192.168.1.100       # Your laptop's LAN IP
# Should fail: Request timeout / Destination Host Unreachable
# Try to access the router admin panel via its LAN IP
curl -m 5 http://192.168.1.1
# Should fail if "Allow guests to access router admin panel" is unchecked
# From the main network, verify you cannot see guest network devices
ping 192.168.2.100       # A guest network device IP
# May succeed via the gateway — true AP isolation prevents guest-to-guest
# and guest-to-LAN traffic but the gateway itself can still reach both
```
DNS Security: Stop Using Your ISP's Default DNS
Your router's default DNS configuration sends every domain lookup to your ISP's servers. ISPs log these queries and in the United States, can legally sell them to data brokers or use them for ad targeting. Additionally, ISPs redirect NXDOMAIN (non-existent domain) responses to their own search pages.
Beyond privacy, your default ISP DNS provides zero protection against malicious domains — your browser will happily resolve malware-distribution-site.ru because your ISP's resolver will answer.
Recommended DNS Providers
| Provider | IPv4 Primary | IPv4 Secondary | Features |
|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | Fast, privacy-focused, DoH/DoT |
| Cloudflare Family | 1.1.1.3 | 1.0.0.3 | Malware + adult content blocking |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Malware domain blocking, privacy-focused |
| Google | 8.8.8.8 | 8.8.4.4 | Fast, reliable, but Google collects data |
| NextDNS | Custom | Custom | Highly configurable, detailed logging control |
| Pi-hole | Self-hosted | — | DNS-level ad and malware blocking for your whole network |
Quad9 (operated by a Swiss non-profit) is recommended for the combination of malware blocking and privacy — it filters over 100 million malicious domains daily based on threat intelligence from multiple sources.
Router DNS Configuration
```text
Router Admin Panel → WAN Settings → DNS
  DNS Server 1: 9.9.9.9
  DNS Server 2: 149.112.112.112

Advanced:
  [x] Enable DNS over HTTPS (DoH)   ← If your router supports it
  [x] Override DHCP clients' DNS    ← Force all LAN devices to use these servers
```
Pi-hole: Network-Wide DNS Filtering
Pi-hole is a DNS sinkhole that runs on a Raspberry Pi or any Linux machine on your network. It blocks ads, tracking domains, and malware domains at the DNS level — for every device on your network, with no per-device configuration.
```shell
# Install Pi-hole on a Raspberry Pi or any Debian/Ubuntu machine
curl -sSL https://install.pi-hole.net | bash
# After installation, update Pi-hole itself, then its blocklists
pihole -up                       # Update the Pi-hole components
pihole -g                        # Update gravity (blocklist database)
# Check current stats
pihole -c                        # Chronometer (live stats)
pihole -q malicious-domain.com   # Check if a domain is blocked
# Add custom blocklists for additional coverage
# Edit /etc/pihole/adlists.list and add:
# https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
# https://v.firebog.net/hosts/Easyprivacy.txt
# Run pihole -g to update
# Configure your router to use Pi-hole as DNS
# Router Admin Panel → WAN Settings → DNS
# Primary DNS:   [PI-HOLE-IP-ADDRESS]
# Secondary DNS: 9.9.9.9         # Fallback if Pi-hole is offline
# Enable DNS over HTTPS on Pi-hole using cloudflared
apt-get install -y cloudflared
cloudflared service install --legacy
# Configure Pi-hole to use cloudflared as upstream
```
DNS over HTTPS (DoH) and DNS over TLS (DoT)
Traditional DNS queries are sent in plaintext over UDP port 53. Anyone between you and the DNS server can see every domain you resolve — your ISP, anyone on your network path, anyone running a rogue DNS resolver.
DoH (port 443) and DoT (port 853) encrypt DNS queries, preventing eavesdropping:
```text
Traditional DNS:
[Your Device] --[UDP 53, plaintext: "what is the IP of example.com?"]-- [DNS Server]
              Anyone on the network path can read this

DNS over HTTPS (DoH):
[Your Device] --[HTTPS port 443, encrypted]-- [DNS Server]
              Looks identical to regular web browsing traffic — cannot be identified or read
```
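To show concretely what the diagram above means, here is an added example, not part of the original guide, that builds a DNS query in RFC 1035 wire format, extracts the queried name exactly as an on-path observer would from a UDP/53 payload, and wraps the same bytes in an RFC 8484 DoH GET URL. It uses Cloudflare's public DoH endpoint as the URL base, never sends anything over the network, and `example.com` is the constructed lookup.

```python
"""Show what a plaintext DNS query leaks, and how the same query travels over DoH.

Added example; not from the original guide. Builds a DNS query message by hand
(RFC 1035 wire format), extracts the queried name the way an on-path observer
would, and wraps the message in an RFC 8484 DoH GET URL. Nothing is sent.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # Cloudflare's public DoH URL


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """DNS header + question section. RFC 8484 suggests txid 0 for cacheable GETs."""
    flags = 0x0100                                   # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def observed_name(payload: bytes) -> str:
    """What anyone on the path reads from a UDP/53 query: the full domain, in the clear."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(payload: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url without padding in the `dns` query parameter.

    Everything after the host name is inside TLS, so an observer sees only a
    connection to the resolver, not the domain being looked up.
    """
    encoded = base64.urlsafe_b64encode(payload).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_doh_param(url: str) -> bytes:
    """Inverse of doh_get_url, as the resolver does it (re-add base64 padding)."""
    encoded = url.split("?dns=", 1)[1]
    encoded += "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(encoded)


if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP/53 payload:", q.hex())
    print("observer reads:", observed_name(q))
    url = doh_get_url(q)
    print("DoH request   :", url)
    print("resolver sees :", observed_name(decode_doh_param(url)))
```

The point of the round trip through `decode_doh_param` is that the resolver recovers exactly the same 29-byte message; the only thing that changed is that the bytes now sit inside an HTTPS request instead of a bare UDP datagram.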
Configure DoH on individual browsers as a backup to router-level DNS:
Firefox:
```text
about:preferences → Privacy & Security → DNS over HTTPS
  Mode: ● Max Protection
  Provider: Cloudflare
```
Chrome/Edge:
```text
Settings → Privacy and security → Security → Use secure DNS
  Use with: Cloudflare (1.1.1.1)
```
Disabling Remote Management: Block WAN Access to Admin Panel
Router admin panels accessible from the internet are indexed by Shodan, actively scanned by exploit bots, and targeted specifically when CVEs are published for router models.
The Fortinet FortiGate admin panel vulnerabilities in 2022-2023 (CVE-2022-40684, CVE-2023-27997) were exploited within hours of CVE publication. These are enterprise firewalls — your home router receives less attention but the same principles apply.
```text
Router Admin Panel → Administration → Remote Management
  Enable Web Access from WAN: ● Disabled  ○ Enabled  (only if you run a business from home)
  Enable SSH from WAN:        ● Disabled  ○ Enabled
  Enable Telnet from WAN:     ● Disabled  ○ Enabled  (this should never be enabled)
  Enable SNMP from WAN:       ● Disabled  ○ Enabled
```
Verifying from outside your network:
```shell
# Test from a VPS, phone on cellular, or external scanner
# None of these should respond to connections from the internet
nmap -sV -p 80,443,8080,8443,22,23,161 YOUR-PUBLIC-IP
# All ports should return "filtered" or "closed"
# Any "open" result is a misconfiguration
# Or use Shodan to check what's exposed (one-time lookup)
# shodan host YOUR-PUBLIC-IP   (requires free account)
```
If you need legitimate remote access to your router:
Use a VPN (WireGuard running on the router or a separate device on the same network) and access the admin panel through the VPN tunnel. This means the admin panel is only accessible after authenticating to the VPN — a much higher barrier than direct internet exposure.
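Both verification steps in this guide, pinging the main LAN from a guest client and scanning your public IP from outside, come down to one question: does anything answer on a port that should be unreachable from that vantage point? Here is an added Python example (my code, not the guide's own) that performs that check for both cases and reports any "open" result as a violation. The target lists are constructed, `203.0.113.10` is a documentation-range placeholder for your public IP, and the fake connector exists only so the demo runs offline; pass `connect=None` to probe real hosts from a guest client or an external machine.

```python
"""Reachability audit for the two verification steps in this guide:
guest-network isolation (from a guest client toward the main LAN) and
remote-management exposure (from outside toward your public IP).

Added example, not from the original guide. Target lists are constructed;
replace the IPs with your own LAN/WAN addresses. With no `connect` argument
the probe performs real TCP connects; a fake connector is injected for the
offline demo.
"""
import socket
from typing import Callable, Optional

Connector = Callable[[str, int, float], None]


def _tcp_connect(host: str, port: int, timeout: float) -> None:
    """Real TCP handshake; raises on refusal, timeout or unreachable network."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def probe(host: str, port: int, timeout: float = 3.0,
          connect: Optional[Connector] = None) -> str:
    """Classify host:port as 'open', 'closed' (RST) or 'filtered' (no answer)."""
    connect = connect or _tcp_connect
    try:
        connect(host, port, timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:                     # timeout, no route, unreachable, DNS failure
        return "filtered"
    return "open"


def audit(targets: list, connect: Optional[Connector] = None) -> dict:
    """targets: (label, host, port). Returns per-target state plus the violations:
    anything 'open' means isolation or remote management is misconfigured."""
    results = {label: probe(host, port, connect=connect) for label, host, port in targets}
    violations = [label for label, state in results.items() if state == "open"]
    return {"results": results, "violations": violations, "ok": not violations}


# Constructed target sets mirroring the guide's two checks.
GUEST_TO_LAN = [
    ("laptop SMB", "192.168.1.100", 445),
    ("NAS web UI", "192.168.1.20", 443),
    ("router admin (LAN)", "192.168.1.1", 80),
]
WAN_EXPOSURE = [
    ("admin HTTP", "203.0.113.10", 80),      # TEST-NET-3 placeholder for your public IP
    ("admin HTTPS", "203.0.113.10", 443),
    ("SSH", "203.0.113.10", 22),
    ("Telnet", "203.0.113.10", 23),
]


def fake_connector(open_ports: set) -> Connector:
    """Offline stand-in: 'open' for listed (host, port), refused on 22, timeout otherwise."""
    def connect(host: str, port: int, timeout: float) -> None:
        if (host, port) in open_ports:
            return
        if port == 22:
            raise ConnectionRefusedError
        raise TimeoutError
    return connect


if __name__ == "__main__":
    # Use connect=None instead of the fake to run the real checks.
    demo = fake_connector({("192.168.1.1", 80)})   # simulates guests reaching the admin panel
    for name, targets in (("guest -> LAN", GUEST_TO_LAN), ("internet -> WAN", WAN_EXPOSURE)):
        report = audit(targets, connect=demo)
        print(name, "OK" if report["ok"] else "VIOLATIONS: " + ", ".join(report["violations"]))
        for label, state in report["results"].items():
            print(f"  {label:20s} {state}")
```

The vantage point is what makes the result meaningful: run the guest-to-LAN list from a device on the guest SSID, and the WAN list from a cellular connection or a VPS, never from inside the main network.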
Disabling UPnP: The Silent Port Opener
Universal Plug and Play (UPnP) allows LAN devices to automatically open inbound ports on your router without any user interaction or authentication. A device sends a UPnP request to the router: "Please open port 8080 and forward it to my local IP." The router complies. No password. No confirmation.
The security problem is obvious: any malware on your network can open inbound ports. A compromised device can create a persistent backdoor that survives reboots by re-registering its UPnP mapping each time it starts.
The 2016 Mirai botnet exploited UPnP on hundreds of thousands of routers to open ports for command-and-control communication, making infected routers reachable from the internet even when behind NAT.
```text
Router Admin Panel → Advanced Settings → UPnP
  Enable UPnP: ○ Enabled  ● Disabled
```
What breaks when you disable UPnP:
Some applications relied on automatic UPnP port forwarding:
- BitTorrent clients (configure manual port forwarding instead)
- Some older console gaming features (most modern games use relay servers instead)
- Some VoIP software
- Xbox Live and PlayStation Network (most features still work without UPnP)
For applications that genuinely need inbound ports:
```text
Router Admin Panel → Advanced Settings → Port Forwarding
Add Rule:
  Service Name:        [BitTorrent]
  External Port Range: 51413-51413
  Internal IP:         192.168.1.50 (your specific PC's LAN IP)
  Internal Port:       51413
  Protocol:            TCP/UDP
```
This is more secure than UPnP because:
- Only you can configure it
- It is locked to a specific internal device
- It requires conscious effort to add rules (no automated backdoors)
MAC Address Filtering and Hidden SSIDs: Why These Don't Work
These are the two most commonly recommended "security" controls on WiFi routers that provide essentially zero actual security. Understanding why saves you from investing effort in security theater.
MAC Address Filtering
MAC address filtering maintains a whitelist of device hardware addresses. Only devices on the whitelist can connect.
The attack:
```shell
# Step 1: Attacker passively monitors your network with a WiFi adapter
# 802.11 management frames (beacon, probe, association) contain MAC addresses
# These frames are transmitted BEFORE any authentication or encryption
sudo airodump-ng wlan0mon
# Output shows every connected device's MAC address in plaintext
# Step 2: Attacker clones a whitelisted MAC address
# Takes 3 seconds and is natively supported in Linux
sudo ip link set dev wlan0 down
sudo ip link set dev wlan0 address AA:BB:CC:DD:EE:FF   # Cloned MAC
sudo ip link set dev wlan0 up
# Step 3: Attacker connects with the cloned MAC — whitelist check passes
# If they also need to crack the WiFi password, that's still a separate step
# But MAC filtering provided zero additional security
# Verification: check your adapter's current MAC
ip link show wlan0 | grep "ether"
```
The administrative cost: you must add every new device's MAC address manually. New phone? New laptop? Guest's device? All require admin panel access to add to the whitelist. This creates friction for you with no security benefit.
MAC address randomization (enabled by default on iOS 14+, Android 10+, Windows 10+) changes devices' MAC addresses periodically or per-network. Your whitelist breaks when a device presents its randomized MAC instead of the hardware MAC. You spend time troubleshooting "why can't my phone connect" without realizing it is because iOS rotated its MAC address.
Hidden SSIDs
Hiding your SSID (disabling broadcast in beacon frames) makes your network name not appear in the list of available networks. The idea: if attackers can't see it, they can't attack it.
The reality: hidden SSIDs are trivially discoverable.
```shell
# Method 1: Passive monitoring — network still appears in airodump
airodump-ng wlan0mon
# Hidden SSIDs show up as "<length: X>" in the ESSID column
# The BSSID (AP's MAC address) is still fully visible
# Method 2: Watch for probe requests from your own devices
# Your devices broadcast the hidden SSID in probe requests everywhere they go
airodump-ng wlan0mon | grep -i "probe"
# Your hidden SSID name appears in probe requests from your phone
# at every airport, coffee shop, and office your device visits
# Method 3: When any device connects, the SSID appears in association frames
# Anyone running airodump-ng sees the hidden SSID revealed immediately
```
The hidden SSID probe request problem is worse than not hiding the SSID: your devices actively broadcast your home network name everywhere they go, potentially revealing your home address (if the network name includes your name) or giving attackers an evil twin opportunity (they set up a fake AP with your hidden SSID name and wait for your device to connect automatically).
Leave your SSID visible. Use a neutral name that does not identify your household, address, or router hardware.
The Full Security Checklist
Apply these in order — the earlier items have more impact than the later ones:
Critical (do these first):
- [ ] Changed router admin username and password from defaults — stored in password manager
- [ ] Changed default WiFi SSID to a neutral name with no identifying information
- [ ] Set WiFi password to a randomly generated 20+ character string — stored in password manager
- [ ] Set encryption to WPA3-Personal or WPA2/WPA3-Mixed
- [ ] Cipher set to AES/CCMP only — TKIP disabled
- [ ] Disabled WPS — verified with `wash -i [interface]` that it is actually off
- [ ] Updated router firmware to latest version
Important:
- [ ] Created guest network with full LAN isolation for IoT devices
- [ ] Moved all smart home devices and TVs to guest network
- [ ] Changed DNS servers from ISP default to Quad9 (9.9.9.9) or Cloudflare (1.1.1.1)
- [ ] Enabled DoH on the router if supported
- [ ] Disabled remote management (WAN access to admin panel)
Security hygiene:
- [ ] Disabled UPnP — configured manual port forwarding for any applications that need it
- [ ] Verified admin panel is not accessible from the internet (tested with external scanner)
- [ ] Set up automatic firmware update notifications (or calendar reminder for manual checks)
Skip these — they are not security controls:
- [ ] ~~MAC address filtering~~
- [ ] ~~Hidden SSID~~
Long-term:
- [ ] Check for firmware updates monthly
- [ ] Check for CVEs affecting your router model quarterly
- [ ] Review connected devices in admin panel quarterly — identify anything unexpected
- [ ] Replace router if it reaches end-of-life (no firmware updates for 18+ months)
The most common home network compromise does not involve sophisticated attacks. It involves a router running three-year-old firmware with a known RCE vulnerability, default credentials, and WPS enabled. Eliminating those three conditions removes 95% of the attack surface. The remaining controls — guest network isolation, DNS security, disabling UPnP — address the scenarios where attackers have already reached your network and limit what they can do from there.