8 Terrifying Security Flaws in Your Wi-Fi—And How to Fix Them
Your network may have holes that could bring hackers and federal agents to your front door.
Jun 18, 2021
There’s a good chance your internet service provider sent out a technician to install your modem and router—or a single modem/hybrid unit. You connected your wired and wireless devices and never gave the network a second thought outside of adding other devices. If that’s the case, there may be several security holes you need to fix right now to thwart hackers and block unwanted access to your network.
Even if you installed a router you purchased, you should still verify that it’s healthy and that you’re not opening the doors for anyone to download whatever they want using your network, which could result in federal agents at your front door.
One of the best routers for security is the Google Nest Wi-Fi mesh router system.
Flaw: Outdated firmware leaves you vulnerable to hacking
Firmware is software that manages hardware. It’s the operating system that provides instructions for the router’s processor to execute, such as relaying internet traffic, assigning private addresses, and so on. But like any other operating system, firmware is never bulletproof—there’s always a gap in the code that can give unwanted hackers access to your network.
The good news is that software engineers continuously fill these holes with new updates. The bad news is that your router may not automatically update the firmware to the latest, most secure version, leaving your network wide open for a remote attack.
For instance, a hacker could change your router settings to direct all your internet traffic to nefarious websites. They could also control your computers and siphon sensitive information like bank account logins, or use it to distribute malware to other compromised networks.
To check your router’s firmware status, access the router’s settings using a mobile app or a web browser, depending on the manufacturer.
For example, the Linksys mobile app includes a toggle under Network Administration that switches automatic firmware updates on and off. The web interface is different.
The following instructions are based on a Linksys router, so the method may differ depending on your model.
Step 1: Open a browser and enter your router’s IP address. We provide instructions on how to retrieve your router’s IP address, but in most cases, you will find the information printed on the router.
Step 2: Enter the credentials on the router’s login screen.
Step 3: Click Connectivity listed on the left.
Step 4: The Connectivity section loads with the Basic tab selected by default. Click on the box next to Automatic listed under Router Firmware Update if it’s not checked already.
By checking this box, the router updates the firmware automatically. You can click on the optional Check for Updates button, but chances are you’ll receive a “no updates found” message.
You have the option to install firmware manually using a downloaded file. Use this tool if the router has problems updating the firmware automatically.
Flaw: An easy or absent password invites strangers and hackers
Creating an easily guessed password based on something familiar—like a child’s name, a pet, or your address—is convenient for sure, but it also leaves your network vulnerable to hackers and other nefarious individuals walking along outside. Moreover, not securing your network with a password is just bad news—you might as well post a big Times Square–style billboard reading, “Get Your Free Access Here!”
Use a password manager to create a strong password for your network and then share it as needed using built-in tools for Android, iOS, and iPadOS.
To share a Wi-Fi password from iOS/iPadOS to Android, you must use a third-party app, like Qrafter or Visual Codes. You can always text the password, but that leaves it open to sharing with other individuals you may not know. Additionally, sharing the Wi-Fi password from one Apple device to another does not require a third-party app.
If your router’s manufacturer provides a mobile app, typically you can change the password from your smartphone or tablet. Otherwise, you can change the password using the router’s web browser interface.
Flaw: Using the router’s default login leaves you open to hackers
Your router faces two audiences: the public (internet) and your devices (home network). That means anyone can gain access to your router—whether it’s remotely or locally—if you never changed the out-of-the-box default login info, such as “admin” and “password.”
Moreover, anyone can easily find all router default login details on the internet even if routers don’t use the “admin” and “password” combo.
We provide instructions on how to log in to your router so you can change the default username and password. Be sure to use a password manager to create and store unique login credentials.
If you use a mesh networking kit, there typically is no web-based back end (for simplicity). You must change the username and password using the supplied app.
Flaw: WPS opens your network to hackers
Wi-Fi Protected Setup (WPS) helps devices connect to your wireless network upon first use without the need for a password. You either press a button on the router or use an eight-digit PIN.
But there’s a consequence for that ease of use: WPS is vulnerable to brute-force attacks, a trial-and-error method of determining login info [1]. A hacker could discover the PIN’s first four digits—there are only 11,000 possible combinations—and then uncover the next four. Free tools you can easily download from the internet can crack the PIN in 4 to 10 hours.
Your best defense is to update your firmware and disable WPS (if possible). The method of disabling WPS is different on routers from other manufacturers, but here are instructions for NETGEAR models as an example:
Step 1: Open a web browser and type www.routerlogin.net into the address bar.
Step 2: Enter your login credentials.
Step 3: Select Advanced Setup.
Step 4: Select Wireless Settings.
Step 5: Under WPS Settings, check the box next to Disable Router’s PIN. If that option isn’t available, uncheck the box next to Enable Router’s PIN.
Some routers don’t have a WPS option, while others may have fixed the PIN issue with a firmware update. Check with the router’s manufacturer and documentation for more information.
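The arithmetic behind the 11,000 figure and the 4-to-10-hour estimate above, as an added Python example that is not part of the original article: the two PIN halves are confirmed separately and the eighth digit is a checksum, so the halves contribute 10,000 and 1,000 guesses. The lockout policy (a 60-second pause after every 3 failures) is an assumed mitigation with constructed values, not any router's documented behavior.

```python
# Added example: models the WPS PIN search space described above.
# Timing and lockout values are constructed for illustration.

def naive_keyspace() -> int:
    """Guesses needed if all 8 digits had to be right at once."""
    return 10 ** 8

def split_keyspace() -> int:
    """Guesses needed when each half is confirmed on its own.

    First half: 4 free digits. Second half: 3 free digits, because the
    8th digit is a checksum computed from the first seven.
    """
    return 10 ** 4 + 10 ** 3

def hours_to_exhaust(attempts, seconds_per_attempt,
                     lockout_after=None, lockout_seconds=0):
    """Worst-case hours to try every PIN.

    lockout_after / lockout_seconds model firmware that pauses WPS after
    N consecutive failures (assumed mitigation, assumed values).
    """
    total = attempts * seconds_per_attempt
    if lockout_after:
        pauses = (attempts - 1) // lockout_after
        total += pauses * lockout_seconds
    return total / 3600

def implied_seconds_per_attempt(hours, attempts):
    """Per-guess time implied by a quoted total such as '4 to 10 hours'."""
    return hours * 3600 / attempts

def summary():
    n = split_keyspace()
    fast = implied_seconds_per_attempt(4, n)    # about 1.3 s per guess
    slow = implied_seconds_per_attempt(10, n)   # about 3.3 s per guess
    naive_hours = hours_to_exhaust(naive_keyspace(), fast)
    return {
        "split_keyspace": n,
        "naive_keyspace": naive_keyspace(),
        "seconds_per_attempt": (round(fast, 2), round(slow, 2)),
        "naive_years_at_fast_rate": round(naive_hours / 24 / 365, 1),
        "days_with_lockout": round(hours_to_exhaust(n, fast, 3, 60) / 24, 1),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Even with the assumed lockout, the whole PIN space is exhausted in days rather than years, which is why disabling WPS is a stronger fix than relying on rate limiting alone.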
Flaw: Guests can download illegal content
There’s nothing wrong with giving friends and external family members access to your home’s network. But what you don’t want is friends and family downloading questionable content using your internet connection. You certainly don’t want the FBI knocking at your door, and that could happen if guests download anything they want.
Establish a “guest” connection for everyone who lives outside your home. This subnetwork keeps visitors off your primary connections and limits the number of devices that have access. Plus, you’re not sharing your main network’s password.
With a guest network, you can limit bandwidth, block websites, set connection times, and more per device. We provide a separate guide on how to set up a guest Wi-Fi network.
Flaw: Children have unlimited access to explicit content
The internet is both a blessing and a curse for parents. On one hand, kids and teens can find the information they need. They can play online games with friends and take remote classes. Unfortunately, they can access inappropriate and unwanted content with just a single URL.
We provide a guide on how to set up parental controls on a router to protect your kids and teens. Here you can block and allow specific sites, block and allow specific devices, and set hours of use.
Some routers handle parental controls through a specific section within the router’s interface. You can also click on a device to manage the connection or use profiles to set the parental controls for each child.
Parental controls don’t necessarily need to apply only to children. You can use parental controls to restrict devices used by adults so you can limit when they can connect and what websites they can visit.
Flaw: Remote access invites hackers
Remote access allows you to load the router’s interface over the internet, like from a hotel room in another state. Combined with a default or lousy password, anyone can gain access from anywhere and change its settings to route all your internet traffic to nefarious websites.
You can typically find Remote Access controls in the router’s Administration section to disable this feature. You can switch it back on if you plan to travel and the family stays behind, and then toggle it off when you return.
Flaw: Your router broadcasts its model number
Click or tap on your device’s Wi-Fi icon, and chances are you’ll recognize some of the names on the resulting list: Linksys, NETGEAR, and so on. Owners of these routers never changed the default Service Set Identifier (SSID) name, which is the wireless network’s public name.
Why is that a problem? Anyone who sees “Linksys” or “NETGEAR” will know that someone owns one of these routers. An attacker can easily search the internet for the default SSID and login pair and use that information to access that router and get the network’s login credentials.
Generally, you should always change the network name to something other than the default. You can rename it to anything, whether it’s something simple or a label just to annoy your neighbors. Have fun or be practical—it’s all up to you.
You can change the SSID through the mobile app provided by the manufacturer or by using the web interface. The following instructions use a Linksys router as an example.
Step 1: Connect to the router.
Step 2: Open a browser and type in your router’s IP address (or LinksysSmartWiFi.com).
Step 3: Select Wi-Fi Settings listed on the left.
Step 4: Enter a new name in both Wi-Fi Name fields (one each for 2.4 GHz and 5 GHz).
You can change the password and hide your network name by switching the Broadcast SSID from Yes to No. This makes your network harder to spot, but hackers can still find it with readily available tools. Your best option is to broadcast a unique network name that doesn’t identify your router.
1. Cybersecurity & Infrastructure Security Agency, “Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack,” January 23, 2013. Accessed June 10, 2021.
Author - Kevin Parrish
Editor - Cara Haynes