What Is Wi-Fi Security?

Wi-Fi security is the protection of devices and networks connected in a wireless environment. Without Wi-Fi security, a networking device such as a wireless access point or a router can be accessed by anyone using a computer or mobile device within range of the router's wireless signal.

How do unsecured Wi-Fi networks create risk?

When wireless devices in a network are "open" or unsecured, they're accessible to any Wi-Fi-enabled device, such as a computer or smartphone, that's within range of their wireless signals.

Using open or unsecured networks can be risky for users and organizations. Adversaries using internet-connected devices can collect users' personal information and steal identities, compromise financial and other sensitive business data, "eavesdrop" on communications, and more.

What are some ways to protect a Wi-Fi network?

One basic best practice for Wi-Fi security is to change default passwords for network devices.

Most devices feature default administrator passwords, which are meant to make setup of the devices easy. However, the default passwords created by device manufacturers can be easy to obtain online.

Changing the default passwords for network devices to more-complex passwords—and changing them often—are simple but effective ways to improve Wi-Fi security. Following are other Wi-Fi network security methods:

Media Access Control (MAC) addresses

Another basic approach to Wi-Fi security is to use MAC addresses, which restrict access to a Wi-Fi network. (A MAC address is a unique code or number used to identify individual devices on a network.) While this tactic provides a higher measure of security than an open network, it is still susceptible to attack by adversaries using "spoofed" or modified addresses.

Encryption

A more common method of protecting Wi-Fi networks and devices is the use of security protocols that utilize encryption. Encryption in digital communications encodes data and then decodes it only for authorized recipients.

There are several types of encryption standards in use today, including Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2). See the section "Types of wireless security protocols" on this page for more details about these and other standards related to Wi-Fi security.

Most newer network devices, such as access points and Wi-Fi routers, feature built-in wireless-security encryption protocols that provide Wi-Fi protection.

Virtual private networks (VPNs)

VPNs are another source of Wi-Fi network security. They allow users to create secure, identity-protected tunnels between unprotected Wi-Fi networks and the internet.

A VPN can encrypt a user's internet connection. It also can conceal a user's IP address by using a virtual IP address it assigns to the user's traffic as it passes through the VPN server.

Security software

There are many types of consumer and enterprise software that also can provide Wi-Fi security. Some Wi-Fi protection software is bundled with related products, such as antivirus software. For more information about Wi-Fi security software, see the next question.

What is Wi-Fi security software?

A vast array of security software aimed at the consumer and enterprise markets can provide protection to wireless networks and Wi-Fi-enabled devices such as routers, switches, controllers, and access points. Many of these solutions are downloadable to wireless LANs (WLANs) and mobile devices.

Some newer software solutions designed to secure Wi-Fi are built into the backbone of the internet and are available via cloud platforms. These solutions provide a first line of defense against breaches of wireless networks by preventing users from accessing malicious sites.

Types of wireless security protocols

There are four main wireless-security protocols. These protocols were developed by the Wi-Fi Alliance, an organization that promotes wireless technologies and interoperability. The group introduced three of the protocols, described below, in the late 1990s. Since then, the protocols have been improved with stronger encryption. The fourth protocol was released in 2018.

WEP

The first wireless security protocol was WEP (Wired Equivalent Privacy). It was the standard method of providing wireless network security from the late 1990s until 2004. WEP was hard to configure, and it used only basic (64-/128-bit) encryption. WEP is no longer considered secure and should be replaced by a newer protocol such as WPA2, described below.

WPA

WPA (Wi-Fi Protected Access) was developed in 2003. It delivers stronger (128-/256-bit) encryption than WEP by using a security protocol known as Temporal Key Integrity Protocol (TKIP). Along with WPA2, WPA is the most common protocol in use today. But unlike WPA2, it is compatible with older software.

WPA2

WPA2, a later version of WPA, was developed in 2004. It's easier to configure and provides even greater network security than WPA by using a security protocol known as the Advanced Encryption Standard (AES). Versions of the WPA2 protocol are available for individual users and enterprises.

WPA3

A new generation of WPA, known as WPA3, is designed to deliver simpler configuration and even stronger (192-/256-/384-bit) encryption and security than any of its predecessors. It is also meant to work across the latest Wi-Fi 6 networks.

Types of Wi-Fi network security devices

Active device

There are several types of commercially available devices that can provide network security by blocking adversarial attacks and unwanted network traffic.

One type is known as an "active" device, which is hardware configured to block surplus network traffic. Examples of these devices for Wi-Fi network security include firewalls, antivirus scanners, and content-filtering devices.

Passive device

Passive Wi-Fi network security devices detect and report on unwanted network traffic. Passive devices use less power than other Wi-Fi devices. They also have an extra layer of security because they can communicate with Wi-Fi routers only when the routers are seeking them.

That extra layer makes man-in-the-middle (MITM) attacks more difficult. In an MITM attack, an adversary attempts to intercept communications between two parties to "listen in" on their activity or to modify the traffic traveling between them.

Preventive device

A preventive device, such as a wireless intrusion prevention system (WIPS), can scan networks to identify potential security issues. A WIPS can be integrated into networks or overlaid using standalone sensors. Some WIPSs, however, conduct only intermittent monitoring, leaving networks occasionally vulnerable.

Unified threat management (UTM) systems

UTM systems incorporate vital elements of network security: firewalls, content filtering, VPN, antivirus detection, and others. A UTM system offers a simplified way to integrate multiple security functions. It provides these functions at a single point on the network, eliminating the need for point solutions from multiple vendors.

UTM devices can be network hardware appliances, virtual appliances, or cloud services.

Examples of wireless security threats and risks

What are some security issues for Wi-Fi users?

Users of Wi-Fi networks are at risk of exposure to an array of cyber threats, especially as they expand their use of mobile technology to access the internet and conduct online transactions.

The global health crisis has helped to emphasize the importance of Wi-Fi security, since many organizations now need their employees to work from home. Home Wi-Fi networks that lack strong security are vulnerable to attack. That vulnerability can threaten the security of company networks.

The proliferation of public Wi-Fi also creates security issues for individual users and organizations. These networks are by definition "open" and, therefore, unprotected. Devices accessing public networks are highly susceptible to malware, spyware, and other malicious activity, such as the MITM attack described earlier.

Following are a few examples of other types of wireless security issues.

IP spoofing

Attackers use IP spoofing to penetrate wireless networks by impersonating trusted IP addresses. This approach may allow attackers to plant malware, initiate distributed-denial-of-service (DDoS) attacks, or carry out other nefarious acts.

DNS-cache poisoning

Wireless networks are also susceptible to a threat known as DNS-cache poisoning, often called DNS spoofing. This tactic involves hacking a network and diverting network traffic to an attacker's computer or server or to another out-of-network device. The risk for users is connecting to a malicious version of a legitimate network they want to access.

Piggybacking and wardriving

As noted earlier, bad actors can use open or unsecured wireless networks to conduct illegal activity, monitor web traffic, steal information, and more. They can do this by "piggybacking" on the internet service of real subscribers. The bad actors tap into the unsecure service to set up their own internet connections, without the legitimate users' knowledge.

There is another version of this practice, known as "wardriving." Individuals drive, walk, or cycle slowly through densely populated areas with wireless-equipped laptops or smartphones, searching for unsecured wireless networks to connect to. While instances of piggybacking and wardriving are often cases of people who are just seeking "free" internet connections, there's certainly a question of whether these practices are ethical. And many individuals who engage in these activities are intent on mischief. That's why Wi-Fi security should be a top-of-mind concern for all users of Wi-Fi networks.