How to Fix: Stop Neighbors Stealing WiFi

Dennis Faas's picture

Infopackets Reader Steve J. writes:

" Dear Dennis,

A few weeks ago my neighbor hit my car parked on the road. I've tried to settle this amicably but now he's threatening to (among other things) hack into my computer and delete my files. Since then, my Internet has been slow and I suspect that my neighbor is stealing my WiFi signal. I have searched all over the Internet on how to stop someone from stealing WiFi, but the solutions are not effective. I am scared to death he may get into my machine and cause havoc. Can you PLEASE help me? I'm desperate for help and you are the ONLY one I trust! "

My response:

I asked Steve if he would like me to connect to his computer using my remote desktop support service in order to have a closer look, and he agreed.

Below I will discuss my findings.

Related:

How to Fix: Stop Neighbors Stealing WiFi

Update 20191222: Since publishing this article I've received additional suggestions based on what I originally wrote, and also some criticism.

Before I get into the meat of this article, let me be clear: there is not a single quick-fix solution that is going to stop neighbors (or "hackers") from stealing your WiFi, but instead a mix of options. The options you choose will depend on a number of things, including: (a) your technical expertise and willingness to implement these suggestions, and (b) the technical expertise of others (your neighbors) trying to get into your network and steal your WiFi.

Certain options may make things extra-difficult for your neighbor to steal your WiFi, or it may make it impossible. Or it may not be effective at all. Also, depending on which options you choose, it may be incredibly difficult to add new devices to the network - especially guests visiting your house.

Lastly, many of the options I'm suggesting are set via the router administration page. Since each make and model of router is different, this is no way for me to explain step-by-step how to do this. Therefore, I can only provide suggestions on options you might look for, assuming you can access the router administration (which also assumes you know the user name and password). If in doubt, contact a professional - my contact link is here.

Here are some of the best ways to stop neighbors from stealing wifi, based on readers suggestions as well as mine:

  1. Use WPA2 + AES (security) whenever possible, and even WPA3 (routers circa 2018 and on) if you have it.

    WPA is the method in which devices communicate wirelessly with the router and is considered relatively secure. Most new routers choose this by default. That said, WPA / WPA2 protocol can be cracked, but in order to do so it requires (a) a solid connection to the router remotely and (b) lots of time to crack the password. If your router doesn't offer WPA2 then it's time to upgrade the router. WEP is by far the worse protocol to use.
     
  2. Ensure your router firmware is up to date.

    Router firmware runs the router operating system and patches any vulnerabilities. To patch your router, visit the router manufacturer's website to find the latest firmware, download, and apply it via the router administration page. Note: you will need to know your router model number and hardware revision. Caveats: (a) if you have an old router, there may not be any updates available, and (b) applying new firmware will effectively reset the router settings. Depending on how your router is set up, resetting it may lose your Internet connection altogether, so be careful here. If in doubt, hire a professional to do this - my contact link is here.
     
  3. Use an incredibly long password when connecting devices to the router.

    If your neighbor claims he or she is a s00per hack0rz ("super hacker") and is using Kali Linux (an operating system used for cracking router passwords), then using an incredibly long (and strong) password will make gaining access to the network extra difficult. The caveat here is that you will need to enter in the same long password for every device that connects to the network wirelessly. This only happens once, and then the device will remember the password. An example of a strong password might be 0123456905551234aBCYourName, as an example. It's super long, uses upper and lower case, but is also relatively easy to type in.
     
  4. Change your router administrator user name and password; use strong passwords.

    Many routers use "admin" as the default user name and "admin" as the password. Once someone has access to the router administration page, they can pretty much do whatever they want to your network, including installing router firmware to leak passwords or even redirect you to malicious sites. The best advice here is to use an obfuscated admin user name, such as YourNameABC123, for example, and an equally obfuscated password.
     
  5. Disable or restrict remote management to the router (I.E.: the router administration page).

    This option may or may not be available depending on your router make and model. Restricting access to a specific IP address to the router administration page means that only your machine can make changes to the router. In this case you will want to specify your device using a static IP address so that the IP doesn't change and will always be valid when attempting to manage the router remotely.
     
  6. Disable the Guest Network on the router if the option is enabled.
     
  7. Restrict access to the network using DHCP and static IP pool.

    This is defined in the router administration page. DHCP is what provides devices an IP address to use the network. If you restrict the number of IPs allowed to connect to the network, then you limit the possibilities of outsiders gaining access to the network. This was originally my focus of this article but drew too much criticism.

    There are two issues with this approach. If you restrict DHCP to limit available IPs, then this method assumes your devices will always be powered on and connected to the router. With smartphones and tablets, that may not be the case as they tend to go to sleep and lose connection to the router. As such, the IP may become available, which means an incoming connection can overtake the available IP (but only if the router password was known).

    Others suggested disabling DHCP altogether, and use only static IPs. Essentially any incoming connections to the router won't work unless the devices are pre-configured to connect to a specific subnet (192.168.x.x). This is fairly good protection on its own, but there are some caveats.

    First, each device connecting to the router will need to be configured as a static IP. This can be problematic to implement on tablets or phones since configurations pages vary; also, this would not be convenient when guests are visiting. Secondly, if the device loses connection to the router (sleeps) then the IP would technically become available - but again, only if the router password is known.
     
  8. Hide your SSID.

    The SSID is the router name that is broadcasted wirelessly. Without the SSID, the router appears to be "hidden". This provides some protection against relatively ignorant neighbors, though more savvy ones will use freeware to find hidden SSIDs and attempt to connect that way.
     
  9. Use MAC addresses to connect to the router.

    This is similar to limiting the DHCP pool, sort of. Most routers will show MAC addresses alongside the IP addresses of all connected hosts to the router via the router administration page. From there you can copy the MAC address and add it to the list of allowed devices. The issue here is that MAC addresses can be spoofed. So, for example, if your neighbor managed to gain access to your router administration page and copied the list of allowed MAC addresses (or even added one for himself) and he knew your router passwords, then that would be all he would need to gain access to the network.

    Another issue with this approach is that you will have to go into the router administration page every time you want to add a MAC address to the list of accepted devices.
     
  10. Disable WiFi entirely. If you do this then your neighbor certainly won't be able to steal your WiFi signal. If you go this route then you won't be able to use WiFi yourself. Only use this option if you are paranoid, but also understand the consequences.

I hope that helps.

When in Doubt, Hire a Professional

As I mentioned at the top of the article: securing your network depends on a number of options, as well as your willingness to implement those options. If in doubt, hire a professional to manage securing your network.

Additional 1-on-1 Support: From Dennis

If all of this is over your head, or if you need help configuring your router to stop your neighbor from stealing your WiFi, I can help using my remote desktop support service. Simply contact me, briefly describing the issue and I will get back to you as soon as possible.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question - or even a computer problem that needs fixing - please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas

is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via Live chat online this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.

Rate this article: 
Average: 3.2 (14 votes)

Comments

e5chultz_3890's picture

I would advise a different tack to limit unauthorized wifi users. Most routers have the option to talk only with devices with specific MAC addresses. Enable that, then disable broadcasting SSID, disable guest net, then ensure that you have a strong password. Be sure to change the admin name - many routers use 'admin'. That should substantially reduce outside attacks.

Dennis Faas's picture

MAC addresses can be spoofed using drivers / freeware, so in my opinion this isn't as good as limiting the DHCP IP pool / static IPs. SSIDs can be sniffed even if hidden, though does provide some protection through obfuscation.

LouisianaJoe's picture

The router administration page can be used to see what is connected to your router.

beach.boui's picture

Limiting the IP pool assumes that the homeowner has x number of WiFi devices in the house at any given time. In my home, and I suspect it would be the same in most modern homes, devices that use WiFi connectivity come and go on a regular basis. Rokus, laptops, game devices, cell phones, WiFi outlets and other "smart" devices, etc. Assigning a dozen items a static IP address is chore not for the faint of heart.

I would think using the router configuration console to block devices that are unknown to the homeowner, or using Mac filtering would be a better solution.

YankeeVictor's picture

i do understand everything explained here, and replacing 'admin' + strong router password should be the very first action to take when you set up a new router, but is a strong wifi password and guest access disabled not the easiest solution for most situations ?

Dennis Faas's picture

There are Linux distributions that will crack / hack router passwords (Kali linux), so to answer your question: no, disabling guest access and changing the admin password isn't enough. If you limit the DHCP IP pool / restrict static IPs, this is in my opinion the best approach.

Jim-in-kansas's picture

I used a good password and turned off the guest account and SSID.

Works fine here.

99% of people are not adept enough to hack even a mild password so, IMHO, almost any password will be good enough and if you use some capital letters and "special characters" thrown in that's more than enough..

James Douglass
Garden City, Kansas

Dennis Faas's picture

There are freeware programs that can sniff SSIDs, even if hidden. So, while most neighbors likely aren't savvy enough to figure it out, this wouldn't be enough to stop someone from hopping onto the network.

rpeltz's picture

Here are a few additional suggestions to those above.

On a number of routers you can lower the power of your wireless signal to decrease the range and potentially limit it to within the walls of your house.

You can change the web admin port used to access the admin page of the router to a completely different port, preferably not 81, 800, 8000 or 8080. This will take him additional time and effort to find the open port and require running port scans to find the open port.

If you do not have the need to directly connect to other wireless devices from your computer, see if your router has the option to turn on "AP Wireless isolation". If it does and you enable it, this will make it much more difficult to compromise your wireless connected PC from his wireless intrusion on your wireless network.

Install a software firewall on your PC to significantly limit incoming network access.

Lastly, if you can manually assign static IP addresses to your network devices; you could disable DHCP entirely too make it far more difficult to connect to and compromise your network.

If all else fails, get the police involved since unauthorized access to a computer or network is crime.

Cheers,

Ray

craipinpa_13094's picture

No offense, but limiting DHCP is a terrible way to prevent unauthorized access. Ignoring how this only works if every single device you own is always powered on and connected to the network, it's still trivially easy for another device to grab an existing devices IP before it gets renewed. IP leases were never intended for security, they were designed to ensure IP addresses get freed up when not in use. By design it defaults to reassigning IPs to new devices as quickly as possible. Anyone who has ever managed a large network knows that running out of IPs in a DHCP range doesn't prevent devices from connecting - it just winds up creating IP conflicts because it does nothing to stop devices from attempting to connect indefinitely.

As you yourself mention, anyone can simply set a static IP to connect. The concept that this is somehow INCREDIBLY RARE while simultaneously suggesting in the comments that sniffing SSIDs, spoofing MAC addresses or hacking Wifi passwords with Kali are somehow more of a risk than someone simply knowing how to enter a static IP address is baffling.

To prevent people from stealing your wifi, the most important advice BY FAR is simple.

Ensure that you have a router that supports WPA2 encryption and use it. Any certified router manufactured since 2006 supports WPA2. Older protocols like WEP contained vulnerabilities that tools like Kali can quickly and easily exploit. WPA2 is secure as long as you use a strong enough password.

CHANGE THE DEFAULT PASSWORD. Most routers have a default password printed on the router. Anyone who has ever been inside your home would have had access to it. Change it to something at least 12 characters long. It can be as simple as a long sentence such as 'My super strong neighbor proof password!' Special characters are helpful but not required. Just make it unique.

Disable any guest networks if they are turned on.

Next is to update the firmware and change the default admin password for your router. A quick google of your router make and model number should help locate instructions and the latest firmware from the manufacturers website.

THAT'S IT. Yes, you can hide your SSID, change ports, turn off remote access or any of dozens of other techniques that can harden it even further, but WPA2, updated firmware and strong unique passwords are BY FAR the most important.

Cyberentomologist's picture

You’re proposing a Layer 3 “solution” to a layer 1/layer 2 problem. This is not going to work the way you seem to think it will. By the time you’re talking about DHCP and IP addresses, your neighbor’s device is already connected to your network. All it takes to bypass this control is manually configuring an address in the requisite range.

As mentioned elsewhere, MAC authentication and SSID broadcast suppression are also not security measures.

The way you keep your neighbors off your WiFi is to not send the signal into their house in the first place (don’t put your access points on outside walls - this is the layer 1 approach), and then use WPA2 or WPA3 encryption with a good password (the longer, the better) to secure layer 2.

then use firewall access rules to secure layer 3.