Hey, I actually work in the security field and have done corporate wifi penetration testing etc in the past. A lot of the advice here is unfortunately poor and comes from a concept of applying logic, rather than understanding the security underpinning WPA2 encryption.
So to set things straight:
1) MAC address filtering does absolutely nothing for security.
As an example, my network name is BTHub6-6S4Z. When I bring my iPhone home, it transmits a signal effectively in all directions of every WiFi name it has ever connected to, in the hope it finds BTHub6-6S4Z. It also broadcasts its MAC address. My iPad does the same, my macbook, my PS4, Printer etc.
As an attacker what I can do is listen to the wireless traffic around me - this is called "monitor mode." In the case above, say I had an attacker living next door to me. The attacker would be able to see my iPhone is looking for BTHub6-4S4Z, and they also can see my iPhone MAC (lets say it's 11:22:33:44:55:66).
If I had MAC address filtering enabled, it is bypassed with no hacking at all. The attacker can see my iPhone with MAC address 11:22:33:44:55:66 is requesting BTHub6-4S4Z. All the attacker needs to do is pop in the properties of their network card, and change their MAC to be 11:22:33:44:55:66, and connect to BTHub6-4S4Z. In they go, 15 second job.
Same applies for "hiding your SSID." Say I hide my SSID for my BTHub6-4S4Z network... My iPhone, iPad, Macbook, PS4, Printer, Work Laptop etc will still connect in, and in doing so they will push out this data in every direction asking for this network. Once they connect, they will push out data saying the SSID they are associated with. The attacker can see every device in my home effectively calling out for BTHub6-4S4Z... They can even see a list of every device in wireless range of themselves that is associated with my network name, and all of the MACs. The SSID is hidden, but it is literally being broadcast in every direction by every device I own, in clear text, unencrypted form. Easy to figure out my networks name right
Point is, hiding your SSID, and MAC filtering do nothing to solve security. This data is literally pushed out by every device, in every direction, and is never "hidden." The WiFi specification is not designed to hide this data, as it was never a security measure.
2) A strong WPA2 password is important, although most hackers will not exploit the password, but rather exploit flaws in WPS or the PINs. On older devices, these can often be exploited in less than 2 minutes... Even if I had a 50 digit WPA2 password, if I exploited WPS, this would just hand over the 50 digit password. WPS exploits are no slower/faster depending on password complexity.
This is why disabling WPS is real important. It is recommended to change the WPA2 password and have a length of 16+ characters (if you know you are being compromised, set a super long PW e.g. 60 characters), and it is recommended to change the SSID from the vendor default also. WPS should not be used / enabled... This applies to all WiFi extenders / booster type devices also.
NOTE: On many devices when you turn off WPS, it does not actually disable. This is a flaw in design, and applies to older devices again.
When an attacker sees an SSID of BTHub6-XXXX, it tells them 1) The device to be compromised is a BT Smarthub and 2) The password is most likely 10 characters (the default length used on all BT Smarthubs). This severely reduces the possible password combinations. This is why changing SSID/password is important as now the attacker has a much bigger job on their hands to test all possible passwords.
Unfortunately, authentication is totally flawed on WPA2 implementations. What this means is, as an attacker I can basically send a request to your router, and ask it to disconnect every single device, it will respond by doing just that. There is no protection of this mechanism where devices connect / disconnect.. If you have a very malicious attacker, they could get "angry" and retaliate by constantly sending requests to your AP to disassociate every device, resulting in the user being unable to ever connect to the WiFi. This is highly illegal, but does occur at times.
WPA3 will resolve this flaw, apparently.
WPS etc is getting more secure, for various reasons, but I would still disable it.
In your shoes I would do the following:
1. Reset the router to factory defaults - the reason I say this, attackers can setup remote management which enables them to get into your routers settings from anywhere in the world. E.g. they could go into the settings from Australia... In the settings would be any wifi password.
Everytime you change the password, the attacker just logs into the router from another network (e.g. mobile phone data), pops in the settings and brings up the new password. Then they connect in...
Hence, it is worth resetting with a pin in the reset button to ensure they have not installed any of these "back doors."
2. As soon as the router is reset, login to the router, and change the admin password of the device to something complex e.g. a 16 digit random password.
3. Login to the router with the new admin password, navigate to the WiFi settings, disable WPS/WPS PINs.
4. Change the SSID to something else, keep SSID broadcast on, there is no security benefit disabling this. Do not bother with MAC filtering, there is no security benefit.
5. Set the router to WPA2-AES only, NOT WPA / WPA2 Mixed Mode. Set a password of 16+ characters (or 60 if you don't mind entering it one time on every device). Ensure no dictionary words are used e.g. Football10 and do not use common variations of words e.g. F00tb4ll10.
6. Double check remote access is disabled on your device (if your device supports it). Double check changing the SSID/Password has not re-enabled WPS.
7. If you can, reduce the WiFi AP power, so it only covers the property as required.
8. Apply any firmware updates to your device, in case there are inherent security weaknesses on your APs WiFi setup. If there is an auto update function, enable it. If you have ISP kit, this should get updates automatically...
If your device is end of life and not supported by the vendor, consider replacement with a new piece of kit, or a latest and greatest ISP device which will likely meet a much higher security standard out of the box (e.g. enhanced WPS pin lockout etc - still disable WPS).
At this point, it is likely the attacker will move onto an easier to compromise device. Your AP becomes a huge headache to get into...
Edited by ukhardy07 (Sun 13-Jan-19 21:51:01)