Study: Wi-Fi Users Still Don't Encrypt
Shackleford writes "SecurityFocus has an article saying that two days of electronic eavesdropping at the 802.11 Planet Expo in Boston last week sniffed out more evidence that most Wi-Fi users still aren't securing their networks. Security vendor AirDefense set up two of its commercial 'AirDefense Guard' sensors at opposite corners of the exhibit hall at the Boston World Trade Center, the site of the conference, and for two days analyzed the traffic flowing between conference-goers and 141 unencrypted access points set up by the conference for public use, and by vendors on the floor.
What they found was that users checking their e-mail through unencrypted POP connections vastly outnumbered those using a VPN or another encrypted tunnel. Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day."
Yes, this doesn't surprise me at all. 68 WAPs in my community - none broadcasting WEP.
A similar survey would be to test how many POP3 servers out there support SSL. I suspect that it's on the low side of 3%. POP3 with SSL is a trivial, easy alteration that many POP3 clients support, instantly securing the network without layering on a secondary encryption layer (VPN/PPTP/IPSec) when all you want is to check your email, which is what probably 99% of the users do at trade shows like this.
And with some patience, very little in fact, your car door can be opened, and your car stolen, or your house door opened, and your house cleaned out... but that doesn't mean we run around leaving our doors unlocked and open.
Furthermore... there are legal implications. Is sniffing out POP passwords in this way illegal? Probably, but maybe not.. but is doing so off an encrypted channel illegal? Most certainly... as there is no logical way you can deny that you knew the signal was supposed to be private.
And you can guess IPSec keys too, eh? :) There are effective standards, just the majority doesn't use them. 802.x works well when you use a VPN.
--
"I'm not bright. Big words confuse me. But Wanda loves me and that should be enough for you." - Cosmo
With all the media hype about wireless, a growing number of people are simply buying an access point and a couple of NICs, flicking through the manual, and then running default configurations, because the average user probably isn't aware that what they are doing *is* insecure, and has never heard of WEP. No doubt this (and newer ideas such as 802.11x) will be in the 'advanced' section at the back of the manual with bluntly technical instructions filled with acronyms and concepts that a non-IT savvy person would simply skip over.
Once it 'works', the majority set-it-and-forget-it - no different to the populace of home users running xDSL without a firewall, or those who never patch their boxes. A quick drive round your local residential area with a copy of Kismet proves this point for anyone with any doubt =)
On the flipside of the coin, in the corporate world, sales reps, engineers, and other 'road warriors' should really be given this advice from their support teams, and have their machines configured appropriately in advance by someone knowledgeable - they really can't be held responsible for the lack of action by the correct department.
The point of this analysis was that when people used unencrypted wifi in public places, they used open and unencrypted channels to communicate sensitive information such as email passwords. i.e. They didn't establish an encrypted VPN session first, or their organizations don't use IPSec/POP3 SSL. The net effect is that they're publicly broadcasting all of their information.
Of course I wouldn't see it much differently if the conference hall had CAT5 jacks that you could plug into: You still should have no faith in the people running the show, or anyone capable of putting in a wire shunt, who have every ability to log and trace all of your messages: You should always presume that someone is listening. This is just another reminder that the world needs to move to secured application layer transport protocols as mandatory (or blocking external access apart from through a VPN) as quickly as possible, because the human element will always take the easiest route, and the natural human instinct, barring a case of paranoia, is to presume that nothing will ever happen to them- Every victim is someone who thinks it'll only happen to the next guy.
How can they tell how many people encrypted their email checking when you can't tell what goes over an encrypted link?
I have of course not read the article, so it could be the submitter.. But anyway, 3 and then 12 percent of the people who checked their email without using a totally encrypted transport (SSH-tunnel, VPN..), which just isn't the same thing..
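Added example, not part of the thread or of AirDefense's tooling: one way a passive monitor could arrive at a "percent encrypted" figure, assuming sessions are classified by well-known port and by whether the client issues STLS/STARTTLS before logging in. The session records, addresses and function names are constructed for illustration; tunnelled traffic lands in `unknown`, which is the limitation raised in the comment above.

```python
from collections import Counter

# Well-known mail ports; a monitor can only read commands on the cleartext ones.
CLEARTEXT_PORTS = {110: "POP3", 143: "IMAP"}
TLS_PORTS = {995: "POP3S", 993: "IMAPS"}

# Constructed sample sessions: (client, server port, client commands visible
# on the wire). Credentials are placeholders; nothing here is captured traffic.
SAMPLE_SESSIONS = [
    ("10.0.0.11", 110, ["CAPA", "USER alice", "PASS <placeholder>", "QUIT"]),
    ("10.0.0.12", 110, ["CAPA", "STLS"]),        # upgrades to TLS before login
    ("10.0.0.13", 995, []),                      # TLS from the first byte
    ("10.0.0.14", 110, ["user bob", "pass <placeholder>", "LIST", "QUIT"]),
    ("10.0.0.15", 110, ["APOP carol <digest>", "RETR 1", "QUIT"]),
    ("10.0.0.16", 143, ["a1 LOGIN dave <placeholder>", "a2 LOGOUT"]),
    ("10.0.0.17", 1723, []),                     # PPTP control channel (VPN)
]


def classify(port, commands):
    """Label one session by what a passive listener could read from it."""
    if port in TLS_PORTS:
        return "encrypted"
    if port not in CLEARTEXT_PORTS:
        return "unknown"  # tunnel or non-mail: any mail inside is not countable
    for line in commands:
        words = line.split()
        if port == 143:
            words = words[1:]  # IMAP commands carry a leading tag
        verb = words[0].upper() if words else ""
        if verb in ("STLS", "STARTTLS"):
            return "encrypted"  # everything after this is inside TLS
        if verb in ("PASS", "LOGIN"):
            return "cleartext_login"  # password crossed the air unprotected
    return "cleartext_session"  # e.g. APOP: no plain password, mail still readable


def summarize(sessions):
    """Return (per-label counts, percent of identifiable mail sessions encrypted)."""
    counts = Counter(classify(port, cmds) for _, port, cmds in sessions)
    mail = sum(n for label, n in counts.items() if label != "unknown")
    pct = round(100 * counts["encrypted"] / mail) if mail else 0
    return counts, pct


def exposed_clients(sessions):
    """Clients to notify: they sent a mail password in cleartext. No secrets kept."""
    return sorted(c for c, port, cmds in sessions
                  if classify(port, cmds) == "cleartext_login")


if __name__ == "__main__":
    counts, pct = summarize(SAMPLE_SESSIONS)
    print(dict(counts), f"{pct}% encrypted")
    print("cleartext logins from:", exposed_clients(SAMPLE_SESSIONS))
```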
Kinda like how's happening with illegal p2p usage? oh wait...
If people don't think wireless security is important and we make a law that forces them to implement it then respect of law will suffer. Just like how it's happening with p2p. And do you really want to waste police resources to triangulate source of wifi signal? And even if they do that they'll still have to get a warrant to make sure the signal comes from the place they think it's coming. Whoops, you can't get a warrant for a crime that only has fines as a punishment. Let's put those who run unsecure wifi to jail! What a great idea!
Only way to solve this problem is to make it illegal to sell wifi equipment without auto-enabled encryption. People don't care about the issue so any attempt to force them to care will be wasted. Attempts to force them to use will just be met with contempt.
And with some patience, very little in fact, your car door can be opened, and your car stolen, or your house door opened, and your house cleaned out... but that doesn't mean we run around leaving our doors unlocked and open.
A lot of people do leave their doors unlocked. Besides, your analogy is flawed because breaking into a car or house attracts people to the presence of the crime. Cracking WEP encryption is something that can be done in the privacy of your own home.
Is sniffing out POP passwords in this way illegal?
Maybe not, but using that sniffed POP password certainly is.
This all adds up to make it really easy to sniff usernames and passwords just by sitting in a campus hangout area with a packet sniffer.
I have whined at my University for IMAPS support and was told that, while they were interested, they couldn't roll it out because their servers couldn't handle the extra CPU load from all that encryption/decryption. I suspect the answer is the same in other places.
Doesn't really work in this case. It's the network at these shows that is untrustworthy not just the airwaves. The only thing the WEP (if it works right) is good for is keeping people you don't want off your network; it doesn't actually add any significant security for the user from the network. So as a user in 99% of all cases you want end-end security, not point-point; because at each of these points the traffic is unencrypted and can then be sniffed.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Most people don't care all that much about their home wireless networks (or their personal email) being encrypted, because there's no major threat. Sure, corporations need to protect their ever so secret information and precious bandwidth, but if someone near my house wants to go ahead and use my wireless connection, as long as it's not crippling my connection speed, so be it. Not a big loss for me. If someone is going to go through the effort to snoop my network, you're not going to find anything worth stealing that you couldn't get easier from Kazaa. If someone's going to be reading my personal email, well, they're going to be plenty bored. It's just not worth hacking into my computer, there's nothing of non-personal value on it.
Security isn't a major issue for home users. That's why they don't treat it as such. Sorry guys.
--
RumorsDaily
This shows the power of defaults. Anyone who has done any wardriving will notice that a lot of networks have the SSID "linksys" or "default".
Take it out of the box, plug it in, and it works. That's the beauty of wifi.
I'm sure we'll see a move by manufacturers towards secure-by-default (as secure as possible, that is) as we've seen Microsoft trying to do with IIS in Win2003.
That said, there is certainly a place for unencrypted open networks.
... did they mention that some access points go down to modem speed if WEP is on? The on board CPUs simply can't keep up doing WEP/64.
I think you should forget about WEP and use IPSec and VPNs instead
All the "l33t hax0rs" (read: script kiddies) have the airsnort in their bag-of-scripts that they don't know how they work anyway, so why bother?
I don't see this as too surprising..most people think that by installing ZoneAlarm and buying a Linksys router, they're immune to any form of attack or subversion. This extends to both wireless and traditional setups.
As I see it, there are two very fundamental reasons for this: lack of awareness and lack of comprehension. The average day-to-day user doesn't even know what a firewall is..what are the chances that they'll have a clue about encryption? I mean, c'mon..we're living in a world of users who largely think that SSL means that they're safe as can be, that security is something you purchase, and the only difference between wireless and a traditional connection is a lack of cables.
Awhile back, I was going on a pretty big BSD advocacy kick..y'know what finally made me give it up and shut my mouth? One girl had a bunch of questions, so I tried to answer them as best I can. I also wanted to make sure that I made clear the differences between Windows and BSD, as most MS users aren't accustomed to the file system, configuration, etc. So, naturally, I bring up firewalls, and how you essentially write your own rules for it by hand (in this particular instance, I was covering ipfw).
Rather than take my advice, she immediately became defensive, ranting off about how she's not some AOL kid, and how she already has ZoneAlarm, so she won't need to worry about a firewall on BSD. I could go on and on with stories like this.
I realize that this isn't just about wireless, but I don't think the issue is that limited in scope. Computer security is taboo to a lot of people, and unfortunately, it's a problem that needs to be addressed...or taken advantage of by those with a greater sense of what the fuck is up.
I agree. WEP is good, if you have a situation where it's easy to set up, anyway. Copying those keys from one computer to another is quite a pain, and it's just plain impossible if you do a lot of roaming. Personally I have WEP on my home network, but I try to treat the network as though it's completely unsecured. Part of that means putting a random "answer" to those "recover your password" questions that my bank has. My email account is far too easy to break into to trust my life savings to. In the unlikely event that I forget my password I'll wait a week to receive a new one by mail.
The average non-technical user is happy enough just getting things working.
Home users want to take their notebooks anywhere in the house and be able to surf. Business travel through airports (interoperability) may not even be their priority.
Why should they be concerned about mac addresses or hex keys? Firmware upgrades to make things more compatible?
Let's make it easy for them. Vendors should sell wireless home networking kits that have all the encryption turned on in advance by default, with drivers that assume this also by prompting for the prepackaged keys at install time.
Joe user could buy a box containing an access point with two pcmcia wireless nics. By default those two nics will be the only ones that can access the access point. The shiny box that says "easy install" will be what clinches the purchase.
Of course an advanced user could still change the defaults to suit their needs.. but that requires effort.
Joe User will always assume the defaults are good enough for him, and they should be.
It doesn't bother me if my wireless traffic is sniffed...anything important I'm doing over a wireless connection (Secure HTTP for online purchases, SSH for shell access, etc.) is already encrypted at a higher level than WEP works at. There's no need to encrypt the entire network, if you don't care about someone reading your e-mail.
Even if you do care, IPSec is probably a better choice than WEP is.
I even added "active" to "man in the middle attack", in case someone needs a hint that MITM doesn't just mean someone listens in. If the server can not ensure that the public key of the other party is in fact that of a legitimate user, then I can pose as a server and client respectively. The client thinks I am the server and tells me what it wants. The server thinks I am the client and gives it to me. All I have to do is forward the requests and answers. And because both parties share their individual secrets with me, I can decrypt everything. In essence, encryption without authentication is pointless (unless you REALLY know that nobody can actively compromise the communication channel).
You misunderstand. WEP was poorly designed and should not be trusted, but just because WEP is broken doesn't mean that all encryption is broken, and it doesn't stop me from sending securely encrypted traffic over a completely open access point, or over a WEP access point.
At the moment I am sitting in a coffee shop with free, unencrypted, 802.11b internet access. My reading of slashdot, and the posting of this message, are quite readable by anyone nearby with motivation, a computer, and some brains.
But in another window I have an ssh session logged into my basement Linux server. When I logged in my notebook checked that the signature was as expected and therefore there was no man-in-the-middle attack going on. I am typing this on a notebook I control, I have high confidence that that session is as secure as my house (the weak link, my server is there). I don't need to trust the guy sitting a few chairs down, I don't need to trust the coffee shop.
If I really want to do some web browsing secure from local sniffers I could fire up netscape from my basement but with the display on my notebook. (X has some benefits.) It would be slow, but it would work.
Encryption is not a magic bullet, but it is a very valuable tool.
What can you do? Don't use MS Windows. Don't use telnet for text logins, don't use plain POP or IMAP for reading e-mail--there are encrypted versions of both. Be worried about banking on open wires; if you see a padlock in the corner of your browser window it means (probably means, there could be bugs) it is encrypted and you have a secure connection to the other end--but who is on the other end? Is it *really* your bank? (This is the man-in-the-middle attack.) Think twice before typing important passwords on a keyboard you don't control. Twice in recent months there has been news of rogue technicians putting sniffers on keyboards, I think one was airport kiosks and one at some college.
Don't use one (or even two) passwords for everything. It is far better to write your different passwords down on a list and keep it in your wallet than it is to reuse passwords in different circumstances. If someone mugs you they can get the list and they might not appreciate its significance, but if you reuse a password one crooked or incompetent web site can leak and now anyone in the world might have your "master key". I keep my list of passwords encrypted with one nasty-ass-long password, and that one I don't write down. Pick good passwords; single words, names, dates, etc., are bad ideas.
Now think about all this advice. Think it through. Understand why I said what I said and whether it makes sense. There are no easy rules to computer security, you have to stop to understand the problem a bit.
One of the tasks involved in becoming an adult is to acquire an ability for "common sense", something that children don't have and take years to develop. Well, computer security has hit us and turned us all into children who have to learn a new kind of common sense. Don't just follow rules, learn and think. And don't be too paranoid.
-kb, the Kent who keeps his ssh related software up to date, and you should too.
You should always presume that someone is listening. This is just another reminder that the world needs to move to secured application layer transport protocols as mandatory
Of course there is always the alternative view that these people simply didn't care if someone was eavesdropping on their email. I know I wouldn't be at all bothered.
People still send postcards - think of it - in this day and age when paper envelopes are so easily available...
why is it that i am not surprised at this stat? the problem with the current state of wi-fi is that it is generally insecure by default. if you want to increase security you have to fudge around with cryptic configuration settings, and if you don't know what you're doing you can make your network even less secure or fubar the whole thing. the mass market consumer -- and this would be the target audience if wi-fi were to really take off -- should not be expected to know what vpn stands for or what a tunnel is besides the big holes that trains and vehicles go through.
in an ideal world secure protocols would be built in and invisible to the user. out of the box all security measures would be enabled by default, so if you want to turn off encryption you'd have to turn it off manually. the dream of ubiquitous computing would be a nightmare without ubiquitous security.