The Year 2003 in Wireless Network Security

OenMarK writes "I ran into an article that is basically an overview of events, software releases, and happenings related to wireless security. There's also a Q&A with some wireless security experts, one of which is from IBM. What's your take on wireless security? Are we there yet?" This is the same site that also hosts the look back at Linux security we posted earlier. They complement each other well.

Not a very informative article.

[plover]

I would much rather more information about attacks and their severity.

A study of honeypot projects that showed most wi-fi abuse was "bandwidth stealing" doesn't exactly fill me with a sense of dread. More useful would have been a list of attempts hackers sitting outside of unsecured businesses trying to get at the corporate data.

Or are they trying to lull potential customers into a false sense of security?

Wireless security is an oxymoron

[Punk+Walrus]

I have as of yet, found no way that you can make a wireless system secure. Sure, you could say the same with wired, but at least you can contain wired security. Someone has to break into the building, or use "social engineering." Some personal contact has to be made.

Wireless has no such limits. This is even skript kiddie level stuff.

This is my report on it.

Easy Setup and Mantainance of Security is Key!

[dduardo]

On Linksys' site they have 7 things people should do to keep their wireless network safe:

1. Change the default SSID.
2. Disable SSID Broadcasts.
3. Change the default password for the Administrator account.
4. Enable MAC Address Filtering.
5. Change the SSID periodically.
6. Enable WEP 128-bit Encryption. Please note that this will reduce your network performance.
7. Change the WEP encryption keys periodically.

Now your telling me average joe (or administrator) is going to preform all these tasks, and remember to regularly change the WEP encryption keys. This is a problem, and until security setup and mantainance is automated and/or easy enough for the everyday folk, there is going to be a continual growth of attacks on these type of networks.

------------

2003 was the start, and 2004 will be the explosion

[freeweed]

Up here in central Canada, early 2003 showed a nice, gradual uptake in wireless equipment by the business sector, and a few tech-heads putting it in their houses. Now that xmas is over, and stores were selling APs for as little as $15 (cdn) after rebates, I'm seeing almost a 10-fold increase in the number of hotspots compared to June of this year.

I see a couple of trends on the horizon:

1. Just as you can no longer buy a 10mbit hub, because a 10/100 switch costs pennies more to make, soon all home cable/DSL routers will come with 802.11b at the very least. The "premium" models will include g for $5-10 more, to keep some price differentiation happening.

2. Back when it was us geeks and businesses, the WEP/non-WEP ratio seemed to hover around 50-75%, depending on area. Driving around last night, it's below 10%. This could be an indication of new xmas presents that the owner hasn't had time to configure, but really: how many people actually change from the default settings? (On that note, thank you SMC for having a blank default password and an SSID of "SMC" :)

Just the changes in the past 12 months have convinced me that 2004 will be the year wireless really takes off everywhere up here, and as long as it's still being shipped unsecured to the consumer, we're soon going to have a LOT more opportunity for this sort of thing.

My wireless network is now totally secure

[Waffle+Iron]

I made my wireless network secure this year. After a couple of years of use, my wireless adapters are now sitting in the bottom of a drawer, and I tacked a Cat5 ethernet cable to my ceiling and walls to replace them.

No more worries about wireless security alerts, finicky configurations, key management, weird drivers, setting up VPNs within my own house, strange network freezeups or having to read articles to keep on top of it all.

To me, keeping my mind uncluttered and free from all that minutia is worth the ugliness of a few network cables.

WEP has its uses

[freeweed]

WEP works just fine for certain things. For example, keeping people from abusing my internet connection, downloading child pornography, etc. In order to crack a 128-bit WEP key, last I checked, you need something like 5-10 GIGABYTES of traffic to analyze. I don't use that much bandwidth in a year over wireless - it's just to be able to surf from the living room, etc.

I've checked out the range on my AP using some nice high-gain antennas, and seeing as it's in the basement, someone would have to be within 3 or 4 houses of me. That's a pretty limited range, so I can narrow it down to say 100 of my neighbours. And one of them would have to sit and passively sniff my traffic for an ENTIRE YEAR. Answer: change my WEP key every few months, and unless I'm not up to date with the latest security issues, I'm virtually immune. Sure, they can sniff my SSID. Big whoop if they can't get on it.

Disclaimer: I haven't played with Kismet in over 6 months, so if there's some new "grab 10 packets and crack the WEP key" setting that I haven't heard about, please correct me :)