Slashdot Mirror
CNN Notices that WiFi is Insecure
josh3736 writes "From CNN comes an article that makes painstakingly obvious to the public what we already knew: 802.11 security is horrible. The article points out that nearly 40% of wireless network APs haven't even been changed from defaults and as many as 80% of home APs have encryption disabled. The article goes on to say that '[t]o make matters worse, users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software.' It also accuses WiFi manufacturers of disabling security measures by default to make wireless easy to the lowest common denominator. My favorite quote? 'Experts say that while Wi-Fi hardware makers have made initial setup easy, the enabling of security is anything but. Meanwhile, average users are no longer tech savvy.' Which is to say that they at one point were?"
One major flaw I see in telling people to enable WEP on their WiFi is the first question I'm sure to get back is "How do I do that?" and, well, the instructions for doing that are different for each and every item on their network.
What's more annoying is that people think the "passphrase" they type into their router a the WiFi key rather than what it usually really is, the random seed from which their router generates the actual keys. They type their passphrase into their other devices when they're supposed to type a key value, and then they wonder why it doesn't work anymore when it was working just fine before they tried this security stuff.
I've had friends who I thought were tech savvy get tripped up over this stuff. I blame the router-makers for not providing software that makes this a whole lot more of a user-friendly experience. We as the IT industry are badly failing at this... and having a lot of open WiFi points will just make our other headaches such as spam and viruses worse in the end. This really needs to be addressed for the good of the Internet.
Of course they were. Around the time of the Apple I. Since then, the average cluefulness of computer users around the world has been plummeting because computers have been getting easier to use and the bar to entry has been lowered, with humorous results such as people using clueless people's WAPs.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I think the point is that before the mass-mass marketing of wifi, the average user of wifi was a much more computer-security literate person.
The very reason that Wi-Fi networks exist is that they provide simple, easy-to-use network connectivity wherever you are. Security takes a backseat to ease of use. The equipment manufacturers don't want to have to deal with the support calls if they would enable security features, such as WEP, out of the box. Adding security to Wi-Fi networks makes them harder to use and less appealing to the average consumer. Thus, it's easier for manufacturers if consumers remain blissfully unaware of the huge backdoors into their networks. But then again, anonymous internet access from my neighbor isn't that bad.
Once the 'puter became a household appliance instead of a hacker's toy, that's when things started to go downhill.
Yeah, right.
Not only depressing: Despite your shiny new WEP key, if 'god' is smart enough to use google to find a WEP crack script, and to not announce his presence in future, he's probably *still* logged into your system. There is no WiFi security at present - do it all elsewhere (firewall, encrypted protocols, VPN).
I don't regularly wardrive, because I don't own a car; I use pubtrans. Anyways, in Houston, Texas, between Gessner and I-10 and Kirkwood and Memorial, I counted no fewer than ten open networks, all running Linksys G routers. All of them had their DHCP servers up and running, and all had the default admin passwords up.
Admittedly, it's nice to have open connections, but if people don't bother to secure them... well, people could do nasty things to the routers and screw with the connections.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
... has the not surprising statistic that 90% of home users DONT GIVE A FLYING FUCK if the family PC (which they consider no more than an expensive Nintendo/source of free music) is hacked.
I don't need no instructions to know how to rock!!!!
WiFi without security "just works".
WiFi with security is a configuration nightmare.
So people keep things "just working". When this becomes a problem, we'll see things change. That's how it actually works in security -- be the problem dozens of open daemons on Unix hosts, canary-less stacks in executable code, or a lack of significant checking for airline contraband, the problem is not addressed until it's exploited. When people start getting hacked through their open wireless, we'll see open wireless shut down. For the moment, they'll worry about real problems, like worms and spyware (aka corporate virii).
Ironically enough, it was bluetooth's security model that made it such a nightmare to work with -- the whole pairing process increased the setup load by several orders of magnitude. They're finally going to fix this with Near Field, but it'll take a while for them to get it out (have they even admitted it's for secure key exchange yet?).
Note, I've never said this is how things should be. Ought is not is.
--Dan
Yeah, back before the 70's or so, when those who used computers had to know what they were doing. Count mine as a vote for discontinuing the trend for allowing people to dumb themselves down. When you gear everything for the lowest common denominator, everyone sinks to that level. And really, businesses *did* survive without computers as little as 10-15 years ago. I'm tired of hearing about people here on /. who have a laptop, pda, cellphone, and various other things they carry around with them everywhere all the time. Come on, people. There are still roses out there.
Meanwhile, average users are no longer tech savvy
perhaps the article means the average users of wifi are no longer tech savy, i.e. it has become mainstream. not that average users of technology are no longer tech savy....
just my 2c
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
If you've ever dealt with the frustrations of supporting access to secure systems, you'll know first hand that security is not convenient. The addition of security at airports is a perfect example. It's a lot less convenient now to fly than it used to be. But the security is necessary. Manufacturers are simply trying to sell their products. With the thin margins these networking devices have, mass appeal is necessary. And mass appeal equals ease of use in the consumer market.
I like what Buffalo Technologies has recently come out with. They've got a pushbutton process to set up WEP between a client and the access point. I spoke to one of their reps at a show recently and they said they were trying to make security easy enough so Mom could set it up. The demo looked easy enough...
The basic message here is that if you force people to enable security, they won't buy your product. If you don't force them to enable security, they might as well leave their front door open. And most people won't enable security because they either a) don't think anything is going to happen to them or b) don't understand what COULD happen if they don't. Articles like this one from CNN are great because it has a wide audience.
I agree with some of the other posts on the main thread, I don't so much care about people trying to see what I'm doing, I have SSH, VPNs, PGP, and other mechanisms that can do that for me when I really need to send passwords and other sensitive information over the internet. My main insentive for securing my wireless AP is so that people can't use my connection for illegal purposes.
It's a liability issues, and it doesn't seem like a big deal until one day you have to find a way to prove to the Feds and your ISP that it wasn't you sending kiddie porn to some offshore server in Eastern Europe. If your name is on the bill for that connection, I'm sure you signed a contract somewhere that states you are responsible for not allowing illegal activity on your connection.
ce n'est pas un Sig.
I thought that with WEP and MAC address filtering, you could lock it down pretty tight? Not having sniffed wireless traffic yet, I don't know if it's 100% encrypted, so that even MAC addresses would be encrypted. Otherwise, if MACs are still publicly available for sniffing, then you're right, there's 0 security.
The cesspool just got a check and balance.
so what about all the non SSL sites you visit which "need" passwords.
Most of these are not encrypted, and ask for the password in plaintext - are you happy to have this information public?
It may not sound important (due to the stupidly high number of websites which need membership to see some lame front page), but if you ever reuse a password [like I do - and most others do, come on... admit it], you could be cracked quite easily.
You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
I live in an apartment complex, and I was stunned to see not only how many people had wireless, but how many ran w/o WEP and w/o changing defaults-last count in my largish apartment complex, better than 20 visible from street level (i.e. not right under their bedroom windows) and a good 40-50% of those completely unprotected. I use WEP and I changed the defaults but I'm under no illusions that this makes me safe. What I think helps, though, is that in my case there are at least 4 other WiFi users in my apartment building alone that are wide open. So as long as there are easier targets, I think WEP's done its job as well.
I have two WiFi APs at home. One of these has a WEP key, and is the one all of my devices use. It bridges directly to my "real" network. The other one I leave open just out of the goodness of my heart. I have a dedicated NAT router behind it, and connections coming in on the open access point are the only things that use that router.
So far, no problems, and people have thanked me heartily for giving them internet access in a pinch.
Given this setup, what risks do I run? The only one I can think of is that someone has a bunch of kiddie porn torrents just waiting to start up in a server in a van somewhere. Does that really happen? If Osama Bin Laden walks down my street (he'd probably strut, actually), and uses my "free" WiFi to send threatening emails to major governments, do I go to Guantanamo Bay?
How is this different from NYC offering free WiFi access in Bryant Park?
Yeah, and then you can also claim innocence via ignorance when the RIAA or MPAA comes a-knockin... Unless they find the bits on your computer, they'd have no way of proving in court that you did the downloading.
Obviously you should change your password on the router itself so that random drivebys don't screw with your settings.... but if you're running ssh, ssl, etc. how dangerous is it to leave your access point open? There seems to be a group of people in the thread that are like "geeze idiots, my AP is like fort knox". The other crowd says "I leave mine open INTENTIONALLY".
I'm sort of one of these people that dreams of the day when we have a huge community mesh and people can tell their cell phone carriers to piss off.... but I don't want to leave my access point open if some bonehead is going to hack my box.
Anyway, I've never seen anybody tell me the difference between 1) plugging your machine into your cable modem directly and walling up your machine by shutting ports down, etc. and 2) having a wireless access point. Is having a machine on an insecure access point any more dangerous than having a machine hooked up to the open internet on a cable modem or some such?
I mean, the wired internet really is one big network after all, and there are risks associated with being on it. If you're not behind a firewall, wired or wireless, what's the difference?
Now, I might be wrong about this, but I am willing to bet that all access points, WNIC's and other accessories come with something called a "manual"! If you were to actually *read* one of those, by accident or intent, you might discover how to acutally use your newly accuired product!
That is so very true. The average person (not just computer user, I'm talking average PERSON) is horrified at the thought of having to read a manual in order to understand how to use a gadget. When I'm working in someone's house, I am often asked silly questions like how to hook up a stereo or how to set the time on a desk clock, or how to get picture-in-picture on their snazzy new HDTV. I like to suggest that they check the manual that came with their device, because it will certainly be in there, and then watch the look of horror on their face as they realize they have to learn something now. It's really quite amusing.
And if they're a computer user, they're no different. They can have a nice big fold-out diagram of their new HP PC with color-coded connectors and nice pretty pictures and they still don't want to read that, they want a person who already knows how, to set it up for them. The average person wants to do the least amount of work to be able to use their tools, that's the bottom line.
Which is to say that they at one point were?
The average computer user in 1970 could probably figure out how to turn on WEP, were he/she transported to the present day. This is the same thing that happened with automobiles. In the early days, automobile owners had to be adept at mechanical repairs. If you read "The Grapes of Wrath" , at one point one of the characters is honing the valve seats on his truck in a campground. That was the 30's. By 1960 you'd be hard pressed to find a car owner that could do a valve job on his car. Computers have become a commodity item, just as cars did.
If a job's not worth doing, it's not worth doing right.
Say I have my WIFI router opened up to the world and that I give free access to the person next door. So long as my personal computer is firewalled why should I care if he piggy backs my WIFI? I've got more than enough bandwith and really couldn't care less.
Anybody not using MAC filtering is asking for trouble. With MAC filtering, you exclude ALL users except for the ones you have previous allowed. By using WEP, MAC filtering and religiously following your router's documentation, you operate your router in "stealth" mode so that you don't even show up on a war driver's unit.
Yes, the instructions vary from makerto maker, but they ALL have the directions you need. All you have to do is follow it.
So? I don't have WEP enabled. WEP is not the be-all and end-all. WEP is crap, and introduces horrible cross-platform issues. Not to mention that vendors can't agree on how to specify it - 40 bit vs 56-bit vs 64-bit vs 128-bit - (hint: some of those refer to the same thing).
I have MAC address restriction enabled on my AP. And it works pretty well. Additionally, unknown clients to my DHCP server do not get an address from it. And there's only a /28 routed on the interface my AP is on.
So yes, it's unsafe in that someone can park outside my house, wait until I log on, sniff my MAC address, set his MAC address to that, and get bandwidth. Except that one of my devices will notice, since duplicate MAC addresses on the same segment can cause problems. Not to mention the reception outside my house is crap, so he'd have to park directly in front of my house, and if I notice the traffic indicators on my switch start going nuts, and look outside and see some nerd with a Pringles can, I can go kick his ass.
And the article is short on details. "40% had the defaults configured". What defaults? Passwords? If so, boo CNN for connecting to other people's APs without permission ("The door was unlocked" is not a valid reason for being in someone's house, no matter how stupid you think the homeowner is). If it's SSIDs, that's totally useless. My network name is "default", because I was feeling uninspired when I got my AP. Doesn't mean it's not secure. A friend of mine still has "linksys" for the same reason, yet he has WEP enabled.
There is no sig, there is only Zuul.
Technology used to be the domain of technologists.. then it became popular and that's when "Joe Sixpack" got online.
Nothing wrong with Joe Sixpack, per se, he's a good guy but he doesn't know the first thing about his car, except where to put the gas, and he doesn't know the first thing about his computer, except how to surf the net. And the scary part is that he doesn't *want* to know anything more.
When things go wrong, he hasn't the first clue of what to do, with the car or the comptuer. All he knows is that he wanted to surf the net at high speed from his Lay-Z-Boy. Ever since he and his cronies got on board, the technological per capita IQ on the internet plummeted.
There has been a long standing computer security axiom that states: "There is no such thing as absolute anonymity, in real life, or on the web."
Well, now there's a caveat to that axiom that I have coined, that states: "Unless you use someone else's unsecured wireless network."
Joe Sixpack is not only providing the foothold that spammers need to purvey their ilk, but also the perfect foundation from which criminals can perpetrate fraud and theft.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
So why is it so bad if my network is not secured? I leave it open on purpose.
One Word: Spammer.
You really want someone from the street to use your open net connection to send 10 gig of spam? It's your bandwith, not mine...
Of course, if you live on the 14th floor, then it's a VERY slim possibility, so you're mostly OK...
I live in Soviet Canuckistan you insensitive clod!
This isn't a case of fault or nonfault, but rather a problem with ease-of-use.
/. readership).
A medium-large corporation with a 20 person IT/support staff and lots of PHBs has the time and expertise to implement security policies (even broken ones like WEP are better than nada), but the home user doesn't. What would be incompetent if done by the IT department at Megacorp (tm) is simply "normal" for home users.
If you implement WEP (or whatever) you have a pile of administrative and technical overhead that simply IS NOT PRESENT in unsecured systems. The typical enduser just wants their new wifi printer to work. And if they get a wifi scanner 18 months from now, they just want that to work as well. And if their brother-in-law brings in his wifi PDA, then THAT should just work.
To have a secure system, it must be designed to NOT WORK except under specified conditions. (A password might be a condition) Security then works directly against ease-of-use. The easier it is to use an OS or Network Device or whatever, the less secure it must be.
If the administrative overhead involved in keeping passwords both secure and ready-on-demand isn't annoying to you, then you're probably PHB material.
If the technical aspects of setting up a new device dont bother you, then you are a geek (like the rest of the
If you don't want things just to work, you sure as hell aren't an average user.
TANSTAAFL