Slashdot Mirror


CNN Notices that WiFi is Insecure

josh3736 writes "From CNN comes an article that makes painstakingly obvious to the public what we already knew: 802.11 security is horrible. The article points out that nearly 40% of wireless network APs haven't even been changed from defaults and as many as 80% of home APs have encryption disabled. The article goes on to say that '[t]o make matters worse, users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software.' It also accuses WiFi manufacturers of disabling security measures by default to make wireless easy to the lowest common denominator. My favorite quote? 'Experts say that while Wi-Fi hardware makers have made initial setup easy, the enabling of security is anything but. Meanwhile, average users are no longer tech savvy.' Which is to say that they at one point were?"

39 of 417 comments

  1. It gets worse by PktLoss · · Score: 5, Interesting

    Not only do WiFi equipment manufacturers disable most of the security by default, some blame any connectivity issues you are having on the encryption (see How stable is WEP).

    Personally, I would love to see some more options when it comes to turning WEP on. Since my laptop connects in both a wired and wireless manner to my network, it would be great if some software generated a new WEP key to use each time I went wired. I see no reason that the end user would need to be involved; any weakness on the part of the pseudo-random generation of a new WEP key would be less insecure than having the same one for months on end.

    1. Re:It gets worse by swordboy · · Score: 2, Interesting

      Argh...

      OK - stick a setting in the router to turn the feature off. The bottom line is that security could be on BY DEFAULT if it were easy enough while more technical people could get into the nitty-gritty and customize whatever they require. Use your head here.

      --

      Life is the leading cause of death in America.
  2. WiFi = free access points by binaryspiral · · Score: 3, Interesting

    I enjoy the fact that most idiots have wifi encryption disabled and the defaults set. It makes my life easier when I'm biking or traveling with my laptop or ipaq.

    Most residential and a lot of commercial areas give me free access to the internet - they may or may not know it, I don't really care.

    I don't check my email or browse until I VPN into my home network. Just in case someone is sniffing packets - let's not make it that easy.

    And the reason that Linksys and the rest of them don't enable it by default - tech support costs.

    1. Re:WiFi = free access points by zaffir · · Score: 2, Interesting

      Speaking as an avid wardriver, everyone I know who wants to do anything more than just find wireless networks completely writes off a network using WEP. Most access points have been tweaked by the manufacturer to not send weak packets, and the ones that still do need to send a TON of them to be cracked - as in, weeks upon weeks of traffic is required. Not worth it when there's 5 other completely open networks with default router login/pass setups on the same block.

      --
      "Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
  3. New malware vector? by bpfinn · · Score: 5, Interesting

    > users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software

    I wonder if this would be a new, easy way for people to start a new worm/virus infection. Wardrive down the street, map a few hundred potential victims, and come back later and put the bugger in the "Startup" menu on Windows PCs. Ack.

  4. Re:Sure... by laigle · · Score: 3, Interesting

    The average WiFi user was tech savvy too, back when only us computer geeks used it. But now that Best Buy is convincing people they need WiFi to hook up their printers, things are not so secure. Once a technology goes into mass use, the onus for security and functionality rapidly shifts to the manufacturer instead of the user. Unfortunately, most companies just shrug off these problems until we start seeing catastrophic side effects.

    It would be nice if Homeland Security could take a break from trying to find terrorists by which shoelaces they buy to enforce technological security mandates. Unsecured WiFi networks all over the country are very useful to criminals and terrorists.

  5. Oh, and it gets better.... by Mysticalfruit · · Score: 3, Interesting

    Yesterday while watching TV over at a buddy's house I saw a commercial that Verizon is going to be giving away (after you mail in the rebate) a wireless hub with all their new DSL subscribers.

    This just frightens me.

    I'm just imagining the sheeple who will order DSL, get this wireless router, follow the nice glossy fold out instructions and set the thing up, with no understanding of wireless security whatsoever.

    --
    Yes Francis, the world has gone crazy.
  6. Wide open in NYC by chillmost · · Score: 5, Interesting
    A friend of mine moved to New York City and only kept a land line telephone so he could connect online with his modem. He used his cell for all his calls. I visited him a few months later and he had gotten rid of his telephone line because as soon as he got an Airport card he realized how many open routers there were all over the place.

    He said, "As long as I live in this city, I'll never pay for Internet again." We'll see if that remains true when consumers with wireless routers wise up and turn on some of the security features.

  7. Non-encrypted by choice by Yenya · · Score: 4, Interesting

    I have intentionally left WEP off on my AP at home. I use ssh or https for anything sensitive, but I want my visitors to be able to connect via my home network without sophisticated configuration on their side (and of course, without telling them my WEP password).

    My home network is connected via Linux firewall, so I can cut the access or install traffic shaping when the problem occurs.

    --
    -Yenya
    --
    While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus
    1. Re:Non-encrypted by choice by spirality · · Score: 2, Interesting

      I tried to get WEP going with Linux and flat out failed. My network at work and at home neither use WEP. I use my DSL Modem(s) to provide a somewhat firewall. Basically they block all incoming ports, forward a few etc... Just like you I use ssh/https for sensitive stuff. What I have done to create some semblance of security is to turn on MAC address filtering at the wireless router. Both my LinkSYS and the Netgear at work support this. In this way only computers that I specifically allow on the network can get on. If you're not doing WEP I would suggest at least going this route. It's painless to set up and depending on how many people connect to the network easy to maintain as well.

      -Craig.

    2. Re:Non-encrypted by choice by Just Some Guy · · Score: 2, Interesting
      me too

      WEP is so broken that I don't see the need for it. If you happen to be within 30 feet of my house, which is on the end of a cul-de-sac filled with retired people who call me whenever a "strange" car is parked in front (just in case I'm being robbed), and manage to get a link, then you can:

      1. Connect to my password-protected Squid server
      2. SSH via RSA authentication to another machine on my LAN
      3. Make NTP requests
      4. Send an email to someone at one of my domains

      My WAP plugs into a dedicated Ethernet card on a DEC Alpha running FreeBSD and a stateful ipf/NAT setup. No system is guaranteed to be perfect, but if you can defeat this, then my WAN security is the least of my problems. However, CNN would count mine as "insecure" since I don't use WEP. Go figure.

      --
      Dewey, what part of this looks like authorities should be involved?
  8. Legit question. by MrRuslan · · Score: 2, Interesting

    Is it legal to connect to open wireless access points?

  9. Linksys needs to take a lot of the blame by DeadSea · · Score: 2, Interesting
    I just bought a wireless NAT router by linksys to replace my non-wireless NAT router made by Netgear.

    What a step down in usability!!!!

    Both products have a web site that you can go to to make changes. Neither has the address printed prominently on the outside of the unit along with the default user and pass, the first step in making it easy.

    I always found the netgear configuration easy, intuitive, and with tons of help. On the other hand the linksys configuration is horrible.

    • Security: The linksys router offers about 5 types of security but nothing you can click on to help you decide which is right for you. Once I chose 128 bit wep, I would expect help on how to set up clients such as what options need to be set, but nothing was available that I could see.
    • Connected hosts: I couldn't figure out how to see everybody that was currently connected with their computer name, mac address, connection speed, etc. The netgear router was much better about this. It makes it hard to configure port forwarding and other such things on the linksys.
  10. once upon a time by man_ls · · Score: 3, Interesting

    Once upon a time, the average user *was* tech-savvy.

    Back before computers put a pretty appearance on everything with Windows XP wizards, or even 98, you had to know DOS to get anything done on a computer system, you had to know keyboard commands, and a basic idea of what the ports on your PC did.

    The "average user" was more tech-savvy because there were fewer users back then, since the learning curve was higher.

    Now, with everything plug-and-play, it's much easier to not understand what's really going on inside the magical blue-and-black or grey box with a pair of antenna sticking up from the sides of it.

    On my system, I use a Belkin 54G access point. SSID belkin54g. No crypto, no authentication, no MAC filtering. But, you're not going to get anywhere off the wireless segment if you connect to it. The firewall behind the WAP is configured to drop all traffic except the encrypted PPTP tunnels which the wireless clients actually use to connect to the wired infrastructure and the external router. Thus, anyone is welcome to try and get onto my network, but without having a valid account on the 2K3 Enterprise Server box playing router/connection master, and knowing the encryption keys, they're going to get precisely nowhere.

  11. Re:Don't care by bwalling · · Score: 2, Interesting

    I don't use it, either. I've checked the range, and it doesn't reach to any neighboring houses. If someone wants to hang around on my porch and use my Internet access, then good for them. If you think I'm worried about someone finding my house through "war driving", you must be nuts. I don't live in Manhattan. You'd be wasting your time driving around where I live looking for free WiFi.

  12. Growing Pains by TenaciousPimple · · Score: 2, Interesting
    I think what we are witnessing is a rapid explosion in use of new technology, with the secure use of such technology slowly catching up.

    I'm guilty of it myself. I set up a wireless access point for my mom a couple years ago. Changed the SSID name, changed the default pw on the router and let her have at it. No problem.

    Of course, as the next year rolled on, more and more wi-fi users were born. Wireless starts becoming standard with new laptops. Almost once a week someone calls in on TechTV and asks about wireless networking. I start hearing more and more about WEP encryption and MAC filtering, and eventually head back over to my mom's to redress my mistakes.

    Sure enough, there were several leeches to knock off, but the point remains. As the technology grows, the users become more savvy, and these current security holes should diminish significantly.

  13. Of course. by LincolnQ · · Score: 3, Interesting

    Wi-Fi out of the box is of course insecure. It can be made secure with a number of different methods (WEP not being one of them, heh, but there is WPA and other things). I believe one of the best features of Wi-Fi is its ease of setup and use -- if you have an open AP, anyone who comes over to your house can just use it with no or almost no configuration. It's incredibly easy and convenient.

    What's the drawback? Anyone in your neighborhood has access to your local network. But it's unlikely that someone who wanted to h4x0r you would drive up your street and sit in front of your house. It is of course possible, and depends on your neighborhood. If you're the type who locks the house even when you're at home, then definitely get a security protocol. If, like me, you leave the garage door open and doors unlocked, then securing your Wi-Fi isn't something I would worry about.

    So this is no surprise, but neither (in my opinion) is it a big deal.

  14. Thank goodness for the clueless folks... by the_rajah · · Score: 3, Interesting

    I just love how I can take my laptop almost anywhere and get Internet connectivity. Last week I was at my mom's house doing some work on genealogy with my laptop and when I booted up, lo and behold - a wireless connection that was wide open!! It was nice to be able to check my e-mail and look at research sites online right then and there rather than either having to dial in or wait until I got home.

    I've seen the same thing lots of other places including a friend's apartment in Minneapolis where I found 3 wireless access points, only one of which was encrypted and at my own single family house, I get two open wireless connections besides my own encrypted one.

    I have to agree that setting up the secured connection is not obvious, especially when you have one manufacturer's access point and another manufacturer's wireless product in your laptop. It took me a little head scratching and trial and error before I got mine working.

    --
    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
  15. WiFi not for mainstream? by Genoxide · · Score: 5, Interesting

    The problem is not the product, but the consumers. Now, I might be wrong about this, but I am willing to bet that all access points, WNIC's and other accessories come with something called a "manual"! If you were to actually *read* one of those, by accident or intent, you might discover how to actually use your newly acquired product! Only thing is that people don't bother anymore... They expect everything to be so userfriendly that it will install itself and automatically know how you want the settings to be!! Maybe they could put little warnings on the packs like with cigarettes.. "warning, the DOJ says that not properly securing your accesspoint can be hazardous to your privacy, bank account, and/or bandwidth".. Heh

  16. Re:Being a lazy fellow... by ch-chuck · · Score: 5, Interesting

    Have you actually done it? I have been running Airsnort in my apartment with two encrypted nets visible and have had absolutely no results so far. Probably not enough traffic, but also thought THIS article interesting. Would be nice to hear if anybody has actually been successful or just repeating the 'myth'(?).

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  17. Re:Just how do you setup WEP anyway? by Zak3056 · · Score: 3, Interesting

    I have to use the default Windows XP configuration tool (which sucks, IMO)

    I've often thought Microsoft should rename their "Wireless Zero Configuration" utility to "Wireless Zero Connectivity."

    Because that's what you end up with: an intermittent link that you can't troubleshoot because you just can't get enough information out of it. To make matters worse, when you have this "service" enabled, it makes multiplayer gaming impossible. It actually disconnects from and reconnects to the AP every minute or two, with predictable results (stutter, even disconnection from the server.) To make things even more fun, it prevents third party configuration tools from working (like linksys' for example, though I believe Intel's will work properly.) There aren't even any usable workarounds.

    Linux may not support nearly as many devices as Windows does, but at least YOU can decide whose tools you want to use to control them!

    --
    What part of "shall not be infringed" is so hard to understand?
  18. Yes, no longer tech savvy by fleener · · Score: 2, Interesting
    > average users are no longer tech savvy.'
    > Which is to say that they at one point were?

    I knew DOS, Windows 3.1 and Windows 95 inside and out. As the OS interface and glitches have lessened (yeah yeah, no really, there simply are fewer conflicts in recent versions of Windows), my need to understand how the OS functions has diminished. I'm just another dumb Windows user now. When I need to futz with my wireless router, I grab the manual to remember how the damn thing works.

    In the end, I prefer it this way. Life is easier when technology just works and I don't need to understand why. Geeks aside, that's how most people want to live their lives.

  19. Re:Just how do you setup WEP anyway? by VivianC · · Score: 4, Interesting

    My in-laws just got high speed access through Comcast. Instead of a standard cable modem, they were given a Linksys wireless router (branded as Comcast). I placed the order so I know we didn't ask for this, since I went out and bought a wireless router for them already. So now I get there and they have a wireless router with WEP turned on but no key entered and no one bothered to leave the password so I could set it up properly. It took me an hour on tech support before they could get me the login and password. I can't imagine many of the non-tech savvy people going through all of this.

    --
    Viv

    Gmail invites for ip
  20. Re:Average Users by Anonymous Coward · · Score: 1, Interesting

    Whatever, wi-fi security should be easy to configure. It's not the user's fault, but the manufacturers'.

    So, whatever, the lowest common denominator is always a marketing priority and if it weren't then tech enterprises would all go broke.

    Software and hardware providers should be smarter when designing their products so that anyone and absolutely anyone can configure them and use them with ease. Maybe the idiots are the arrogant nerds in charge of design instead of the common everyday users?

  21. No longer technically savvy by MythoBeast · · Score: 2, Interesting

    I have to agree with this. A few years ago, nobody would even think of setting up a network in their house unless they already worked as a system administrator, or other heavy-duty IT professional. Nowadays everyone who owns more than one computer wants to hook them together.

    It's not that the overall level of savvy has decreased, it's that the definition of "average user" has spread to the technopeasant masses.

    --
    Wake up - the future is arriving faster than you think.
  22. Re:Don't care by pe1rxq · · Score: 2, Interesting

    SSH and SSL encryption might make your connection slow... but usually only if you are pumping huge amounts of data or your computer is crap.
    But most Wireless chipsets have WEP in the hardware (or at least in firmware) and don't give a performance loss at all.

    Jeroen

    --
    Secure messaging: http://quickmsg.vreeken.net/
  23. Why _I_ don't secure them by starcraftsicko · · Score: 2, Interesting

    I do a fair bit of house-call work in my area. (Pays the bills...) I've set up a fair number of WiFi networks at homes and offices over the past few years. Most of the home networks do not have WEP enabled.

    Contrary to popular belief, WEP is quite useful. Unless you have a script, you probably won't break the key. Getting and using the script is a malicious act... And there are so many other EASIER targets.

    For businesses, I enable WEP by default. (Actually, I recommend that they stick to wired networks when possible... but these days, they don't listen. When they ask "but can you do this?" I say yes.) WEP is a pain to setup for the business owner... so I get repeat business when they add another station. I've tried writing instructions, but I usually end up visiting anyway. WEP is a bitch for endusers.

    For home users, I give them a choice. I say, "do you want me to setup this feature?" and they say "How much?" (I bill hourly for this). I bet you all can figure how it ends.

    WEP is simple to setup for a single NIC to a single WAP. In fact, MAC whitelisting also works well here. But for networks with 3 or more stations, or with NICs of different makes, or with more than one installed OS type, setup, configuration and testing of WEP (or similar encryption) is time consuming. Time is money. Consumers make a consumer decision... probably a GOOD consumer decision. Ask an economist.

    I suppose I could work for free. Or I could estimate more time (and money) to begin with and lose out on the business. But I'd rather work than whine about not having enough work.
    TANSTAAFL

  24. I did it in testing... by Otto · · Score: 5, Interesting

    Couple of years ago when 802.11b was kinda new, I did some testing of this sort of thing.

    The fast crack using weak frames worked then. It doesn't work much now, if the boxes are using newer hardware.

    The slow crack where you get enough packets to figure out the key worked then and now, but in order to actually do it back then I had to set up some continuous traffic to get enough packets to make it work. We're talking millions of packets here, and it just takes forever to see enough to do it, with 112/128 bit WEP.

    Can they get in? Sure.
    Will they get in? They're going to have to really want in pretty badly or live nearby and be bored enough to capture for a long period of time. And if they just want free network access, they'll find the easier target like the unsecured one down the street. Or pay the 3 bucks at the nearest hotspot for the hour's worth of access.

    WEP is not secure, but in 99% of cases, it's secure *enough*.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  25. Re:Just how do you setup WEP anyway? by megarich · · Score: 2, Interesting

    I use a dell 802.11b wireless router. I never had a problem either setting up wep. The only thing that annoyed me was I had to type in my own key rather than having one generated randomly. Sadly I can very easily see the average computer user just typing in all 2's for his/her wep key. I don't know if other manufacturers are the same in regard to creating your own key rather than having one generated? Regardless I'm not at all worried about wireless security in my house. My room faced the rear of the house and I have a big back yard. I can't get a signal from across the end of my house so the only way someone can access my wireless network is to stand literally next to my window in which case he'll be shot on sight :). I guess it's a hidden advantage having a semi-crappy wireless router....

  26. Re:Just how do you setup WEP anyway? by TheCarp · · Score: 2, Interesting

    I am more systems than network and one thing missing here...

    I have been told that WEP isn't worth the trouble, and I generally agree. The net is a hostile place anyway... you just plain shouldn't be transmitting sensitive data unencrypted.

    You shouldn't be relying on routers to do your encryption. Use ssh, use https. End of story.

    Me? I leave WEP turned off, and lock to mac address. Then take care of the rest properly. I am connected to a box on the net all day long. Frankly, I don't give a shit if some guy in a van can watch me reload slashdot all day long. He isn't getting at my credit card information or my useful passwords. The worst he can do is post a nasty message on slashdot or use up a few of my subscription page loads.

    All that said.. another service... slashdot should offer ssl to people with subscriptions. After all, I paid for the page loads, if someone sniffed my password or cookie, then they could use my subscription on my dime. Not cool. (then again, given that they could maybe cost me $10 in the course of a year, I don't care that much, I probably lose more than that in gas while my car idles at red lights over the course of the year)

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  27. Re:A trailer? by linzeal · · Score: 2, Interesting

    This guy should buy an em meter and walk around the trailer park and see if there are any peculiar readings. Some of those aluminium frames if not grounded can pick up all sorts of em voodoo from buried mains or nearby radio towers.

  28. The Fairy Tale of the Mythical "Expert" by EXTomar · · Score: 2, Interesting

    Once upon a time someone who wanted to drive really had to know everything about how their car functioned before ever setting foot in it. Now you can just hop in your car and go without giving a second thought to any of it.

    Now you can try to spin this such that people back then were safer because they were more "savvy" with their cars but I call BS. Cars now are far safer than they were back then. It's all due to the engineering placed in the car. Not only are they more complex placing them out of the comprehension of the Average Joe but they are more reliable, durable, and in general a better driving experience than ancient vehicles.

    You shouldn't need to be a super crypto-wireless-hacker guru to use a computer or wireless setup. Engineers should be designing these things to not only be simpler but more robust. Having a better and safer system has nothing to do with the "savvy" user and everything to do with the manufacturers.

  29. Re:Just how do you setup WEP anyway? by Lodragandraoidh · · Score: 4, Interesting

    This is precisely why I standardized my whole network on Linksys products. Once I did, all of my compatibility problems went away - and administration is a breeze.

    I have a cardboard box full of old NICs that I acquired cheaply, thinking at the time that I would be able to save a buck. What I saved in money, I lost in time trying to get all the disparate cards to work on various machine architectures and operating systems. I finally broke down and bought all Linksys - at the time a basic 10/100 ethernet NIC was only $10 (now they are $25...must have caught them on sale at the time...) I plugged them in my Linux and Windows machines - and they just worked, right out of the box.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  30. Home AP's often don't need encryption by mrm677 · · Score: 2, Interesting

    I just asked my brother-in-law, who is computer savvy, why he doesn't have encryption enabled on his home access point.

    His answer: "unless some guy decides to enter my property and sit on my front porch with his laptop, my weak signal is all the security I need". He claims he's tested it with several laptops and the signal is too weak to be used beyond 10 feet away from his house.

  31. Is this a bad thing by magicsloth · · Score: 5, Interesting

    I run an open access point and my neighbor does as well. Anything (and I mean anything) more than computer games and unimportant chat sessions I tunnel through ssh/ssl or something similar.

    Why do I leave my access point open then? Because on average I only use maybe 3% of my bandwidth and I don't see any reason that one of my neighbors shouldn't be allowed to use some of it when I don't need it. When I first moved in and didn't have my own broadband yet I was very happy one of my neighbors left his router unsecured.

    I'm actually quite surprised that more people on /. aren't in favor of open access points. They seem to fit very well into the whole 'information should be free' value system that many geeks have.

  32. From the Department of duh... by Lord Haha · · Score: 2, Interesting

    Part of the reason why so many wireless networks are open is because some want to leave it partly open.

    For example I don't use WEP because I find it just slows down your connection to nothing, I do agree that use MAC addresses (which I use) should be used, but reality is unless you're encrypting everything it's much easier to just encrypt the one or two things (say some banking information and that ascii porn, ok just kidding on last part but you get the point)

  33. Wireless isn't worth it by mabu · · Score: 2, Interesting

    The other day I got a call from my broker/investment banker. This is unfortunately not a joke. He tells me he got a strange call from some kid at the coffee shop around the corner telling him his wireless network was wide open as well as the hard drive on his machine. Apparently this guy's office is around the corner from a coffee shop and he just plugged in a wireless router and didn't do any configuration to it and everyone at the coffee house has been slurping down their drinks while slurping down his hard drive at the same time.

    What pisses me off is that I'm not so stupid as to use wireless, but the integrity of my own personal information is often compromised because of stupid people who may have access to my information and aren't responsible with technology.

  34. Re:You think that's bad? by odano · · Score: 2, Interesting

    Well this should be interesting. I am a resident of fairfax county, and on election day I will keep my laptop in the front seat and packet sniff for the time I am inside voting.

    Then we can see how secure this voting stuff really is.

  35. Turn off SSID not useful by DonGar · · Score: 2, Interesting

    I've always found that disabling SSID broadcast is nothing but a false sense of security. It's going to do far more to block legitimate users than to keep out bad guys.

    --
    plus-good, double-plus-good