CNN Notices that WiFi is Insecure
josh3736 writes "From CNN comes an article that makes painstakingly obvious to the public what we already knew: 802.11 security is horrible. The article points out that nearly 40% of wireless network APs haven't even been changed from defaults and as many as 80% of home APs have encryption disabled. The article goes on to say that '[t]o make matters worse, users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software.' It also accuses WiFi manufacturers of disabling security measures by default to make wireless easy to the lowest common denominator. My favorite quote? 'Experts say that while Wi-Fi hardware makers have made initial setup easy, the enabling of security is anything but. Meanwhile, average users are no longer tech savvy.' Which is to say that they at one point were?"
One major flaw I see in telling people to enable WEP on their WiFi is the first question I'm sure to get back is "How do I do that?" and, well, the instructions for doing that are different for each and every item on their network.
What's more annoying is that people think the "passphrase" they type into their router is the WiFi key rather than what it usually really is, the random seed from which their router generates the actual keys. They type their passphrase into their other devices when they're supposed to type a key value, and then they wonder why it doesn't work anymore when it was working just fine before they tried this security stuff.
I've had friends who I thought were tech savvy get tripped up over this stuff. I blame the router-makers for not providing software that makes this a whole lot more of a user-friendly experience. We as the IT industry are badly failing at this... and having a lot of open WiFi points will just make our other headaches such as spam and viruses worse in the end. This really needs to be addressed for the good of the Internet.
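The passphrase-versus-key mismatch described in the comment above, as an added example that is not part of the original thread. It assumes the de facto passphrase-to-key generator that many consumer access points of that era implemented (vendors differed, and some used other schemes); all function names are hypothetical.

```python
import hashlib


def wep40_keys_from_passphrase(passphrase):
    """Derive four 5-byte (40-bit) WEP keys from a passphrase.

    Assumed algorithm: XOR-fold the passphrase into a 32-bit seed, then
    take one byte per step from a linear congruential generator.
    """
    data = passphrase.encode("ascii")
    seed = [0, 0, 0, 0]
    for i, b in enumerate(data):
        seed[i % 4] ^= b
    state = int.from_bytes(bytes(seed), "little")
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            state = (state * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((state >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def wep104_key_from_passphrase(passphrase):
    """Derive one 13-byte (104-bit) key: MD5 over the passphrase repeated
    to fill 64 bytes, truncated to 13 bytes (assumed algorithm)."""
    data = passphrase.encode("ascii")
    if not data:
        raise ValueError("empty passphrase")
    buf = (data * (64 // len(data) + 1))[:64]
    return hashlib.md5(buf).digest()[:13]


def hex_for_client(key):
    """The value that has to be typed into the other devices."""
    return key.hex().upper()


def ascii_key_as_typed(text):
    """What a client uses when the passphrase is typed into an ASCII key
    field: the raw bytes, accepted only at exactly 5 or 13 characters."""
    raw = text.encode("ascii")
    return raw if len(raw) in (5, 13) else None


def client_matches_router(passphrase):
    """True only if the literally typed text equals the router's key 1."""
    router_key = wep40_keys_from_passphrase(passphrase)[0]
    return ascii_key_as_typed(passphrase) == router_key


if __name__ == "__main__":
    phrase = "hello"  # constructed sample passphrase
    for n, k in enumerate(wep40_keys_from_passphrase(phrase), 1):
        print(f"40-bit key {n}: {hex_for_client(k)}")
    print("104-bit key:", hex_for_client(wep104_key_from_passphrase(phrase)))
    print("typed literally on client:", ascii_key_as_typed(phrase))
    print("client and router agree:", client_matches_router(phrase))
```

The router ends up using the derived bytes, so a client given the literal text either rejects it for its length or accepts it as a different key and fails to associate.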
...I kept my Linksys WAP11 box wide open until one day I sat down at my computer to see that some fellow using the machine name "god" had joined the network and sent me a NetBIOS "net send" message. Ho ho, how clever.
Sigh... OK, fun time's over, no more sharing, hook up USB cable, generate hex key, etc. Kind of depressing.
The Army reading list
Of course they were. Around the time of the Apple I. Since then, the average cluefulness of computer users around the world has been plummeting because computers have been getting easier to use and the bar to entry has been lowered, with humorous results such as people using clueless people's WAPs.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Yes, believe it or not, at one point your average user was at least marginally tech savvy.
That point in time was somewhere around 1985, and possibly on upwards to the early to mid 1990's. Not so, since Windows became synonymous with PC, and the Internet began to define personal computing.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Not only do WiFi equipment manufacturers disable most of the security by default. Some blame any connectivity issues you are having on the encryption (see How stable is WEP).
Personally, I would love to see some more options when it comes to turning WEP on. Since my laptop connects in both a wired and wireless manner to my network, it would be great if some software generated a new WEP key to use each time I went wired. I see no reason that the end user would need to be involved; any weakness on the part of the pseudo-random generation of a new WEP key would be less insecure than having the same one for months on end.
paul reinheimer
The very reason that Wi-Fi networks exist is that they provide simple, easy-to-use network connectivity wherever you are. Security takes a backseat to ease of use. The equipment manufacturers don't want to have to deal with the support calls if they would enable security features, such as WEP, out of the box. Adding security to Wi-Fi networks makes them harder to use and less appealing to the average consumer. Thus, it's easier for manufacturers if consumers remain blissfully unaware of the huge backdoors into their networks. But then again, anonymous internet access from my neighbor isn't that bad.
I enjoy the fact that most idiots have wifi encryption disabled and the defaults set. It makes my life easier when I'm biking or traveling with my laptop or ipaq.
Most residential and a lot of commercial areas give me free access to the internet - they may or may not know it, I don't really care.
I don't check my email or browse until I vpn into my home network. Just in case someone is sniffing packets - let's not make it that easy.
And the reason that Linksys and the rest of them don't enable it by default - tech support costs.
users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software
I wonder if this would be a new, easy way for people to start a new worm/virus infection. Wardrive down the street, map a few hundred potential victims, and come back later and put the bugger in the "Startup" menu on Windows PCs. Ack.
Once the 'puter became a household appliance instead of a hacker's toy, that's when things started to go downhill.
Yeah, right.
I don't regularly wardrive, because I don't own a car; I use pubtrans. Anyways, in Houston, Texas, between Gessner and I-10 and Kirkwood and Memorial, I counted no fewer than ten open networks, all running Linksys G routers. All of them had their DHCP servers up and running, and all had the default admin passwords up.
Admittedly, it's nice to have open connections, but if people don't bother to secure them... well, people could do nasty things to the routers and screw with the connections.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
... has the not surprising statistic that 90% of home users DON'T GIVE A FLYING FUCK if the family PC (which they consider no more than an expensive Nintendo/source of free music) is hacked.
I don't need no instructions to know how to rock!!!!
WiFi without security "just works".
WiFi with security is a configuration nightmare.
So people keep things "just working". When this becomes a problem, we'll see things change. That's how it actually works in security -- be the problem dozens of open daemons on Unix hosts, canary-less stacks in executable code, or a lack of significant checking for airline contraband, the problem is not addressed until it's exploited. When people start getting hacked through their open wireless, we'll see open wireless shut down. For the moment, they'll worry about real problems, like worms and spyware (aka corporate virii).
Ironically enough, it was bluetooth's security model that made it such a nightmare to work with -- the whole pairing process increased the setup load by several orders of magnitude. They're finally going to fix this with Near Field, but it'll take a while for them to get it out (have they even admitted it's for secure key exchange yet?).
Note, I've never said this is how things should be. Ought is not is.
--Dan
The WAP I'm using is in out-of-the-box factory default insecure mode.
I really wish I knew which of my neighbors owns it.
-JDF
Yesterday while watching TV over a buddy's house I saw a commercial that Verizon is going to be giving away (after you mail in the rebate) a wireless hub with all their new DSL subscribers.
This just frightens me.
I'm just imagining the sheeple who will order DSL, get this wireless router, follow the nice glossy fold out instructions and set the thing up, with no understanding of wireless security whatsoever.
Yes Francis, the world has gone crazy.
He said, "As long as I live in this city, I'll never pay for Internet again." We'll see if that remains true when consumers with wireless routers wise up and turn on some of the security features.
--Residential Interior Design
I have intentionally left WEP off on my AP at home. I use ssh or https for anything sensitive, but I want my visitors to be able to connect via my home network without sophisticated configuration on their side (and of course, without telling them my WEP password).
My home network is connected via Linux firewall, so I can cut the access or install traffic shaping when the problem occurs.
-Yenya
--
While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus
Did they also notice the sky is blue?
I like to place meaningful quotes in my sig, so people will know that I know what meaningful quotes are.
Once upon a time, the average user *was* tech-savvy.
Back before computers put a pretty appearance on everything with Windows XP wizards, or even 98, you had to know DOS to get anything done on a computer system, you had to know keyboard commands, and a basic idea of what the ports on your PC did.
The "average user" was more tech-savvy because there were fewer uses back then, since the learning curve was higher.
Now, with everything plug-and-play, it's much easier to not understand what's really going on inside the magical blue-and-black or grey box with a pair of antenna sticking up from the sides of it.
On my system, I use a Belkin 54G access point. SSID belkin54g. No crypto, no authentication, no MAC filtering. But, you're not going to get anywhere off the wireless segment if you connect to it. The firewall behind the WAP is configured to drop all traffic except the encrypted PPTP tunnels which the wireless clients actually use to connect to the wired infrastructure and the external router. Thus, anyone is welcome to try and get onto my network, but without having a valid account on the 2K3 Enterprise Server box playing router/connection master, and knowing the encryption keys, they're going to get precisely nowhere.
I agree with some of the other posts on the main thread, I don't so much care about people trying to see what I'm doing, I have SSH, VPNs, PGP, and other mechanisms that can do that for me when I really need to send passwords and other sensitive information over the internet. My main incentive for securing my wireless AP is so that people can't use my connection for illegal purposes.
It's a liability issue, and it doesn't seem like a big deal until one day you have to find a way to prove to the Feds and your ISP that it wasn't you sending kiddie porn to some offshore server in Eastern Europe. If your name is on the bill for that connection, I'm sure you signed a contract somewhere that states you are responsible for not allowing illegal activity on your connection.
ce n'est pas un Sig.
CNN is an American TV network. The average American thinks that Bill Gates invented the personal computer (and that he is a national hero and a role model to be looked up to), that Excel is a general-purpose database program, that SQL is a Microsoft product ("SQL Server"), and that there is some inherent difference between Dell and Compaq. They randomly attribute any type of computer flakiness to "viruses" or "hackers", since those are the only causes for bork-ups that they understand. And just now their mass-market news network is discovering that WiFi is insecure. Is this any surprise? I'm just hoping that some day CNN will "discover" that Microsoft didn't invent the GUI, and that AOL isn't the Internet...
Honey, I shrunk the Cygwin
Wi-Fi out of the box is of course insecure. It can be made secure with a number of different methods (WEP not being one of them, heh, but there is WPA and other things). I believe one of the best features of Wi-Fi is its ease of setup and use -- if you have an open AP, anyone who comes over to your house can just use it with no or almost no configuration. It's incredibly easy and convenient.
What's the drawback? Anyone in your neighborhood has access to your local network. But it's unlikely that someone who wanted to h4x0r you would drive up your street and sit in front of your house. It is of course possible, and depends on your neighborhood. If you're the type who locks the house even when you're at home, then definitely get a security protocol. If, like me, you leave the garage door open and doors unlocked, then securing your Wi-Fi isn't something I would worry about.
So this is no surprise, but neither (in my opinion) is it a big deal.
I just love how I can take my laptop almost anywhere and get Internet connectivity. Last week I was at my mom's house doing some work on genealogy with my laptop and when I booted up, lo and behold - a wireless connection that was wide open!! It was nice to be able to check my e-mail and look at research sites online right then and there rather than either having to dial in or wait until I got home.
I've seen the same thing lots of other places including a friend's apartment in Minneapolis where I found 3 wireless access points, only one of which was encrypted and at my own single family house, I get two open wireless connections besides my own encrypted one.
I have to agree that setting up the secured connection is not obvious, especially when you have one manufacturer's access point and another manufacturer's wireless product in your laptop. It took me a little head scratching and trial and error before I got mine working.
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
The problem is not the product, but the consumers. Now, I might be wrong about this, but I am willing to bet that all access points, WNICs and other accessories come with something called a "manual"! If you were to actually *read* one of those, by accident or intent, you might discover how to actually use your newly acquired product! Only thing is that people don't bother anymore... They expect everything to be so user-friendly that it will install itself and automatically know how you want the settings to be!! Maybe they could put little warnings on the packs like with cigarettes.. "warning, the DOJ says that not properly securing your access point can be hazardous to your privacy, bank account, and/or bandwidth".. Heh
So what about all the non-SSL sites you visit which "need" passwords?
Most of these are not encrypted, and ask for the password in plaintext - are you happy to have this information public?
It may not sound important (due to the stupidly high number of websites which need membership to see some lame front page), but if you ever reuse a password [like I do - and most others do, come on... admit it], you could be cracked quite easily.
You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
I live in an apartment complex, and I was stunned to see not only how many people had wireless, but how many ran w/o WEP and w/o changing defaults-last count in my largish apartment complex, better than 20 visible from street level (i.e. not right under their bedroom windows) and a good 40-50% of those completely unprotected. I use WEP and I changed the defaults but I'm under no illusions that this makes me safe. What I think helps, though, is that in my case there are at least 4 other WiFi users in my apartment building alone that are wide open. So as long as there are easier targets, I think WEP's done its job as well.
If cheap-o consumer routers getting 0wned thanks to pathetic Wi-Fi security seems bad, consider this: at least one vendor of e-voting systems depends on WEP as the only security measure between their voting machines and the ballot-counting system.
Yes, that's right -- ballots are passed wirelessly, and only protected via standard 802.11 WEP. How long until someone tries to 0wn a polling place? Or, worse, just sniffs the ballots out of the air and dumps them to a log file (so much for the secret ballot), say?
I wrote the article linked to above when the systems were being evaluated in Fairfax County, Virginia -- a wealthy and populous suburb of Washington, DC -- but they've since been approved by the county board of elections and used in two elections to date. Who knows how many other local governments have bought into similar systems?
Read my blog.
My upstairs neighbor (apt. building) has an unencrypted Wireless Linksys router hooked up to his Broadband connection. If I wasn't hosting my domain's e-mail from one of my home machines, I would have cancelled my broadband a long time ago.
You're joking. C'mon, I mean... like, no way. It all makes sense now... if CNN is this far behind on technology, which moves pretty fast, then they are probably a good 25-30 years behind on their political reporting and viewpoints.
Damn hippies.
-- Liberalism is a mental disorder.
I have two WiFi APs at home. One of these has a WEP key, and is the one all of my devices use. It bridges directly to my "real" network. The other one I leave open just out of the goodness of my heart. I have a dedicated NAT router behind it, and connections coming in on the open access point are the only things that use that router.
So far, no problems, and people have thanked me heartily for giving them internet access in a pinch.
Given this setup, what risks do I run? The only one I can think of is that someone has a bunch of kiddie porn torrents just waiting to start up in a server in a van somewhere. Does that really happen? If Osama Bin Laden walks down my street (he'd probably strut, actually), and uses my "free" WiFi to send threatening emails to major governments, do I go to Guantanamo Bay?
How is this different from NYC offering free WiFi access in Bryant Park?
My brother got a call a few months ago. They were having trouble with their Internet connection dropping all the time. He went to the site and found a brand new Dell with a wireless card. When he asked where the access point was, they looked at him like he was from Mars.
They had ordered their machine with a wireless card and thought that was all they needed. They were obviously piggy-backing onto a neighbor's wireless LAN but when my brother tried to explain that to them, they accused him of lying to them.
Couple of years ago when 802.11b was kinda new, I did some testing of this sort of thing.
The fast crack using weak frames worked then. It doesn't work much now, if the boxes are using newer hardware.
The slow crack where you get enough packets to figure out the key worked then and now, but in order to actually do it back then I had to set up some continuous traffic to get enough packets to make it work. We're talking millions of packets here, and it just takes forever to see enough to do it, with 112/128 bit WEP.
Can they get in? Sure.
Will they get in? They're going to have to really want in pretty badly or live nearby and be bored enough to capture for a long period of time. And if they just want free network access, they'll find the easier target like the unsecured one down the street. Or pay the 3 bucks at the nearest hotspot for the hour's worth of access.
WEP is not secure, but in 99% of cases, it's secure *enough*.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Which is to say that they at one point were?
The average computer user in 1970 could probably figure out how to turn on WEP, were he/she transported to the present day. This is the same thing that happened with automobiles. In the early days, automobile owners had to be adept at mechanical repairs. If you read "The Grapes of Wrath", at one point one of the characters is honing the valve seats on his truck in a campground. That was the 30's. By 1960 you'd be hard pressed to find a car owner that could do a valve job on his car. Computers have become a commodity item, just as cars did.
If a job's not worth doing, it's not worth doing right.
Technology used to be the domain of technologists.. then it became popular and that's when "Joe Sixpack" got online.
Nothing wrong with Joe Sixpack, per se, he's a good guy but he doesn't know the first thing about his car, except where to put the gas, and he doesn't know the first thing about his computer, except how to surf the net. And the scary part is that he doesn't *want* to know anything more.
When things go wrong, he hasn't the first clue of what to do, with the car or the computer. All he knows is that he wanted to surf the net at high speed from his Lay-Z-Boy. Ever since he and his cronies got on board, the technological per capita IQ on the internet plummeted.
There has been a long standing computer security axiom that states: "There is no such thing as absolute anonymity, in real life, or on the web."
Well, now there's a caveat to that axiom that I have coined, that states: "Unless you use someone else's unsecured wireless network."
Joe Sixpack is not only providing the foothold that spammers need to purvey their ilk, but also the perfect foundation from which criminals can perpetrate fraud and theft.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I run an open access point and my neighbor does as well. Anything (and I mean anything) more than computer games and unimportant chat sessions I tunnel through ssh/ssl or something similar.
I'm actually quite surprised that more people on /. aren't in favor of open access points. They seem to fit very well into the whole 'information should be free' value system that many geeks have.
Why do I leave my access point open then? Because on average I only use maybe 3% of my bandwidth and I don't see any reason that one of my neighbors shouldn't be allowed to use some of it when I don't need it. When I first moved in and didn't have my own broadband yet I was very happy one of my neighbors left his router unsecured.
So why is it so bad if my network is not secured? I leave it open on purpose.
One Word: Spammer.
You really want someone from the street to use your open net connection to send 10 gig of spam? It's your bandwidth, not mine...
Of course, if you live on the 14th floor, then it's a VERY slim possibility, so you're mostly OK...
I live in Soviet Canuckistan you insensitive clod!
It is hard to break WEP. Even though attacks are theoretically possible, my experience is that it takes too long to collect enough packets. I let AirSnort run for most of a day. It collected nothing. On a low traffic home network, WEP is quite good.
I really do not know the details of attacking WEP, so maybe there are fast cracking approaches. Writing as someone who uses WEP and casually tried to break WEP, WEP provides a high barrier to network infiltration. A stranger would have to make a lengthy effort to do it.
It's not actually a trailer, it's a duplex.
:)
I was referring to the type of neighborhood with the trailer park comment. It's all really old, cheaply built houses with beat up cars in the driveways/yards, and in the summer, when it gets nice and warm at night, the drunks down the street take their domestic disputes for a walk.
No real worries about crime though. Our landlord's kids and their friends would sit in their old storage garage every night smoking weed, so we'd have anywhere from 3 to 7 kids keeping an eye out till 2 or 3 in the morning