Slashdot Mirror


CNN Notices that WiFi is Insecure

josh3736 writes "From CNN comes an article that makes painstakingly obvious to the public what we already knew: 802.11 security is horrible. The article points out that nearly 40% of wireless network APs haven't even been changed from defaults and as many as 80% of home APs have encryption disabled. The article goes on to say that '[t]o make matters worse, users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software.' It also accuses WiFi manufacturers of disabling security measures by default to make wireless easy to the lowest common denominator. My favorite quote? 'Experts say that while Wi-Fi hardware makers have made initial setup easy, the enabling of security is anything but. Meanwhile, average users are no longer tech savvy.' Which is to say that they at one point were?"

32 of 417 comments

  1. Just how do you setup WEP anyway? by LostCluster · · Score: 5, Insightful

    One major flaw I see in telling people to enable WEP on their WiFi is the first question I'm sure to get back is "How do I do that?" and, well, the instructions for doing that are different for each and every item on their network.

    What's more annoying is that people think the "passphrase" they type into their router is the WiFi key rather than what it usually really is, the random seed from which their router generates the actual keys. They type their passphrase into their other devices when they're supposed to type a key value, and then they wonder why it doesn't work anymore when it was working just fine before they tried this security stuff.

    I've had friends who I thought were tech savvy get tripped up over this stuff. I blame the router-makers for not providing software that makes this a whole lot more of a user-friendly experience. We as the IT industry are badly failing at this... and having a lot of open WiFi points will just make our other headaches such as spam and viruses worse in the end. This really needs to be addressed for the good of the Internet.
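The passphrase-versus-key mix-up described in the comment above, as an added example that is not part of the original post: a Python sketch of the passphrase-to-key scheme that many consumer access points of that era implemented (a linear congruential generator for 40-bit keys, MD5 for 104-bit keys). Individual vendors' firmware may differ; the function names and the sample passphrase are constructed for illustration.

```python
import hashlib


def wep40_keys(passphrase):
    """Derive the four 40-bit WEP keys (10 hex digits each) from a passphrase."""
    data = passphrase.encode("ascii")
    # Fold the passphrase into a 32-bit seed: byte i is XORed into lane i % 4.
    seed = 0
    for i, byte in enumerate(data):
        seed ^= byte << ((i & 3) * 8)
    # Run a linear congruential generator and keep bits 16..23 of each state.
    keys, val = [], seed
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            val = (val * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((val >> 16) & 0xFF)
        keys.append(key.hex().upper())
    return keys


def wep104_key(passphrase):
    """Derive the single 104-bit key (26 hex digits) from a passphrase."""
    data = passphrase.encode("ascii")
    if not data:
        raise ValueError("empty passphrase")
    # Repeat the passphrase to fill 64 bytes, hash it, keep the first 13 bytes.
    buf = bytes(data[i % len(data)] for i in range(64))
    return hashlib.md5(buf).digest()[:13].hex().upper()


def literal_ascii_key(text):
    """What a device uses when it treats the typed characters as the key itself."""
    raw = text.encode("ascii")
    if len(raw) not in (5, 13):
        raise ValueError("an ASCII WEP key must be exactly 5 or 13 characters")
    return raw.hex().upper()


def client_key_matches(router_passphrase, typed_on_client):
    """True only if the client's literal key equals the router's generated key 1."""
    return literal_ascii_key(typed_on_client) == wep40_keys(router_passphrase)[0]


if __name__ == "__main__":
    phrase = "hello"  # constructed sample passphrase
    print("router, generated 40-bit keys:", wep40_keys(phrase))
    print("router, generated 104-bit key:", wep104_key(phrase))
    print("client, same text taken as key:", literal_ascii_key(phrase))
    print("association would work:", client_key_matches(phrase, phrase))
```

The value to copy to the other devices is the generated hex key shown by the router, not the passphrase.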

    1. Re:Just how do you setup WEP anyway? by Oxy+the+moron · · Score: 5, Insightful

      I own a Linksys 802.11b router and it came with an 802.11b PCMCIA card. I had no problems getting WEP to work on either the router or my laptop. Linksys did a great job making the process easy with the router's web-based config and the configuration tool software that is provided in the package for the card. I came up with a passphrase and I could easily apply it across the board.

      However, when I bought a new laptop with 802.11g wireless built-in (not from Linksys) I started having all sorts of problems trying to get the new laptop connected. I have to use the default Windows XP configuration tool (which sucks, IMO) and even when I do get connected with WEP enabled, the speed is horrible. And I'm of much higher technical aptitude than those mentioned in the article.

      My point? I think the ease of configuring wireless depends totally on the manufacturer, and whether or not you have all your products from the same manufacturer. And none of them do a very good job of telling the consumer how to protect themselves.

      --

      Proudly supporting the Libertarian Party.

    2. Re:Just how do you setup WEP anyway? by Minna+Kirai · · Score: 4, Insightful

      One major flaw I see in telling people to enable WEP on their WiFi is the first question I'm sure to get back is "How do I do that?"

      So what? It's not like WEP provides security. It's a fundamentally broken protocol.

      CNN is engaging in dangerous misreporting. They spun it so that insecurity is the AP vendors' fault by making WEP difficult to activate. This will lead viewers to believe that once they manage to enable WEP, they're safe. And that's just absolutely wrong. You'd be safer with no WEP and higher-level encryption (although running secure application protocols is even further outside the imagination of typical consumers).

    3. Re:Just how do you setup WEP anyway? by sadler121 · · Score: 4, Insightful

      WEP is completely insecure, and can be broken really easily, it's really not worth it. I think making sure you are not broadcasting your ID, and setting up MAC address filtering, is the way to go. That would keep war drivers from 1) Finding your network, and 2) Connecting to it.

      As for war drivers sniffing passwords and stuff out of the air, all you would have to do is make an effort to use secure methods of transport, like SSL, TLS, etc, which is way stronger and harder to crack. We forget that plain text passwords, etc. are just as harmful on a wired network than on a wireless network. Would you submit your CC information to a company, on a WIRED network, that sent your information without encrypting it via SSL? Of course not! Same as with Wireless networks.

    4. Re:Just how do you setup WEP anyway? by VivianC · · Score: 4, Interesting

      My in-laws just got high speed access through Comcast. Instead of a standard cable modem, they were given a Linksys wireless router (branded as Comcast). I placed the order so I know we didn't ask for this, since I went out and bought a wireless router for them already. So now I get there and they have a wireless router with WEP turned on but no key entered and no one bothered to leave the password so I could set it up properly. It took me an hour on tech support before they could get me the login and password. I can't imagine many of the non-tech savvy people going through all of this.

      --
      Viv

      Gmail invites for ip
    5. Re:Just how do you setup WEP anyway? by pe1rxq · · Score: 4, Informative

      WEP can be cracked... but it requires an effort.
      The key in protecting something is to make the time needed to get in as long as possible.
      Without WEP most cards will join a network within seconds, with WEP you are already safe for most wardrivers (they are usually not warparkers).

      MAC filtering as you mentioned is an even bigger security hole than wep. Look up the 'hwaddr' option in the ifconfig man page.

      The combination of no beacons, mac filtering and wep will make your network such a hard target that it will take a considerable effort for someone to use it.

      Jeroen

      --
      Secure messaging: http://quickmsg.vreeken.net/
    6. Re:Just how do you setup WEP anyway? by Ummagumma · · Score: 4, Informative

      "It actually disconnects from and reconnects to the AP every minute or two, with predictable results (stutter, even disconnection from the server.)"

      You may want to check your hardware. Mine (on 4 different machines, home and work) does not act like this.

      "To make things even more fun, it prevents third party configuration tools from working (like linksys' for example, though I believe Intel's will work properly.) There aren't even any usable workarounds."

      You can simply uncheck 'Use Windows to configure my Wireless Settings', and third party tools work perfectly fine. As a matter of fact, I'm typing this on an 802.11g network, on WinXP, using a Netgear with the Netgear utility, and not XP configuring my settings.

      I get the feeling you either have bad hardware, or don't know what you are doing.

      --
      "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
    7. Re:Just how do you setup WEP anyway? by Lodragandraoidh · · Score: 4, Interesting

      This is precisely why I standardized my whole network on Linksys products. Once I did, all of my compatibility problems went away - and administration is a breeze.

      I have a cardboard box full of old NICs that I acquired cheaply, thinking at the time that I would be able to save a buck. What I saved in money, I lost in time trying to get all the disparate cards to work on various machine architectures and operating systems. I finally broke down and bought all Linksys - at the time a basic 10/100 ethernet NIC was only $10 (now they are $25...must have caught them on sale at the time...) I plugged them in my Linux and Windows machines - and they just worked, right out of the box.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    8. Re:Just how do you setup WEP anyway? by austad · · Score: 4, Insightful

      It's better than nothing though. If I go wardriving, I'm not even going to bother with networks that have WEP enabled, because in my experience, about 70% of the networks are completely open. Why not just use one of those?

      Enabling WEP is a deterrent. No one is going to waste the time breaking your WEP key unless there is some reward for it that they can't get elsewhere. It's just like locking the door on your house, it's a deterrent. If someone wants to get in, they will kick the door in or break a window.

      --
      Need Free Juniper/NetScreen Support? JuniperForum
  2. Being a lazy fellow... by tcopeland · · Score: 4, Funny

    ...I kept my Linksys WAP11 box wide open until one day I sat down at my computer to see that some fellow using the machine name "god" had joined the network and sent me a NetBIOS "net send" message. Ho ho, how clever.

    Sigh... OK, fun time's over, no more sharing, hook up USB cable, generate hex key, etc. Kind of depressing.

    1. Re:Being a lazy fellow... by Coos · · Score: 4, Insightful

      Not only depressing: Despite your shiny new WEP key, if 'god' is smart enough to use google to find a WEP crack script, and to not announce his presence in future, he's probably *still* logged into your system. There is no WiFi security at present - do it all elsewhere (firewall, encrypted protocols, VPN).

    2. Re:Being a lazy fellow... by dilweed · · Score: 5, Funny

      Are you there Kent?

      It's me, God.

      Stop Touching yourself Kent...

    3. Re:Being a lazy fellow... by ch-chuck · · Score: 5, Interesting

      Have you actually done it? I have been running Airsnort in my apartment with two encrypted nets visible and have had absolutely no results so far. Probably not enough traffic, but also thought THIS article interesting. Would be nice to hear if anybody has actually been successful or just repeating the 'myth'(?).

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
  3. It gets worse by PktLoss · · Score: 5, Interesting

    Not only do WiFi equipment manufacturers disable most of the security by default. Some blame any connectivity issues you are having on the encryption (see How stable is WEP).

    Personally, I would love to see some more options when it comes to turning WEP on. Since my laptop connects in both a wired and wireless manner to my network, it would be great if some software generated a new WEP key to use each time I went wired. I see no reason that the end user would need to be involved, any weakness on the part of the pseudo-random generation of a new WEP key would be less insecure than having the same one for months on end.

  4. Why They Aren't Secure by monkeyman_67156 · · Score: 4, Insightful

    The very reason that Wi-Fi networks exist is that they provide simple, easy-to-use network connectivity wherever you are. Security takes a backseat to ease of use. The equipment manufacturers don't want to have to deal with the support calls if they would enable security features, such as WEP, out of the box. Adding security to Wi-Fi networks makes them harder to use and less appealing to the average consumer. Thus, it's easier for manufacturers if consumers remain blissfully unaware of the huge backdoors into their networks. But then again, anonymous internet access from my neighbor isn't that bad.

  5. New malware vector? by bpfinn · · Score: 5, Interesting

    users who don't secure their networks are often the very people who don't keep their computers up to date with the latest security patches and antivirus software

    I wonder if this would be a new, easy way for people to start a new worm/virus infection. Wardrive down the street, map a few hundred potential victims, and come back later and put the bugger in the "Startup" menu on Windows PCs. Ack.

  6. Absolutely by Safety+Cap · · Score: 4, Insightful
    Back in the good old days of pre-Win 3.1, when people were using DOS + QEMM, the quality of calls on the old Q'Deq helpdesk were much higher. Instead of asking "what's an autoexec.bat?" the average user would be more interested in which interrupts we were tripping (for the record, int 21).

    Once the 'puter became a household appliance instead of a hacker's toy, that's when things started to go downhill.

    --
    Yeah, right.
  7. A follow up article... by stratjakt · · Score: 5, Insightful

    ... has the not surprising statistic that 90% of home users DON'T GIVE A FLYING FUCK if the family PC (which they consider no more than an expensive Nintendo/source of free music) is hacked.

    --
    I don't need no instructions to know how to rock!!!!
  8. I'll believe it. by foxtrot · · Score: 5, Funny

    The WAP I'm using is in out-of-the-box factory default insecure mode.

    I really wish I knew which of my neighbors owns it.

    -JDF

  9. Wide open in NYC by chillmost · · Score: 5, Interesting
    A friend of mine moved to New York City and only kept a land line telephone so he could connect online with his modem. He used his cell for all his calls. I visited him a few months later and he had gotten rid of his telephone line because as soon as he got an Airport card he realized how many open routers there were all over the place.

    He said, "As long as I live in this city, I'll never pay for Internet again." We'll see if that remains true when consumers with wireless routers wise up and turn on some of the security features.

  10. Non-encrypted by choice by Yenya · · Score: 4, Interesting

    I have intentionally left WEP off on my AP at home. I use ssh or https for anything sensitive, but I want my visitors to be able to connect via my home network without sophisticated configuration on their side (and of course, without telling them my WEP password).

    My home network is connected via Linux firewall, so I can cut the access or install traffic shaping when the problem occurs.

    --
    -Yenya
    --
    While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus
  11. WiFi not for mainstream? by Genoxide · · Score: 5, Interesting

    The problem is not the product, but the consumers. Now, I might be wrong about this, but I am willing to bet that all access points, WNIC's and other accessories come with something called a "manual"! If you were to actually *read* one of those, by accident or intent, you might discover how to actually use your newly acquired product! Only thing is that people don't bother anymore... They expect everything to be so user-friendly that it will install itself and automatically know how you want the settings to be!! Maybe they could put little warnings on the packs like with cigarettes.. "warning, the DOJ says that not properly securing your access point can be hazardous to your privacy, bank account, and/or bandwidth".. Heh

    1. Re:WiFi not for mainstream? by Feanturi · · Score: 4, Insightful

      Now, I might be wrong about this, but I am willing to bet that all access points, WNIC's and other accessories come with something called a "manual"! If you were to actually *read* one of those, by accident or intent, you might discover how to actually use your newly acquired product!

      That is so very true. The average person (not just computer user, I'm talking average PERSON) is horrified at the thought of having to read a manual in order to understand how to use a gadget. When I'm working in someone's house, I am often asked silly questions like how to hook up a stereo or how to set the time on a desk clock, or how to get picture-in-picture on their snazzy new HDTV. I like to suggest that they check the manual that came with their device, because it will certainly be in there, and then watch the look of horror on their face as they realize they have to learn something now. It's really quite amusing.

      And if they're a computer user, they're no different. They can have a nice big fold-out diagram of their new HP PC with color-coded connectors and nice pretty pictures and they still don't want to read that, they want a person who already knows how, to set it up for them. The average person wants to do the least amount of work to be able to use their tools, that's the bottom line.

  12. You think that's bad? by jalefkowit · · Score: 5, Informative

    If cheap-o consumer routers getting 0wned thanks to pathetic Wi-Fi security seems bad, consider this: at least one vendor of e-voting systems depends on WEP as the only security measure between their voting machines and the ballot-counting system.

    Yes, that's right -- ballots are passed wirelessly, and only protected via standard 802.11 WEP. How long until someone tries to 0wn a polling place? Or, worse, just sniffs the ballots out of the air and dumps them to a log file (so much for the secret ballot), say?

    I wrote the article linked to above when the systems were being evaluated in Fairfax County, Virginia -- a wealthy and populous suburb of Washington, DC -- but they've since been approved by the county board of elections and used in two elections to date. Who knows how many other local governments have bought into similar systems?

  13. I'm posting from my neighbor's WiFi :) by dioscaido · · Score: 4, Funny

    My upstairs neighbor (apt. building) has an unencrypted Wireless Linksys router hooked up to his Broadband connection. If I wasn't hosting my domain's e-mail from one of my home machines, I would have cancelled my broadband a long time ago.

  14. Oh... My... God... Really?!?! by doppleganger871 · · Score: 5, Funny

    You're joking. C'mon, I mean... like, no way. It all makes sense now... if CNN is this far behind on technology, which moves pretty fast, then they are probably a good 25-30 years behind on their political reporting and viewpoints.

    Damn hippies.

  15. I did it in testing... by Otto · · Score: 5, Interesting

    Couple of years ago when 802.11b was kinda new, I did some testing of this sort of thing.

    The fast crack using weak frames worked then. It doesn't work much now, if the boxes are using newer hardware.

    The slow crack where you get enough packets to figure out the key worked then and now, but in order to actually do it back then I had to set up some continuous traffic to get enough packets to make it work. We're talking millions of packets here, and it just takes forever to see enough to do it, with 112/128 bit WEP.

    Can they get in? Sure.
    Will they get in? They're going to have to really want in pretty badly or live nearby and be bored enough to capture for a long period of time. And if they just want free network access, they'll find the easier target like the unsecured one down the street. Or pay the 3 bucks at the nearest hotspot for the hour's worth of access.

    WEP is not secure, but in 99% of cases, it's secure *enough*.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  16. historical perspective by Dun+Malg · · Score: 4, Insightful
    '...Meanwhile, average users are no longer tech savvy.'

    Which is to say that they at one point were?

    The average computer user in 1970 could probably figure out how to turn on WEP, were he/she transported to the present day. This is the same thing that happened with automobiles. In the early days, automobile owners had to be adept at mechanical repairs. If you read "The Grapes of Wrath", at one point one of the characters is honing the valve seats on his truck in a campground. That was the 30's. By 1960 you'd be hard pressed to find a car owner that could do a valve job on his car. Computers have become a commodity item, just as cars did.

    --
    If a job's not worth doing, it's not worth doing right.
  17. Re:Sure... by Moraelin · · Score: 4, Insightful

    Rudeboy1, there is just one problem with this snotty "it's not our product that's crap, it's those idiot users" attitude that's plaguing the industry.

    The problem is that those "idiots" are paying your salary. In fact, if the industry remained an exclusive club where only the High Priests of The Sun (or IBM) have access to the Sacred Computer Room, your employer likely wouldn't even be in business. We'd still not need much more than whatever proprietary peripherals are officially blessed by the computer's manufacturer.

    The growth of the whole computer industry was done precisely by promising ease of use to idiots. The fact that you can sell hundreds of thousands of cards, and not just hundreds, is precisely _because_ you're selling stuff to those idiots. Under the explicit promise that it'll be secure enough and easy to use.

    And I'd like to see the people in this industry actually keeping their promises for a change. Because what everyone, including your employer, is doing is _fraud_. They're making some very explicit promises to get those people's money, but have no intention of respecting those promises.

    You know what's the only difference between the computer industry nowadays and the snake oil peddlers of the old days? The snake oil charlatans knew that they're frauds. They didn't feel a need to call their victims "idiots" and other insulting names. That's all.

    In a sense, the snake oil con artists were actually more honest. And a lot less snotty.

    Just something to keep in mind the next time you feel a need to insult the user for your product's shortcomings.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  18. Is this a bad thing by magicsloth · · Score: 5, Interesting

    I run an open access point and my neighbor does as well. Anything (and I mean anything) more than computer games and unimportant chat sessions I tunnel through ssh/ssl or something similar.

    Why do I leave my access point open then? Because on average I only use maybe 3% of my bandwidth and I don't see any reason that one of my neighbors shouldn't be allowed to use some of it when I don't need it. When I first moved in and didn't have my own broadband yet I was very happy one of my neighbors left his router unsecured.

    I'm actually quite surprised that more people on /. aren't in favor of open access points. They seem to fit very well into the whole 'information should be free' value system that many geeks have.

  19. Have you ever tried? by yet+another+coward · · Score: 4, Funny

    It is hard to break WEP. Even though attacks are theoretically possible, my experience is that it takes too long to collect enough packets. I let AirSnort run for most of a day. It collected nothing. On a low traffic home network, WEP is quite good.

    I really do not know the details of attacking WEP, so maybe there are fast cracking approaches. Writing as someone who uses WEP and casually tried to break WEP, WEP provides a high barrier to network infiltration. A stranger would have to make a lengthy effort to do it.

  20. Re:Sure... by timeOday · · Score: 4, Insightful
    It would be nice if Homeland Security could take a break from trying to find terrorists by which shoelaces they buy to enforce technological security mandates. Unsecured WiFi networks all over the country are very useful to criminals and terrorists.
    No, no, no, please don't ask for that.

    Look, the Internet is not a secured network - not just WiFi but in general. Let's keep it that way.

    I'm glad it doesn't take a license to make a telephone call or use the Internet, even though somewhere, some terrorist is making phone calls. Trying to turn the Internet into some little closed system would be cutting off your nose to spite your face.

    As for WiFi security, it's funny how we're still getting this endless deluge of "OH NO! WIFI IS INSECURE!!!" alarmists. The reason people don't care is because it doesn't matter very much. There just aren't many good horror stories about somebody's life getting ruined because their wireless network was compromised.