On The Current State of WiFi Security

An anonymous reader writes "A Flexbeta article covers the basics of WiF security. The article mentions mentions various ways of securing a WiFi network, how easy it is to crack WEP, and what the IEEE is doing about WiFi security. From the article: 'In order to address the security issues of WEP and the current Wi-Fi standards of 802.11a/b/g, the Institute of Electrical and Electronics Engineers (IEEE) is developing a new standard that is called 802.11i. This standard was developed with security in mind. The new standard implements new security entitled Wi-Fi Protected Access (WPA), which takes advantage of the Temporal Key Integrity Protocol (TKIP), is easier to setup using a pre-shared key, and can use RADIUS authentication.'"

is this really new?

I've been using WPA with TKIP over 802.11g for almost 2 years now. It works great.

(This is with Windows XP and a Microsoft MN-700.)

WPA2, not WPA

[JemVai777]

The real contender is WPA2, which employs the far stronger AES symmetric algorithm in place of RC4, and adds much-desired features such as fast roaming:

WPA2 overview.

If your hardware supports it, use WPA2. If not, settle for nothing less than WPA, as WEP is a joke and trivial to break into.

Re:WPA2, not WPA

[marcantonio]

Actually 802.11i is WPA2.

End user has the burden

[Oostertoaster]

Wireless security is a huge issue these days. When I set up my wireless network, I made sure to get equipment capable of working with WPA encryption, and turned the SSID off, etc. From where I am sitting right now, however, I can access 2 of my neighbor's unsecured, unencrypted Wi-Fi networks. And that will always be the problem. We have the capability to secure wirless networks these days with a reasonable degree of security, but people just refuse to do it.

Re:End user has the burden

[green1]

Don't look at the unencrypted network next door as a problem, it actually INCREASES your security, now there's another, much easier target right nearby for anyone who just casually wants on the net.

All that being said, the real "solution" to all this is to get the manufacturers to configure their install programs to make you set up security (or at least make "secure" the default)

I work for a large Canadian ISP, one of the products we now sell is our "home networking" package, this is basically an ADSL modem with built in 4 port router and built in wireless router. The install wizard for this device automatically sets up encryption and forces the user to change the default password on the device it then gives the user a page to print out with all those settings so they can give them to the wizard when it runs on the other computers to set them up, all in all a pretty slick system for people who don't know what they are doing with technology. As a result of this setup we have the same "clueless users" that would normally have an unsecured network with the SSID of "linksys" or "default", no encryption, and a password of "admin" but OURS have a different SSID, an encrypted network, and a password that they chose.

I find this is proof that the problem doesn't have to be the user, transfer some of that responsibility to the manufacturer who doesn't make security a priority, if "secure" is the default, people WILL use it. (and yes, if you know what you're doing, and really do, for whatever reason, want an unsecured network, you can simply log in to the router and configure it that way...)

Not necessarily

[JemVai777]

doesn't .11g have WPA TKIP

The 802.11g spec does not mandate WPA; however, most modern cards and APs support it. While WPA has no known serious weaknesses, choose WPA2-compatible hardware if you're yet to purchase wireless equipment.

Re:Not necessarily

[Redshift]

While WPA has no known serious weaknesses, ... apart from being vulnerable to dictionary attacks against the password. So don't choose stupid easy passwords!

Re:None of which will matter

[ThinkingInBinary]

Fortunately, MAC filtering and turning off the SSID makes it LESS likely that someone is going to set up outside their house and use their connection

It doesn't make it less likely that someone will go out of their way to use it, because those people have things like Kismet on hand. It only prevents the people who have naïve Windows XP boxen from accidentally connecting.

Re:Why should I care?

[ghee22]

If someone is piggybacking on your network, all of their traffic leads to your IP address. If they are hosting illegal music, the RIAA will get a subpeona for the IP carrying it... YOURS. You get the 4500 $ fine.

by telling you this, i may be saving you a lot of trouble by not being ignorant about your property. but then again, "why should i care?"

Re:A Real Question

[Tiberius_Fel]

Depends on who the people in your neighbourhood are. ;-) Offhand, I can think of several reasons: 1) "Free" internet. Some people avoid paying $X per month for internet service when the guy next door has a wireless router and a 3 Mbit line he's barely using. (Disclaimer: I don't do this; I pay for Bell Sympatico DSL in Ontario, Canada) 2) Proving Oneself. Somebody in range wants to consider himself a hacker so he or will try to break into your network just to prove he/she can. 3) Activities not so legal. Somebody could conceivably use the wireless network to do something illegal. If the Feds come looking for somebody based on IP they're coming to you and not to his home address. You know what I mean? 4) Identity theft. Somebody might want to pick up your credit card / financial information and use it to rip you off. The list goes on, as you can imagine. There's really no such thing as being 100% secure, but there's making yourself a poor target. IMHO with WPA and passwords changed etc. you are a much less likely target than all the unsecured / WEP / default password / etc. networks out there. Much like a car, no anti-theft system will make the car completely theft proof. But it can make you a less lucrative target. :-)

Re:Ship APs with WPA Enabled?

[NekoXP]

I bought a Speedtouch 580 DSL modem as I just moved to Speakeasy, and lo and behold
on the back of the modem is the MAC address of the eth0 port, and the default
WEP/WPA key.

Went in and changed it and everything is happy. But the thing shipped with WPA
enabled and the default (which looks random..) key next to the serial number.

Neko

Re:Does this make me incredibly stupid?

[Redshift]

Now... How insecure is this really? And what does it really mean? It's not like the access point has unlimmitted range. I don't even think my nextdoor neighbor could hijack my connection. Should I worry that some dude is gonna park in front of my house and start leeching my connection?

Yes.

Have a look at this

Re:None of which will matter

[frodo+from+middle+ea]

6 dumbest ways to secure WLAN

and Some sensible advice on how really to secure it

Mind you I don't recommend that you turn on SSID broadcast, or turn off mac addr. filtering, but, these options will diter only novice users from stumbling accidently on your WLAN.

But security is not about stopping these novice users, who are less likely to cause any damage in the first place, It's more about stopping someone who is really determined to get in, in order to at best steal your bandwidth or at worst do some real damage like get sensetive data from your PCs.

good cheap wifi hardware - AirLink101

[Tumbleweed]

I recently got my first laptop, and did some wifi hardware research. What I wound up buying are products from AirLink101(.com). I got a Super-G card for my laptop, and two Super-G access points. One is set up as an access point, and the other is set up as a bridge (receives the signal from the AP, goes out the cable into my switch, and into my desktop machines with NICs but no wireless cards; I didn't want to have to buy wireless cards for anything but the laptop). These products support WPA with AES, and work quite well through several walls between the AP and the NIC. Two antennas on the AP/bridge units, and they're removable, so one could add better antennas if needed. This is the only wireless AP I know of that can be configured as a bridge - you normally need to buy a more expensive bridge to get bridge functionality. Also note - these are Super-G units, not just G (108Mbps, not 54). They use the Atheros (sp?) chipset, so should be Super-G compatible with anything else using that chipset.

Prices? The AP/bridge units were $70 each at outpost.com. I can't remember how much the laptop card was - $30 or $40 as I recall, very reasonable.

You will be able to find cheaper wifi hardware, but it won't be Super-G, and it won't be this capable.

Linux and WPA (Slightly Offtopic)

[Halo-]

Okay, I admit it. People think I'm a security freak, but I still run 802.11b with WEP enabled at home. I've got strong keys, I filter MACs, I disable beaconing, and have put up other minor fortifications, but I still know I'm running pretty open.

So why haven't I improved things?

Simple. Even though I'm a pretty technical Linux user, I've been unable to really feel confident going out and buying 802.11g stuff with WPA, because the existing documentation on the net is pretty bad.

I'm waiting for the mythical "someone else" to set up a nice, straight-forward site that says "here are the cards you can buy at store X which support Linux and don't require binary drivers, patched kernels, and other crap" Sure, there are lists of chipsets, but the actual stores don't list the chipset in particular products often, and the vendors often have multiple versions of the same card with different chipsets.

I think a lot of the problem is the actual hardware industry itself. 802.11b wasn't hard to get Linux support for, but because of the software controlled radio in 802.11g chipsets, it's a bit tricker legally.

And don't get me started on Bluetooth. I got a new phone which has it, and I'd love to buy a little USB Bluetooth dongle so I can play with it, but right now the main Linux Bluetooth page has been asked to take down their list of devices known to work under Linux, because someone in the Bluetooth SIG complained the devices weren't technically qualified. (link) What a load of crap! So instead of getting a dongle which might not work, I'm just not going to get one at all. Everyone loses.

PCMCIA Firewire card is marginally easier, but again, trying to track down and actual card for sale which matches the user-reported specs and models is pretty damn hard. I spent conservatively 3 hours online and in Fry's reading before I got a card which works great until you eject it and panic the kernel.

I guess where I'm going with this rant is that wireless security (in the non-Windows world) would probably be better if the "standards" followed went a bit deeper and were more open to allowing outsiders to confidently buy products. All I'm asking for is a label or a sticker on the box telling me what chipset and version the device uses. It's not hard, and it shouldn't be a secret. Anyone technically savvy to make a purchasing decision based on chipset is technically savvy to figure out what chipset is in a device once they've bought it and spread the word.

Wow... my first rant. Sorry about that....