Slashdot Mirror


On The Current State of WiFi Security

An anonymous reader writes "A Flexbeta article covers the basics of WiFi security. The article mentions various ways of securing a WiFi network, how easy it is to crack WEP, and what the IEEE is doing about WiFi security. From the article: 'In order to address the security issues of WEP and the current Wi-Fi standards of 802.11a/b/g, the Institute of Electrical and Electronics Engineers (IEEE) is developing a new standard that is called 802.11i. This standard was developed with security in mind. The new standard implements new security entitled Wi-Fi Protected Access (WPA), which takes advantage of the Temporal Key Integrity Protocol (TKIP), is easier to set up using a pre-shared key, and can use RADIUS authentication.'"

37 of 300 comments

  1. None of which will matter by HUADPE · · Score: 2, Insightful

    None of which will matter if people do not put passwords on their networks that aren't "default" "administrator" or "home." Oh, first post!

    --
    This sig has not been evaluated by the FDA. It is not designed to diagnose, treat, prevent, or cure any disease.
    1. Re:None of which will matter by ThinkingInBinary · · Score: 2, Informative
      Fortunately, MAC filtering and turning off the SSID makes it LESS likely that someone is going to set up outside their house and use their connection

      It doesn't make it less likely that someone will go out of their way to use it, because those people have things like Kismet on hand. It only prevents the people who have naïve Windows XP boxen from accidentally connecting.

    2. Re:None of which will matter by frodo+from+middle+ea · · Score: 4, Informative
      6 dumbest ways to secure WLAN

      and Some sensible advice on how really to secure it

      Mind you I don't recommend that you turn on SSID broadcast, or turn off mac addr. filtering, but, these options will deter only novice users from stumbling accidentally on your WLAN.

      But security is not about stopping these novice users, who are less likely to cause any damage in the first place, it's more about stopping someone who is really determined to get in, in order to at best steal your bandwidth or at worst do some real damage like get sensitive data from your PCs.

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    3. Re:None of which will matter by B'Trey · · Score: 4, Insightful

      Mind you I don't recommend that you turn on SSID broadcast, or turn off mac addr. filtering, but, these options will deter only novice users from stumbling accidentally on your WLAN.

      Isn't that the point? If a knowledgeable and determined hacker wants to break into your network, chances are they're going to succeed unless you're a security expert yourself and highly vigilant.

      I could write an article entitled "The six dumbest ways to secure your house." I'd start out with something like: "Locking your front door. People put strong locks on the door, when right next to it you have a window made of fragile glass! Hello?!? Anyone with a brick can knock out the glass and walk right in!!!"

      No, a MAC filter doesn't make your network impregnable. And locking your front door doesn't turn your house into Fort Knox. But if you're not Fort Knox, you don't need to have Fort Knox security. Make breaking into your network an effort and most people won't bother. There's likely someone down the street that's broadcasting their SID and has no security at all. Why are they going to bother messing with you?

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    4. Re:None of which will matter by FireFury03 · · Score: 3, Insightful

      But security is not about stopping these novice users, who are less likely to cause any damage in the first place

      I've got to argue with this - stepping back from the whole wireless thing and talking about security in general, I can tell you that the crackers that cause the most damage are the ones who really don't know what they're doing and have just picked up a cracking toolkit (i.e. script kiddies). The script kiddies frequently end up leaving a machine they've attacked in a completely destroyed state _by accident_ (their intention is to use the machine, not destroy it but frequently it ends up trashed). On the other hand, if your system is attacked by people who know what they're doing the chances are you won't notice for a long time.

    5. Re:None of which will matter by Golias · · Score: 2, Insightful

      I was thinking of more, how can I phrase a flyer to put in people's mailboxen (God, am I a geek...) and on bulletin boards. I'm not really comfortable sending stuff to people's computers, because, although the threshold of legal/illegal use of someone's WiFi is fuzzy, I would consider that past it, or at least quite suspicious.

      I've got a great idea for how you can handle this situation.

      You can mind your own business.

      If there's a sudden rise of criminals using home WiFi all over the country, there will be a crackdown, and people will learn to take the steps they need to. Until then, there are bigger things in the world to be concerned about.

      --

      Information wants to be anthropomorphized.

    6. Re:None of which will matter by FireFury03 · · Score: 2, Insightful

      I guess what I am trying to say is security is not absolute, but a relative measure. There is no checklist that you can tick away and say OK I am now secure.

      Absolutely - security is always a balancing act between security and usability. On one end of the scale we have the most secure setup - you have everything unplugged and turned off all the time. Obviously whilst that's completely secure from remote attack it's also completely unusable. On the other end of the scale is no security and everything's really easy to use.

      A check list of _possible_ security measures and their repercussions would probably be a good thing to make someone look through when they're installing a wireless network though.

      For example:

      1. (ignoring its security weaknesses for a moment) WEP is remarkably easy to set up and has very few usability problems so that's quite high on the list. The only usability problem I can think of is the effort of typing your passphrase into new machines when you connect them to the AP.

      2. MAC filtering is slightly more complex to set up since you have to extract the MAC from a new machine and then configure the AP to allow it. If you have a reasonably static network setup then that might be the option for you, but if new machines are coming and going all the time then probably not.

      These are the sort of things which people who are setting up a network really need to think through. It's really not that different from securing your house:

      1. Do we want a lock on the door? It has the disadvantage that if you lose your keys then you're screwed.

      2. Do we want bars on the windows? It increases security but also increases the risk of you not being able to escape a fire.

      etc.

      At the moment, a large proportion of people are handed an access point that's pre-configured to be fully open and they are never made to think of the security questions - it's like going out and buying a front door for your house, getting it fitted and no one mentioning that it doesn't have a lock on it as standard.

  2. WPA2, not WPA by JemVai777 · · Score: 5, Informative

    The real contender is WPA2, which employs the far stronger AES symmetric algorithm in place of RC4, and adds much-desired features such as fast roaming:

    WPA2 overview.

    If your hardware supports it, use WPA2. If not, settle for nothing less than WPA, as WEP is a joke and trivial to break into.

    --
    "The problem with our economy is that our budget is balanced by people who aren't" - A.E.N.
    1. Re:WPA2, not WPA by marcantonio · · Score: 4, Informative

      Actually 802.11i is WPA2.

    2. Re:WPA2, not WPA by joel48 · · Score: 2, Interesting

      "you would upgrade your infrastructure"

      That's exactly what the parent said, not by moving to WPA[2], but rather by running a VPN/IPSec over the WEP link. I would consider this to be almost a better solution than solely WPA2 (without question VPN over WPA2 is the best solution). The VPN provides an additional, *alternate* security layer.

  3. End user has the burden by Oostertoaster · · Score: 2, Informative

    Wireless security is a huge issue these days. When I set up my wireless network, I made sure to get equipment capable of working with WPA encryption, and turned the SSID off, etc. From where I am sitting right now, however, I can access 2 of my neighbor's unsecured, unencrypted Wi-Fi networks. And that will always be the problem. We have the capability to secure wireless networks these days with a reasonable degree of security, but people just refuse to do it.

    1. Re:End user has the burden by Chaotic+Spyder · · Score: 2, Interesting

      Ugh... I think it has more to do with people don't know how or why to secure it.
      I have helped a couple friends out with small computer problems. The following conversation has happened a couple times

      ME:ohh.. Who has the laptop? you might want to get them to Secure the Wireless on this Router.
      Clueless Friend: umm.. wireless??? Laptop???
      Me: Yeah.. you have a wireless router and it's not encrypted and you still have all the default passwords.
      Clueless Friend: ohh.. we just bought the best router Future Shop had.. I didn't know it had wireless
      ....
      ...
      ... Yeah Security needs to be better.. But The problem you speak of is not a problem with the protocol but how it is used...

      --
      Losers whine about their best, Winners go home to fuck the prom queen
    2. Re:End user has the burden by Knome_fan · · Score: 2, Insightful

      While I agree in general, I don't think blaming the end user is really fair.

      After all, wifi and computers nowadays get sold as something easy to use and setup. Just plug it in and it works.

      Unfortunately, the reality doesn't really live up to the promises.
      That is, even if the just works part is true (which of course everyone who has been the resident computer geek for friends and family knows isn't always the case, to put it mildly), in many cases the default setup is simply unbelievably insecure.

      To sum it up, people are told things about computers and wifi that simply aren't true. As most people are not interested in computers and shouldn't be just to be able to use them, it's really unfair to blame them for believing the hype.

    3. Re:End user has the burden by green1 · · Score: 2, Informative

      Don't look at the unencrypted network next door as a problem, it actually INCREASES your security, now there's another, much easier target right nearby for anyone who just casually wants on the net.

      All that being said, the real "solution" to all this is to get the manufacturers to configure their install programs to make you set up security (or at least make "secure" the default)

      I work for a large Canadian ISP, one of the products we now sell is our "home networking" package, this is basically an ADSL modem with built in 4 port router and built in wireless router. The install wizard for this device automatically sets up encryption and forces the user to change the default password on the device it then gives the user a page to print out with all those settings so they can give them to the wizard when it runs on the other computers to set them up, all in all a pretty slick system for people who don't know what they are doing with technology. As a result of this setup we have the same "clueless users" that would normally have an unsecured network with the SSID of "linksys" or "default", no encryption, and a password of "admin" but OURS have a different SSID, an encrypted network, and a password that they chose.

      I find this is proof that the problem doesn't have to be the user, transfer some of that responsibility to the manufacturer who doesn't make security a priority, if "secure" is the default, people WILL use it. (and yes, if you know what you're doing, and really do, for whatever reason, want an unsecured network, you can simply log in to the router and configure it that way...)

  4. General Security by agarrett · · Score: 3, Insightful

    Standard setup for the average home network user seems to be

    Take box home
    Plug in box
    let windows xp do its thing
    Use.

    Clearly for these advances to be of any use, customers must be informed of their necessity and setup must be kept as simple as possible (helped, I surprisedly add, by XPSP2's wireless configuration app)
    The technology is all well and good, as long as it's being used.

    --
    Go ahead and search, you will never find it all, I am baking muffins as I speak. - ComicBook Guy
    1. Re:General Security by Mr.+Shiny+And+New · · Score: 2, Interesting

      There was an article in an IEEE magazine about this sort of thing not long ago. Basically a network admin wanted to set up WPA on his network using encryption and certificates etc. But the normal installation mode was too complex for his users, who happened to mainly be PhD research types (i.e. not dumb, but not computer nerds). So they ended up writing a little program that you put on the notebook computer, you bring the notebook into a room, point the IR at the computer in that room, press a button, and the notebook downloads the certificate and installs it and configures it.

      How hard would it be to include functionality like that into every WiFi device? Heck, you could do it without a line of sight if the router and client communicate by radio, and require confirmation at both ends that the right computer is talking to the right network. It wouldn't be that hard, really.

  5. Why should I care? by Robertatwork · · Score: 4, Interesting

    I read a lot about wi-fi security. However, it keeps coming down to, why should I care? Yes, at work it is important to be very security aware. However, at home, I really don't care if someone is using my connection. If they are doing something that is hogging bandwidth, when I want to use it, I can boot them. My computer is protected and on the other side of a firewall. Information that passes over the router does not touch any storage device. So, back to the question, why should I care? (as a home user)

    1. Re:Why should I care? by Redshift · · Score: 4, Insightful

      Supposing it was a terrorist or a pedophile? How would you like Homeland Security or the FBI knocking on your door, asking you deep questions and impounding all your computer equipment for investigation? The suspicious activity did all originate from your IP address, after all.

      And how secure do you think your computer really is? When it is behind your router it has the advantage of being somewhat obscured to the rest of the world by NAT. A hacker inside your own network just has your software firewall to break down - one step closer. Furthermore, if he is able to get access to your router he probably also has access to everything you send - are you sure you want all that to be logged?

      You are very naive.

    2. Re:Why should I care? by truedfx · · Score: 2, Interesting

      Uh, you place child porn in the same category as downloading music (without even specifying that you're referring to illegally downloading music)?

    3. Re:Why should I care? by wandernotlost · · Score: 2, Interesting

      Haha, heh...wait, are you serious?

      While we're on the subject of naivete...I really don't get the whole idea of "wireless security." People should be focusing on secure end-to-end protocols, not trying to secure the link that goes from your computer to the next hop. You do realize that everything is sent in the clear after that hop, right?

      While making the wireless connection as secure as a wired connection (i.e. not very) may impede the casual traffic sniffer, it's really rather silly to think that it affords the user a "secure" connection to anywhere but that router in your house.

      If you're worried about terrorists and pedophiles creeping into your backyard and sneaking into your wireless network, you need to be concerned with access control, not secure communication.

      Besides, are you really comfortable with the idea that everything that goes across your network is loggable and directly traceable back to you? Kind of sounds like Big Brother to me. I'd rather we have a little bit of ambiguity here and there. I'll still be leaving my access point wide open, thanks.

  6. What means this term "wireless security"? by $RANDOMLUSER · · Score: 3, Insightful
    The problem with wireless isn't people who read Slashdot, it's my parents going down to Best Buy and grabbing a wireless router, plugging it in and using it. Most people don't realize what they're broadcasting, or how easy it is for other people to tap into their home network, nor even why this would be a Bad Thing.

    When my folks go to the car lot, they know to look at the Buicks. When they go to Best Buy, they don't know they're looking at the equivalent of a crotch rocket motorcycle that will surely get them killed.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  7. Not necessarily by JemVai777 · · Score: 4, Informative

    doesn't .11g have WPA TKIP

    The 802.11g spec does not mandate WPA; however, most modern cards and APs support it. While WPA has no known serious weaknesses, choose WPA2-compatible hardware if you're yet to purchase wireless equipment.

    --
    "The problem with our economy is that our budget is balanced by people who aren't" - A.E.N.
    1. Re:Not necessarily by Redshift · · Score: 2, Informative

      While WPA has no known serious weaknesses, ... apart from being vulnerable to dictionary attacks against the password. So don't choose stupid easy passwords!

  8. Ship APs with WPA Enabled? by domipheus · · Score: 3, Interesting

    As many people are saying, there is no point in advancing encryption standards if the average end user will not use it.

    On many sites, you sign up, and get given a random password. How hard would it be for manufacturers to ship AP's with WPA enabled with a random password/key which is printed on the back of the user manual? (this is a genuine question) XP asks for a password when u try to connect to it automatically, and if you are using linux etc then you know what the deal is anyway.

    1. Re:Ship APs with WPA Enabled? by NekoXP · · Score: 3, Informative

      I bought a Speedtouch 580 DSL modem as I just moved to Speakeasy, and lo and behold
      on the back of the modem is the MAC address of the eth0 port, and the default
      WEP/WPA key.

      Went in and changed it and everything is happy. But the thing shipped with WPA
      enabled and the default (which looks random..) key next to the serial number.

      Neko

  9. Current State: Safe by Mensa+Babe · · Score: 2, Insightful

    According to Bruce Schneier, the security risks of WiFi are vastly exaggerated.

    --
    Karma: Positive (probably because of superiour intellect)
  10. A Real Question by L.+VeGas · · Score: 2, Interesting

    And I did RTFA.

    What's the bottom line for my home network? I've got WPA on my 802.11g network. I changed the default passwords, etc. Is there any realistic chance of being compromised?

    Also, as an individual and not a business, what motivation would someone have for doing so?

    1. Re:A Real Question by Tiberius_Fel · · Score: 2, Informative

      Depends on who the people in your neighbourhood are. ;-) Offhand, I can think of several reasons: 1) "Free" internet. Some people avoid paying $X per month for internet service when the guy next door has a wireless router and a 3 Mbit line he's barely using. (Disclaimer: I don't do this; I pay for Bell Sympatico DSL in Ontario, Canada) 2) Proving Oneself. Somebody in range wants to consider himself a hacker so he or she will try to break into your network just to prove he/she can. 3) Activities not so legal. Somebody could conceivably use the wireless network to do something illegal. If the Feds come looking for somebody based on IP they're coming to you and not to his home address. You know what I mean? 4) Identity theft. Somebody might want to pick up your credit card / financial information and use it to rip you off. The list goes on, as you can imagine. There's really no such thing as being 100% secure, but there's making yourself a poor target. IMHO with WPA and passwords changed etc. you are a much less likely target than all the unsecured / WEP / default password / etc. networks out there. Much like a car, no anti-theft system will make the car completely theft proof. But it can make you a less lucrative target. :-)

      --
      Join the Empire! http://www.empirereborn.net/
  11. Can a broadcast signal ever be secure? by G4from128k · · Score: 2, Insightful

    While I applaud attempts to secure WiFi, it would seem that wireless will always add another channel of vulnerability to any IT system, especially because WiFi is so often deployed inside the firewall. WiFi systems are generally vulnerable to both internet-based attacks and wireless attacks. And even if the 802.11i protocol is "secure," there is little guarantee that both the AP and the client wifi transceiver have a secure implementation of the protocol or that the user configures the system in a secure fashion.

    As inconvenient as wires are (and even they are not totally secure), they do reduce the amount of one's personal information freely broadcast into the ether.

    --
    Two wrongs don't make a right, but three lefts do.
  12. Re:Does this make me incredibly stupid? by Redshift · · Score: 3, Informative
    Now... How insecure is this really? And what does it really mean? It's not like the access point has unlimited range. I don't even think my nextdoor neighbor could hijack my connection. Should I worry that some dude is gonna park in front of my house and start leeching my connection?


    Yes.

    Have a look at this

  13. Re:is this really new? by SecretSauce · · Score: 2

    This article is very out of date. While there will never be enough articles out there about how insecure wireless *CAN* be, it seems very out of touch with current technology. For example, 802.11i is being called WPA2..........because there is already a WPA (TKIP+Radius).

    It seems like the author used the wayback machine and had it set for 2002 when doing research for this project.

  14. Re:It's like swimming with sharks by jomegat · · Score: 5, Funny
    There's a saying among scuba divers, how do you fend off a hungry shark with a 2 inch knife? You stab your buddy and swim away.

    But how do you get the knife away from the shark?

    --

    In theory, practice and theory are the same. In practice, they're not.

  15. good cheap wifi hardware - AirLink101 by Tumbleweed · · Score: 2, Informative

    I recently got my first laptop, and did some wifi hardware research. What I wound up buying are products from AirLink101(.com). I got a Super-G card for my laptop, and two Super-G access points. One is set up as an access point, and the other is set up as a bridge (receives the signal from the AP, goes out the cable into my switch, and into my desktop machines with NICs but no wireless cards; I didn't want to have to buy wireless cards for anything but the laptop). These products support WPA with AES, and work quite well through several walls between the AP and the NIC. Two antennas on the AP/bridge units, and they're removable, so one could add better antennas if needed. This is the only wireless AP I know of that can be configured as a bridge - you normally need to buy a more expensive bridge to get bridge functionality. Also note - these are Super-G units, not just G (108Mbps, not 54). They use the Atheros (sp?) chipset, so should be Super-G compatible with anything else using that chipset.

    Prices? The AP/bridge units were $70 each at outpost.com. I can't remember how much the laptop card was - $30 or $40 as I recall, very reasonable.

    You will be able to find cheaper wifi hardware, but it won't be Super-G, and it won't be this capable.

  16. Answer is quite simple. by o517375 · · Score: 2, Insightful

    Build a lightweight VPN server into every router, such as Openvpn which uses TLS/HMAC and RSA keys. The router could easily generate and distribute the keys (over the wire) for wireless encapsulation.

  17. Here's why we need SOLID WiFi Security..... by 8127972 · · Score: 2, Interesting

    There was a case of a guy downloading child pron in Toronto by driving around at night and finding open WiFi networks (You know the ones.... Their SSID's are Linksys and Default). Apparently when he was caught, he was naked from the waist down looking at explicit images. (Ooh. Bad image)

    I point this out as I used to work for a VAR that sold WiFi products to businesses who would just order the products and throw them up onto their network rather than pay us to come in and properly install and secure the environment (which was usually Windows based). When this happened and I pointed it out to them that this could be them (or something worse might happen, such as the cops knocking on your door because they traced the downloads to their net connection), they changed their tune in a hurry and let us secure the networks.

    Places like Best Buy should hand this article out to their customers. That would reduce the problem in a hurry.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  18. Linux and WPA (Slightly Offtopic) by Halo- · · Score: 3, Informative
    Okay, I admit it. People think I'm a security freak, but I still run 802.11b with WEP enabled at home. I've got strong keys, I filter MACs, I disable beaconing, and have put up other minor fortifications, but I still know I'm running pretty open.

    So why haven't I improved things?

    Simple. Even though I'm a pretty technical Linux user, I've been unable to really feel confident going out and buying 802.11g stuff with WPA, because the existing documentation on the net is pretty bad.

    I'm waiting for the mythical "someone else" to set up a nice, straight-forward site that says "here are the cards you can buy at store X which support Linux and don't require binary drivers, patched kernels, and other crap" Sure, there are lists of chipsets, but the actual stores don't list the chipset in particular products often, and the vendors often have multiple versions of the same card with different chipsets.

    I think a lot of the problem is the actual hardware industry itself. 802.11b wasn't hard to get Linux support for, but because of the software controlled radio in 802.11g chipsets, it's a bit trickier legally.

    And don't get me started on Bluetooth. I got a new phone which has it, and I'd love to buy a little USB Bluetooth dongle so I can play with it, but right now the main Linux Bluetooth page has been asked to take down their list of devices known to work under Linux, because someone in the Bluetooth SIG complained the devices weren't technically qualified. (link) What a load of crap! So instead of getting a dongle which might not work, I'm just not going to get one at all. Everyone loses.

    PCMCIA Firewire card is marginally easier, but again, trying to track down an actual card for sale which matches the user-reported specs and models is pretty damn hard. I spent conservatively 3 hours online and in Fry's reading before I got a card which works great until you eject it and panic the kernel.

    I guess where I'm going with this rant is that wireless security (in the non-Windows world) would probably be better if the "standards" followed went a bit deeper and were more open to allowing outsiders to confidently buy products. All I'm asking for is a label or a sticker on the box telling me what chipset and version the device uses. It's not hard, and it shouldn't be a secret. Anyone technically savvy to make a purchasing decision based on chipset is technically savvy to figure out what chipset is in a device once they've bought it and spread the word.

    Wow... my first rant. Sorry about that....

  19. strong security over wireless is possible by PureFiction · · Score: 2, Insightful

    IPSec SHA256 AH AES128 ESP

    We set up such a configuration at DEFCON and despite various attacks against both AP and client, including evil twin, WDS exploits, traffic replay, etc. the network was absolutely impenetrable.

    The only secure configuration I would consider would be WPA2 with RADIUS authentication. Pre-shared key is vulnerable to dictionary attacks so be sure to key with a good random string if you use this mode.