On The Current State of WiFi Security
An anonymous reader writes "A Flexbeta article covers the basics of WiFi security. The article mentions various ways of securing a WiFi network, how easy it is to crack WEP, and what the IEEE is doing about WiFi security. From the article: 'In order to address the security issues of WEP and the current Wi-Fi standards of 802.11a/b/g, the Institute of Electrical and Electronics Engineers (IEEE) is developing a new standard that is called 802.11i. This standard was developed with security in mind. The new standard implements new security entitled Wi-Fi Protected Access (WPA), which takes advantage of the Temporal Key Integrity Protocol (TKIP), is easier to set up using a pre-shared key, and can use RADIUS authentication.'"
None of which will matter (Score:2, Insightful)
Re:None of which will matter (Score:2)
Fortunately, MAC filtering and turning off the SSID makes it LESS likely that someone is going to set up outside their house and use their connection, but I still have the has
Re:None of which will matter (Score:2, Informative)
It doesn't make it less likely that someone will go out of their way to use it, because those people have things like Kismet [kismetwireless.net] on hand. It only prevents the people who have naïve Windows XP boxen from accidentally connecting.
Re:None of which will matter (Score:2)
It makes it _slightly_ less convenient for people (who know what they're doing) to connect. But possibly more to the point, it shows anyone who's trying to connect that it's not a public AP - you have at least done something (although not much) to secure it. Locks keep honest peopl
Re:None of which will matter (Score:2)
Some options spring to mind:
1. Scan the network for unpassworded printers (network printers or SMB shares) and print an easy to understand, polite message, explaining the problem. If you're feeling really friendly you cou
Re:None of which will matter (Score:2, Insightful)
I've got a great idea for how you can handle this situation.
You can mind your own business.
If there's a sudden rise of criminals using home WiFi all over the country, there will be a
Re:None of which will matter (Score:2)
So you don't believe in education?
If no one had educated you to lock your door, how would you know to do it? Or would it be ok to live in ignorance until someone actually wandered into your home and stole all your stuff?
And in any case, I think you can take the current state of the Internet (with the millions of rootkitted and virussed Windows boxes connected to it) as a good indication that:
1. If crime does reach epidemic proportions then the majority of people are still igno
Re:None of which will matter (Score:2)
I think (part of) my suggestion still stands - if you can identify the model then step-by-step instructions would be good (there aren't that many different models out there so you're not dealing with a massive set of different instructions).
Obviously be polite and clearly explain (in terms your grandmother could understand) what the problem is and why they need to fix it.
I think using it to advertise your services would be seen as
Re:None of which will matter (Score:2)
Unless of course you're using an unpatched old Linksys router, which had a bug that allowed access over the WAN.
Re:None of which will matter (Score:5, Informative)
and Some sensible advice on how really to secure it [lanarchitect.net]
Mind you I don't recommend that you turn on SSID broadcast, or turn off mac addr. filtering, but, these options will deter only novice users from stumbling accidentally on your WLAN.
But security is not about stopping these novice users, who are less likely to cause any damage in the first place, it's more about stopping someone who is really determined to get in, in order to at best steal your bandwidth or at worst do some real damage like get sensitive data from your PCs.
Re:None of which will matter (Score:5, Insightful)
Isn't that the point? If a knowledgeable and determined hacker wants to break into your network, chances are they're going to succeed unless you're a security expert yourself and highly vigilant.
I could write an article entitled "The six dumbest ways to secure your house." I'd start out with something like: "Locking your front door. People put strong locks on the door, when right next to it you have a window made of fragile glass! Hello?!? Anyone with a brick can knock out the glass and walk right in!!!"
No, a MAC filter doesn't make your network impregnable. And locking your front door doesn't turn your house into Fort Knox. But if you're not Fort Knox, you don't need to have Fort Knox security. Make breaking into your network an effort and most people won't bother. There's likely someone down the street that's broadcasting their SID and has no security at all. Why are they going to bother messing with you?
Re:None of which will matter (Score:4, Insightful)
I've got to argue with this - stepping back from the whole wireless thing and talking about security in general, I can tell you that the crackers that cause the most damage are the ones who really don't know what they're doing and have just picked up a cracking toolkit (i.e. script kiddies). The script kiddies frequently end up leaving a machine they've attacked in a completely destroyed state _by accident_ (their intention is to use the machine, not destroy it but frequently it ends up trashed). On the other hand, if your system is attacked by people who know what they're doing the chances are you won't notice for a long time.
Re:None of which will matter (Score:2)
but my intent was not to tell everyone "don't disable SSID broadcast or don't use mac filtering",
My point was rather, that you can't call your WLAN secure, just because you took some very basic measures, and even you can concur, even script kiddies can get past these things, so just having them is not going to do any good either.
I guess what I am trying to say is security is not absolute, but a relative measure. There is no checklist that you can tick away and
Re:None of which will matter (Score:3, Insightful)
Absolutely - security is always a balancing act between security and usability. On one end of the scale we have the most secure setup - you have everything unplugged and turned off all the time. Obviously whilst that's completely secure from remote attack it's also completely unusable. On the other end of the scale is no security and everything's re
It's like swimming with sharks (Score:2)
There's a saying among scuba divers, how do you fend off a hungry shark with a 2 inch knife? You stab your buddy and swim away.
Re:It's like swimming with sharks (Score:5, Funny)
But how do you get the knife away from the shark?
Admin, admin (Score:2)
I'd put more blame on companies that put "out-of-the-box" ahead of security... ship the damn thing secured and have it run a "first-time setup" utility from CD-ROM for the newbies.
WPA2, not WPA (Score:5, Informative)
WPA2 overview [zdnet.com].
If your hardware supports it, use WPA2. If not, settle for nothing less than WPA, as WEP is a joke and trivial to break into.
Re:WPA2, not WPA (Score:4, Informative)
Re:WPA2, not WPA (Score:2)
Re:WPA2, not WPA (Score:2)
Re:WPA2, not WPA (Score:2)
True (except for Gentoo users like myself, who'll be using text config files anyway). Why isn't there an easier way than manually writing a wpa_supplicant
Re:WPA2, not WPA (Score:2)
Re:WPA2, not WPA (Score:2)
Direct Link (Score:2)
Re:WPA2, not WPA (Score:2)
Re:WPA2, not WPA (Score:2)
Given the limited spectrum and bandwidth for wireless networking, as well as the fact that you are broadcasting, I think it is best to use wired networking for any device that isn't mobile. That gives both higher bandwidth to the stationary devices, and potentially frees up bandwidth to the wireless devices.
Re:WPA2, not WPA (Score:2)
Re:WPA2, not WPA (Score:2, Interesting)
That's exactly what the parent said, not by moving to WPA[2], but rather by running a VPN/IPSec over the WEP link. I would consider this to be almost a better solution than solely WPA2 (without question VPN over WPA2 is the best solution). The VPN provides an additional, *alternate* security layer.
Re:WPA2, not WPA (Score:2)
Most of the time the lack of security on the networks is down to the administrators (who are often just home-users or small businesses with no IT knowledge) not bothering to turn the existing systems on. There's no point in inventing shiny new security protocols if no one bothers turning on the existing ones. This is at least partly the fault of the manufacturers for making it possible (or at
Re:WPA2, not WPA (Score:2)
Now, at home I have to run WEP. I am running very old AP hardware, and don't have much inclination to upgrade. On the other hand, I keep the machines on my home network reasonably secure. The only thing you could re
End user has the burden (Score:2, Informative)
Re:End user has the burden (Score:2)
Re:End user has the burden (Score:2)
Re:End user has the burden (Score:2)
I found it quite easily. But then, I was using the Netgear drivers on Windows 98 - and then a second time on Windows XP with some other hardware-provider-supplied configuration tool. I've never had to use the Windows XP native tools - presumably they're your problem. Isn't progress wonderful?
Re:End user has the burden (Score:2, Interesting)
Ugh... I think it has more to do with people don't know how or why to secure it.
I have helped a couple friends out with small computer problems. The following conversation has happened a couple times:
Me: ohh.. Who has the laptop? You might want to get them to secure the wireless on this router.
Clueless Friend: umm.. wireless??? Laptop???
Me: Yeah.. you have a wireless router and it's not encrypted and you still have all the default passwords.
Clueless Friend: ohh.
Re:End user has the burden (Score:2, Insightful)
After all, wifi and computers nowadays get sold as something easy to use and setup. Just plug it in and it works.
Unfortunately, the reality doesn't really live up to the promises.
That is, even if the just works part is true (which of course everyone who has been the resident computer geek for friends and family knows isn't always the case, to put it mildly), in many cases the default setup is simply unbelievably insecure.
To sum it u
Re:End user has the burden (Score:2)
Re:End user has the burden (Score:2, Informative)
All that being said, the real "solution" to all this is to get the manufacturers to configure their install programs to make you set up security (or at least make "secure" the default)
I work for a large Canadian ISP, one of the products we now sell is our "home networking" package, this is basically an ADSL modem
General Security (Score:3, Insightful)
Take box home
Plug in box
let windows xp do its thing
Use.
Clearly for these advances to be of any use, customers must be informed of their necessity and setup must be kept as simple as possible (helped, I surprisedly add, by XPSP2's wireless configuration app)
The technology is all well and good, as long as it's being used.
Re:General Security (Score:2)
Re:General Security (Score:3, Interesting)
Re:General Security (Score:2)
Plug in box
let windows xp do its thing
Use.
5. Wonder why your neighbours snicker when you walk past.
WPA and the Linux Kernel (Score:2)
Re:WPA and the Linux Kernel (Score:2)
Why should I care? (Score:4, Interesting)
Re:Why should I care? (Score:2)
Because although you'll probably get off in the end, things will get sticky when somebody knocks on your door with a warrant/subpoena for all of the music/kiddy porn "you" have been downloading?
Re:Why should I care? (Score:2)
Re:Why should I care? (Score:2, Interesting)
Re:Why should I care? (Score:2)
For the purpose of having authorities banging on your door they are in the same category.
Re:Why should I care? (Score:2)
If you have a firewall between your AP and your computer, you're a step ahead of most people anyway.
Re:Why should I care? (Score:4, Insightful)
And how secure do you think your computer really is? When it is behind your router it has the advantage of being somewhat obscured to the rest of the world by NAT. A hacker inside your own network just has your software firewall to break down - one step closer. Furthermore, if he is able to get access to your router he probably also has access to everything you send - are you sure you want all that to be logged?
You are very naive.
Re:Why should I care? (Score:2)
If the protocols (eg, alternative to TCP/IP) could be reworked so that concepts like person-to-person, person-to-service, and service-to-service connections were possible (and unspoofable), that'd go a long way towards allowing us to build enormous, decentralized mesh networks where Inter
Re:Why should I care? (Score:3, Interesting)
Haha, heh...wait, are you serious?
While we're on the subject of naivete...I really don't get the whole idea of "wireless security." People should be focusing on secure end-to-end protocols, not trying to secure the link that goes from your computer to the next hop. You do realize that everything is sent in the clear after that hop, right?
While making the wireless connection as secure as a wired connection (i.e. not very) may impede the casual traffic sniffer, it's really rather silly to think that it
Re:Why should I care? (Score:2)
Re:Why should I care? (Score:2)
Re:Why should I care? (Score:2)
What means this term "wireless security"? (Score:3, Insightful)
When my folks go to the car lot, they know to look at the Buicks. When they go to Best Buy, they don't know they're looking at the equivalent of a crotch rocket motorcycle that will surely get them killed.
Ship APs with WPA Enabled? (Score:3, Interesting)
On many sites, you sign up, and get given a random password. How hard would it be for manufacturers to ship APs with WPA enabled with a random password/key which is printed on the back of the user manual? (this is a genuine question) XP asks for a password when you try to connect to it automatically, and if you are using linux etc then you know what the deal is anyway.
Re:Ship APs with WPA Enabled? (Score:4, Informative)
on the back of the modem is the MAC address of the eth0 port, and the default
WEP/WPA key.
Went in and changed it and everything is happy. But the thing shipped with WPA
enabled and the default (which looks random..) key next to the serial number.
Neko
Re:Ship APs with WPA Enabled? (Score:2)
In some sense, having the password at all is a step up from none at all. If I was wardriving or using a local AP, my first targets would be non-encrypted networks, and then WEP networks. If it was a WPA network (even with a short password) it would probably discourage me more and I might move on to
Re:Ship APs with WPA Enabled? (Score:2)
Though that may be true, it kind of misses the point of the whole exercise. If there is a legitimate need to secure WiFi APs in the first place (which in many cases is arguable), then someone ne
Re:Ship APs with WPA Enabled? (Score:2)
Current State: Safe (Score:2, Insightful)
A Real Question (Score:2, Interesting)
What's the bottom line for my home network? I've got WPA on my 802.11g network. I changed the default passwords, etc. Is there any realistic chance of being compromised?
Also, as an individual and not a business, what motivation would someone have for doing so?
Re:A Real Question (Score:3, Informative)
Re:A Real Question (Score:2)
The motivation? Perhaps ID theft. More likely so that a bored nerd could say he is a 1337 haxor. If you have internet access, maybe one of your neighbors wants free internet.
Some tips? Stick with WPA protection, of course. It is also a good idea to set your local IP address r
Re:A Real Question (Score:2)
MAC Filtering? overcome by MAC spoofing
Change your IP Address range? Don't bother, if you can break the Encryption, simple packet sniffing will give it to you
Disable Beaconing? Stops Netstumbler but Kismet will see the network the moment you send anything over it. (Although if you have an open network do everyone a favour and disable
Re:A Real Question (Score:2)
My thoughts exactly. While these measures CAN be compromised with a lot of effort, most people will move on to the unprotected network unless they're in it for the challenge of getting on. I know before I paid for my broadband, I had MANY networks to choose from in my apt. building. If it had WE
Waiting for the hardware to catch up (Score:2)
Can a broadcast signal ever be secure? (Score:3, Insightful)
As inconvenient as wires are (and even they are not totally secure), they do reduce the amount of one's personal information freely broadcast into the ether.
waste of time (Score:2)
simpler passphrases? (Score:2)
So even beyond the fact the encryption ain't much good, open networks tend to win out because everything else
help a clueless guy? (Score:2)
good cheap wifi hardware - AirLink101 (Score:3, Informative)
He's trying to win a video card (Score:2)
He's just trying to win something. He's certainly not a subject matter expert
There's no way to secure a WiFi network? (Score:2)
It's virtually impossible to keep unauthorized parties off of your AP using out of the box software.
WEP? Known cryptographic challenges, can be cracked in a trivial amount of time using automated tools.
Access list of MAC addresses? Almost every wireless NIC allows you to watch traffic, and many allow you to reprogram the MAC address. You can watch someone authenticate at Starbucks, record their MAC address, then when they walk away, you just set your MAC address to theirs and you continue using their
Re:There's no way to secure a WiFi network? (Score:2)
This doesn't solve the problem at Starbucks though (since a pre-shared key wouldn't really work in that setup) but it makes a home wireless network a hell of a lot more secure.
Terrorists and pedophiles are everywhere... (Score:2)
Unimpressive article (Score:2)
For example, he doesn't seem to know what an IV is, and suggests there's something fundamentally wrong with them:
Answer is quite simple. (Score:2, Insightful)
Here's why we need SOLID WiFi Security..... (Score:3, Interesting)
I point this out as I used to work for a VAR that sold WiFi products to businesses who would just order the products and throw them up onto their network rather than pay us to come in and properly install and secure the environment (which was usually Windows based). When this happened and I pointed it out to them that this could be them (or something worse might happen, such as the cops knocking on your door because they traced the downloads to their net connection), they changed their tune in a hurry and let us secure the networks.
Places like Best Buy should hand this article out to their customers. That would reduce the problem in a hurry.
Linux and WPA (Slightly Offtopic) (Score:4, Informative)
So why haven't I improved things?
Simple. Even though I'm a pretty technical Linux user, I've been unable to really feel confident going out and buying 802.11g stuff with WPA, because the existing documentation on the net is pretty bad.
I'm waiting for the mythical "someone else" to set up a nice, straight-forward site that says "here are the cards you can buy at store X which support Linux and don't require binary drivers, patched kernels, and other crap" Sure, there are lists of chipsets, but the actual stores don't list the chipset in particular products often, and the vendors often have multiple versions of the same card with different chipsets.
I think a lot of the problem is the actual hardware industry itself. 802.11b wasn't hard to get Linux support for, but because of the software controlled radio in 802.11g chipsets, it's a bit trickier legally.
And don't get me started on Bluetooth. I got a new phone which has it, and I'd love to buy a little USB Bluetooth dongle so I can play with it, but right now the main Linux Bluetooth page has been asked to take down their list of devices known to work under Linux, because someone in the Bluetooth SIG complained the devices weren't technically qualified. (link [holtmann.org]) What a load of crap! So instead of getting a dongle which might not work, I'm just not going to get one at all. Everyone loses.
PCMCIA Firewire card is marginally easier, but again, trying to track down an actual card for sale which matches the user-reported specs and models is pretty damn hard. I spent conservatively 3 hours online and in Fry's reading before I got a card which works great until you eject it and panic the kernel.
I guess where I'm going with this rant is that wireless security (in the non-Windows world) would probably be better if the "standards" followed went a bit deeper and were more open to allowing outsiders to confidently buy products. All I'm asking for is a label or a sticker on the box telling me what chipset and version the device uses. It's not hard, and it shouldn't be a secret. Anyone technically savvy enough to make a purchasing decision based on chipset is technically savvy enough to figure out what chipset is in a device once they've bought it and spread the word.
Wow... my first rant. Sorry about that....
strong security over wireless is possible (Score:3, Insightful)
We set up such a configuration at DEFCON and despite various attacks against both AP and client, including evil twin, WDS exploits, traffic replay, etc. the network was absolutely impenetrable.
The only secure configuration I would consider would be WPA2 with RADIUS authentication. Pre-shared key is vulnerable to dictionary attacks so be sure to key with a good random string if you use this mode.
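The advice above to key a pre-shared-key network with a good random string, and the earlier suggestion that APs could ship with a random WPA key, can be worked through in code. This is an added example, not something posted in the thread; the SSID `ExampleHomeNet` and all function names are made up for illustration. It uses the standard WPA passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) and writes the result as a wpa_supplicant network block.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2-Personal maps a passphrase to a 256-bit PSK with
# PBKDF2-HMAC-SHA1, salted by the SSID, 4096 iterations.
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, easy to type


def validate_passphrase(passphrase):
    """A WPA passphrase is 8..63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_psk(passphrase, ssid):
    """Return the 32-byte PSK for this passphrase on this SSID."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes,
        PBKDF2_ITERATIONS, PSK_BYTES,
    )


def generate_passphrase(length=24):
    """Random passphrase from the OS CSPRNG, not a dictionary word."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def wpa_supplicant_block(ssid, passphrase):
    """Network block storing the derived PSK instead of the passphrase."""
    if '"' in ssid or "\n" in ssid:
        raise ValueError("this example does not escape quotes or newlines")
    psk_hex = derive_psk(passphrase, ssid).hex()
    return (
        "network={\n"
        f'    ssid="{ssid}"\n'
        f"    psk={psk_hex}\n"
        "    key_mgmt=WPA-PSK\n"
        "    proto=RSN\n"
        "}\n"
    )


if __name__ == "__main__":
    ssid = "ExampleHomeNet"  # constructed sample SSID
    phrase = generate_passphrase()
    print(f"passphrase: {phrase} (~{entropy_bits(len(phrase)):.0f} bits)")
    print(wpa_supplicant_block(ssid, phrase))
```

Because the only secret input to the PSK is the passphrase, a short or dictionary-derived passphrase is the weak point in this mode; 24 random alphanumeric characters carry roughly 143 bits.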
Not necessarily (Score:4, Informative)
The 802.11g spec does not mandate WPA; however, most modern cards and APs support it. While WPA has no known serious weaknesses, choose WPA2-compatible hardware if you're yet to purchase wireless equipment.
Re:Not necessarily (Score:2, Informative)
Re:Not necessarily (Score:2)
Re:Does this make me incredibly stupid? (Score:3, Informative)
Yes.
Have a look at this [www.ctv.ca]
Re:Does this make me incredibly stupid? (Score:2)
I wouldn't mind someone else using my connection, because "mother taught me to share" :) As long as they don't hog all of the capacity. I would hate it if people had to waste resources in building different wireless networks for each of them, when one would suffice.
This would be different if I used WLAN as a strictly local
Re:Does this make me incredibly stupid? (Score:2)
I did a couple of real basic things to secure the wireless segment of my home network.
Note that according to numerous articles my steps are not going to stop anyone really (or even mildly) determined. But I am getting there! However I worry *slightly* less since I took these steps.
1) Changed the AP's admin username and password
2) Enabled 128 bit WEP
3) Enabled MAC ba
Re:Does this make me incredibly stupid? (Score:2)
Good job.
2) Enabled 128 bit WEP
Good job, but try enabling WPA if you can, a knowledgeable hacker can break WEP encryption in only a few minutes.
3) Enabled MAC based access control
Rather pointless, anyone can change their MAC address, and once they break the encryption, they can see what MAC addresses are allowed by observing traffic.
4) Changed the default SSID
Pointless from a security perspective, although it's good to choose a unique SSID in case your neighbour
Re:Does this make me incredibly stupid? (Score:2)
On the other hand, people have been making long-range antennas out of Pringles cans for several years. So distance doesn't count for as much as you might think.
Re:Lock it all up == no free hotspots (Score:2)
Funny, I know a person who intentionally leaves his wifi at home open so if any of his neighbors want to use it they can. Personally I think it is a stupid idea, because if someone uses it for a nefarious purpose (terrorism, kiddy porn, etc) it is his hardware they will seize. I told him this, and he
Re:is this really new? (Score:2)
It seems like the author used the wayback machine and had it set for 2002 when doing research for this project.
Re:is this really new? (Score:2)
The biggest risk of running an unsecured WLAN isn't that other people will use your bandwidth, it's that they're on the same LAN as your own system(s). At that point they can access your shared folders, run packet sniffers and log passwords, etc. Whatever gateway you have to the Internet is not the only way into your co
Re:is this really new? (Score:2)
Wait. No I don't. I don't care.
As for packet sniffers, unless they've figured out a way to "pwn" one of the systems on my (all-OS X) network and install it (in which case, a fabulous career in network security awaits them, because nobody's done that yet without crafty "social engineering" as the back door), they would need to be connected to the network at the same time as I am performing the
Re:is this really new? (Score:2)
When my ISP gets a subpoena to find out who is conducting that activity, it would be me who takes the blame. At that point, it would be hard to say that it was some anonymous person connecting to my network.
Re:is this really new? (Score:2)
If you have ever owned a Windows box and had it connected to the internet, you ran the risk of somebody "pwning" it and using it for a phishing scam. When something like that happens, it pretty much comes down to you telling the ISP and the bank being defrauded, "hey, what can I say? I got hacked," and as long as you put a stop to the offending activity it's all forgotten about.
Likewise with my WiFi. If some joker was to use it for illegal activity, and questions were asked of me,
Re:Why rtfa? (Score:2)
And every other week we get the same "WiFi security basics" article.
Have to agree. Just because 802.11i exists, doesn't make it that interesting.
Which you can tell by the rush to purchase 802.11i
Re:problems with using WPA with repeaters (Score:2)
The latest Airport Express firmware is supposed to allow this. I just don't feel like reconfiguring my wireless network right now. I have two Airport Express's that make up my wireless network. The one connected via WDS is in a back bedroom.
Until I reconfigure it, I'm using WEP and not broadcasting the SSID.