The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

Securing wireless networks is far too difficult

Tuesday, March 07, 2006 by Ed Finkler
in Infosec Education, Policies & Law, Secure IT Practices
Share:

This story at the NYT web site (registration might be required—it seems kind of random to me) about the prevalence of “piggybacking” on open wireless networks.  Most of the article deals with the theft of bandwidth, although there are a couple quotes from David Cole of Symantec about other dangers of people getting into your LAN and accessing the Internet through it.  Something that really struck me, though, was the following section about a woman who approached a man with a laptop camped outside her condo building:

When Ms. Ramirez asked the man what he was doing, he said he was stealing a wireless Internet connection because he did not have one at home. She was amused but later had an unsettling thought: “Oh my God. He could be stealing my signal.”

Yet some six months later, Ms. Ramirez still has not secured her network.

There are two problems highlighted here, I think:

  1. We haven’t done enough to make it clear why encrypting your wireless network is important.
  2. More importantly, wireless routers need to be secure out of the box.  Users will not change their behavior unless the barrier for wireless network security is lowered as far as possible, and that includes shipping routers with:
    • WPA encryption enabled
    • a unique shared key
    • a unique router admin password (the fact that millions of routers ship with the same default admin password is embarassing)
    • a unique SSID
    • SSID broadcast disabled

Think about it: if you purchased a car that came with non-functioning locks and keys, and it was your responsibility to get keys cut and locks programmed, would you be satisfied with purchase?  Would it be realistic to expect most consumers to do this on their own?  I think it’s not.  But that’s what the manufacturers of consumer wireless equipment (and related products, like operating systems) ask of the average consumer. With expectations like that, is it really a surprise that most users choose not to bother, even when they know better?

More: Hey Neighbor, Stop Piggybacking on My Wireless - New York Times »

Tags for this post:

Leave a comment (9 so far) »

Comments

Posted by Anon Y. Mouse
on Monday, March 20, 2006 at 06:55 AM

your points are generally good, except for the disabling the SSID broadcast one.

while workable in theory (it would stop Windows machines from even seeing the network), disabling SSID broadcast in practice can cause serious problems with link reliability at long range, or when there is any significant kind of interference - I found that out back in the early break of WEP days when I tried to disable it on a home network to provide more defense than WEP allowed.

if you have WPA2-PSK on by default with a sufficently long and random key, and a custom router password, that is more than sufficent security to stop most Wi-fi browsers.

in fact, AFAIK, there are no public known attacks against WPA2-PSK except for dictionary attacks against the password/phrase, and I believe such attacks are far more difficult than they are against WPA-PSK, since WPA-PSK had a weakness that made them much more practical on shorter passphrases.

Posted by CERIAS Weblogs » Illinois WiFi piggybacker b
on Friday, March 24, 2006 at 12:47 PM

[...] “Easy” is very relative. It’s “easy” for guys like us, and probably a lot of the Ars audience, but try standing in the networking hardware aisle at Best Buy for about 15 minutes and listen to the questions most customers ask. As I’ve touched on before, expecting them to secure their setups is just asking for trouble.  Tags for this post: best practices, personal security, piggybacking, wardriving, wifi, wireless, WPA Related posts: [...]

Posted by EDUARD NOLASTNAME
on Tuesday, April 18, 2006 at 10:24 AM

I have a wireless conection for my two home computer, when I set up my connection the software ask me to set a 60 bytes or something password key.It have to contain letters from a to f and numbers from 1 to 0
(thats is 1234567890) NO capitals letres,I try to do this and I couldt’n do it for some reason so now I have a unsecured network and I’m worry.

Posted by Henrik Vendelbo
on Monday, April 24, 2006 at 11:54 PM

A bit of devil’s advocate:

Why do I need to secure my home WiFi LAN ?

I use my PC to:

Browse Web
Check Email
Write a poster for kids birthday/...
Play a game
Log into company VPN

Ok, so I don’t. But loads of people have that level of usage.

Posted by Dan Halford
on Sunday, April 30, 2006 at 12:29 PM

Disabling the SSID is a bad idea. Ignoring one commentator’s response that disabling SSID broadcast will stop a Windows box from even seeing the network in question, disabling SSID boradcast also makes your network non-compliant with the various 802.11 RFCs.
It might not sound important (and it might not be) but standards are there for a reason.
Disabling SSID broadcast also does virtually nothing to maximise security. I did read somewhere of a way to find out the SSID of such a network by simply using two machines. One broadcasting on the same WiFi channel (with the antenna gain boosted) and another laptop listening on that channel. As soon as the SSID-disabled access point gets drowned out, clients will try to connect to it again. And guess what, the SSID of the network is contained, in clear text, in the packets.

Posted by Ed Finkler
on Tuesday, May 2, 2006 at 03:54 AM

Dan,

Few things, on their own, “maximize security.”  Some help more than others, for sure, but a multilayered approach to security is far more effective.  That’s why I didn’t just say “disable SSID and you’re kosher.”  I also encourage people to turn off/modify server signatures on ther www servers, but that’s certainly not going to stop a determined, targeted attack.  What both actions do is make it less likely that you’ll be targeted by a random attacker.

If someone is so determined to break into your home wireless network (remember, I was talking about ease of use from an average consumer standpoint) as to set up a multi-system coordinated attack, you’ve got bigger problems, and certainly disabling SSID on it’s own won’t help.

As for non-compliance with standards: standards are sometimes wrong.  I don’t think that being standards-compliant is, in and of itself, a goal.  Interoperability is a goal, one that hopefully not interfere with security needs.  When it does, though, sometimes the “standard” needs to be modified, and that may not happen fast enough to address real problems.  That’s not to say that this is the necessarily the case with SSID broadcast.

FWIW, I have three Windows (XP SP2) machines and two Macs at home that can connect to my non-broadcasting WAP with no problems.  If there are issues with it under previous versions of Windows, though, that would fall under the part where I mention OS manufacturers as part of the problem.

Posted by Bryan
on Wednesday, May 3, 2006 at 02:40 AM

You don’t need a “multi-machine coordinated attack” to figure out an SSID, though.

All you need is the ability to listen for 802.11 management frames, and the ability to send them.  You send a Deauthenticate frame to a random client, making it look like it’s coming from the AP.  The client will disassociate, then reassociate.  Sniff the reassociation request (or response), and you have the SSID.

(We’ve also had problems with clients not roaming when SSID broadcasts are disabled, even when the client’s AP goes down.  But we have 6-7 APs, so roaming wouldn’t be an issue in most “normal” home environments.)

Posted by Ed Finkler
on Wednesday, May 3, 2006 at 03:33 AM

Fair enough.  Focusing on disabling SSID broadcast is specious, though—as I mentioned above, it’s like modifying your WWW server signature.  Camouflage, if you will, so folks who are just looking for a quick hit and run attack are much more likely to bypass you.  It’s very foolhardy to rely on it solely, but in conjunction with other solid security practices, I think it’s a legitimate recommendation for home users.  Corporate/large org use is another situation entirely, though, where targeted attacks are far more likely and compatibility issues are much more serious.

Posted by Jim Calvert
on Saturday, March 17, 2007 at 05:07 AM

You are absolutely correct. Achieving either wireless or wired internet connectivity is beyond the ability of the average user. How many know how to ping or know anything about an IP address or a gateway or a 128 bit WEP key? My guess is: very, very few.

My sharp born-with-computers college-attending grandchildren don’t understand how to do it, and must rely on IT experts to get the task done. What chance do other individuals have who are not surrounded by experts?

Internet connectivity has been way too difficult for far too long. By now it should have been a plug-in fait accompli.

Leave a comment

Commenting is not available in this section entry.

Previous entry »

« Next entry