“$9.95 Plug and Play Wireless Router… What a STEAL!”
Wireless technology is becoming more and more popular... especially in homes with multiple computers in different rooms, when you don't want to drill holes in the wall... For this reason, apartment buildings seem to be ripe for the picking... I recently moved (yesterday and today) and apart from a $580 bill from the movers, things went relatively well... except the box containing my "networking components" is buried... That's fine... Tomorrow is dedicated to packing but my computers were disconnected on Friday and for a geek that's a long time to go with next to no internet access.... ok... maybe not so much geek and a little more addict... but whatever.
So we needed the movie listings.... (We saw Wild Hogs today) and realized we had a problem.... well two problems..
- The box with the "networking components" was buried
- The phone book was at the bottom of a box somewhere
Solution? Open the laptop and check out what's around... nothing fancy (no looking for hidden SSIDs or anything like that) just a simple connect dialog.. The result... 8 APs... 4 WEP, 1 WPA and 3 Unsecured.... Sure enough, I had my movie listings in under 5 minutes.
Now, I was borrowing the internet and had no malicious intentions... but what if I did... or what if I'd forgotten torrents open and left my laptop on while I went to the movie.... and let's say I did that... What if you had a 2GB cap because you paid less for it since you were just checking your email occasionally... At $1 / 100 MB for overage fees... that could cost the person.. With a truly malicious individual you're entering a whole new ball game.
It amazes me that this happens... The technology is cheap and people want plug and play... It should "just work".... Those famous, or perhaps infamous, words... "I don't care as long as it works"... "Do what you need to, I just want it to work". The home user doesn't care about security and doesn't want to be hindered... And with parents getting their kids the DS Lite or the PSP (which both support wifi) it's getting worse... My older Linksys wireless router requires, and Nintendo tells me to do this, that I disable WEP in order to connect the DS.
So what do we do about wireless security?
- Solution: Hide (don't broadcast) the SSID
- Problem: A tool like Kismet is going to find the "hidden" SSID in less time than it took you to check the "Don't broadcast my SSID" checkbox.
- Solution: Enable MAC Address Filtering
- Problem: It's relatively simple to watch the traffic for a valid MAC Address and then change your MAC. Hell, all it takes in Linux is ifconfig <interface> hw ether <MAC address>
- Solution: Enable WEP
- Problem: It can be easily cracked.
- Solution: Enable WPA
- Problem: You may need to buy a new router (this is enough of a deterrent for many people) and in many cases the password is trivial to crack (short passwords / dictionary words)
- Solution: Enable WPA2
- Problem: You may need to buy a new router
- Solution: Disable DHCP
- Problem: A smart attacker will figure this out and start testing standard "router-assigned" addresses... or even watch traffic for valid IPs..
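The WPA item above turns on passphrase quality, so here is an added example (not part of the original post) of a passphrase check for your own router. WPA/WPA2-PSK derives its key with PBKDF2 using the broadcast SSID as salt, which leaves the passphrase as the only secret. The wordlist, the 64-bit threshold and the SSID "HomeNet" are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

# Constructed sample wordlist; a real audit would load a full dictionary.
COMMON_WORDS = {"password", "linksys", "default", "wireless", "internet"}
MIN_BITS = 64  # assumed threshold for this example, not a standard

def derive_pmk(passphrase, ssid):
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32 bytes (IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(),
                               ssid.encode(), 4096, 32)

def estimate_bits(passphrase):
    """Upper bound on entropy: length * log2(size of character pool used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def audit(passphrase):
    """Return a list of finding codes; an empty list means no finding."""
    findings = []
    if len(passphrase) < 8:
        findings.append("too-short")
    # Leading/trailing digits ("linksys123") do not hide a dictionary word.
    if passphrase.lower().strip(string.digits) in COMMON_WORDS:
        findings.append("dictionary-word")
    if estimate_bits(passphrase) < MIN_BITS:
        findings.append("low-entropy")
    return findings

def generate_passphrase(length=24):
    """Random passphrase from a CSPRNG, letters and digits only."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for candidate in ("linksys123", generate_passphrase()):
        print(candidate, audit(candidate) or "ok")
    # Same passphrase, different SSID: the salt changes the key, but the
    # SSID is broadcast, so the passphrase is the only secret.
    print(derive_pmk("linksys123", "HomeNet").hex())
```

The entropy figure is an upper bound that assumes random characters, which is why the dictionary check runs separately.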
Really... there isn't a great solution for people that "just want it to work" and to keep out the malicious people... My personal preference however is 802.1X (which most people don't have at home) or a captive portal... This isn't for the non-geek usually though... Ideally I'd like to see something better... but in the meantime, people, do what you can to protect yourself....
A car alarm doesn't always stop a car from being stolen but thieves will most likely go for the running car with the unlocked doors sitting next to it. Wireless is really the same way...

Like you say, people just want it to work. They either can’t get the security to work because they don’t understand it (or more likely, they have trouble configuring Windows to connect properly) or they get it to work without security first, and just never get around to securing it. “Why tinker with it when it works now?”
I am not as lucky. Only sometimes will I get an unsecure, faint wireless connection in my apartment complex. The other 7 or so are secured, albeit almost all with WEP. (Not that that really stops me, but at least my neighbors know I’m around as I have a big hack sticker on my car).
I don’t know how wireless security can solve this, oddly. What makes things easy for users also makes things easy for attackers. I think the best bet would be to require just a simple passkey in the router setup and that simple passkey in the laptop. But even that is prone to problems as you still need to have people understand their SSID vs someone else. And while there may be unity in wireless router GUIs, client-side, setting things up is still very different vendor to vendor. Hell, even on Windows if you come to me with a laptop with some weird wireless driver/mgmt interface, even I can struggle for a bit.
LonerVamp,
“A simple passkey on the router / laptop” — Sounds to me like WEP
Ultimately wireless is like satellite… It’s floating through the air and as long as people have access to a portion of it (encrypted message/signal)… they’ll find a way to access the rest…
Ultimately it comes down to the balance game. Let’s go with a home robbery scenario…
I’m walking down the street and there are five houses (A, B, C, D, E). All 5 homes contain the same items as far as I know…
House A has the doors wide open and a giant neon “steal from me” sign..
House B has the doors and windows shut… but they aren’t locked..
House C has locked their doors and windows
House D has locked their doors and windows and has an alarm system and a guard dog.
House E has the doors and windows shut, an alarm system, a guard dog, razor wire fencing, and armed sentries…
Which house do you rob?
Ultimately, it’s house A because it has the weakest security… However House B is only safe because of House A’s existence… However by House D it’s no longer worthwhile for the attacker to break in… it’s more effort than the gains…
So House D and E seem to be the better bets… The problem is that the sentries at house E check your ID every time you come and go… so suddenly they’re hindering the access to your house… With House D you control the alarm and the dog is friendly… So House D is a nice trade off between security and accessibility.
Instead of providing “cheap” products, the vendors should be providing secure products… Here’s my dream AP / router…
- 802.11x (Port-Based Authentication)… Each username allowed to be authenticated only once… dead sessions can be timed out from the router interface.
- MAC Address filtering… while usernames don’t have to be tied to a MAC Address, once that username is entered it is tied to that MAC address and only that address until it is reset in the user interface.
- Requirement for alpha-numeric-symbol 10+ character passwords on router interfaces… HTTPS / SSH required… HTTP / Telnet gone completely..
- Wireless ‘ports’…. Wired ports are limited by the number of physical connections… I’d like the AP to have a customizable number of virtual “Wireless ports”… If you have only 1 wireless PC, you have only one wireless virtual port…. no one else can connect..
If this isn’t cost effective for the vendors, then they can raise their prices… Or… Option B
OTP (One-Time-Passwords)… What if the WEP key was a One Time Password… each router comes with a couple of OTP dongles… users have to generate the key each time they connect and it’s valid only for that session…
Security protocols are only as safe as the Perp lets them be. Time and knowledge will break down any wall, any security. I have a 2 tier system; 1 private network, 1 public.
I prefer to just disable SSID (that way average users are now disabled), apply WEP (for those that can scan) and then disable DHCP (remove any clients automation, making it time consumption game). Beyond these (WPA) you will find yourself pulling your hair out. Really, only malicious intentions exist when someone runs Unix with a wep scanner. So you maybe could stop them in realtime if you caught them.
For the public, I have an old Linksys 802.11b router that I run open, shared. That alleviates the thirst for trespassing. It’s already worked. I’ve found people parked on my street browsing the net, and I know they’re on my network; no problem I don’t mind. Because they’re on a totally different ip.
Cogeco, Rogers give multiple IPs, so perhaps it’s time to let users divvy them up.
And for those thinking of the responsibility I’m taking for those on my public network, no worries. Being a separate www IP, router logs, and syslog, my browsing (and 3 people in my house network on the private network) we are covered for where and when we’ve been somewhere. … I hope … as long as guests have stayed to THEIR public network and not hacked me. …
just helps as a deterrent.