Wireless Security: Did you know?

Based on my unscientific quick straw poll, the majority of computer-literate people have no idea how WLAN / wifi / wireless LAN security works and – worse – are actively exposing all their data and passwords to all services, having convinced themselves that they are “mostly” safe or secure.

I’m posting this in the (possibly vain) hope that it might persuade some more people to stop being foolish and/or lazy and perpetrating embarassingly poor security with their own and other people’s systems. I’m going to (hopefully) blow apart a popular myth. And hopefully get a decent Google ranking for it, which I’ll explain in a moment.

So what? I’ve been going around gently advising friends, colleagues, and acquaintances that they should make some minor changes that make all the difference and left it at that.

But then I went to a conference run by Sony (of Playstation fame) where they were running an unsecured network right on London’s South Bank, within easy reach of a vast number of cafe-goers and laptop users.

Oh – but they weren’t just running it unsecured, they were pumping out it’s SSID to all and sundry, offering a blatant invitation: they’d named it “DevStation 08”, broadcasting from a large building with 6-foot-high letters and logos on the outside and inside proclaiming the same name and advertising that DevStation was the Sony PlayStation developer conference. Um. Maybe not such a good idea? (and this is far from the first or only conference I’ve been to that’s done this – I’m not criticising the organizers of that conference in particular, it’s just a great concrete example showing that even well-funded orgs are making these very basic mistakes)

The worst thing…

…is that if you google wireless security you find many many pages and sites that advise on it, the vast majority of which avoid telling people the one thing they need to know – how to secure a wireless network the easy way? – and many of which veer so far clear of telling the truth it’s clear that the people writing them don’t have a clue about wireless security.

I’m no expert in wireless security, but … I have spent some years in online security and especially server security, so I have a fairly good idea what to look for and what to expect. I used some of my standard tools and knowledge to test out what I thought was going on with with wifi networks, and it’s proved very helpful. I’ve proved some of my suspicions, without having to rely on the vast number of incorrect and misleading websites out there. I may have made some stupid mistakes in this post (I’d welcome corrections…) but I’ve waited several months until actually trying out the various obvious attacks before having the courage to post about it, so I’m reasonably confident I’m not talking crap here :). Hopefully no-one’s going to shoot me down in flames here :).

The first few times I encountered people claiming that their networks were “secure enough” in ways that I found suspicious, I tried googling to confirm/deny what I thought was going on. I must have looked at close to a hundred odd webpages on the topic, and not ever found a straight answer. Argh.

The most important thing you need to know: if you are not using ENCRYPTION KEYS then you are GIVING AWAY ALL YOUR PASSWORDS, no matter what you think you have in place that is making it “not as bad as that”. You’re wrong. Trust me.

Levels of wireless security

Level 1 – switch it on and see if it works

This is really important when you buy a new computer / laptop / wireless router and need to find out if the damn hardware actually works and is all “compatible” with each other. There are many websites talking about things to do to make this work.

Sadly, very few of them (actually, no more than one that I’ve seen so far IIRC), tell you the most important final step:

Immediately disable everything, and start again from scratch with it all encrypted

Level 2 – hide the SSID

This is a good move – it stops your router from actively telling every computer (and – incidentally – many mobile phones (!)) in the area that you have a wireless network, that it’s free, and that they are welcome to use it.

What is an “area”? Well, with modern computers, it’s about 200 metres. That should be long enough to reach the length of your garden, into the garden of the house behind you, and out into the next street over. Quite a long distance. In most cases we’re talking *considerably further* than you could shout or see from your home, far enough that it would take you the best part of a minute just to run to the most distant point your wifi is reaching.

Unfortunately, anyone who knows anything about computers and who wants to get a free network will require approximately 10 minutes with google to find various tools that will give away your network anyway. But … it was a good first step – well done!

For most people, it’s *not worth the effort* of hiding the SSID, because you need to do the other steps anyway, and those “other” steps make you so secure that it doesn’t matter whether people can see your SSID. Many home users keep the SSID on just because it’s a pain in the ass to have it turned off when a friend comes round and wants to use their laptop etc.

Level 3 – force people to use a username and password to “login” before using the network

This is what the Sony conference did. It’s what several other conferences I’ve been to in the last few years have done. It provides … no security at all.

Did you read that correctly? I’m going to repeat:

A webpage with username and password provides NO SECURITY AT ALL to a wireless network

I don’t mean “because someone could guess the username/password” (they’re usually the same as the SSID name, sob).

I also don’t mean “because someone could casually ask anyone at the conference and probably be told straight away the correct answer” (although I’ve noticed that ten times out of ten that works. Easy!)

I actually mean because I verifiably was able to read all the internet traffic of everyone at each of these conferences WITHOUT LOGGING IN. This is using basic tools which are so common and widely used that I have them installed on all machines in the office *automatically* as part of the basic software install for new employees – no-one who does any multiplayer game development or online development (even webserver development!) would go without these tools.

The most common of all is Wireshark, an excellent network diagnosis tool which shows you all the traffic on the local network. Automatically. And … it has a nice feature where you click on some interesting traffic, and if it’s using TCP (note: all web traffic uses TCP) then Wireshark decodes all the information and reconstructs the stream of web-page requests and responses – including ALL THE FORM DATA YOU FILLED OUT, etc. On these “password-protected” wireless networkgs I ran WS just long enough to see that someone was logging in to their webmail (without reading the username and password, I just checked those fields were present), and then shut it down and wiped the data – I don’t want to know anyone else’s passwords, and don’t want to see anyone else’s private data.

Level 4 – turn on MAC authentication: only specific laptops / computers / etc can use the network

OK, so this seems REALLY secure. Several friends of mine use this, believing themselves safe. Um. Ahem. No. Sorry! If the data is not encrypted, then you have a setup that is no better than the one above – your router is still happily broadcasting (that means “shouting at the top of its voice”) all traffic to every wireless device in the immediate vicinity.

This is one of those things I googled extensively – at first, I thought surely routers wouldn’t be dumb enough to broadcast everything to all the EXPLICITLY DENIED wireless computers too? – and had no luck with finding simple answers (I didn’t want to try reading through the detailed hardware specs of wireless networking standards – there are too many of the things :( ).

Of course, unless they are implementing some key-exchange protocol, there’s no way they could stop themselves. And since I’m 99% certain that the MAC authenticated clients are using the same basic wireless protocol as the normal ones, which doesn’t include ANY key exchange, I’m pretty sure that MAC filtering is entirely pointless (from a “keeping your passwords private” point of view).

My friends are happily sending their hotmail passwords and all their private emails (you do realise, don’t you, that if you view an email in hotmail, your wireless router BROADCASTS that email to every wireless computer within a couple of hundred metres of you?) to their neighbours, their neighbours’ neighbours, and even to THEIR neighbours – and of course to every random person sitting in any cafe within a few hundred metres and who has randomly got their laptop out to do some work while they sip their coffee.

Level 5 – firewall

Some friends feel secure because they have a firewall. Windows Firewall now comes as standard on all Windows XP and Windows Vista machines. Apple computers running OS X have their own firewall built-in, and linux users generally know enough about networking to have implemented their own following one of the surprisingly easy-to-follow HOWTO documents on the web.

These all do … absolutely nothing.

As stated above…(sorry, going to repeat myself here)

if you view an email in hotmail, your wireless router BROADCASTS that email to every wireless computer within a couple of hundred metres of you

The firewall will stop some hacker/cracker from trying to break in to your computer. However, most crackers aren’t stupid enough to waste their time breaking in to your computer if you’ve already given them the password to every online service you ever use, especially your primary email address. Being able to SEND AND RECEIVE email from your inbox is normally enough for them to steal all the passwords to all your other online systems, including important ones like, oh, your bank account.

Worried yet? You should be.

Level 6 – WEP and WPA – encryption key-based, protected wireless network

Here’s the secret: security Levels 1 to 5 don’t really exist. They have practically nothing to do with wifi security. Some of them are very effective … at solving different problems. Unfortunately, too few people realise that there is more than one problem when it comes to security when using a wireless internet card – and that the main problem (can everyone else see your username and password? Can they read all your emails? etc) isn’t being solved by those other solutions.

If your wireless data is not encrypted, then it doesn’t matter whatever else you do – you’re giving away everything.

In case you were wondering how easy it is for people to find your non-secure network, think about this: All Windows and Apple computers automatically show the user which networks in range are secured, and which are unsecured. Yep. They make it *real easy* to find the ones that are crying out “please abuse me”.

What you should do next. Do it. Do it NOW.

Now, if you google, you can actually find many many websites / pages talking about the differences between WEP and WPA, and the comparitive advantage and disadvantages, and advice on how to get them working between, say, a Netgear router, a Linksys network card, a Windows PC, and a Mac Airport device. That’s fantastic – well done, teh interweb! (no seriously – I’m delighted).

Now, please, everyone STOP AVOIDING WEP/WPA. Actually, please just use WPA: it works on *everything*, and there’s a vast number of HOWTO’s, FAQ’s, and troubleshooting guides to get you up and running on every conceivable combination of hardware and software.

And if I’m wrong, if you can’t get it working, please feel free to comment here, and I’ll do my best to help you. Because, frankly, I don’t ever want to fire up OS X again and see in the list of nearby wireless networks any of them without that little padlock icon that tells me they’re using encryption.