Wireless Insecurity
A series on cracking wireless security that originated on our Tom’s Networking Site has got a few people steamed. And before you send me another nastygram, take a moment to hear me out.
Most wireless networks these days operate without any encryption whatsoever. And while security professionals (and even some journalists and the FBI) try to make the point that this is a foolish practice, very few of us take the time to do otherwise.
I can’t tell you the number of wireless networks that are running in the clear at the homes of people who should know better: IT executives, corporate titans of industry, and computing professionals who are familiar with PKI and hacking tools. Why do so many people forgo encryption? There isn’t any one good reason. Setting up encryption over your wireless network often requires a Computer Science degree, plenty of patience, reading at least two manuals, or just dumb luck.
It could be that since setting up a wireless router has become so easy, and the routers themselves now retail at less than $100, we have all become complacent. Maybe when you get unencrypted communications working you stop, thankful that your router is working at all.
Part of the problem is that there isn’t a single "encryption" technology that will protect your wireless network. Of course, there are several different standards and the implementations of these standards vary from complex to ridiculously impossible to implement.
One wireless encryption standard isn’t worth even trying, and that is Wireless Encryption Protocol or WEP. WEP in fact is so easy to break that our editor Humphrey Cheung wrote about how to do it. We posted these articles not to make it easier for people to hack WEP networks, but to demonstrate to IT managers and others In Charge that perhaps choosy corporations should choose another encryption scheme.
WEP has been broken for some time and its replacement, WPA, has been available for at least two years. Yet manufacturers are still shipping products with WEP as their sole security scheme. They wouldn’t if people wouldn’t buy them. We hope this article helps people to not buy insecure products and to take the steps to properly secure their wireless LANs.
The holy grail of wireless encryption right now is setting up Wi-Fi Protected Access (WPA) encryption. This is the most secure method that is currently commercially available, and it is getting wider support from the vendors and in more shipping products. However, getting WPA working isn’t easy, as I mentioned before. Nor do all vendors offer support for WPA on all of their products.
But things are changing. Several vendors, especially those who sell chipsets into the lower-end home router lines, have stepped up to the challenge of making encryption more effortless.
The theory is to have a single button on the router that you can press to initiate the setup process. This, like the one-button backup on external hard drives, is easier said than implemented. This is because, like backups, you need to orchestrate the dance of the router and each client in a careful conversation; otherwise the encryption won’t work. While it is great to have a button to press, you have to make sure that your software macros can not only control this series of events to establish secure communications, but also handle all sorts of error conditions or exceptions as they go through the process of changing the SSID of the router to something other than the vendor’s name or your address (neither of which are good ideas, BTW), and transferring the keys back and forth between client and router.
Of course, each vendor’s scheme is proprietary and not compatible with others, but so what else is new in the world of networking? So far, we have schemes from:
- Buffalo Technology’s AirStation OneTouch Secure System (AOSS)
- Atheros JumpStart
- Broadcom’s SecureEasySetup
There is actually a fourth scheme, and that is a software product from Interlink called LucidLink, which essentially runs a simplified RADIUS server on your network. They offer a free untimed three-user version for download.
As mentioned on our Tom’s Networking site, HP and Linksys have adopted Broadcom’s scheme, and the first routers from Linksys are now available as upgrades to the WRT54G models.
Now, normally having four different schemes isn’t big news in the networking world, as I just said. But the interesting twist is that Atheros is trying to make a difference by posting their scheme as open source on SourceForge’s Web site. Given that there is some early market momentum in the Broadcom camp, it isn’t entirely altruistic. But still, anything that will move encryption out of the PKI faithful and into the general user population is worthwhile.
In the meantime, if you are running a wireless router and haven’t bothered to turn on encryption, you shouldn’t wait for these one-button products to come out. Take the time to protect your network. And please, don’t use WEP or think of it as any protection. For some other great suggestions, you can also read this article.




