Technology (A Special Report)

The Best Way To Protect Your Wi-Fi Connection

By Nick Wingfield

The Wall Street Journal

DESPITE A SURGE of interest in wireless Internet access using the Wi-Fi standard, there's been one black cloud over the technology: security.

Wi-Fi networks are more vulnerable than wired connections, because wireless signals can easily be picked out of the air with the right equipment. And once a hacker has gained access to your network, he or she can tie up your Internet connection, eavesdrop on your communications and maybe even rummage around on the hard drives of your computers.

Yet the first generation of Wi-Fi gear, especially products aimed at consumers, came with security features that were easily compromised by hackers and often clumsy to set up. Indeed, Wi-Fi gear is often sold with all the security settings deactivated, to save buyers the hassle, and a lot of users never bother to set them up.

The latest batch of Wi-Fi products is coming out with far more effective technology for scrambling data sent over the airwaves, making it more difficult for interlopers to decipher. And further improvements in Wi-Fi security that will mostly benefit corporate users are expected by early next year. There's no need to wait, though. Users can take a handful of steps now, if they're willing to take the trouble, that will act as effective deterrents to hackers.

The first thing users can do is make their networks a little less visible to the outside world. This can be done by adjusting the settings on your home network's access points, the antennas that you set up to link your Wi-Fi equipped wireless devices to your wired Internet connection. The settings are reached through one of the computers on the network, by typing in a private Internet address that is accessible only on that network. That will open a window where you can enter a password that will allow you to adjust the settings.

All access points let users create a unique name (called an SSID, for service set identifier) for their Wi-Fi networks. For a computer to gain access to the network, its Wi-Fi adapter card must be set up with the network's SSID. The adapter card's settings typically are reached through an icon for the card on your computer. Once the SSID on the card is set to match the SSID on the access point, the computer will automatically connect with the network each time you use it.

Users should create an SSID that isn't totally obvious, and change it on a regular basis. Don't rely on the default settings. Most Wi-Fi products leave the factory with network names that are easy to guess. The default SSID on Linksys products sold by Cisco Systems Inc., for instance, is "Linksys."

In many cases, hackers don't even have to guess at network names; they're handed to them. That's because most access points are automatically set up to transmit their network names to other Wi-Fi products in the vicinity, to make tapping into the network easier for legitimate users. But this also means any joker sitting in front of your house with a wireless device can borrow your Internet connection. This can be discouraged by disabling the "SSID broadcast" option on a network's access points, a change that will make the network invisible to most (but not all) types of equipment.

The settings on access points also should be protected from tampering, by changing the password that allows access to them. Most access points come from the factory with a standard password that, like the network's SSID, can be easily guessed; "admin" is a common one. Unless the password is altered, it's a cinch for someone to make unauthorized changes to an access point's settings, like deactivating encryption, the scrambling of network communications that keeps them from being read by outsiders.

Another form of protection involves creating the equivalent of an invite list for a Wi-Fi network. On an access point's settings, users can specify which machines are permitted to connect to the Wi-Fi network. This feature is known as MAC address filtering, a reference to the so-called media access control address, a unique set of numbers and letters that manufacturers assign to all networking devices, including the Wi-Fi adapter cards that go inside laptops.

The MAC address is usually found printed on the back of a Wi-Fi card or by looking up the card's settings on the computer in which it's installed.

Filtering by MAC address works best for home networks that have a regular set of users, but it can be a hassle in situations where, say, lots of different guests are coming over with their laptops to use the Internet. It's also not foolproof, since a hacker can forge the MAC address in his Wi-Fi card's settings, thereby impersonating an authorized user. One more password will help maximize your protection.

If a hacker taps into your network, he or she not only can use your Internet connection (which can bog down your network or even make it the launching pad for the hacker to attack other computer systems or Web sites) or eavesdrop on your e-mail. The hacker also might be able to rummage through the files in one or more of your network computers. This is a danger when a computer has been configured to share its entire hard drive with all users on the network without requiring a password. Such sharing can be useful for, say, easily grabbing digital music off a PC in the den and putting it onto a laptop in the bedroom. However, it's best to share only those folders on the hard drive that really need to be shared, and to require user names and passwords from anyone who wants to connect to your PC.

Again, you can't rely on preset protection. Access points usually come with firewall software that will prevent intrusions on a home computer's files over the wired Internet connection coming into the house, but won't prevent attacks over the wireless network. Even with all these barriers in place, a determined hacker could still eavesdrop on your network unless your access point is set to scramble all communications.

Most Wi-Fi products have long relied on an encryption technology called Wired equivalent privacy, or WEP, to convert into gibberish all data transmitted back and forth between wireless-equipped computers and access points. For the average user, though, setting up WEP is no joy. In many cases, it involves entering a "key" (a string of letters or numbers) on the access point, and then typing the same key into all computers that are authorized to connect to the access point, similar to the way you set up a network SSID. Like an SSID, once the key is in place on the access point and in the network's computers, there is no need to re-enter it unless you want to change it.

This doesn't sound so bad, but the strongest WEP on most wireless devices, dubbed 128-bit, requires a key 26 characters long. Since that's probably more digits than users can commit to memory, it can be a bit frustrating entering such a clunky key on multiple machines. (The process can be easier with some Wi-Fi equipment.)

Plenty of Wi-Fi users don't bother to enter encryption keys. That was clear on a sunny afternoon in Atlanta in early August, when David Thomas, an engineer for wireless-security firm AirDefense Inc., a local company, hopped into his sport-utility vehicle and drove downtown along a 10-mile stretch of Peachtree Street. Using a laptop outfitted with a Wi-Fi antenna and some specialized software, a passenger picked up signals from wireless networks emanating from office buildings alongside the road. The SSIDs being broadcast by the networks appeared in a window on the laptop's screen, and the special software allowed the passenger to tell whether the networks' communications were encrypted.

At the end of the journey, Mr. Thomas's crew tallied 444 Wi-Fi access points. Of those, only about a third had activated encryption, which means Mr. Thomas theoretically could have surfed their Internet connections or peeked at the content of communications on their networks. The exercise performed by Mr. Thomas, dubbed war driving, is a favorite of hackers, who say they do it to highlight security vulnerabilities on wireless networks, not to steal corporate data.

"I don't think I've ever done a war drive where I've found more than one-third of the access points to be encrypted," says Mr. Thomas, who has taken similar tours through San Francisco, Washington and New York.

More-scientific studies show that business users are generally best about taking security precautions. About 80% of large companies are doing a "pretty decent job" of protecting their Wi-Fi networks, while about 58% of small companies are taking the same steps, according to Julie Ask, a senior analyst at Jupitermedia Corp.'s Jupiter Research, which recently surveyed businesses about their wireless usage.

The most common wireless encryption technology isn't totally secure, though. In 2001, a group of researchers showed WEP could be compromised.

Essentially, any skilled user with basic Wi-Fi equipment could figure out the encryption key for a Wi-Fi network by intercepting and analyzing enough scrambled data passing over the network.

On a corporate Wi-Fi network, where large buckets of data are constantly being shuttled around, a hacker sitting in a parking lot with a laptop could figure out a WEP key in under an hour. But it's a different story for home users, who tend to send far less data over their networks. "That means someone would have to sit in their driveway for a week," says Dennis Eaton, the chairman of the Wi-Fi Alliance, a wireless-industry organization.

It's doubtful, considering the effort required, that a snooper would bother trying to break the encryption on the average home user's network. What would they have to show for their work? Boring e-mails, instant messages, song downloads and Web page traffic, most likely. Credit-card transactions on most Web sites would be protected because of strong security features built into Web browsers.

For the vast majority of users, taking basic steps like the ones mentioned above to prevent unauthorized access to an access point and turning on encryption in the device will be plenty good enough security. "If people still want to crack into your network after you've done all that, then they should really just break in through your back window," says Nigel Ballard, Director of Wireless at Matrix Networks, a designer and provider of communications systems based in Portland, Ore.

Security is getting better in newer Wi-Fi products. Manufacturers are beginning to replace WEP with new data-scrambling software in their products called Wi-Fi protected access, or WPA, which eliminates the vulnerabilities of its predecessor. They also are beginning to offer this software for downloading from their Web sites, so users of their older products can benefit, too.

Even bigger improvements in Wi-Fi security are expected to come by early next year through a technology called 802.11i, which will further boost the strength of Wi-Fi encryption, improvements that will mostly benefit companies that want industrial-strength protection.

But while the security of office and home Wi-Fi networks is getting better, that still leaves questions about public Wi-Fi networks, one of the most talked-about aspects of the Wi-Fi phenomenon. Airports, cafes, hotels and other venues have begun to offer Wi-Fi access through so-called hot spots on their premises, with some charging for the service and others giving it away. But most hot spots don't activate security features like encryption, because that would make it trickier for users to get connected to the networks.

Mr. Wingfield is a staff reporter in The Wall Street Journal's San Francisco bureau. He can be reached at nick.wingfield@wsj.com.
