Home Wireless Security
Posted by Dan Draney on February 22, 2006
I’ve had a home wireless router for almost 3 years now, in various states of non-security along the way. Lately, I’ve been learning about this topic for myself, so I thought I’d pass along what I’ve learned.
Why bother? It’s certainly simplest to run your wireless network completely open, and that idea may be tempting. Internet access should be “free,” right? What difference does it make if a neighbor, or even a stranger, mooches a little of your bandwidth? Well, what if the neighbor, or neighbor kid, or stranger is sharing pirated music over your access point? What if he’s downloading or distributing kiddie porn? If anyone traces that traffic, they’ll trace it back to your IP address and to you. It was without your knowledge, but, since your ISP’s records will show it all came from your house, good luck convincing people it wasn’t you.
Secondly, all traffic between your router and your wireless computer travels through the air in the clear. Anyone nearby can “sniff” the packets and determine exactly what’s in them. Your email (and password), what web sites you visit, all your internet activities are open to the world. Information you enter in a secure webpage (one that starts with “https://…”) is still secure, but most other things are open.
So what can be done to make it harder for uninvited guests to join and/or monitor your wireless network, and how effective are these steps?
- Changing default names
- SSID hiding
- MAC address filtering
- WEP encryption
- WPA encryption
New Names. The first thing to do is to change the default name of your network and the administration password for the router. This is easy to do, and it at least prevents accidental access. It’s also more fun than having your network named “Linksys” or “Belkin54g.”
SSID Hiding. The SSID is the name you give your network. The router may broadcast that name or “hide” it. In practice hiding the SSID provides very little security, as the network can still easily be detected. I actually turned the SSID broadcasting back on, because it’s more convenient to be able to see the network is available.
MAC Address Filtering. Each machine on a network has a Machine Address Code (redundantly called “MAC address”). It is possible to set up most routers to accept connections only from computers with specific MAC addresses. This is the system used by the U of Neb and also by the college Tycho attends. This seems to be super safe, since the network administrator has to affirmatively add a MAC address to the approved list to grant access. In fact, this is not secure at all against a determined, semi-sophisticated hacker. The problem is that the MAC addresses themselves are traveling through the air in the clear. A hacker with a packet sniffer can quickly compile a list of approved MAC addresses for the network. Setting his machine to spoof an approved MAC address is also easy. Since this approach is also a pain in the neck to administer, there’s really no reason to consider using it, if you have any better options.
WEP. Wired Equivalent Privacy (WEP) encrypts the data that passes between your machine and your router. The encryption can use either a 40-bit or 128-bit key. The encryption algorithm used is strong, but the implementation is severely flawed. Someone who knows what they’re doing can break WEP encryption in less than an hour, perhaps a lot less, depending on the passphrase you choose. WEP is good enough to stop the casual cyber trespasser, but it will not hold up against a sustained attack. If that’s the best your systems support, go ahead and use it. It’s certainly a lot better than nothing.
WPA. The encryption system to use, if your network supports it, is WPA (aka WPA-PSK). You establish a good, long, random “passphrase” and enter it on the router and on each machine that will have wireless access. All the traffic is strongly encrypted and can’t be read without knowledge of the passphrase (“pre-shared key”).
The WPA encryption works fine with my Belkin router (set to “AES” encryption) and my PowerBook running Mac OS 10.4 (“Tiger”). Apple calls it “WPA-Personal,” as opposed to the “WPA-Enterprise” system which uses a server. Presumably, the encryption/decryption adds some overhead, but there seems to be little or no impact on bandwidth on my 802.11g/DSL network.
So if your wireless hardware and software support WPA encryption and you’re not yet using it, make the switch today.
Much of the information here is culled from the excellent Security Now! podcasts on this topic. See episodes 10, 11, and 13 in particular for more information.