Wireless Networks Offer Flexibility, Potential Snooping
Special to Consumer Reports WebWatch
|Sidebar: Which Encryption Tool Is Best?
|Sidebar: Glossary of Terms
With a laptop and a wireless home network, you can e-mail or surf the Web from virtually anywhere in and around your home – even your backyard. But so can an online intruder who’s tapped into your network by parking nearby with nothing more than a computer, wireless network card, antenna, and software downloaded from the Internet.
And serious hackers can do more than just piggyback onto your service. Given an unsecured network, hackers may be able to obtain valuable personal or financial data from your computers – or use your network for illegal activities of their own. Take Nicholas Tombros, the first person convicted under the new federal Can-Spam Act, in September 2004, who sent pornographic spam by tapping into wireless networks in Venice, Ca.
“For some, it’s a sport,” says Beth Givens, Director of Privacy Rights Clearinghouse, a San Diego-based consumer advocacy group. “But for others, there is a malicious intent to it.”
The growing popularity of wireless networks – called “WiFi,” short for “wireless fidelity,” and a generic term for local networks using the popular 802.11 technical standards – makes their security an increasingly significant consumer issue. About 7.5 million homes in the U.S. currently have wireless home networks, according to technology analysts Jupiter Research of Darien, CT. By 2009, 34 million homes will have access to WiFi, Jupiter predicts.
But at least half of all wireless home networks lack any basic security measures, says Jason Evans, a network engineer at the Wireless Network Security Center at the Stevens Institute of Technology in Hoboken, N.J. And millions of people already use public wireless networks, via laptops in cafés, hotels or airports – where network security is virtually nonexistent and online privacy can be compromised.
The nature of wireless networks makes them vulnerable to unauthorized use. While wired networks are limited to those computers physically connected to them via cables, home wireless networks typically feature a wireless router connected to a broadband modem, which emits radio waves stretching about 100 yards. This means anyone can park down the block from an unsecured home WiFi network and log into it within minutes. Indeed, WiFi has spawned “war driving,” when hackers cruise around in cars, locating wireless hotspots.
“War driving is a popular phenomenon,” says Marty Lindner of the CERT Coordination Center, a computer security institute at Carnegie-Mellon University in Pittsburgh. “The tools for doing it are freely available.” Sites like www.netstumbler.com and www.wifimaps.com even provide the software and maps for wireless network snooping.
Thus, by ignoring security on your own Wi-Fi network, Lindner notes, “You’re making it relatively easy for the motivated intruder to sit outside your house and learn about you.”
Simple Safety Solutions
If all this sounds alarming, however, the consensus among security experts is that a few practical Wi-Fi security solutions do exist, and can make your wireless network a far less inviting target.
First, use the security features on your network setup software. “Do not just install the wireless access point with the default settings right out of the box,” suggests Tom Karygiannis, a computer scientist in the Computer Security Division of the National Institute of Standards and Technology, a government agency in Gaithersburg, Md. The default settings of equipment manufacturers are common knowledge in the hacker community. You or the service representative installing the network can change the default password for the network.
Additionally, change the Service Set Identifier (SSID), which is the name of your wireless network. Do not give your SSID an obvious title, like your name or street address, since a war driver who can determine those things separately – by looking in the phone book, for instance – will have confirmation the network he has tapped into belongs to you. Turn off the feature automatically broadcasting the SSID throughout the range of the network as well.
You can also activate the Media Access Control (MAC) address feature, which assigns a numeric code for each computer on the network and seeks to limit network activity to those machines. This is not foolproof, however. “A MAC address can be spoofed,” says Evans, meaning an intruder can give his own machine a duplicate MAC address from your network – although it takes a good hacker to do this.
Consumer advocates also say home network users should demand these stronger security measures from their service providers. “Companies have taken too cautious an approach to security,” says Givens. As she notes of service representatives installing home networks: “They’re still setting the settings for you, whether they make them strong or weak.”
Those are starting steps. The most comprehensive protection for a wireless network is an encryption program to shield the flow of data moving on it. Essentially, the effect of encrypting data is that a hacker can still see traffic exists on your home network but will not be able to view the content of that traffic, whether it’s your online banking or surfing habits. (See Sidebar: Which Encryption Tool Is Best? )
On the Road
These adjustments should help protect your home network. However, if you use your laptop in cafes or on business trips, you will use networks lacking those safety features – precisely to allow widespread use.
“What people have to watch out for is when they start turning on the wireless in their laptop in hotels, for instance,” says Lindner. “Because that’s purely unencrypted.”
Moreover, wireless hotspots can potentially be subject to sophisticated methods of hacking. Researchers at Cranfield University in England have shown that hackers using their own access points in the vicinity of wireless hotspots can re-direct traffic at those hotspots, from its intended path to their own computers -- thus obtaining personal information without consumers being aware of their presence.
To protect your computer on the road, most security experts recommend installing a Virtual Private Network (VPN) application on your machine. This encrypts your activity and limits access to authenticated users, so you can send and receive data while maintaining privacy.
All these steps may seem like a hassle, given a potential security problem that might never affect you. But due to the nature of wireless networks, security analysts think it is the right approach. “You’ve got to take the almost paranoid stance, and try to do it the correct way, no matter what,” says Joshua Lackey, a Senior Ethical Hacker at IBM.
“There are so many unsecured networks. If you have any level of security, people are going to turn away and try somewhere else,” concludes Evans. “Multiple security features should be enough to make a home network safe.”
And then you can continue your backyard Web-surfing in peace.
Sidebar: Which Encryption Tool Is Best?
An encryption program can provide solid protection for users. However, the standard encryption tool of recent years, Wired Equivalent Privacy (WEP), “has been busted wide open,” according to Joshua Lackey, a Senior Ethical Hacker at IBM. Methods for breaking WEP have been posted on the Internet and shared among the hacker community. A better, newer protocol is Wi-Fi Protected Access (WPA), say experts.
While businesses should consider using WPA, home Wi-Fi users can probably stick with WEP. A hacker needs to monitor 24 hours of steady data from a network to break WEP – a bar higher than almost anyone will hurdle for a home account, notes Jason Evans, a network engineer at the Wireless Network Security Center.
“If you’re going to install a wireless network, then you should turn it on with the highest possible encryption that you can, based on the hardware that you have,” says Marty Lindner of the CERT Coordination Center at Carnegie-Mellon University.
The cost of switching from WEP to WPA varies. Some wireless routers support both types of encryption, and some manufacturers provide free upgrades via software that can be downloaded from their Web sites. But other wireless routers support only one kind of encryption, so consumers would need a new router equipped with WPA to make the upgrade; retail prices range from about $60 to $200.
Sidebar: Glossary of Terms
802.11 -- Series of technical standards for wireless networks; variations include 802.11b, 802.11g, and 802.11n.
Wireless Network Card -- Device in computers allowing them to pick up signals from a wireless router, and thus operate wirelessly.
Wireless Router -- A device usually connected to a broadband modem in a wireless network, which uses a radio signal to transmit data wirelessly over a relatively small area.
War Driving -- Term for hackers who drive around searching for wireless networks. Term coined as a variation of "war dialing," a phrase from the 1983 hacker movie "War Games."
WiFi -- Short for wireless fidelity, a term meant to refer to the various forms of 802.11 wireless networks. use of the term has been promoted by the Wi-Fi Alliance, an industry group.
WLAN -- A Wireless Local Area Network, such as one linking multiple computers in a home.
WEP -- Stands for Wired Equivalent Privacy. An encryption scheme meant to safeguard the flow of data over wireless networks. Researchers have discovered how to crack it.
WPA -- Stands for Wi-Fi Protected Access. A new encryption scheme intended as an upgrade for WEP.