I saw this up on CNN today: Man charged with stealing Wi-Fi signal

This had to happen eventually. I was particularly struck by this part of the story:

Innocuous use of other people’s unsecured Wi-Fi networks is common. But experts say that illegal use often goes undetected, such as people sneaking on others’ networks to traffic in child pornography, steal credit card information and send death threats.

Security experts say people can prevent such access by turning on encryption or requiring passwords, but few bother or even know how to do so.

You’d better believe that I’ve got encryption running, MAC address filtering turned on and my SSID hidden. I live in a block of row-style townhomes where I can “see” at least one other wireless network regularly from my living room couch (it has WEP turned on.) In my last episode of apartment living, I decided to see how many networks I could pick up on my 15″ PowerBook. I saw about six that regularly popped up in the Airport menu, and half of those hadn’t even had their default settings changed. To be fair, though, the other three were locked down with at least WEP turned on and I picked up on another three that weren’t broadcasting their SSID. (Hiding your network by itself isn’t a perfect fix, though, as WEP was off on one of the non-broadcasters, which allowed me to log on and pick up an IP without being asked for my password.)

Long story short, if you’re running wireless, learn how to protect it before you turn it on or else someone will steal it, or worse, compromise your network. Here are a few things to know about protecting your Airport base station.

1. Hide your network’s name (aka SSID) – One of the best ways to keep other people from stealing your WiFi is to make sure they don’t know it’s around to steal. Pick a name that’s different from your base station’s default name, and then check the checkbox in the Airport Admin program to set your base station to be a closed network. That will stop your base station from broadcasting its name for anyone to pick up. Now anyone who accesses your base station will need to know the specific name of your base station before they can access it.

2. Encrypt your wireless traffic – To protect the communication on your wireless network, turn on data encryption on your base station. Users who attempt to join your wireless network will be asked for a password before they can access your network.

There are four types of encryption you can choose to protect your Airport network:

128-bit or 40-bit Wired Equivalent Privacy (WEP)
Choose either of these options to protect your network with a Wired Equivalent Privacy (WEP) password. Choose standard 40-bit encryption for maximum compatibility, or choose 128-bit encryption, which provides maximum WEP security.

If you choose 128-bit encryption, only computers with 128-bit encryption-capable wireless networking cards will be able to join your network. If you choose 40-bit encryption, computers with 40-bit and 128-bit encryption-capable wireless networking cards will be able to join your wireless network, but they will join with only 40-bit encryption. (Unless you have a very old third-party wireless card, you’ll be able to use 128-bit encryption on your Airport network without a problem.)

WPA (Wi-Fi Protected Access) Personal
Choosing this option gives you a stronger method of encryption than WEP does. Why? WEP uses 64- or 128-bit encryption keys, but WPA offers up to 256-bit encryption keys, which are exponentially harder to decode. Also, while the WEP key is static, the WPA key is dynamic: it automatically changes on a regular basis (for example, Linksys’s WPA-compatible access points change theirs by default every 50 minutes). This foils would-be hackers’ attempts to figure out the WPA key by eavesdropping on your network traffic. By the time they can decode your old WPA key, your network has already switched to a new WPA key, so WPA is significantly better than WEP, which uses the same WEP key repeatedly.

WPA Enterprise
This option is available if you are setting up a network that includes a RADIUS server, which most home networks don’t, but I wanted to mention it all the same. Essentially what a RADIUS server does is provide a central authorization server for wireless access, so that access can be controlled on a per-user basis. I don’t believe that Apple currently sells a RADIUS server solution, but they do build support for it into the Airport Extremes and Expresses so that those base stations can be integrated into a network that has a RADIUS server controlling who can and can’t access the wireless network.

There are a couple of caveats to keep in mind with encryption on an Airport network. The original Graphite Airport base station only supported 40-bit WEP, which is reportedly easy to crack. The 2nd generation Snow Airport supports both 40-bit and 128-bit WEP but doesn’t support WPA. The Airport Extremes and Expresses support all four kinds of encryption. Fortunately, to avoid confusion, the Airport Admin software tailors what options are available to the kind of base station it’s connecting to and doesn’t give you the option of trying to enable WPA personal on a Graphite.

Also, all Airport cards support both WPA and WEP, in addition to LEAP (Cisco’s proprietary encryption scheme.) So even if you have one of the first 802.11b Airport cards, thanks to the joys of the firmware update it can talk to any Airport base station no matter what encryption is being used.

3. Use Access control (aka MAC address filtering) – This is one of the better ways I’ve found to restrict access to your network, as enabling this will allow your base station to check the MAC address of your wireless card against a stored list of authorized devices. Not on the list? Can’t get access. One thing to remember is that if you are using access control in an Airport network that’s using Wireless Distribution System (WDS), copy the access control list to all base stations on the network. Access control is vulnerable to MAC address cloning, where someone makes their wireless card falsely report the MAC address of an authorized card, so use it in combination with strong encryption.
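Steps 1 and 2 are linked under WPA Personal: the standard (IEEE 802.11i) derives the 256-bit key from the password and the network name together. The Python below is an added example, not part of the original post or of Apple's Airport software; the network names and the second passphrase are constructed, and the first pair is the test vector published in the standard.

```python
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal pre-shared key.

    IEEE 802.11i defines it as PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32 bytes of output.
    """
    # The standard only allows 8-63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )


def same_key(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True if one passphrase yields the same key on both network names."""
    return hmac.compare_digest(
        wpa_psk(passphrase, ssid_a), wpa_psk(passphrase, ssid_b)
    )


if __name__ == "__main__":
    # Test vector from IEEE 802.11i: passphrase "password", SSID "IEEE".
    key = wpa_psk("password", "IEEE")
    print(len(key) * 8, "bit key:", key.hex())

    # Constructed names: the same passphrase on two differently named
    # networks gives unrelated keys, because the name is the salt.
    phrase = "correct horse battery staple"
    print("same key on both names:",
          same_key(phrase, "default-name", "Maple-Row-7"))

    # A too-short password is rejected before any key is derived.
    try:
        wpa_psk("short", "Maple-Row-7")
    except ValueError as err:
        print("rejected:", err)
```

Because the network name is the salt, a name unique to your base station means the key derived from your password is unique to your network, so renaming the base station helps the encryption as well as the hiding.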

Anybody have any additional tips, horror stories, or tales of stealing WiFi from the unwary? Let me know the details down in the comments.

  1. For people using any base stations, change your network name, login, and password. I have seen many running with the factory defaults for login and password. I have actually logged in to a few and “fixed” a setting or two.

    Also, a little performance hint is to use some scanning software like KisMAC to see what channels other wireless networks in the area are using and pick a different channel than any of them for your network. This will help increase your range and connection speed (this is the issue I have “fixed” on a few “open” base stations).

  2. Here is a GREAT URL which dispels some myths about wireless security; READ!

    http://blogs.zdnet.com/Ou/index.php?p=43

    MAC filtering isn’t so great, unfortunately.

  3. Rich Trouton Monday, July 11, 2005

    MAC filtering, by itself, isn’t the end-all and be-all of security. Neither is encryption (though it’s the best at standing alone), and neither is SSID hiding, when each method is used by itself in isolation. Combining all three makes your wireless network a much tougher nut to crack.

  4. Jacob Albertson Monday, July 11, 2005

    I have a pretty simple question. Is it possible to share your wireless internet while still maintaining a secure connection for your data and possibly controlling the bandwidth of other users sharing your network?

  5. Rich Trouton Tuesday, July 12, 2005

    Jacob,

    Yes, it’s possible, but it’s something that takes more expertise than I have with networking to do, so I can only give you the broad outlines of how to do it. What you can do is have two separate wireless networks running, one “private” and the other “public.” You’d then have the “public” network be run through a proxy server or VPN which would have bandwidth throttles running on it. The proxy or VPN would also have to be on a different subnet from the “private” network and so not allow access to that network, but would still be configured so as to have access to your internet connection.

  6. Thanks for the reply. The reason I was interested is it would seem like an interesting and useful project to set up a neighborhood wireless network so that a large area could share one access point. But the most obvious concern is that each user’s connection be secure and one user not be able to take up all the bandwidth downloading from BitTorrent.

  7. if wpa is the strongest method of encryption, are there any down sides? in other words, is there a reason why you wouldn’t choose this option? thanks.

  8. Rich Trouton Monday, July 18, 2005

    bibb,

    The main reason to choose WEP over WPA is compatibility. Almost all wireless cards on the market today can use and understand 128-bit WEP, no matter what access point it’s being served from. That’s not necessarily the case with WPA, as not all wireless cards and access points can understand and use WPA.

    From the Mac perspective, all Apple Airport cards running on OS X can use WPA. For those using other cards, check the manufacturer’s website to see if they have been WPA certified by the WiFi Alliance, the standards group for WiFi. The WiFi Alliance also maintains a listing of WPA-certified equipment on its website.

  9. thanks, rich. if i’m understanding your answer correctly, i think it means that, while i’m at home, wpa is ideal; but if i’m on the road and hit one of those access points that can’t understand wpa, i’ll need to use wep.

  10. bibb,

    On the road, your level of authentication is determined by the wireless access point you’re connecting to, so that’s by and large out of your control. At home though, I would definitely set my Airport base station to use either WPA or WPA2 authentication (WPA2 compatibility was just introduced by Airport 4.2 this past week for Airport Extreme cards.) That way, you have a more secure encryption scheme than is possible with WEP encryption.

    Getting back to being on the road, especially at areas offering free WiFi, you’ll run into some security worries, since those networks may be essentially wide-open with no protection against other people also on that network from trying to intercept your connection’s traffic for nefarious purposes. One safeguard I’d recommend is to sign up with a VPN provider. Using a VPN will allow you to encrypt your traffic being sent over the WiFi connection, making it secure against someone who’s trying to scan your network traffic to pick up passwords or other information. If you have a VPN account from your school or workplace, this will work to protect your connection. If you don’t have one, two providers of public VPN services that I know of are HotSpot VPN and Public VPN.com.
