Protecting your Airport network.

I saw this up on CNN today: Man charged with stealing Wi-Fi signal

This had to happen eventually. I was particularly struck by this part of the story:

Innocuous use of other people’s unsecured Wi-Fi networks is common. But experts say that illegal use often goes undetected, such as people sneaking on others’ networks to traffic in child pornography, steal credit card information and send death threats.

Security experts say people can prevent such access by turning on encryption or requiring passwords, but few bother or even know how to do so.

You’d better believe that I’ve got encryption running, MAC address filtering turned on and my SSID hidden. I live in a block of row-style townhomes where I can “see” at least one other wireless network regularly from my living room couch (it has WEP turned on.) In my last episode of apartment living, I decided to see how many networks I could pick up on my 15″ PowerBook. I saw about six that regularly popped up in the Airport menu, and half of those hadn’t even had their default settings changed. To be fair, though, the other three were locked down with at least WEP turned on and I picked up on another three that weren’t broadcasting their SSID. (Hiding your network by itself isn’t a perfect fix, though, as WEP was off on one of the non-broadcasters, which allowed me to log on and pick up an IP without being asked for my password.)

Long story short, if you’re running wireless, learn how to protect it before you turn it on or else someone will steal it, or worse, compromise your network. Here’s a few things to know about protecting your Airport base station.

1. Hide your network’s name (aka SSID) – One of the best ways to keep other people from stealing your WiFi is to make sure they don’t know it’s around to steal. Pick a name that’s different from your base station’s default name, and then check the checkbox in the Airport Admin program to set your base station to be a closed network. That will stop your base station from broadcasting its name for anyone to pick up. Now anyone who accesses your base station will need to know the specific name of your base station before they can access it.

2. Encrypt your wireless traffic – To protect the communication on your wireless network, turn on data encryption on your base station. Users who attempt to join your wireless network will be asked for a password before they can access your network.

There are four types of encryption you can choose to protect your Airport network:

128-bit or 40-bit Wired Equivalent Privacy (WEP)
Choose either of these options to protect your network with a Wireless Equivalent Protection (WEP) password. Choose standard 40-bit encryption for maximum compatibility, or choose 128-bit encryption, which provides maximum WEP security.

If you choose 128-bit encryption, only computers with 128-bit encryption-capable wireless networking cards will be able to join your network. If you choose 40-bit encryption, computers with 40-bit and 128-bit encryption-capable wireless networking cards will be able to join your wireless network, but they will join with only 40-bit encryption. (Unless you have a very old third-party wireless card, you’ll be able to use 128-bit encryption on your Airport network without a problem.)

WPA (Wi-Fi Protected Access) Personal
Choosing this option gives you a stronger method of encryption than WEP does. Why? WEP uses 64- or 128-bit encryption keys, but WPA offers up to 256-bit encryption keys, which are exponentially harder to decode. Also, while the WEP key is static, the WPA key is dynamic—it automatically changes on a regular basis (For example, Linksys’s WPA-compatible access points change theirs by default every 50 minutes.) This foils would-be hackers’ attempts to figure out the WPA key by eavesdropping on your network traffic. By the time they can decode your old WPA key, your network has already switched to a new WPA key, so WPA is significantly better than WEP, which uses the same WEP key repeatedly.

WPA Enterprise
This option is available if you are setting up a network that includes a RADIUS server, which most home networks don’t, but I wanted to mention it all the same. Essentially what a RADIUS server does is provide a central authorization server for wireless access, so that access can be controlled on a per-user basis. I don’t believe that Apple currently sells a RADIUS server solution, but they do build support for it into the Airport Extremes and Expresses so that those base stations can be integrated into a network that has a RADIUS server controlling who can and can’t access the wireless network.

There are a couple of caveats to keep in mind with encryption on an Airport network. The original Graphite Airport base station only supported 40-bit WEP, which is reportedly easy to crack. The 2nd generation Snow Airport supports both 40-bit and 128-bit WEP but doesn’t support WPA. The Airport Extremes and Expresses support all four kinds of encryption. Fortunately, to avoid confusion, the Airport Admin software tailors what options are available to the kind of base station it’s connecting to and doesn’t give you the option of trying to enable WPA personal on a Graphite.

Also, all Airport cards support both WPA and WEP, in addition to LEAP (Cisco’s proprietary encryption scheme.) So even if you have one of the first 802.11b Airport cards, thanks to the joys of the firmware update it can talk to any Airport base station no matter what encryption is being used.

3. Use Access control (aka MAC address filtering) – This is one of the better ways I’ve found to restrict access to your network, as enabling this will allow your base station to check the MAC address of your wireless card against a stored list of authorized devices. Not on the list? Can’t get access. One thing to remember is that if you are using access control in an Airport network that’s using Wireless Distribution System (WDS), copy the access control list to all base stations on the network. This is vulnerable to MAC address cloning, where someone makes their wireless card falsely report the MAC address of an authorized card, so use it in combination with strong encryption.

Anybody have any additional tips, horror stories, or tales of stealing WiFi from the unwary? Let me know the details down in the comments.


Comments have been disabled for this post