Protecting your Airport network.


I saw this up on CNN today: Man charged with stealing Wi-Fi signal

This had to happen eventually. I was particularly struck by this part of the story:

Innocuous use of other people’s unsecured Wi-Fi networks is common. But experts say that illegal use often goes undetected, such as people sneaking on others’ networks to traffic in child pornography, steal credit card information and send death threats.

Security experts say people can prevent such access by turning on encryption or requiring passwords, but few bother or even know how to do so.

You’d better believe that I’ve got encryption running, MAC address filtering turned on and my SSID hidden. I live in a block of row-style townhomes where I can “see” at least one other wireless network regularly from my living room couch (it has WEP turned on.) In my last episode of apartment living, I decided to see how many networks I could pick up on my 15″ PowerBook. I saw about six that regularly popped up in the Airport menu, and half of those hadn’t even had their default settings changed. To be fair, though, the other three were locked down with at least WEP turned on and I picked up on another three that weren’t broadcasting their SSID. (Hiding your network by itself isn’t a perfect fix, though, as WEP was off on one of the non-broadcasters, which allowed me to log on and pick up an IP without being asked for my password.)

Long story short, if you’re running wireless, learn how to protect it before you turn it on or else someone will steal it, or worse, compromise your network. Here are a few things to know about protecting your Airport base station.

1. Hide your network’s name (aka SSID) – One of the best ways to keep other people from stealing your WiFi is to make sure they don’t know it’s around to steal. Pick a name that’s different from your base station’s default name, and then check the checkbox in the Airport Admin program to set your base station to be a closed network. That will stop your base station from broadcasting its name for anyone to pick up. Now anyone who accesses your base station will need to know the specific name of your base station before they can access it.

2. Encrypt your wireless traffic – To protect the communication on your wireless network, turn on data encryption on your base station. Users who attempt to join your wireless network will be asked for a password before they can access your network.

There are four types of encryption you can choose to protect your Airport network:

128-bit or 40-bit Wired Equivalent Privacy (WEP)
Choose either of these options to protect your network with a Wired Equivalent Privacy (WEP) password. Choose standard 40-bit encryption for maximum compatibility, or choose 128-bit encryption, which provides maximum WEP security.

If you choose 128-bit encryption, only computers with 128-bit encryption-capable wireless networking cards will be able to join your network. If you choose 40-bit encryption, computers with 40-bit and 128-bit encryption-capable wireless networking cards will be able to join your wireless network, but they will join with only 40-bit encryption. (Unless you have a very old third-party wireless card, you’ll be able to use 128-bit encryption on your Airport network without a problem.)

WPA (Wi-Fi Protected Access) Personal
Choosing this option gives you a stronger method of encryption than WEP does. Why? WEP uses 64- or 128-bit encryption keys, but WPA offers up to 256-bit encryption keys, which are exponentially harder to decode. Also, while the WEP key is static, the WPA key is dynamic: it automatically changes on a regular basis. (For example, Linksys’s WPA-compatible access points change theirs by default every 50 minutes.) This foils would-be hackers’ attempts to figure out the WPA key by eavesdropping on your network traffic. By the time they can decode your old WPA key, your network has already switched to a new WPA key, so WPA is significantly better than WEP, which uses the same WEP key repeatedly.

WPA Enterprise
This option is available if you are setting up a network that includes a RADIUS server, which most home networks don’t, but I wanted to mention it all the same. Essentially what a RADIUS server does is provide a central authorization server for wireless access, so that access can be controlled on a per-user basis. I don’t believe that Apple currently sells a RADIUS server solution, but they do build support for it into the Airport Extremes and Expresses so that those base stations can be integrated into a network that has a RADIUS server controlling who can and can’t access the wireless network.

There are a couple of caveats to keep in mind with encryption on an Airport network. The original Graphite Airport base station only supported 40-bit WEP, which is reportedly easy to crack. The 2nd generation Snow Airport supports both 40-bit and 128-bit WEP but doesn’t support WPA. The Airport Extremes and Expresses support all four kinds of encryption. Fortunately, to avoid confusion, the Airport Admin software tailors what options are available to the kind of base station it’s connecting to and doesn’t give you the option of trying to enable WPA personal on a Graphite.

Also, all Airport cards support both WPA and WEP, in addition to LEAP (Cisco’s proprietary encryption scheme). So even if you have one of the first 802.11b Airport cards, thanks to the joys of the firmware update it can talk to any Airport base station no matter what encryption is being used.

3. Use Access control (aka MAC address filtering) – This is one of the better ways I’ve found to restrict access to your network, as enabling this will allow your base station to check the MAC address of your wireless card against a stored list of authorized devices. Not on the list? Can’t get access. One thing to remember is that if you are using access control in an Airport network that’s using Wireless Distribution System (WDS), copy the access control list to all base stations on the network. Access control is vulnerable to MAC address cloning, where someone makes their wireless card falsely report the MAC address of an authorized card, so use it in combination with strong encryption.
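To check which cards are actually on the network against the access control list from item 3, the ARP table on a Mac can be compared with that list; this is an added example, not part of the original post. The allowlist, base station address and `arp -a` sample are constructed, and the ARP table only shows devices the Mac has recently exchanged traffic with.

```python
import re
from collections import defaultdict

# Constructed allowlist: the MAC addresses entered in the base station's
# access control list (made-up values).
AUTHORIZED = {"00:17:f2:aa:10:01": "PowerBook", "00:1b:63:aa:10:02": "MacBook Pro"}
BASE_STATION = "00:14:51:6f:00:01"   # constructed; the base station itself

# Constructed sample of macOS `arp -a` output. macOS prints each octet
# without its leading zero, so entries are normalized before comparing.
SAMPLE_ARP = """\
? (10.0.1.1) at 0:14:51:6f:0:1 on en1 ifscope [ethernet]
? (10.0.1.2) at 0:17:f2:aa:10:1 on en1 ifscope [ethernet]
? (10.0.1.3) at 0:1b:63:aa:10:2 on en1 ifscope [ethernet]
? (10.0.1.7) at 0:1b:63:aa:10:2 on en1 ifscope [ethernet]
? (10.0.1.9) at 0:e0:4c:12:34:56 on en1 ifscope [ethernet]
? (10.0.1.12) at (incomplete) on en1 ifscope [ethernet]
? (10.0.1.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en1 ifscope permanent [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]+) on ")

def normalize_mac(mac):
    """Return a MAC address as lowercase, zero-padded aa:bb:cc:dd:ee:ff."""
    octets = mac.strip().replace("-", ":").split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.lower().zfill(2) for o in octets)

def audit(arp_text, authorized, ignore=()):
    """Return (unknown, shared): unlisted MACs, and listed MACs seen at
    more than one IP address, each mapped to the IPs it was seen at."""
    allowed = {normalize_mac(m) for m in authorized}
    skipped = {normalize_mac(m) for m in ignore}
    ips_by_mac = defaultdict(list)
    for line in arp_text.splitlines():
        match = ARP_LINE.search(line)
        if not match:                      # e.g. "(incomplete)" entries
            continue
        mac = normalize_mac(match["mac"])
        if int(mac[:2], 16) & 1 or mac in skipped:   # broadcast/multicast
            continue
        ips_by_mac[mac].append(match["ip"])
    unknown = {m: ips for m, ips in ips_by_mac.items() if m not in allowed}
    shared = {m: ips for m, ips in ips_by_mac.items()
              if m in allowed and len(ips) > 1}
    return unknown, shared
```

Calling `audit(SAMPLE_ARP, AUTHORIZED, ignore=[BASE_STATION])` reports one unlisted card and one listed MAC at two IP addresses. The second case may just be a renewed DHCP lease, but it is also what a cloned MAC address looks like, so it is worth checking.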

Anybody have any additional tips, horror stories, or tales of stealing WiFi from the unwary? Let me know the details down in the comments.

20 Comments

Gvadi Bigva

Hi, all.
I can see from the above posts, that you guys all are very advanced in network issues, and if not strong solutions, you seem to have strong questions. Mine is very simple. I have a MacBook and router and airport express. My nephew has a Dell laptop with wireless card. We want to set up the closed network so that our neighbours would not be allowed in and use our traffic. Please, give us a simple advice how to set up a closed network, as we are not very advanced in IT technologies, there are not sophisticated issues of either wep or wap as our neighbours are on the same level of IT skills and if they encounter the closed network they won’t go online to find the crack to intrude. thanks in advance.

p.s. I tried to lock the network from applications/utilities/airport set up assistant, but then my nephew cannot access the internet.

dale

is there a way to see if people are leeching off your network? I have an airport extreme base station and macbook pro.

thanks

Cindy

I can’t figure out how to even start. I have a powerbook G4 and an airport extreme but I don’t know if it is private access or public. I don’t want anyone else to jump into my network. I went into system pref and under network, but I don’t see anything that I can click on to make my network/wireless private. could you tell me step by step, how to prevent others from joining?

Thanks

TiM

is it possible for someone to steal your wireless signal and then password protect it so that you cannot access it? if so how would you be able to take it back and set up a WEP password to prevent this?

Mac4L1ph3

..in addition to all the above, I also turn off DHCP, and limit the number of IPs that get handed out to exactly the number of physical machines in my home.

Rich Trouton

bibb,

On the road, your level of authentication is determined by the wireless access point you’re connecting to, so that’s by and large out of your control. At home though, I would definitely set my Airport base station to use either WPA or WPA2 authentication (WPA2 compatibility was just introduced by Airport 4.2 this past week for Airport Extreme cards.) That way, you have a more secure encryption scheme than is possible with WEP encryption.

Getting back to being on the road, especially at areas offering free WiFi, you’ll run into some security worries, since those networks may be essentially wide-open with no protection against other people also on that network from trying to intercept your connection’s traffic for nefarious purposes. One safeguard I’d recommend is to sign up with a VPN provider. Using a VPN will allow you to encrypt your traffic being sent over the WiFi connection, making it secure against someone who’s trying to scan your network traffic to pick up passwords or other information. If you have a VPN account from your school or workplace, this will work to protect your connection. If you don’t have one, two providers of public VPN services that I know of are HotSpot VPN and Public VPN.com.

bibb

thanks, rich. if i’m understanding your answer correctly, i think it means that, while i’m at home, wpa is ideal; but if i’m on the road and hit one of those access points that can’t understand wpa, i’ll need to use wep.

Rich Trouton

bibb,

The main reason to choose WEP over WPA is compatibility. Almost all wireless cards on the market today can use and understand 128-bit WEP, no matter what access point it’s being served from. That’s not necessarily the case with WPA, as not all wireless cards and access points can understand and use WPA.

From the Mac perspective, all Apple Airport cards running on OS X can use WPA. For those using other cards, check the manufacturer’s website to see if they have been WPA certified by the WiFi Alliance, the standards group for WiFi. The WiFi alliance also maintains a listing of WPA-certified equipment on its website.

bibb

if wpa is the strongest method of encryption, are there any down sides? in other words, is there a reason why you wouldn’t choose this option? thanks.

Jacob

Thanks for the reply. The reason I was interested is it would seem like an interesting and useful project to set up a neighborhood wireless network so that a large area could share one access point. But the most obvious concern is that each user’s connection be secure and one user not be able to take up all the bandwidth downloading from BitTorrent.

Rich Trouton

Jacob,

Yes, it’s possible, but it’s something that takes more expertise than I have with networking to do, so I can only give you the broad outlines of how to do it. What you can do is have two separate wireless networks running, one “private” and the other “public.” You’d then have the “public” network be run through a proxy server or VPN which would have bandwidth throttles running on it. The proxy or VPN would also have to be on a different subnet from the “private” network and so not allow access to that network, but would still be configured so as to have access to your internet connection.

Jacob Albertson

I have a pretty simple question. Is it possible to share your wireless internet while still maintaining a secure connection for your data and possibly controlling the bandwidth of other users sharing your network?

Rich Trouton

MAC filtering, by itself, isn’t the end-all and be-all of security. Neither is encryption (though it’s the best at standing alone), and neither is SSID hiding, when each method is used by itself in isolation. Combining all three makes your wireless network a much tougher nut to crack.

Twist

For people using any base stations change your network name, login, and password. I have seen many running with the factory defaults for login and password. I have actually logged in to a few and “fixed” a setting or two.

Also a little performance hint is to use some scanning software like KisMAC to see what channels other wireless networks in the area are using and pick a different channel than any of them for your network. This will help increase your range and connection speed (this is the issue I have “fixed” on a few “open” basestations).

Comments are closed.