James McMurry is reminding us of many security issues at hand with WiFi while giving us an interesting overview of some research being done in this field.
While I can live with an open network infrastructure that doesn't require passwords or encryption, encouraging its users to use secure protocols and encryption at the application layer, such methods still don't address issues of open user-run WiFi access points, and the dangerous liability they may represent.
If I access a WiFi network that is owned and operated by the city I live in, or some other private entity, it then becomes clear that any mischief perpetrated by some other user of this infrastructure is not my responsibility, there is clearly no reason for feds to come knocking at my door, because hey, it's not my network. Feds will be knocking at somebody else's door.
Now, I have a DSL connection, all traffic that goes through it is clearly traceable directly back to me. For convenience, I decide to open a WiFi hotspot that's linked to my DSL connectivity. Because I'm lazy, I don't bother locking it down with WEP or WPA. An online thief drives by my house, picks-up my signal, uses my connectivity to "get online" and hack a bank. Since all criminal traffic was easily traced back to me, the next morning the Feds are knocking at my door, my computer equipment is seized, and I'm finding myself obligated to defend myself for a crime I didn't commit. Some will argue I have "plausible deniability". Hey, whatever, I'd much rather lock my sh*t down in the first place.
As much as I'd like to live in zeroconf utopia, I believe being wirelessly connected to a network presents additional accountability challenges most end-users aren't prepared to face, and shouldn't have to face. I entirely agree with James that makers of end-user home broadband routers have a responsibility to strongly encourage, facilitate, if not enforce some level of encryption/password protection. Here are a few possible steps I'm just throwing out there without that much thinking:
- A WiFi access point/router would by default allow unencrypted WiFi connectivity to facilitate initial set-up
- Until encryption and a password has been set-up, the router side of the device would hijack all HTTP traffic to present the user with a warning message: "YOUR DEVICE HAS NOT YET BEEN CONFIGURED. Please use the Wizard provided to you on the Welcome CD to set-it up. Or you may click here to set it up manually"
- Upon successfully configuring the router, the Wizard software would trigger the user's operating system's WiFi support to reconnect to the newly created SSID with the correct encryption scheme and pass phrase. On OS X, ensure that stuff gets stored in the keychain.
Of course none of this would really help me when I buy a hybrid WiFi/SIP/3G Phone from SK-EarthLink while hoping to roam around neighborhoods leeching open WiFi access points to make free phone calls. But these phones should come with the easy ability to create multiple WiFi profiles with support for any level of encryption.