Saturday, June 11, 2005

WiFi Security

James McMurry is reminding us of many security issues at hand with WiFi while giving us an interesting overview of some research being done in this field.

While I can live with an open network infrastructure that doesn't require passwords or encryption, encouraging its users to use secure protocols and encryption at the application layer, such methods still don't address issues of open user-run WiFi access points, and the dangerous liability they may represent.

If I access a WiFi network that is owned and operated by the city I live in, or some other private entity, it then becomes clear that any mischief perpetrated by some other user of this infrastructure is not my responsibility. There is clearly no reason for feds to come knocking at my door, because hey, it's not my network. Feds will be knocking at somebody else's door.

Now, I have a DSL connection; all traffic that goes through it is clearly traceable directly back to me. For convenience, I decide to open a WiFi hotspot that's linked to my DSL connectivity. Because I'm lazy, I don't bother locking it down with WEP or WPA. An online thief drives by my house, picks up my signal, uses my connectivity to "get online" and hack a bank. Since all criminal traffic was easily traced back to me, the next morning the Feds are knocking at my door, my computer equipment is seized, and I'm finding myself obligated to defend myself for a crime I didn't commit. Some will argue I have "plausible deniability". Hey, whatever, I'd much rather lock my sh*t down in the first place.

As much as I'd like to live in zeroconf utopia, I believe being wirelessly connected to a network presents additional accountability challenges most end-users aren't prepared to face, and shouldn't have to face. I entirely agree with James that makers of end-user home broadband routers have a responsibility to strongly encourage, facilitate, if not enforce some level of encryption/password protection. Here are a few possible steps I'm just throwing out there without that much thinking:

- A WiFi access point/router would by default allow unencrypted WiFi connectivity to facilitate initial set-up
- Until encryption and a password have been set up, the router side of the device would hijack all HTTP traffic to present the user with a warning message: "YOUR DEVICE HAS NOT YET BEEN CONFIGURED. Please use the Wizard provided to you on the Welcome CD to set it up. Or you may click here to set it up manually"
- Upon successfully configuring the router, the Wizard software would trigger the user's operating system's WiFi support to reconnect to the newly created SSID with the correct encryption scheme and pass phrase. On OS X, ensure that stuff gets stored in the keychain.

Of course none of this would really help me when I buy a hybrid WiFi/SIP/3G Phone from SK-EarthLink while hoping to roam around neighborhoods leeching open WiFi access points to make free phone calls. But these phones should come with the easy ability to create multiple WiFi profiles with support for any level of encryption.
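The first-boot flow proposed in the list above, modelled as an added example (not code from the post or from any router vendor). The router address, the `Router` class and its method names are assumptions made for illustration, and so is the choice to accept only WPA at set-up, since the list itself only says "encryption".

```python
from dataclasses import dataclass
from typing import Optional

# Assumed values for this sketch; none of them come from the post.
ROUTER_HOST = "192.168.1.1"
SETUP_URL = f"http://{ROUTER_HOST}/setup"
WARNING = "YOUR DEVICE HAS NOT YET BEEN CONFIGURED."
ALLOWED_SECURITY = {"WPA"}  # open and WEP are refused by the setup step


@dataclass
class Router:
    ssid: str = "factory-default"
    security: str = "OPEN"  # step 1: open by default so initial set-up is possible
    passphrase: Optional[str] = None

    @property
    def configured(self) -> bool:
        return self.security in ALLOWED_SECURITY and self.passphrase is not None

    def handle_http(self, host: str, path: str) -> dict:
        """Step 2: decide what a client's plain-HTTP request receives."""
        if self.configured:
            return {"action": "forward", "host": host, "path": path}
        if host == ROUTER_HOST:
            return {"action": "serve_setup", "path": path}  # the setup pages must load
        # Not configured yet: answer with the warning instead of routing upstream.
        return {"action": "intercept", "status": 302,
                "location": SETUP_URL, "body": WARNING}

    def configure(self, ssid: str, security: str, passphrase: str) -> dict:
        """Apply settings, then return the profile the wizard hands to the OS (step 3)."""
        if security not in ALLOWED_SECURITY:
            raise ValueError(f"{security} rejected; allowed: {sorted(ALLOWED_SECURITY)}")
        # WPA-PSK passphrases are 8 to 63 printable ASCII characters.
        if not (8 <= len(passphrase) <= 63
                and all(32 <= ord(c) <= 126 for c in passphrase)):
            raise ValueError("passphrase must be 8-63 printable ASCII characters")
        if not 1 <= len(ssid.encode("utf-8")) <= 32:
            raise ValueError("SSID must be 1-32 bytes")
        self.ssid, self.security, self.passphrase = ssid, security, passphrase
        return {"ssid": ssid, "security": security, "passphrase": passphrase}
```

Only plain HTTP can be answered this way; a request over HTTPS would fail certificate validation rather than show the warning.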


Daryll Strauss said...

But, WEP isn't good enough.

It is trivial to crack WEP. There are now tool kits that do it fairly automatically.

Now if someone is going to rob a bank, they are even better off if they crack your WEP security first. When the authorities come knocking at your door, it makes you look MORE guilty since who else could get into your "secure" network.

Chris Holland said...

ah yeah. okay. well replace WEP with something that doesn't suck then. Like some of the stuff James mentioned in his article.

Daryll Strauss said...

Yes, but consider the social implications of WEP sucking.

Few people put any WiFi protection at all. Anything more than plug it in and turn it on is too hard.

Some of them realize that they should use protection, so they turn on WEP. Unfortunately, for someone doing hi tech crime, WEP is almost as soft a target.

That poor user is bamboozled. He thought he was being good and paying attention to security, but unless you follow the tech trade, there's no way he'd know it.

James says it's a shame vendors aren't turning on at least WPA, and he's right, but that's even more complicated to set up. Vendors really need to put a lot more work into making it easy to set up and available on a large variety of platforms.

And although this is good for the user that turns on WPA, it doesn't deal with the general problem. There will always be plenty of soft targets for the bad guy to use. Which leads to:

Two guys are in the woods when they run into a bear. They both start running away and the bear chases them. One of the guys says "I don't think we can outrun the bear." The other says "I'm not worried. I don't have to outrun the bear, I just have to outrun you."