Popularity of Wi-Fi breeds big holes in security
Monday, June 7, 2004
SAN JOSE, Calif. -- With a laptop perched in the passenger seat of his Toyota 4Runner and a special antenna on the roof, Mike Outmesguine ventured off to sniff out wireless networks between Los Angeles and San Francisco. He got a big whiff of insecurity.
While his 800-mile drive confirmed that the number of wireless networks is growing explosively, he also found that only a third used basic encryption -- a key security measure. In fact, in nearly 40 percent of the networks not a single change had been made to the gear's wide-open default settings.
"They took it out of the box, powered it up, and it worked. And they left it alone," said Outmesguine, who owns a technical services company. He frequently goes out on such "war drives" in search of insecure networks. And while Outmesguine says he doesn't try to break in, others aren't so benign.
While Wi-Fi is hot, security is not.
Even the makers of Wi-Fi routers, access points and other gadgets privately say that as many as 80 percent of home users don't bother to enable basic encryption or other protections against connection theft, eavesdropping and network invasion.
Experts say that while Wi-Fi hardware makers have made initial setup easy, the enabling of security is anything but. Meanwhile, average users are no longer tech-savvy. The gadgets are mainstream, appearing on the shelves of Wal-Mart and other mass retailers.
During his war drive, Outmesguine counted 3,600 hot spots, compared with 100 on the same route in 2000. Worldwide, makers of Wi-Fi gear for homes and small offices posted sales of more than $1.3 billion in 2003, a 43 percent jump over 2002, according to Synergy Research Group.
The result? A lot of wide-open networks that offer anyone within range of the Wi-Fi signal free access to a high-speed Internet connection. Any hacking is unlikely to be noticed, while illegal activity would be traceable only to the name on the Internet account.
"What we probably really have here is a whole bunch of very vulnerable systems exposed to attack or infection over a network that has no access control," said Al Potter, manager of technical services at the security firm TruSecure's ICSA Labs.
Companies that sell Wi-Fi products want their hardware to be simple and interoperable, especially as more than just computers -- wireless TV monitors, digital music receivers, DVD players and game consoles, for example -- are wirelessly connecting to home networks.
At the same time, they want to keep support calls and returns low, so they turn off security by default.
"We've been putting friendly front ends in front of technology for a long time," said Peter Evans, vice president of business development at AirDefense Inc., a wireless security firm. "I'm not sure why the industry has not yet made those tools much easier to use."
Yet even knowledgeable consumers find it frustrating to set up security. It can involve punching in dozens of characters as the passphrase for each connected device, and navigating screens filled with a dizzying set of acronyms for encryption and authentication.
Typically, there isn't much explanation about what they are and why they're needed.
Problems grow when consumers try to mix a laptop wireless card from one vendor with a Wi-Fi access point from another. With security turned off, everything works fine. With basic encryption turn on, the headaches begin.
Because his Linksys access point and Gateway notebook used different techniques for generating the "key" to scramble and unscramble the data, Victor Miller of Princeton Junction, N.J., learned he had to twice punch in dozens of characters using the hexadecimal numbering system.
That process is prone to typing errors, which aren't apparent since Windows XP doesn't display the characters as they're entered. Also, Miller said, the user guides did not say that the computer would require a restart.
Miller, who is a cryptography expert, eventually got it working.
"I'm not sure many people would have the fortitude to actually copy down 26 hex digits twice," he said. "They'd just say, 'To hell with it."'
Some manufacturers are beginning to tout security features as a selling point, just as they market faster speeds and greater signal range. Microsoft Corp., for instance, made the transfer of keys fairly easy by copying the key and other settings to a floppy disk that could then be used to configure wireless laptops. The company, though, announced in May that it was getting out of the Wi-Fi hardware business.
Buffalo Technology Inc. has introduced a one-touch security system that exchanges keys between wireless devices and the wireless access point within a two-minute window after a button is pressed. Critics point out, however, that the system requires the manual entry of keys on non-Buffalo devices. And not all of Buffalo's products support the technology, called AOSS.
Meanwhile, Broadcom Corp., the leading supplier of Wi-Fi chips, has announced a software feature called SecureEZSetup that generates the encryption key based on answers to simple, easy-to-remember questions. Still, any device that's not supported must be manually set up, and no equipment vendors have embraced it yet anyway.
The Wi-Fi Alliance, an industry group that certifies Wi-Fi-labeled gear, has posted educational videos on its Web site and recommends that vendors use automated setup tools in their products. But it has stopped short of mandating specific interfaces, said Frank Hanzlik, the group's managing director.
In addition, not all vendors agree there's a major problem.
"Key to our strategy is consumer education," said Darek Connole, media relations manager at D-Link Systems Inc. "If the consumer knows why it's important, why it's easy to do, it becomes something they implement."
That's no excuse for not making setups more simple, objects Potter of TruSecure.
"The right instructions, the right help screens that ask the right question at the right time can go an awfully long way to keep those eyes from glazing over," he said.
On the Net:
Wi-Fi Alliance: http://www.wi-fi.org