Search

Subscribe

Enter your email address below to subscribe to our privacy and security newsletter.

Menu

• Home
• Business/Corporate
• Computer Security
• Digital Signatures
• Encryption
• Firewalls
• Intrusion Detection
• Just Plain Silly
• Personal Security
• Privacy
• Residential Security
• Security Blogs
• Security Consultants
• Spam/Anti-Spam
• Training
• Uncategorized
• Viruses
• Wireless Security

Adventures In Wireless Land

By Ian Scott

Some people have been following the recent case where a man plead guilty and was fined $250.00 for accessing a wireless network without permission in Winnebago County, Illinois.

This is the first time anyone in the United States has been charged and found guilty with this offence - and of course, in many circles, set off a lot of debate about the merits of this case. Indeed, if the accussed had fought the charges and had a decent legal defence, I wonder if he couldn’t have been found not guilty.

The debates on mailing lists that I subscribe to have revolved around insecure wireless networks being analogous to unlocked homes or cars while others believing the analogy is false. It is true that accessing a network without permission and downloading or uploading to the Internet is a theft of resources that have been paid for by someone else. Or is it? Again, some would argue that if an Internet customer is not using the bandwidth that has been allocated, then there has been no real theft of anything.

As well, we have the problem of determining where exactly radio waves fit into the debate about private or public property. A wireless network depends upon a device that sends out radio waves. Picking up those radio waves depends upon the strength of the signal. And once a signal is picked up, it’s only a matter of telling the receiving device to connect - which in reality is not a correct term. As soon as the wireless network has been detected by the receiving device, a connection has already been made.

With “hot spots,” areas in which people do have permission to access a network becoming more and more popular, determining which network you are allowed to connect to that has not been secured could be become an even more complicated affair. There are many businesses including coffee shops, hotels, and travel stops that provide “hot spots” for connectivity. Now, some municipalities want to get into the wirless networking game and provide freely accessible networks for anyone within range to be able to connect to without requiring permission or payment.

There are those who suggest that if you don’t want anyone to access your network, you have a “duty” to protect it. Others that use the “insecured home” analogy suggest that it is the duty of the person making the connection to first ensure they have permission. I personally lean towards this latter belief as accessing the Internet, arguably a “public” domain, requires going through a private network first when accessing via wireless. I also understand however that this is not a cut and dry issue. Radio waves that are available in the public sphere (outside of private property) are indeed easily picked up.

After my experience of setting up a wireless network in my home for the first time, I think that the manufacturers and distributors of wireless radio units must also bear some of the responsibility for securing a private wireless network. I live in a house that was built a century ago - there is no easy way to run ethernet cable from one end to the other. Most of the services to the house come in the back while the living and office spaces are at the front of the house. The back of the house has no basement area, so running cable under the floor is not an easy or simple task. There is no drywall - instead, this house consists of double-bricked walls and plaster. I got tired of trying to hide all the ethernet cable that is running from the back of the house to the front, and up the stairs and decided to try wireless.

I ended up purchasing a D-Link AirPlus XtremeG router and brought it home, along with a D-Link wireless PCI card. My SuSE 10 linux box immediately recognized the card, so there were no issues there. Next, I plugged in the router, plugged in ethernet cable between my other network card and the router, and proceeded to set up the router through the browser interface.

That was easy, but how do I “secure” this thing? The router came with a manual over 100 pages long - but hardly anything on how to secure the network. The manual has so many pages because it contains the Installation Guide seven different languates. What is written in the manual is unlikely to be understood by anyone not familiar with security. Heck, even I had a hard time understanding exactly what it was I was supposed to do. There are 5 steps in the “Setup Wizard,” and Step 4 says this:

“If you wish to use encryption for your 802.11b/g network, the DI-634 is capable of two levels of wireless encryption - 64-bit, and 128-bit (Ed. The box, however, claims 64/128/256-bit encryption). By default the encryption is disabled. you can change the encryption settings for more secure wireless communication.”

Well, that really doesn’t tell us much at all. “More secure?” More secure then what, exactly? The actual screen of the Setup Wizard asks you to select from a drop down box either 64-bit or 128-bit encryption, and then asks you to input “10 HEX charaters (Hex is 0-9, A-F, or a-f).”

And that is ALL there is about “securing” the wireless communications! With the setting defaulting to unencrytped, and the weirdness of this thing called “HEX characters” to most people, how many people are really going to bother learning more about the security of their wireless networks? All they probably want at this point is to celebrate the fact that their PC will soon be communicating without the need for ethernet cable.

Once the the “Setup Wizard” completes the five steps, there is a menu that one can view, including options for the LAN, WAN, and Wireless settings. But again, the “Help” sections are extremely poor. At first, I wondered, “If I set this, am I merely encrypting my data, or am I also securing my network?” I really didn’t know at first, what I was doing. And then I ran into more problems.

I finally was able to restrict access to the network, and was able to connect wirelessly from my SuSE box. However, the Windows XP box was not able to connect. It turned out that this laptop needs an update to support the encryption method, apparently more secure then the other options I had excluded, in order to connect. In the meantime, just to try to get some connectivity, I changed the encryption method, managed to get the Windows XP laptop connected, but when I did that, it seemed to throw my SuSE box off the network, and wasn’t able to connect as long as the XP laptop was connected.

Now admittedly, there is a more full manual in PDF format on the CD-ROM that came with the router, but the only reference to this electronic manual in the print Installation Guide is in a sentence that refers to setting each network adapter to automatically obtain an IP address. This is seriously a major problem for anyone that is setting up a wireless network in their home, and doesn’t understand the security implications. There are no warnings in the printed guide about what they are leaving themselves open to without further researching the securing of their network. The printed Installation Manual makes a very vague reference to “more secure wireless communications” and gives the end-user this option of entering 26 HEX code characters - is this really enough information on the part of the manufacturer?

I don’t think so. And as much as an individual is personally responsible for their own network, it seems to me it is incumbent upon wireless device manufacturers to warn consumers ahead of time about the possible risks of using their products and not securing them correctly. I’d hate to see laws or regulations created by governments that would probably do a lousy job at requiring this disclosure; instead perhaps a lawsuit against one of these companies (including Microsoft for creating a product that can so easily connect to private networks) for not fully disclosing the risks and clearly stating what needs to be done to minimize risk.

Now, after installing the Windows XP wireless upgrade, I’m going to see if I can finally get both the SuSE box and laptop connecting at the same time - cross your fingers for me!

What are your thoughts on responsibility for wireless security, the philosophy behind who is responsible, and do you agree manufacturers should be advising folks of the risk of using their products?

Read more in: Wireless Security |

© SecPriv.com | About/Disclaimer | Privacy Policy