
Is Wi-Fi Secure?

by Lee LeClair
03/15/2005
As seen in Inside Tucson Business

Wi-Fi has become a mainstream consumer hit. Walk into any Best Buy, CompUSA, etc., and you can barely find a wired switch anymore. The appeal is obvious: why bother with messy wires when every laptop you can buy comes with wireless support built in? It's incredibly handy at hotels, coffee shops, etc. There is no doubt that wireless technology provides great benefits.

Some questions you might ask are: 1) Is the technology secure? 2) Should I care? 3) What should I do then?

The short answer to “is the technology secure” is no. At least not yet. You might argue that your wireless router has lots of security features including password protection, encryption, MAC address filtering, etc. Let’s look at these. When you buy your new wireless router, you generally want to plug it in and use it. The manufacturer wants to make this as easy and simple as possible for you so you remain a happy purchaser, not a cranky help desk caller. So your wireless router comes with a default password and no security features turned on. You can typically plug it in to power and your cable modem and you are in business. Unfortunately, anyone nearby can also get on and can capture whatever traffic you are sending or receiving, as well as simply use your connection. They can also log in to your router and modify its configuration.

Perhaps you are a more prudent person and you change the router password, enable WEP encryption, and even find your laptop’s MAC address and set the filter to only allow your PC to use the connection. Is it secure yet? It is secure against someone with a wireless laptop and no technical knowledge, but not against anyone with a moderate amount of technical knowledge. There are “weaponized” tools that allow relatively unskilled people to exploit the well-known weakness of WEP encryption, monitor wireless traffic for MAC information, and “spoof” or fake the authorized MAC address. What if you use the more advanced WPA-PSK encryption? It’s better but still breakable unless you use a really long password (i.e., at least 20 characters).

That brings us to the second question, “should I care?” The short answer is yes. There are a couple of reasons. The first is that you should be aware that your traffic could be “sniffed” before it even leaves your home. Forewarned is forearmed, after all. The second reason is that an “open” Internet connection is a frequently exploited means that crackers use to untraceably attack other systems and that illegal porn rings use to anonymously push and pull data. Few people want to have the FBI busting down their door.

Finally, then, “what should I do?” In the long term, new technologies and standards are emerging with stronger security. The 802.11i standard incorporates a stronger form of the WPA encryption standard, one that uses the new government standard AES encryption algorithm instead of the weaker RC4 algorithm. Until that arrives, evaluate your needs against the risks. If the risks of wireless are worth it to you, then use the strongest encryption available (WPA-PSK for home) with a long (20-character) password/passphrase.
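
To see why passphrase length matters so much for WPA-PSK, the sketch below (an added example, not part of the original column) derives the network key the way WPA does, with PBKDF2-HMAC-SHA1 over the passphrase using the network name (SSID) as salt, and then checks a passphrase against the 20-character guidance above. Because the key depends only on the passphrase and the SSID, its strength is exactly the strength of the passphrase. The function names and the small `COMMON` list are constructed for illustration.

```python
import hashlib
import math
import string

MIN_LEN = 20  # the column's recommended minimum for WPA-PSK
# Constructed sample of weak choices; a real audit would use a larger wordlist.
COMMON = {"password", "12345678", "letmein123", "qwertyuiop"}

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def max_entropy_bits(passphrase: str) -> float:
    """Upper bound only: assumes every character was chosen at random."""
    pool = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation + " "):
        if any(c in chars for c in passphrase):
            pool += len(chars)
    return len(passphrase) * math.log2(pool)

def audit(passphrase: str, ssid: str) -> dict:
    """Derive the key and list reasons the passphrase is easier to guess."""
    psk = derive_psk(passphrase, ssid)
    findings = []
    if len(passphrase) < MIN_LEN:
        findings.append(f"shorter than {MIN_LEN} characters")
    if passphrase.lower() in COMMON:
        findings.append("appears in a common-password list")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains the network name")
    if passphrase.isdigit() or passphrase.isalpha():
        findings.append("uses a single character class")
    return {"psk": psk.hex(), "findings": findings,
            "max_entropy_bits": round(max_entropy_bits(passphrase), 1)}

if __name__ == "__main__":
    # Constructed inputs: one weak passphrase, one long multi-word passphrase.
    for pw in ("password", "correct horse battery staple 42"):
        print(pw, audit(pw, "IEEE"))
```

The entropy figure is a ceiling, not a measurement: a passphrase built from dictionary words carries far less than the number suggests, which is why the audit also checks for common choices.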

Lee LeClair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.