WiFi -- What your neighbors see... Is it safe? Encryption that works; don't hide SSID

[Justin]

Some of you have asked me about the best WiFi settings to use, if your neighbors can see you, see your computers or files, or bum your bandwidth. So here are some of my answers shared for everyone to see...

WiFi can be very secure or not secure at all depending on what you do, and is a great way to share internet to other computers in those difficult-to-string-an-ethernet-cable locations. With that said, always use an ethernet cable (CAT5 or CAT6) cable if you can because while it won't make your Internet experience faster it will make file transfers between computers significantly faster as well as assure security concerns in every way except physical access. A cable is generally more reliable as well. That said, WiFi definitely has its place and by following a few basic rules you can rest assured it's safe.

Now, even if you use ethernet cables only, if your router has antennae on it, you have WiFi, and that WiFi signal may create an opening on your network unless you turn it off or secure it as discussed below:

There are several speed classifications for modern WiFi, designated as 802.11 (the WiFi general standard) b, g, or n type. 802.11g is plenty fast, and 802.11 is even faster. If your router says 802.11b/g, then it supports both standards in order to support older computer systems. The n standard is new and still under official development (I get n from my new Airport Extreme router from Apple that also acts as a printer or network drive server), and on some routers is limited to supporting either all n-systems or all b/g-systems, but not both at the same time. There are older standards still out there as well. The normal standard of 802.11b provides up to 11 Mbits/second, whereas 802.11g offers up an impressive 54 Mbits/sec. Type 802.11n brings that speed all the way up to 248 Mbits/sec. However, it's important to point out that actual throughput is less, at about 4 Mbits/sec for b, 19 Mbits/sec for g, and 74 Mbits/sec for n. Throughput are the numbers you actually care about!

So deceptive advertising aside, compare these numbers to standard Ethernet speeds of 100 Mbits/sec (actual throughput at around 95 Mbits/sec), or the new Gigabit 1000Base-T Ethernet's 1000 Mbits/sec (actual throughput ranges from 400 Mbits/sec on up depending on hardware configurations).

As you can see, 802.11 is about 1/5th the file transfer speed of standard 100BASE-T Ethernet, and even the brand new 802.11n is still around 2/3 that of Ethernet, and only a fraction of modern Gigabit Ethernet. That said, Gigabit Ethernet requires that ethernet port, your router/hub, and your cables all be 1000Base-T rated.


WiFi -- What your neighbors see:

WiFi can be open or closed, invisible or visible.

Open WiFi means there's no encryption, so all data not encrypted between computers itself that travels over the WiFi airwaves are visible to anyone within range---typically about 150 feet indoors and as much as 300 feet outdoors. If you live in an apartment building, ranges are probably more like 80 to 100 feet because there's more walls to penetrate. But even at 100 feet, that could be quite a few neighbors not just to either side of you, but also above or below you depending on your building layout.

Open WiFi also means that anyone can easily attach to your network and sap your bandwidth, sharing it for their Internet needs. If several people do this, you might find your otherwise fast cable or DSL Internet seemingly slow.

Visible WiFi is the default and means that your WiFi Access Point (AP, which is generally your router or a repeater) broadcasts its 'name' to anyone who can receive the signal.

Invisible WiFi means your router hides its SSID (the router's "name") so that the average person nearby doesn't even know you have a WiFi network. Note that I said "average person", and not a hacker or wily one. Anyone who knows anything about networking knows how easy it is to discover your "invisible" router. The average Joe, however, won't see it and will leech Internet bandwidth from someone else.

Closed WiFi means that whether visible or not, all WiFi signal data is encrypted and requires a passphrase to decode and view.


WiFi -- How to protect it and keep it secure:

Protecting WiFi requires only one thing: encryption. Hiding your SSID (making your WiFi 'invisible') doesn't help you and you're more likely to just fill your networking life with headaches (see below).

Encryption means that you have WEP or WPA or WPA2 encryption enabled. Virtually all computers support WEP encryption, and specially patched/updated Windows XP PCs will work with WPA2. All Modern Macs within the last few years as well as Windows Vista work with WPA2.

WEP Encryption: WEP is the minimal entry-level encryption type, long since hacked. WEP will work to keep the majority of your neighbors off your network, but won't even slow down someone even remotely savvy with networking. WEP-cracking tools are available on the Internet for anyone to easily learn and use. Chances are, your neighbor doesn't know this and so WEP is good enough for some people. However, I strongly recommend not putting any sensitive information across WEP---such as checking your unencrypted email which would give a hacker access to your bank account by requesting a password reset and then intercepting your email since your unencrypted email sent to you by the bank is available for all to see.

WPA Encryption: WPA is good. It's not perfect, but it's good. It will block out even people who are network savvy, but it won't stop a highly skilled hacker. It may slow down a good hacker, adding a couple hours to an otherwise immediate process. WPA is therefore a good standard to rely on for MOST people. WPA is slightly less secure than the connection you get to secure online banking.

WPA2 Encryption: WPA2 is currently uncrackable, and will likely remain as such for many years to come. It's based on AES-128 encryption---among the best in the business and generally better than that used for online banking.

AES-128 (that used by WPA2) is so good in fact, that the US Department of Defense and National Security Agency (NSA) publishes the following too its personnel:

Quote:

"NSA Data Security Requirement: The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."

Furthermore, even cryptography experts admit that no one has ever cracked AES-128---excepting any claims that the NSA possesses quantum computing machines able to. There have, however, been several side channel attacks that were successful, which attacks either end of the communication pipe---such as cipher system implementations that leak data and are thus of poor hardware or firmware design.


Turning on Encryption, even WPA2, DOES NOTHING practical to help you against hackers if you use a bad password:

Passwords are EVERYTHING when it comes to encryption. Even WPA2 will be brute-forced in seconds if your password is insufficient. Effective passwords must NEVER contain any full or partial dictionary word in any language (even Latin). Also, Password Length is FAR more important than using special characters in it. For example, the password of t5*W%z can be hacked in minutes to hours because it's too short and special chars and cap letters don't introduce enough additional entropy combinations. Meanwhile, the password of mdagw1th2tcsom would take decades to brute-force attack because passwords of 13 to 14 characters (even just all lower case and numbers only) introduce too many mathematical combinations. Furthermore, the latter password can be VERY EASY for you to remember!, because it stands for a nonsensical sentence of: My Dog Always Growls When 1 Take Him 2 The Corner Store On Mondays. Therefore, using a password like this that only you can remember (and which is comparatively easy to remember) is your best protection for either WPA or WPA2 encryption, as well as banking websites, your computer's log on password, and so on.


HUGE Misinformation surrounds those who rely on MAC-Address filtering; it doesn't work:

Many people get a false since of security by turning on MAC-Filtering on their routers. MAC-Addresses (not be confused with, and which have nothing more to do with Mac computers than PCs) are quasi-unique serial numbers programmed into each networking device, be it your Ethernet port, your WiFi card, your router's WiFi antennae, and so on. Most routers possess settings you can enable that instruct the router to only talk to computers if they submit a MAC-Address that you've identified in your router's list of acceptable and safe.

Because your computer must submit its MAC address to the router for 'clearance', that MAC address is sent over the air in plain text for all to see. It's a simple matter for a hacker to identify your MAC-Address and then spoof it. Many utilities on the Internet allow you to change your MAC address on your computer's WiFi card. In less than a few minutes, a hacker has cloned your MAC-Address and is now safely into your network unless you're using unbreakable encryption such as WPA2.

Therefore, the only thing you've accomplished by MAC-Filtering is make your own life harder by requiring you to edit your MAC-Address list every time you want to make your network/Internet available to another computer or visiting friend's computer.


Hiding your SSID ONLY protects you from people you don't have to worry about hacking your network in the first place:

The average and/or clueless user will ignore your network if they can't see it. But if you're using encryption, which you better be by now, they can't attach to your network anyway. Therefore, what's the point of hiding your SSID (router's name from being broadcast)? It's senseless to introduce the possibility of increased incompatibility with your own computers by turning off SSID, as some computers will more frequently lose connectivity as a result. Hackers (the people who know what they're doing and are determined to hit the area your wireless signal resides in) won't even be slowed down by turning off your SSID because your network traffic (what they scan for) is still there to see. Of course, if encrypted they'll see only meaningless garbage, but all traffic is 'visible' regardless of your SSID broadcast, and moreover your SSID is contained in the visible traffic.

That means that only standard computer utilities that report to average users which networks it has detected won't see your invisible network. Anyone savvy with networking will see your plain as day.


Never mind my network, what about surfing someone else's open WiFi network for free Internet?

While I won't discuss new laws popping up in MANY cities and states that declare this practice illegal and punishable by jail time :-O , what I will discuss is how safe it is for you to do:

Browsing the web via someone else's open or WEP-protected WiFi can be very dangerous in two ways: A) Any page you visit that's not encrypted (doesn't have https in the URL) leaves all communication between you and the site open to capture/recording including usernames/passwords. B) EVEN if the page is encrypted (such as the one used by your bank or PayPal, etc.), sophisticated hackers can capture via spoofing and here's how:

An unscrupulous provider of free WiFi sets up a server with a rule: If anyone using this network asks for any webpage, just route/forward them to the real Internet. But, if anyone types in https://www.paypal.com then instead route them to a copy of the PayPal site on their server with a security cert set up to validate https as secure (an unverifiable cert warning may appear in some browsers). Then, you type in your username/password and they'll capture both, and then pass along a page (usually like: loading error, please try again) after which point you're redirected to the real PayPal site where everything works fine. And, of course, the hacker now has your money.

It's therefore "okay" from a security standpoint only to surf sites that don't require any login or password when leeching free Internet from a neighbor who may or may not be a clever hacker. So feel free to read news at CNN.com, check out the latest sports scores, read a movie review and check showtimes, but don't even think about visiting your online banking site, these forums, or anywhere else that requires a password.

That said, I don't want to create paranoia and so will preface the above WiFi leeching practice with the fact that in most cases it's safe---even for online banking. In fact, https (banking, etc.) sites are generally the safest to do over someone else's open or WEP site because it requires a high-calibre hacker to spoof and capture your login ID this way. To clarify, your https (SSL encrypted web site) will be unbreakable between you and the web server, the problem is that the web server you're going to belongs to the hacker and not the bank. For more mid-level hackers (the prevalent kind), the unsafe sites for you to visit aren't https (which are safe), but rather http sites that require a username and password, such as your email!! So be careful where you check email.


THE MOST IMPORTANT PASSWORD IS YOUR EMAIL PASSWORD:

Finally, one password that can in fact be THE MOST IMPORTANT of all passwords is your email password! What happens when you go to your bank site and click "I forgot my password"? That's right, they send an email to you to reset it to a temporary password you can then use to log in. In many ways, your email password should be your most important password of all for this and many other reasons. However, don't forget that you don't want to enter your email login password into a page that's not secure. Hushmail, Google's Gmail (via https://mail.google.com/mail rather than the normal http: Google login page) helps ensure that all data (login and email reading itself) remains completely secure. Why is it important to encrypt email contents itself in addition to your already encrypted email login & password when Google already encrypts your form post Google login ID/PW at the normal http: page? Because, again, your temporary login password for your bank, etc., will be sent across the net in plain text if you don't

In fact, when it comes to email, you need to worry not just about the network you check it over, but also the computer! If the person's or public computer you're using isn't secure or has been hacked or contains savvy spyware, your login ID and password could easily be keylogged and mailed off to a remote hacker without you or even the computer's owner knowing! How secure and savvy is the owner of the computer you borrow from time to time---especially your non-technical grandmother's Windows PC? Something to think about.



Hope this all helps in the realm of Internet security. As always, keep your computer frequently patched with Apple's security updates (I set mine for daily checking rather than the default weekly) or Windows Update service and maintain use of a router (hardware firewall). And, above all, don't get paranoid.. Most of these scenarios are rare on a per capita basis despite becoming increasingly commonplace---such as how many hackers now hang out at hotspots to capture data---it's just not likely the hotspot you're at will have a hacker nearby... but it can and does happen every day. Good precautions for us all

--Justin
:SantaGrin

[Jedilaw]

Thanks for that. I use WPA2 at home, but I was not aware of how easy MAC address filtering is to defeat. Of the two, better to be wrong on MAC address filters and not on the encryption scheme to use, I guess...

[Justin]

Precisely. The only thing that matters is using the right kind of encryption and using a good password with it.

Hiding SSID, MAC-Address filtering, and the like only stop the people who'd never know how to hack you in the first place LOL. So yeah, you got it.

[spudmonkey]

SSID hiding and WiFi in Vista is a particularly bad combination at the moment anyway for people who are that way inclined...

WEP can now be cracked in around 120 seconds just through packet sniffing, so it's certainly not that secure, but try to remember that not everyone in your street is going to be a hacker, but you should play safe, just in case!

Edit: actually, hacker is the wrong word. Curse you Hollywood. That used to be a coding term and not associated with illegality until the film makers got hold of it and corrupted it... Grrrrrrrrr!

[Sphynx]

Just one additional point on the legality issue of using someone elses WIFI router for surfing - particularly in the UK.

Successful prosecutions have already taken place in the UK regarding this issue and it most certainly should be regarded as illegal. Regardless of your viewpoint on this, as Justin says (and we don't really want to hear it, this is a technical discussion), at the end of the day you are using a communications medium being paid for by someone else, without their permission.

Very often, just like the theft of electricity etc. it very often comes under the conventional theft laws, let alone the specific laws that are now being passed regarding this issue.

[Hobbes]

Awesome Justin, I've worked for IBM for 2 years and still learned a lot from this

[Zabiegly]

This is really a great article, thanks for that.

But I can't stop wondering why in hell do people ask you what WiFi settings to use? I never got asked that... maybe except for my cousing but he doesn't count.

[Justin]

Quote:

Originally Posted by Zabiegly

But I can't stop wondering why in hell do people ask you what WiFi settings to use?

Hehehe... bah.. dunno.. prolly my general reputation for knowing computer security and cryptography. I find cryptography and cryptanalysis very interesting as a field of study... since all computer encryption is breakable; it's only a matter of time spent on it. The goal is to use AES-128 or other methods that would require the best computer networks hundreds of years to crack. The only type of encryption that is full proof is a one-time number pad principle, which anyone can do like this: Take the game of scrabble, put all letters into a box, shake the box violently, then open and remove one letter, write it down beneath the written alphabet's first letter A, then replace the letter, shake, and repeat. You'd have the entire alphabet repeated hundreds or thousands of times, with random scrabble result running continously. Then, once you've done this a thousand times, you make a copy of your key and hand it to the recipient. Then, each time you send them a coded message simply substituting the random letters for the letters in your real message, you cross off the letters and never use them again and the recipient crosses off the first use of each letter he comes across as well. Even this method isn't true chaos given minute differences in scrabble letter wood weights, box imperfections, and the like, the mathematical model to account for this is effectively impossible especially if the original scrabble letters and box used can't be precisely measured. In the end, it's the one and only perfect code. In computers, there is no such thing as truly random because of how computer bits work, and so that's why we use one-way algorithms and one-way hashes. The problem is, as mathematics become more and more sophisticated, we may in fact discover a way to factor these quickly and break them. Nevertheless, algorithms such as AES-128 (the kind used by WPA2 and for Macintosh .dmg encrypted files) is perfect and will likely remain so for at least our lifetimes.

[Jedilaw]

Quote:

Originally Posted by Sphynx

Just one additional point on the legality issue of using someone elses WIFI router for surfing - particularly in the UK.

Successful prosecutions have already taken place in the UK regarding this issue and it most certainly should be regarded as illegal. Regardless of your viewpoint on this, as Justin says (and we don't really want to hear it, this is a technical discussion), at the end of the day you are using a communications medium being paid for by someone else, without their permission.

Very often, just like the theft of electricity etc. it very often comes under the conventional theft laws, let alone the specific laws that are now being passed regarding this issue.

Brief follow up: U.S. federal law forbids accessing a computer network without permission. I believe it's called the NET Act. Piggybacking on someone's WiFi almost certainly counts. So don't even wonder whether your local U.S. jurisdiction has a law on the books: the feds already do.

[Blade]

Quote:

Originally Posted by Justin

( ... )
Nevertheless, algorithms such as AES-128 (the kind used by WPA2 and for Macintosh .dmg encrypted files) is perfect and will likely remain so for at least our lifetimes.

Slight clarification of that: There is no such thing as perfect in the security business. Just because an algorithm hasn't been broken yet doesn't mean there is no viable attack (OTP excepted, but then there's the key distribution problem etc). It might also mean that someone -has- a working attack but simply managed to shut up about it.. Bit of a long shot though, but not impossible.
Believing anything else is sheer arrogance, but as always it depends on what your threat level happens to be.

Still, the algorithms used today are probably sufficiently secure for quite a few years into the future - the problem usually lies in the implementation, like you mentioned, or in the wet-ware handling the equipment/application. Typically its a lot easier to do a bit of social engineering (with or without strong-arming or a chocolate bar ..) to get what you need rather than take your chances and try to break heavy crypto. Amazing what people will disclose when prodded in the right direction..

Or you could resort to any of the other gazillion tricks in ye olde black book. Eavesdropping on the display, for instance (since there's about a snowballs chance in hell 98% (percentage pulled out of my arse) of users will shell out the cash for tempest-protected kit).

Crypto is important, but so is locking your door at night. Security is an evolving system, a constant work in progress.. and the failure to realise that and act/plan accordingly is usually what causes breaches.


Oh almost forgot; a little addendum on MAC spoofing; If you're on a *nix system (including osx), the 'builtin' ifconfig allows you to change the mac all you want, takes a few seconds tops. Mac spoofing in general is relatively easy to detect though, assuming the net admin isn't completely incompetent.