Wireless Access Pointless
Mark Ayzenshtat has written about his adventures leeching wireless internet connectivity while driving through the pre-apocalyptic landscape of suburban California. I'm not sure if this is a good or bad thing.
Setting up Wireless Access Point (WAP) security is pretty cumbersome and the results are brittle. Wireless devices randomly stop working and need to have their encryption keys re-entered. What's worse, different manufacturers seem to use different passphrase hashing algorithms, so you pretty much always wind up manually typing in hex strings. To make the process extra-tragic, some confused product designers have tried to "add security" to the process by making the GUI key entry boxes display only blanks (like most password fields) and/or disabling cut-n-paste functionality. This guarantees that you'll have to type in a long string of numbers and letters several times, and still never be exactly sure of why your WiFi doodad isn't working. Whenever I see such design, I am tempted to violence.
Not only is securing a wireless LAN difficult for most mortals, but there's very little motivation to actually make the attempt. You probably won't notice the bandwidth drain of someone leeching from you, and viruses and worms are best combated at the firewall and PC level. You and your neighbor might actually be better off sharing the same access point and not having two separately encrypted networks fighting for the radio spectrum.
When something is both difficult and unrewarding, the masses will eschew it. That’s why most people don't read the fine print on medical forms and why they don't secure their wireless networks. My own 802.11b access point recently gave up the ghost host, and I haven’t bothered to replace it because I can usually see three or four unprotected wireless networks just sitting in my living room.
Of course, if you keep your wireless network unsecured, you never know who might get on it. That’s a little disconcerting, but the physical network has always been a weak security link because it’s hard to know who’s listening in; and that goes double for wireless. You need to secure each computer and the important data regardless of whether you turn on encryption on your WAP or not.
Who suffers from this furtive air sharing? I suppose the WAP manufacturers would sell more hardware if everyone had to buy their own access point, but that doesn’t seem like a good enough reason. After all, the pump lobby doesn’t get to force all of us to dig our own water wells. Internet Service Providers (ISPs) suffer some economic damage, because they typically charge a flat monthly fee for unlimited data usage and freeloaders, err, cause more load. For free. ISPs can try switching to a metered rate, but that approach hasn’t worked well in the U.S. market. A couple of years ago most service providers solved this problem by restricting access to just one or two specific computers registered to each account. That cost too much money in tech support calls when stymied customers tried to hook up new computers, so the practice has been mostly dropped. Either way, economic damage to the ISPs is a business issue, not a security problem. The companies should figure out how to fairly charge for their services, not lecture consumers on sloppy prevention. There are enough real security issues vying for consumer attention as is.
I’m looking forward to the day where I can reliably get wireless data service everywhere, without having to build my own private piece of infrastructure. A crisper understanding of who we’re trying to protect, better adherence to standards and some smart new technology will get us there. A chicken in every pot, not a mini broadcast tower under every desk.
Mmmmmmm, potted chicken.
[Brant Chamberlain wins the impromptu "Quick, I need a geeky euphemism for a piece of hardware dying" office contest. His first suggestion was even funnier but, alas, not suitable for general audiences.]
May 13, 2004
Comments
Phil,
Interesting post. Joy Larkin makes some interesting counter-points here, though. It seems that there are legitimate security concerns beyond the issue of reduced bandwidth.
Posted by: James Joyner | May 13, 2004 11:55:50 AM
James,
Joy makes a good argument, but I’m going to stick by mine.
I never said that people shouldn’t secure their WAPs. I think that people *don’t* secure their WAPs because the technology is poorly implemented and frustrating. If WiFi security was more robust and easier to use, it would naturally be to everyone’s advantage to use it.
However, if I’m going to ask average consumers to spend a few hours on computer “security”, I’d much rather they first install the latest OS patches, turn off file sharing, install a firewall at the network and on every computer, learn a bit about “phishing” and other scams (and maybe download SpoofStick), install an anti-virus program and get the latest signatures, check for spyware and rethink their passwords. When they’re done with all that, they can monkey around with their WiFi network. All the other stuff is more important, more effective and easier to do.
Even if you manage to keep your WiFi access point encrypted, you’re not really adding a whole lot of security. Everything just reverts right back to plaintext as soon as it goes from the WAP to the ISP, all your HTTP and FTP and email is bouncing around the guts of the web for anyone to see. If you’ve got data worth protecting, use SSH or SSL or a VPN – then it doesn’t matter if you’ve secured your WAP. If a non-SSL site asks you for a password, assume that everyone can see it. If you send out unencrypted, unsigned email, assume that there’s going to be a searchable trail of everything you’ve ever written somewhere or another.
As for the legal aspects, I don’t buy it. Internet access is not a firearm, and I don’t have any responsibility to make sure others can’t use the bits my access point decides to shoot out into the air. If my ISP has a problem with this, they should figure out how to restrict access on their side. I shouldn’t have to waste my time setting up “security” to solve their billing problem. If a crime is committed in my neighborhood, it’s not up to me to prove that I didn’t do it. It’s up to the authorities to find whoever did – and to prove it. Of course, you’re right that this area is “undefined” and it may take an unpleasant case or two to iron things out. If you’re concerned about being blamed for the actions of others on “your” wireless network, by all means take the appropriate precautions. For what it’s worth, I’ve found that MAC filtering works better than WAP encryption.
So, bottom line: we need better security technology that takes the burden of securing all data away from the user. In the meantime, locking down residential wireless access points is not my top security priority, and may not be a good way to spend finite security resources.
Posted by: Phil Libin | May 14, 2004 1:25:30 AM
Great post (as usual), this is particularly relevant to me because I just set up my first WiFi network at home.
I have always used wired networks and avoided wireless, but my wife insisted on wireless in the new house, and the installation process is a mess.
I know a little about network security and I figured the technology was mature enough that it should be a snap...no chance.
I got the Apple Airport, logged in with my iBook and did the configuration, I created a closed network and used 128-bit WEP authentication. No problem...then I went to configure my Windows boxen and everything fell apart.
The Windows boxes steadfastly refuse to connect to a closed network, even when the SSID has been given to them. They also don't like my WEP password -- because it is not enough characters for 128-bit encryption?
I had to open my network and drop to 40-bit WEP encryption -- which took MacStumbler all of 30 minutes to crack.
Posted by: allan | May 14, 2004 12:52:12 PM
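Added example, not part of the original post or its comments: the post's complaint that manufacturers turn a WEP passphrase into key bytes differently, and the comment above about a password being the wrong length for 128-bit WEP, both show up when one typed input is run through three input conventions. The two passphrase generators are widely used de facto algorithms assumed here for illustration (the page does not say which vendor uses which), and all function names are hypothetical.

```python
import hashlib

def literal_key(text):
    """Typed characters used directly as key bytes: 5 chars = 40-bit, 13 = 104-bit
    (the "128-bit" on the box counts the 24-bit IV as well)."""
    raw = text.encode("ascii")
    if len(raw) not in (5, 13):
        raise ValueError(f"need exactly 5 or 13 characters, got {len(raw)}")
    return raw.hex()

def md5_passphrase_104(passphrase):
    """Assumed de facto 104-bit generator: repeat the passphrase to fill 64 bytes,
    MD5 that block, keep the first 13 bytes."""
    data = passphrase.encode("ascii")
    if not data:
        raise ValueError("empty passphrase")
    return hashlib.md5((data * 64)[:64]).digest()[:13].hex()

def lcg_passphrase_40(passphrase):
    """Assumed de facto 40-bit generator: XOR-fold the passphrase into a 32-bit
    seed, then step a linear congruential generator; yields four 5-byte keys."""
    seed = 0
    for i, byte in enumerate(passphrase.encode("ascii")):
        seed ^= byte << (8 * (i % 4))
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)
        keys.append(key.hex())
    return keys

def keys_for(text):
    """Hex key each convention would produce for the same typed input."""
    try:
        literal = literal_key(text)
    except ValueError:
        literal = None  # a device using this convention rejects the input outright
    return {"literal": literal,
            "md5-104": md5_passphrase_104(text),
            "lcg-40": lcg_passphrase_40(text)[0]}

if __name__ == "__main__":
    # Constructed sample inputs, not values from the page.
    for sample in ("password", "abcdefghijklm"):
        print(sample, keys_for(sample))
```

An 8-character input is rejected as a literal key yet accepted by both generators, each giving unrelated hex, which is why entering the raw hex string on every device is the only portable option.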