Many articles make reference to the vulnerability of
going wireless (in my case, a wireless 802.11g-enabled PC
to DSL router connection inside the house).

But what are the numbers? For example, in a suburban-
type housing development, what is the range for someone
to hack in? Should I be concerned about my neighbors or
someone passing by on the street? Or is it wider, like a
few blocks? I plan to install WEP, but I'm interested in
what the vulnerability is without it.

Thanks,

dag

Re: What's the real scoop on wireless security? by Patrick

Patrick
Sun Apr 18 07:52:05 CDT 2004

"Wireless Wonder" <anonymous@discussions.microsoft.com> writes:

> But what are the numbers? For example, in a suburban-
> type housing development, what is the range for someone
> to hack in? Should I be concerned about my neighbors or
> someone passing by on the street? Or is it wider, like a
> few blocks?

With a high-gain antenna pointed at your house, a hacker might attack
you from 1-2 kilometers away. Most "war drivers" are idiot children
with a laptop, though, so they probably need to get within 100 meters
or so.

> I plan to install WEP, but I'm interested in what the vulnerability
> is without it.

WEP has been broken, both in theory and in practice. Automated
software for cracking WEP is readily available. It does require
intercepting a lot of traffic, so if you do not use your wireless very
much, that helps mitigate the risk.

If you really care about security, buy equipment which supports WPA.
Unlike WEP, WPA is a well-designed protocol which uses real
encryption; it is unlikely to be broken for the foreseeable future.

- Pat

Re: What's the real scoop on wireless security? by Robert

Robert
Sun Apr 18 09:24:55 CDT 2004

Wireless Wonder wrote:
> Many articles make reference to the vulnerability of
> going wireless (in my case, a wireless 802.11g-enabled PC
> to DSL router connection inside the house).
>
> But what are the numbers? For example, in a suburban-
> type housing development, what is the range for someone
> to hack in? Should I be concerned about my neighbors or
> someone passing by on the street? Or is it wider, like a
> few blocks? I plan to install WEP, but I'm interested in
> what the vulnerability is without it.

The vulnerability with or without WEP is extreme, "secure wireless
communication" is a sick joke unless you are prepared to spend a lot of time
updating all your wireless equipment to support WPA and get that working and
even then, I hear that the vendors are working on a new version of this
secure standard, which makes me wonder if they know something bad about it
that they haven't told the rest of us yet.

--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.



Re: What's the real scoop on wireless security? by Patrick

Patrick
Sun Apr 18 11:10:48 CDT 2004

"Robert Moir" <bofh@mvps.org> writes:

> The vulnerability with or without WEP is extreme, "secure wireless
> communication" is a sick joke unless you are prepared to spend a lot
> of time updating all your wireless equipment to support WPA and get
> that working and even then, I hear that the vendors are working on a
> new version of this secure standard, which makes me wonder if they
> know something bad about it that they haven't told the rest of us
> yet.

You are correct about WEP, but your concerns about WPA are nonsense.

WPA is *extremely* secure assuming you choose a strong passphrase
(duh) and assuming the encryption itself remains unbroken. The WPA
standard requires that devices support TKIP (based on RC4), and it
permits but does not require them to support AES.

WPA2 is due later this year, but all it will do is make AES mandatory
for compliant devices. Since most WPA devices already offer AES
(e.g., see <http://support.microsoft.com/?id=815485> or
<http://www.linksys.com/download/vertxt/wrt54g_ver.txt> or your own
wireless product's documentation), WPA2 will not provide any
additional security for such devices.

Even TKIP (RC4) has not been broken yet, although there are signs it
could happen in the next few years. AES is unlikely to be broken for
at least a few decades (except possibly by NSA). If either is broken
publicly, I guarantee you will hear about it, especially since RC4 is
commonly used for SSL connections.

In summary, if you:

1) use WPA (preferably with AES); and

2) choose a long passphrase with lots of random characters

...then your wireless communications will be completely secure against
any attacker short of a major world government.

- Pat
MVP, Windows Server - Setup/Deployment
http://unattended.sourceforge.net/

Re: What's the real scoop on wireless security? by Robert

Robert
Sun Apr 18 12:02:02 CDT 2004

Patrick J. LoPresti [MVP] wrote:
> "Robert Moir" <bofh@mvps.org> writes:
>
>> The vulnerability with or without WEP is extreme, "secure wireless
>> communication" is a sick joke unless you are prepared to spend a lot
>> of time updating all your wireless equipment to support WPA and get
>> that working and even then, I hear that the vendors are working on a
>> new version of this secure standard, which makes me wonder if they
>> know something bad about it that they haven't told the rest of us
>> yet.
>
> You are correct about WEP, but your concerns about WPA are nonsense.

You mean, you don't understand why I'm as complacent as you.

Correct, there are currently no issues with WPA's security when implemented
properly. (we'll leave aside the fact that this is currently far too complex
for most home and even small business users shall we? see -
http://www.theregister.co.uk/2004/04/15/adsl_wireless_virgin/ for a story
relating an all too common experience from end users.)

However, none of us know what will happen tomorrow, and your explanation of
why we need WPA2 is nice and in line with the corporate line on such things
but assumes again that there are no problems that we have not yet heard
about.

When something is currently secure, that is no guarantee at all about its
status tomorrow or next week. I remember when computers were secure online
without a firewall. I remember when you could say to someone "No, it's not
possible to have a virus embedded in an email so that you get infected just
by reading the email". You can't say either of those things now.

Never say "never".

--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.



Re: What's the real scoop on wireless security? by jcochran

jcochran
Sun Apr 18 13:59:09 CDT 2004

On Sat, 17 Apr 2004 21:17:13 -0700, "Wireless Wonder"
<anonymous@discussions.microsoft.com> wrote:

>Many articles make reference to the vulnerability of
>going wireless (in my case, a wireless 802.11g-enabled PC
>to DSL router connection inside the house).
>
>But what are the numbers? For example, in a suburban-
>type housing development, what is the range for someone
>to hack in? Should I be concerned about my neighbors or
>someone passing by on the street? Or is it wider, like a
>few blocks? I plan to install WEP, but I'm interested in
>what the vulnerability is without it.

Quickie test on my own setup, I could get a signal at five of my
neighbors' front doors. That's about 220 feet at the longest. I
could only get a signal of 50% or better about 90 feet out. That's
with a standard wireless PCMCIA card, a directional high-gain antenna
could theoretically get me a half mile or more away.

As a side note, wandering the neighborhood with laptop in hand, I
picked up two other wireless signals, one with no WEP and pure default
Linksys setup. :)

Jeff

Re: What's the real scoop on wireless security? by Patrick

Patrick
Sun Apr 18 14:10:19 CDT 2004

"Robert Moir" <bofh@mvps.org> writes:

> Patrick J. LoPresti [MVP] wrote:
>
> > You are correct about WEP, but your concerns about WPA are
> > nonsense.
>
> You mean, you don't understand why I'm as complacent as you.

No, I mean that your concerns are unfounded. Which is what I should
have said in the first place, since "nonsense" has an overly hostile
connotation.

> Correct, there are currently no issues with WPA's security when
> implemented properly. (we'll leave aside the fact that this is
> currently far too complex for most home and even small business
> users shall we? see -
> http://www.theregister.co.uk/2004/04/15/adsl_wireless_virgin/ for a
> story relating an all too common experience from end users.)

Well, we were talking about the security of WPA.

I agree that user interface is a huge issue for any cryptographic
technology. Even if devices were "WPA only", with no support for open
or WEP at all, the user would still need to pick a strong shared key.
I do not see any way around this, except maybe to have the user plug
the devices together for an initial automatic key negotiation... Hm.
Actually, that might be a good design...

> However, none of us know what will happen tomorrow, and your
> explanation of why we need WPA2 is nice and in line with the
> corporate line on such things but assumes again that there are no
> problems that we have not yet heard about.

It may be the "corporate line", but in this case it is also a
well-founded position. Read up on the history and intended purpose of
AES to learn why I am so confident.

My point is that lumping WPA (with AES) in with WEP is misleading at
best. It is like comparing a wooden door to a bank vault just because
"either can be broken". Worse, even, since the best cryptographers in
the world have worked very hard to ensure that AES *cannot* be broken.

> When something is currently secure, that is no guarantee at all
> about its status tomorrow or next week. I remember when computers
> were secure online without a firewall.

> I remember when you could say to someone "No, it's not possible to
> have a virus embedded in an email so that you get infected just by
> reading the email". You can't say either of those things now.

I remember people saying that, too, but nobody with even the slightest
knowledge of computer security ever agreed with them.

> Never say "never".

I did not say "never". I said "unlikely to be broken within the next
few decades" and "completely secure against any attacker short of a
major world government". I stand by those claims.

I would be happy to put my money where my mouth is by making a bet
with you. What odds and time frame would you consider fair?

- Pat

Re: What's the real scoop on wireless security? by Robert

Robert
Sun Apr 18 14:51:52 CDT 2004

Patrick J. LoPresti wrote:
> "Robert Moir" <bofh@mvps.org> writes:
>
>> Patrick J. LoPresti [MVP] wrote:
>>
>>> You are correct about WEP, but your concerns about WPA are
>>> nonsense.
>>
>> You mean, you don't understand why I'm as complacent as you.
>
> No, I mean that your concerns are unfounded. Which is what I should
> have said in the first place, since "nonsense" has an overly hostile
> connotation.

Yes, and I was foolish enough to reply in the same vein. I think it's best we
leave it at that.



summarize for you if I may... by Bill

Bill
Mon Apr 19 01:56:36 CDT 2004

Everyone who works in the tech business, and especially
in administration and security, should know that if you
have an experienced "hacker" "cracker" or whatever term
you wish to apply to such a person, they will eventually get
through your security either through social engineering or
simple network exploit. As far as home security goes. Do
you do online transactions that need to be 100% secure?
If so, take the basic steps, WPA, strong passwords
including special characters, number and upper and lower
case. At least 8 characters long. Do MAC address
filtering, and assign static IP address to particular
machines. Do not use the default SSID and do not use the
default ip ranges. Make sure you change the IP for your
router and do NOT leave the default password. These are
the basics, there are whole books out there though, feel
free to get one if you feel so inclined. Hope this helps.

-Bill

Re: summarize for you if I may... by Patrick

Patrick
Mon Apr 19 07:57:21 CDT 2004

"Bill" <bbonner@pullman.com> writes:

> Everyone who works in the tech business, and especially
> in administration and security, should know that if you
> have an experienced "hacker" "cracker" or whatever term
> you wish to apply to such a person, they will eventually get
> through your security either through social engineering or
> simple network exploit.

The usual formula is "make the attack more expensive than the fruits
of the attack are worth".

> As far as home security goes. Do you do online transactions that
> need to be 100% secure? If so, take the basic steps, WPA, strong
> passwords including special characters, number and upper and lower
> case. At least 8 characters long.

The point is that WPA with strong passwords is both necessary AND
SUFFICIENT.

> Do MAC address filtering, and assign static IP address to particular
> machines.

These actions add almost no security relative to using WPA.

> Do not use the default SSID and do not use the default ip ranges.
> Make sure you change the IP for your router

These actions add none.

> and do NOT leave the default password.

Ditto. If you enable WPA, changing the password on the router buys
you precisely nothing. The router password is only useful to someone
who is ALREADY on your network. With WPA, that simply will not happen
unless they have physical access. Any attacker who is inside your
home has much better things to do than reconfigure your router, and he
can even do that simply by resetting the router itself.

> These are the basics, there are whole books out there though, feel
> free to get one if you feel so inclined. Hope this helps.

Why confuse people? The nice thing about WPA is that you do not need
to know very much to secure your home network.

I already gave the best summary:

1) Use WPA (preferably with AES).

2) Pick a long password with lots of random characters (and make
sure nobody untrusted knows it).

That really is all you have to do. Every other measure you name is
negligible in comparison.

- Pat

Re: summarize for you if I may... by Bill

Bill
Mon Apr 19 11:29:56 CDT 2004


>-----Original Message-----
>"Bill" <bbonner@pullman.com> writes:
>
>> Everyone who works in the tech business, and especially
>> in administration and security, should know that if you
>> have an experienced "hacker" "cracker" or whatever term
>> you wish to apply to such a person, they will eventually get
>> through your security either through social engineering or
>> simple network exploit.
>
>The usual formula is "make the attack more expensive than the fruits
>of the attack are worth".
>
>> As far as home security goes. Do you do online transactions that
>> need to be 100% secure? If so, take the basic steps, WPA, strong
>> passwords including special characters, number and upper and lower
>> case. At least 8 characters long.
>
>The point is that WPA with strong passwords is both necessary AND
>SUFFICIENT.
>
>> Do MAC address filtering, and assign static IP address to particular
>> machines.
>
>These actions add almost no security relative to using WPA.
>
>> Do not use the default SSID and do not use the default ip ranges.
>> Make sure you change the IP for your router
>
>These actions add none.
>
>> and do NOT leave the default password.
>
>Ditto. If you enable WPA, changing the password on the router buys
>you precisely nothing. The router password is only useful to someone
>who is ALREADY on your network. With WPA, that simply will not happen
>unless they have physical access. Any attacker who is inside your
>home has much better things to do than reconfigure your router, and he
>can even do that simply by resetting the router itself.
>
>> These are the basics, there are whole books out there though, feel
>> free to get one if you feel so inclined. Hope this helps.
>
>Why confuse people? The nice thing about WPA is that you do not need
>to know very much to secure your home network.
>
>I already gave the best summary:
>
> 1) Use WPA (preferably with AES).
>
> 2) Pick a long password with lots of random characters (and make
> sure nobody untrusted knows it).
>
>That really is all you have to do. Every other measure you name is
>negligible in comparison.
>
> - Pat

Sorry, but I am a fan of redundant security. I do not
believe in one single measure used to protect a network,
and I know that I am not in the minority on the subject.
Every competent technician I have ever worked with has
agreed that redundancy in security is oftentimes
worthwhile and in some cases necessary. It is possible to
bypass anything out there, but if you have several things
to bypass it takes much longer and is much easier to find
the person who is making the attempted intrusions.

-Bill

Re: summarize for you if I may... by Patrick

Patrick
Mon Apr 19 11:59:15 CDT 2004

"Bill" <bbonner@pullman.com> writes:

> Sorry, but I am a fan of redundant security. I do not
> believe in one single measure used to protect a network,
> and I know that I am not in the minority on the subject.
> Every competent technician I have ever worked with has
> agreed that redundancy in security is oftentimes
> worthwhile and in some cases necessary. It is possible to
> bypass anything out there, but if you have several things
> to bypass it takes much longer and is much easier to find
> the person who is making the attempted intrusions.

True, redundant security is good in general. But it really only makes
sense for measures of comparable strength.

Let me put it this way. If you were going to store some valuables in
a bank's safety deposit box, would you first put them in a metal tin
container with a little lock? After all, that would be "redundant
security". It would also be a waste of time, since anybody who broke
into the bank would not be stopped by a tin can.

The difference between WPA and everything else you named really is
that large. By far the best advice for novices is not to confuse them
by rattling off twenty different band-aid measures; it is to say
simply "use WPA and pick a good key".

Not that there's anything wrong with changing the password on the
router. :-)

If the equipment does not support WPA, that's different. Then you
want to layer on as many band-aids as you can: Filtering MAC
addresses, disabling DHCP, picking unusual IP address space, whatever.
A tin can is better than nothing.

But with WPA, you've got the bank vault. Just make sure nobody knows
enough to impersonate you...

Cheers!

- Pat