Every week, there's another article on digg explaining how to hack a wireless router, how to secure a wireless router, or telling the story of some guy bragging about the wireless router he just hacked. The purpose of this article is to outline how easy it is to break onto a wireless network, and the most effective ways to protect against it. I'm not going to give a line-by-line description of how to use the networking tools, but I will explain what can be used. Note that in many jurisdictions, logging onto someone else's network without their consent is a crime. People have been arrested for using WiFi that didn't belong to them.
..:: Security is a Wall
Anyone who has worked in IT or software engineering can tell you that the perfect analogy for security is a wall. The question is how high you want to make that wall. The height typically depends on what is being held behind it. In the grand scheme of things, your grandma's photos have no value to anyone else. A script kiddie might enjoy watching you wallow in sorrow over your lost pics, but no real hacker is going to go after such a silly target. On the other hand, the NSA probably has some pretty important documents, so they have every interest in building a wall past the moon.
..:: Beating the Wall
In order to beat the wall, one can choose between two different methods:
- Exploit the wall itself: One can build a tall ladder, walk around the wall, or find a weak spot to pound in, essentially investing more time and energy than the one who set up the wall. In security terms, this usually works because the person who set up the wall doesn't know how easy the protection is to defeat, or because the security was put up mainly as an illusion for its deterrent effect. Most real-world security measures fall into this category, because policy enforcement is often overlooked during implementation. Many walls also have cracks waiting to be exploited. In the real world, these cracks are usually unintended and typically come from an accidental deficiency in the implementation. It's a lot like picking a lock.
- Social engineering: Often, one can simply persuade a gatekeeper to let the intruder into the secure area. Many organizations have been infiltrated solely because someone called up claiming to be someone they were not. Most viruses spread this way, basically by tricking someone into installing them. Remember the old Trojan Horse from second-grade history class? Well, that's where the present-day virus gets its name.
With that said, the goal in most hacking is to break in using the quickest, cheapest, and simplest means. Applying these general concepts to WiFi security, one starts to see the myth of wireless security exposed.
Using social engineering to get onto someone's home network isn't particularly easy. Usually, all you have is the router's SSID. You could pinpoint the router with the Doppler effect or triangulation, then knock on a few doors claiming to be from the cable company or the like. Once inside, you fiddle with the computer and essentially enable your outside link. However, this is usually much more work than the other methods require, and the risk of getting caught is rather high.
Most people don't realize that there are ways to limit access to their router; some are slightly informed, but even they are mostly unaware of the tools available to defeat those protections. The most common wireless protection methods are:
- MAC filtering: A MAC address is a number individually and uniquely assigned to every piece of networking hardware. The idea is that you tell your router to accept connections only from a few MAC addresses and to disallow everyone else. The problem is that your hardware must broadcast its MAC address, so anything can pick it up, and it can be spoofed. Want to beat MAC filtering? Try out netstumbler and any basic MAC spoofing program (some OSes even have native packages for altering MAC addresses).
- Encryption: Try out Aircrack-ng, Wireshark, Airsnort, or Kismet and you can break WEP and WPA in minutes, if not seconds. If you want a decent guide for the purposes of security auditing, see how to crack WEP and WPA wireless networks. I am not responsible for whatever you do with this guide. It has perfectly legal purposes, but breaking into your neighbor's wireless is most likely illegal in your country. WEP encryption is inherently flawed and can always be broken because of the flaw in its implementation. WPA-RADIUS is one of the strongest wireless encryption protocols, but like any encryption, it can be brute-forced. Additionally, WPA-RADIUS is rarely even an option in consumer electronics. WPA-PSK is the more common version, but many routers do not support it, and even some wireless clients fail to support it. Even then, WPA-PSK can be cracked, with the time required inversely proportional to network traffic.
Essentially, employing MAC filtering and WPA-PSK encryption creates a wall, but that wall can still be beaten.
Additionally, a significant number of people don't even bother to change their default password for their router, so no amount of encryption or MAC filtering will save them.
..:: Raising the Wall
One of the most effective ways to secure your wireless is not to let the wireless router act as your home's main router, and instead use another box as a VPN server and router. Essentially, your cable or DSL modem plugs into a computer with two network cards. The card not plugged into the modem plugs into a network switch. That computer acts as the gateway between the network and the modem. With a VPN server like OpenVPN or pptpd, joining the network requires VPN authentication. So, when you plug the wireless router into the switch, wireless clients can get onto the wireless router's subnet, but without the VPN login information there's essentially another wall between your network and the wardrivers. This wall is subject to all of the vulnerabilities of VPN implementations, so it's not an impermeable barrier - just another wall.
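As an added example (not from the original post), here is the forwarding policy the two-NIC gateway box needs so that the wireless side can reach nothing but the OpenVPN port until a client has authenticated through the tunnel. The interface names (eth0 to the modem, eth1 to the switch, tun0 for the tunnel) and the OpenVPN port (UDP 1194) are assumptions; the `show` mode prints the rules instead of applying them.

```shell
#!/bin/sh
# Gateway firewall for the VPN-behind-the-wireless-router layout: only traffic
# that arrives through the OpenVPN tunnel is forwarded to the modem, and the
# only service the wireless subnet can reach on the gateway is OpenVPN itself.
# Assumed names (constructed for this example): eth0 faces the cable/DSL modem,
# eth1 faces the switch the wireless router is plugged into, tun0 is the
# OpenVPN tunnel interface, and OpenVPN listens on UDP 1194.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
VPN_IF=${VPN_IF:-tun0}
VPN_PORT=${VPN_PORT:-1194}
show_rule() { printf '%s\n' "$*"; }   # dry-run stand-in for iptables
IPT=${IPT:-iptables}

apply_rules() {
    # Default deny: nothing enters or crosses the gateway unless allowed below.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The wireless side may talk to exactly one thing on the gateway: OpenVPN.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j DROP
    # Clients that authenticated (arriving on tun0) are forwarded and NATed out.
    $IPT -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Wireless clients that beat MAC filtering or WPA-PSK but lack VPN
    # credentials stop at this second wall; log them so wardriving is visible.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j LOG --log-prefix "vpn-wall: "
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

case "${1:-}" in
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null && apply_rules ;;
    show)  IPT=show_rule; apply_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```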
..:: Practicality
First off, most people live within range of only a few dozen other people. Further, unless you live in Silicon Valley or near the MIT or GA Tech campuses, you don't have to worry about many of these people being as knowledgeable as us geeks. At this point, everyone should apply the Expected Value Rule of Life (tm). In other words,
(resources to invest) ~ (probability of damage) * (magnitude of damage)
If the left side is greater, then you're finished after expending those resources. If the right side is greater, then you need to invest more resources in securing the system. So how do you really secure your network? You can't. You can make the wall taller and wider, but there will always be someone who can invest more time to get through. The key is to find the balance between the risk and damage and the resources you must spend to protect yourself. For most consumers, both the probability of damage and the magnitude of damage are incredibly low. As a result, simply turning on basic MAC filtering provides the security most people need. It's not an impenetrable barrier, but if we worried all day about being damaged, no one would get out of bed in the morning. Now that the myth has been dispelled, go outside.
Post Last Updated: Feb 22, 2007 6:59 pm