How would you feel if out of the blue you received a call from your ISP saying they just received a complaint and supporting documentation that you have been sharing copyrighted material over the internet? As an ISP we receive complaints weekly about users sharing movies or music. It costs valuable time to chase down these complaints; it’s also embarrassing for us and our customers when we have to make these calls. So does CISP have a bunch of hackers, law breakers and unscrupulous people as customers – not at all. In many cases, I believe that the source of the problem is a lack of understanding.
For less than $100 you can go to the store and buy a wireless router, plug it in and away you go; thinking boy that was easy. The manufacturers of wireless routers build them to be easy for anyone to plug in and use. These devices are also designed to be network sharing devices. They’re easy to setup, convenient, inexpensive; Americans and Europeans alike love ‘em. In fact the Pew Research Center’s Internet & American Life Project found that six in ten American adults now go online wirelessly. The majority of them think the same thing – boy that was easy.
The problem is, it’s also that easy for your neighbor or the guy parked a crossed the street to connect to your wireless as well. Many wireless access points (AP) have a range of up to 300’. An Accenture survey found that 12% of US and UK respondents have “borrowed” other people’s Wi-Fi. This illegal activity is also more likely to happen in the US than in the UK. The survey showed that in piggybacking off someone else’s Wi-Fi one in seven respondents were from the US while only one in eleven were in the UK (1).
It’s not just your neighbors either; even Google has been accused of drive by spying on members of Congress (2).
SNS Global LLC did some research and found that more than one of our Representatives had unsecured wireless networks in their homes. One of them was Rep. Jane Harman who heads the intelligence subcommittee for the House Homeland Security committee. Representative Harman was found to have two unsecured wireless networks in her home. This is not surprising when you consider that many studies show that 60% of all home wireless networks are unsecured. So who’s using your wireless network and for what purpose?
There is a lot of bad information and advice given on how to secure a wireless network. Just because the sales person works in an electronics store, does not make them a wireless security expert. Advice does not even have to come from an electronics store. The other day I was in one of the large home do-it-yourself stores and was surprised when I found an isle that had wireless routers. I was even more surprised to find a lumber salesman telling a customer all he needs to do to secure his wireless is hide the SSID (Service Set IDentifier). Even if you don’t broadcast your SSID, it’s still required for you to connect to your wireless router. So guess what, the minute a connection is made a hacker now has your SSID and can connect to it.
If you simply do plug and play with your wireless router, you probably still have the default password enabled as well. This means that a shady person could gain access to the inside of your network. Once inside your network they can create all sorts of havoc, viruses, spyware, and identity theft. They could crash your machine or lock you out of your own router. With that said I want to take some time to go over what you can do to protect yourself.
1. The first thing you should do is to lock down the administrative access to your router. As soon as you plug it in you should go to administrative section of your routers configuration and change the administrator’s password. I never leave the default user name either and I certainly don’t leave remote access turned on. If I need remote access I use a product like LogMeIn or Remote Desktop and access the router from a PC on the inside of my network.
2. Don’t broadcast your SSID. Although this is by far not a complete security measure; you’re at least not waving your arms and saying here I am hack me. If I was a hacker or someone just passing by looking for a quick mark there are plenty of obvious opportunities – don’t be obvious. It takes time to find the hidden Access Points. With the site survey software I use for wireless installations, it’s easy to see that there is an Access Point out there. I just don’t know right away what the SSID is. A hacker or someone looking to piggyback is generally going to pick on the easy ones first.
3. There are three types of security encryption WEP, WPA and WPA2
*802.11’s WEP (Wired Equivalency Privacy) was the first and is also the easiest to crack. It comes in two flavors 64 bit also called WEP-40 and 128 bit also called WEP-104. The 64 bit takes a 10 digit hexadecimal number or key (0-9 and A-F) that you supply. The 128 bit version requires a 26 digit hexadecimal key. With both WEP and WPA the keys on the Access Point and the wireless bridge or laptop must match, or you cannot connect. If you have an older router that only supports WEP check to see if there is a firmware update available. If not, or you still don’t have access to WPA then use WEP. Between hiding your SSID and WEP there is a good chance your network will be viewed as too much trouble. Especially if you combine this with MAC filtering which we will get too shortly. There are also many non-PC devices like Blu-Ray players, media players and other devices that may not support WPA. Remember that WEP is far superior to no encryption at all!
*WPA (Wi-Fi Protected Access) is my favorite for home networks. Most wireless routers produced after 2003 support it. It’s easy to implement, you can use a pass phrase instead of a hexadecimal number and it’s almost impossible to hack. In most cases it supports two authentication types PSK (Pre-shared key) also known as personal mode and EAP (Extensible Authentication Protocol). It also can support two ciphers TKIP (Temporal Key Integration Protocol) and AES-CCMP which offers a newer and much stronger encryption technology than TKIP.
*WPA2 is the new and improved WPA. It offers many new options, is backwards compatible with WPA, but also offers administrators with a high level of assurance that only authorized users can access the network. Based on the ratified IEEE 802.11i standard, WPA2 provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm. WPA2 can be enabled in two versions – WPA2 – Personal and WPA2 – Enterprise. WPA2 – Personal protects unauthorized network access by utilizing a set-up password. WPA2 – Enterprise verifies network users through a server.
4. If you have a small network you can use MAC address filtering to control access to your wireless device. Unlike IP addresses, which can change, MAC addresses are static and hard coded by the manufacturer. A MAC (Media Access Control) address is made up of 6 two digit hexadecimal numbers separated by a colon. The first three are unique to the manufacturer, with the trailing three being unique to the device. MAC filtering is not, in my opinion, a true security measure, but a deterrent. Although the MAC address is unique and hard coded they can be spoofed through software. Even without spoofing, I don’t have to be connected to see the data that is passing between you and your access point. Remember that unlike a cable where data follows a linear path, wireless is broadcast 360 degrees and up to 300’ away.
So if someone uses your network for illegal activity, who is financially responsible for the damage? It’s your network it’s your responsibility to secure it. How would you feel if one morning you woke up, turned on your computer and all your files were missing? Change the default user name and password on your access point. Turn off remote management, and turn on WPA. If you can’t use WPA, hide your SSID turn on WEP and MAC address filtering. Do you go to bed or vacation and leave your doors unlocked? Protect yourself lock it down. If you need help or have questions call us 419-724-5300. If you have had an experience or have additional thoughts please share them.
Senior Wireless Engineer