Wi-Fi Security Issues Up Close
May 11, 2006
Have you ever seen what Wi-Fi eavesdroppers see? Here's your chance and it isn't pretty.
You can read and read about Wi-Fi security, but nothing will get the point across as efficiently as actually seeing what eavesdroppers can see on an unsecured wireless network. You may think your network is secured after just changing the default SSID or disabling SSID broadcasting, especially after reading New Yorks Westchester County's recent press release discussing a new Wi-Fi law for the city of White Plains. As mentioned in the press release, these two actions do take little effort, but by no means does this adequately secure your wireless network.
Understanding the importance of securing a wireless network requires you to be aware of the issues resulting from not securing your network:
Real-time Traffic is Compromised
- People can see what Web sites youre visiting.
- Login information to unsecured sites (non-SSL) is compromised, along with the content.
- Login information and content from services such as POP3 e-mail accounts and FTP connections is compromised.
- Your internet connection may be used for sending and/or receiving illegal information, such as spam, music files or even child porn.
- Others can access any shared files on PCs or servers connected to the network.
A Wi-Fi Eavesdroppers Look
First, lets take a look at what a Wi-Fi eavesdropper can see when you send an e-mail over a wireless network without encryption. To do this, I sent an e-mail (shown in Figure 1) from a computer on a wireless network with Microsoft Outlook using a POP3 account.
At the same time, I captured packets from the network on my laptop using a free tool called Ethereal. As shown in Figure 2, youre able to see exactly what was in the e-mail. Just imagine if this was an e-mail containing real sensitive information, and someone passing by in their car captured the wireless packets.
If that isnt bad enough, see what I captured in the packet trace shown in Figure 3 when I synchronized my e-mail. This sensitive information includes the login information for the POP3 account! It clearly shows the main server, user name and password for the account.
To clarify, the administrator of this wireless network could have changed the default SSID, disabled SSID broadcasting, enabled MAC address filtering, and many others things; however, we would still see the same information in Figures 2 and 3.
You should also note that I did capture these packets in Ethereal via an Ethernet connection to the test network. It is possible, though, to use Ethereal to capture packets using a wireless adapter. This brings up another issue: make sure the wired connections to your network are secure, because interlopers can capture any of the Ethernet traffic.
Securing your Private Wireless Network
Now that you understand the importance of Wi-Fi security, you should implement methods like those discussed below to ensure your sensitive information is secure.
To Secure Real-time Traffic
- Use WEP encryption at the minimum; ideally, go with WPA encryption.
To Prevent Others from Connecting
- Try to keep wireless coverage within a controlled area.
- Use MAC address filtering.
- Limit DHCP addresses, or assign static addresses.
- Disable SSID Broadcast.
Keep in mind that the use of encryption is the only method that adequately secures the real-time traffic, such as e-mails and Web browsing, on your wireless network. Most other security methods, such as MAC address filtering and disabling SSID broadcast, are intended to help prevent others from successfully connecting to the wireless network.
You can never be sure that your wireless network is completely secure. However, implementing multiple security methods means it will be much more difficult for Wi-Fi eavesdroppers to capture readable real-time data.
Protecting Yourself on Public Hotspots
When youre using an unsecured wireless network, such as a hotspot in a hotel, cafe, airport or any other public location, you should take steps to make sure your sensitive information isnt exposed:
Secure Your Real-time Traffic
- Use a VPN connection.
- Make sure any services you use, such as POP3 and FTP, are secured if you are not using a VPN.
- Dont visit any private or sensitive Web site unless its secured (for example, implementing SSL) if you are not using a VPN.
Prevent Others from Connecting to Your Laptop
- Disable any sharing of files, folders and services.
- Use personal firewall software.
- Make sure your operating system is kept up to date.
A VPN connection encrypts any data sent from your wireless adapter all the way to the VPN server and vice versa, therefore providing end-to-end encryption. Along with providing a great way to secure the data, this also enables access to the remote network hosting via VPN server, which is often used in businesses. If you arent provided with a VPN connection by your employer, you can either set up your own server, for example using Windows XP, or use a subscription-based, hosted service such as JiWires SpotLock.
Eric Geier is a computing and wireless networking author and consultant. Hes employed with Wireless-Nets, Ltd., a consulting firm focusing on the implementation of wireless mobile solutions and training. Eric is also an author and contributor of several books and eLearning (CBT) courses.