Wireless networks are all the rage. But do you know how to protect your data from eavesdropping hackers?
BY SIMSON GARFINKEL
You've read a lot about the security of wireless LANs (WLANs) during the past year. With the plummeting prices of wireless access points and laptop cards, businesses, schools and home users have all rushed out and installed low-cost WLANs. Most of these systems are easy to install, and as it turns out, most wireless access points ship with access control disabled. This is great for usability: If you can receive the radio signal, you can put your laptop on the network without setting any codes or entering any encryption keys.
But that also means that many homes and businesses have inadvertently opened their networks to outsiders, because radio waves travel through walls, out onto the street and even into your neighbor's house. And you thought the British Royal Family had problems.
Because of those WLAN vulnerabilities, "war driving" has become a popular hacker pastime. All you need is a wireless card, a laptop, a global positioning system receiver connected to your laptop, a car and a free afternoon. Drive around town with a copy of NetStumbler or a similar program running, and your computer will log the geographical position of any WLAN it finds, along with its name and whether it has encryption turned on. When you're done, you can graph the results on your computer. You can even upload the findings to one of the national databanks. Or, if you feel especially motivated, you can get out of your car and mark the area so that other nosy strangers can find it, a kind of hacker public-service ritual known as war chalking.
Although war driving started as an exercise in demonstrating computer security holes, most people involved these days have a different political agenda. They're interested in using WLANs to create a mesh of free wireless Internet service throughout our neighborhoods. The war driving maps show where coverage is good and where new coverage needs to be added.
I'm all in favor of community groups, businesses and individuals teaming together to provide free high-speed wireless Internet access. Indeed, I have opened up the wireless access point in my own house; if you stand in my driveway with your wireless-enabled PDA, you can browse the Internet using my connection without even knocking on the door. Likewise, I've come to expect that high-speed Internet access will be available at conferences that I attend, and in most cases it's both easier and cheaper for conference organizers to set up a single wireless hub than to set up an Ethernet switch and string a lot of Category 5 cable.
But just as wireless technology has created security problems for network administrators, it has created vulnerabilities for mobile users as well. Ironically, these insecurities are both more severe for mobile users and easier to overcome. Most of the press coverage of WLAN security problems has focused on the weakness of the encryption system used to protect access points. Called WEP, short for Wired Equivalent Privacy, the system assigns a single shared encryption key to each wireless network. In theory, each company was supposed to make up its own key. If you didn't know a company's key, you were supposed to be blocked from accessing that company's network.
As things turned out, the whole WEP approach was flawed for two reasons. The first was the encryption algorithm and protocols themselves. WEP runs the RC4 stream cipher with a 24-bit per-packet initialization vector (IV) prepended to the shared key, and it protects each frame with a plain CRC-32 checksum rather than a real message authentication code. The IV space is so small that keystreams repeat within a day on a busy network, the way RC4 is keyed leaks key bytes through weak IVs, and the checksum is linear, so an attacker can alter an encrypted frame without detection. Cryptographers found it fairly easy to write programs that recover the WEP key a particular access point is using. Moving to longer (128-bit) keys didn't help much, because the underlying protocol flaws were unchanged.
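To make the protocol flaws concrete, here is a toy WEP in Python, added as an example and not code from the column or from any vendor. It shows the two properties that break WEP regardless of key length: a repeated IV reuses the RC4 keystream, so the XOR of two ciphertexts reveals the XOR of the plaintexts, and the CRC-32 integrity value is affine, so an attacker can flip chosen plaintext bits and fix up the checksum without ever knowing the key. The key, IVs and frame contents are constructed for illustration.

```python
"""Toy WEP showing the two protocol-level flaws discussed above: 24-bit IVs
repeat quickly (so RC4 keystream is reused), and the CRC-32 integrity value
is linear (so frames can be altered without the key).  Added example; the
key, IVs and frame contents are constructed for illustration, not real traffic."""
import zlib


def rc4_keystream(key, length):
    """Plain RC4 (key scheduling + output generation), as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key, iv, plaintext):
    """Frame = IV || RC4(IV || key) XOR (plaintext || ICV).  The IV travels in the clear."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Return the plaintext, or None when the ICV does not match."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


def keystream_reuse(key, iv, p1, p2):
    """Two equal-length frames under one IV share a keystream, so the XOR of the
    ciphertexts equals the XOR of the plaintexts.  An eavesdropper needs no key."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    return xor(c1, c2)[:len(p1)] == xor(p1, p2)


def flip_bits(frame, delta):
    """Rewrite an intercepted frame so it decrypts to plaintext XOR delta and still
    passes the ICV check.  Works because CRC-32 is affine:
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length)."""
    iv, ct = frame[:3], frame[3:]
    delta = delta.ljust(len(ct) - 4, b"\x00")      # pad to the plaintext length
    tag_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct, delta + tag_delta)


def iv_collision_probability(frames, iv_bits=24):
    """Birthday bound: chance that at least one IV repeats among `frames` frames
    when IVs are chosen uniformly at random (many real cards did worse, counting
    up from zero after every reset)."""
    space = 2 ** iv_bits
    no_repeat = 1.0
    for k in range(frames):
        no_repeat *= (space - k) / space
    return 1.0 - no_repeat


if __name__ == "__main__":
    KEY = b"\x01\x02\x03\x04\x05"                   # constructed 40-bit key
    IV = b"\x00\x00\x01"
    frame = wep_encrypt(KEY, IV, b"GET /intranet/secret HTTP/1.0")
    print(wep_decrypt(KEY, frame))
    print(keystream_reuse(KEY, IV, b"attack at dawn!!", b"retreat at noon!"))
    delta = bytes(14) + xor(b"secret", b"public")  # flip "secret" into "public"
    print(wep_decrypt(KEY, flip_bits(frame, delta)))
    print(round(iv_collision_probability(5000), 3))
```

Nothing in `flip_bits` or `keystream_reuse` touches the key, which is the point: a longer key changes none of this. The birthday calculation shows that a few thousand frames give better than even odds of an IV repeat, and cards that restart their IV counter at zero on every reset hand the attacker repeats far sooner than that.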
The second problem with WEP is significantly more embarrassing. Most people don't even turn it on, because WEP is somewhat hard to configure. To use the encryption, you need to type the same key or password into every wireless computer you want to use. That makes wireless computing a whole lot less convenient in practice, and as a result, people leave WEP disabled.
Without encryption, there's nothing to prevent a hostile computer user from connecting to your access point and scoping out your internal network. Any intranet pages, file shares or other services on your network that aren't protected by passwords are then wide open. An attacker might even use your company's Internet connection to send out spam.
An attacker who can use your wireless LAN can also listen in on the other wireless conversations taking place. Last spring, a Boston-area business was broken into by an attacker who sniffed the CEO's password over a wireless LAN. The attacker then connected to the company's Microsoft Exchange server and proceeded to download all the CEO's e-mail. Messages about current and pending business deals eventually ended up on a website, ultimately costing the company more than $10 million.
Such eavesdropping is an even bigger problem for people using wireless "hot spots" like those popping up at Starbucks coffee shops, conferences and many universities. By design, these hot spots do not use encryption; there is no practical way to hand a key to every walk-up customer. That means any traffic sent over the network by one laptop-toting Starbucks customer can be eavesdropped on by another.
I proved this point somewhat dramatically last fall at the Pop!Tech technology conference. I had just upgraded my laptop to Mac OS X 10.2 and was curious about the improvements that Apple had made to the wireless LAN system. So I opened up a window and started running the "tcpdump" program, a packet sniffer that comes standard with every copy of Mac OS X. A few seconds later, my window was filled with packets that were whizzing back and forth through the area, mostly from other people in the audience who were browsing the Web or checking their e-mail. Personal e-mail, professional correspondence, computer passwords and whatever else was being sent over their wireless network: it was all there. Amazing.
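What the sniffer window actually contains is worth seeing in code. The following Python is an added example, not from the column and not part of tcpdump: it reads a libpcap capture of the kind `tcpdump -w` writes and pulls out the credentials that travel in the clear over an unencrypted hot spot. The capture is constructed inside the code, and every address, user name and password in it is made up. The last segment is the opening of an SSL handshake to an IMAP server, which is what the protected users in the audience looked like to me: the sniffer sees that a connection exists but recovers no password from it.

```python
"""Scan a libpcap capture (the file tcpdump -w produces) for credentials sent in
the clear: what anyone sniffing an open hot spot sees.  Added example; the
capture below is constructed in code, not taken from a real network."""
import base64
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian libpcap file."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for seconds, frame in enumerate(frames):
        out += struct.pack("<IIII", seconds, 0, len(frame), len(frame)) + frame
    return bytes(out)


def tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex("665544332211") + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def tcp_segments(pcap):
    """Yield (src, dst, sport, dport, payload) for each TCP segment in the capture."""
    magic, = struct.unpack_from("<I", pcap, 0)
    order = "<" if magic == PCAP_MAGIC else ">"
    off = 24                                             # skip the global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(order + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != IPPROTO_TCP:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[tcp_off + data_off:14 + total_len]


def find_cleartext_credentials(pcap):
    """Return (protocol, client, secret) for POP3/FTP USER and PASS, IMAP LOGIN and
    HTTP Basic authorization.  Traffic on SSL ports (993, 995, 443) is opaque, so
    nothing is reported for it."""
    found = []
    for src, dst, sport, dport, payload in tcp_segments(pcap):
        for line in payload.decode("latin-1").splitlines():
            upper = line.upper()
            if dport in (110, 21) and upper.startswith(("USER ", "PASS ")):
                found.append(("pop3" if dport == 110 else "ftp", src, line))
            elif dport == 143 and " LOGIN " in upper:
                found.append(("imap", src, line))
            elif dport == 80 and upper.startswith("AUTHORIZATION: BASIC "):
                token = line.split(" ", 2)[2]
                found.append(("http-basic", src, base64.b64decode(token).decode("latin-1")))
    return found


# Constructed capture: a POP3 login, an intranet page fetched with Basic auth,
# and the opening bytes of an SSL handshake to an IMAP-over-SSL server.
CAPTURE = build_pcap([
    tcp_frame("192.168.1.23", "10.0.0.5", 49152, 110, b"USER alice\r\n"),
    tcp_frame("192.168.1.23", "10.0.0.5", 49152, 110, b"PASS hunter2\r\n"),
    tcp_frame("192.168.1.40", "10.0.0.7", 49153, 80,
              b"GET /intranet/ HTTP/1.0\r\nAuthorization: Basic "
              + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    tcp_frame("192.168.1.40", "10.0.0.9", 49154, 993, bytes.fromhex("160301002e01000029")),
])

if __name__ == "__main__":
    for hit in find_cleartext_credentials(CAPTURE):
        print(hit)
```

Point `find_cleartext_credentials` at the bytes of a real `tcpdump -w` file from your own network and the output is an inventory of every password your users are broadcasting. Note that HTTP Basic authentication only looks encoded; base64 is not encryption, and the decode is one line.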
Sniffable passwords and e-mail messages weren't the only security problems to be found. Many of the high-powered corporate executives in the audience had a directory or an entire hard drive that their laptop was sharing with the network. I decided against checking any of those file shares to see if I could read the files without providing a password.
Horror stories like that one often leave readers thinking that there's no way to secure wireless technology. In fact, nothing could be further from the truth. While many of the laptop-wielding conference attendees were literally airing their confidential information, others were completely protected. That's because they were using encryption to form a cryptographic barrier between my laptop and their information.
But here's the critical point: The protected users weren't relying on WEP. They were using other encryption protocols, such as SSL and IPsec, two protocols commonly used to secure webpages, e-mail and other information sent across the Internet. Because those protocols encrypt the data above the wireless link, between the laptop and the server it is talking to, it doesn't matter whether the access point in between encrypts anything at all.
Indeed, whenever I download my e-mail, I use SSL, the Secure Sockets Layer. SSL made its debut more than seven years ago as a tool to protect credit card numbers used to buy things online. But SSL also does a great job protecting e-mail passwords and the contents of mail messages. These days SSL is built into most e-mail clients, including Outlook, Outlook Express, Netscape and even Apple's OS X Mail.
Sadly, most ISPs don't make SSL available to their customers, because SSL places a higher load on the ISP's servers. I avoid that problem by running my own servers and making sure that those servers are equipped with SSL.
Many businesses don't bother with SSL on their internal networks, but they do use IPsec or other virtual private network (VPN) protocols to let mobile workers tunnel through the firewall to reach the company's internal mail servers and intranet. In many ways, that's a fine compromise. The firewall/VPN combination protects the company's critical servers from hostile outsiders, while the VPN encrypts all of the mobile user's data so that it can't be spied upon.
The problem with relying on firewalls and VPNs, however, is that they encourage poor internal security practices. Thinking that the network is safe, administrators don't require encryption for passwords or e-mail. File shares are left unprotected; after all, only people inside the company have access to them, right? Alas, these are the same practices that get exploited when somebody sets up an unauthorized wireless access point inside a company and the "inside" network suddenly reaches the parking lot.
Good operational security procedures can go a long way toward minimizing such risks. If you always treat your network as if there were some hostile eavesdropper on it, you'll be better prepared for those times when there actually is one.
Simson Garfinkel, CISSP, is a technology writer based in the
Boston area. He is also CTO of Sandstorm Enterprises, an information
warfare software company. He can be reached at machineshop@cxo.com.
ILLUSTRATION BY ANASTASIA VASILAKIS