
Staying Safe: securing your wireless connection

Recently, we reported on AT&T's push to make it easier for iPhone & iPod touch users to connect to their Wi-Fi Hot Spots. One of our readers, Jamie Phelps, pointed out on his blog that AT&T's Wi-Fi service is not actually a "secure connection," as is advertised in various places on their website; we had overlooked this, and mistakenly reinforced the company's shaky claim in our post.

This brings to light an important point about wireless networks and security, however. It's really easy (and sadly all too common) to hop on to an available wireless signal in your office, at the hotel, or your favorite coffee spot and not even think twice about logging in to your e-mail or checking your bank balance.

What many users don't realize is even though the server you are connecting to (i.e. your bank's website) may employ several layers of security, the connection between your computer and the wireless access point is very likely to be unsecured. Anyone who is within range of your computer can trivially monitor the traffic being sent between your computer and the access point, allowing them to see what websites you may be visiting or capture details about other services that you may be connected to. This isn't because of some gaping vulnerability or software bug, it's just an inherent part of how wireless networks work.

So, what can you do to protect yourself? Read on for a list of simple steps you can take to ensure that your wireless connection is safe and secure.

How to tell if your wireless connection is secure

Since many hotspots advertise "secure" connections, here's a quick acid test: Did your operating system prompt you to type in a passphrase or key when you first tried to connect to the network? If so, you are probably on a secure network. In Mac OS X, you can verify this by checking to the right of the wireless network name in the wireless menu on your menu bar. If you see a padlock, the connection between your computer and the access point is encrypted. If not, it's fair game.

Major hotspot providers may deliberately choose not to enable WEP or WPA encryption to simplify the user logon experience; if you disagree with this approach you can certainly let them know. For smaller operations like the local cafe or copy shop, it's not much effort for them to post a regularly-rotated WPA key on the wall by the cash register; that also may help cut down on unauthorized use of their wireless network by non-customers.

Use encryption features on your wireless router

If you're running a wireless network at home, one of the first and most important steps you can take is to use the encryption features that are built into your wireless access point or router. You do this by logging in to your device's configuration interface, selecting an encryption type (usually WEP or WPA/WPA2), and entering a key or passphrase. While many newer devices will let you enter anything you like for the passphrase, some won't and will require that you provide a hexadecimal key instead. If you get stuck with this, Andrews Companies provides a free online key generator here that might be useful.

By the way, if you're using an AirPort Extreme Base Station, this is as simple as opening the AirPort Utility and going into the wireless settings of the AirPort. Select WPA/WPA2 Personal from the Security dropdown, and then enter a password to use (longer is better).

Use firewall settings on your system

When you're connected to a wireless network, other computers using that network can see your computer, and thanks to discovery services like Bonjour, may automatically get access to your iTunes library or any sharing services you have enabled.

Luckily for most Mac users, OS X has a simple, built-in firewall that will cover typical security needs. But, as with all firewall solutions, it doesn't provide any benefit if it's not turned on. You can check your firewall settings by going to the Security pane of System Preferences, under the Firewall tab. If you're on a public wireless network, you should have the firewall set to either allow only essential services, or you can choose to set specific rules if you would like more fine-grained control.

If you're using Windows XP or newer via virtualization or Boot Camp, you can also use the built-in firewall to restrict access to your system. There are also a number of third-party solutions available for both systems if you want something more advanced than the built-in offerings.

Keep your system software up-to-date

You know those Software Update notices you get periodically prompting you to install updates to Mac OS X and other system software? Install them. Not all of them are related to security, but if a vulnerability is found, chances are those updates will correct it.

Use secure connections for e-mail and web services if your service provider supports them

This one is a bit harder, as it relies on your service provider to accept secure connections. This is particularly a problem with e-mail providers. For example, if you're using Google's Gmail (or Google Apps for your Domains) and accessing your e-mail from Mail, Thunderbird, or another mail client, your connection to Google's servers is already secure, because they require secure connections. With other e-mail providers, you sometimes can use secure connections, but their instructions usually show a basic setup instead. So your best bet is to check with your provider and see if they allow secure (sometimes called SSL or TLS) connections.

Many other services such as instant messaging clients and social networks offer secure connection options as well. Sometimes it's as simple as changing http:// to https:// in your address bar, or you may need to find a setting in the service's options that will enable it. Luckily, most web services today at least use a secure connection while logging in, which is better than nothing at all.

Use a VPN if connecting to sensitive systems

If you are connecting to services at your workplace, it's a good idea to use a VPN (Virtual Private Network) if your company provides one. VPNs allow you to create a secure "tunnel" between your computer and another network at a remote location, effectively making your computer work as if it were physically connected to the network in the office.

If you don't use an employer's VPN but you still want to leverage a VPN service to lock down your connections, see Jason's post about Hotspot Shield; for accessing Bonjour-based services on your home machine over a secure SSH tunnel, Brett noted ShareTool a while back. If you're looking for a free tool to set up your own VPN, HamachiX may be what you need.

Don't rely on MAC-based authentication

MAC-based authentication (not to be confused with Mac as in Macintosh) is a very basic security option offered by many wireless routers. A MAC address is a supposedly unique identifier programmed into wireless cards and other networking devices. The router maintains a list of allowed MAC addresses, and ignores traffic from those not on the list. This method sounds like it should work perfectly, and it would, except that it is very easy to "spoof" the MAC address of any machine to look like it is coming from an authorized device. And to top things off, your MAC address is broadcast over the air with every packet you send, giving anyone who is listening a list of authorized addresses for the picking.
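To see why the last two points above hold, it helps to look at where in a Wi-Fi frame the MAC addresses live. The following is an added illustration, not code from the original article: it parses the 802.11 data-frame header, which is sent in the clear on every frame whether or not WEP/WPA is in use, and shows that on an open hotspot the frame body (here a constructed HTTP request) is readable too. The two sample frames, the MAC addresses and the body contents are all constructed for this example and are not real captures.

```python
"""Parse the cleartext 802.11 MAC header of a captured data frame.

Added illustration for this article. The frames, MAC addresses and bodies
below are constructed by hand; they are not real captures.
"""
import struct

TO_DS_FLAG = 0x01        # frame-control flag: station -> access point
FROM_DS_FLAG = 0x02      # frame-control flag: access point -> station
PROTECTED_FLAG = 0x40    # "Protected Frame" bit: body is WEP/WPA encrypted
TYPE_DATA = 2            # frame type value for data frames
HEADER_LEN = 24          # frame control + duration + 3 addresses + seq control


def fmt_mac(raw: bytes) -> str:
    """Render six raw bytes as the usual colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Return what any receiver in radio range can read from a data frame.

    The header is never encrypted; WEP and WPA only protect the body that
    follows it, and only when the Protected Frame bit is set.
    """
    if len(frame) < HEADER_LEN:
        raise ValueError("frame too short for an 802.11 data header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    to_ds = bool(flags & TO_DS_FLAG)
    from_ds = bool(flags & FROM_DS_FLAG)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    # The meaning of the three address slots depends on the To-DS/From-DS bits.
    if to_ds and not from_ds:           # station -> access point
        bssid, source, dest = addr1, addr2, addr3
    elif from_ds and not to_ds:         # access point -> station
        dest, bssid, source = addr1, addr2, addr3
    elif not to_ds and not from_ds:     # ad hoc / management traffic
        dest, source, bssid = addr1, addr2, addr3
    else:
        raise ValueError("4-address (WDS) frames are not handled in this example")
    return {
        "type": ftype,
        "subtype": subtype,
        "protected": bool(flags & PROTECTED_FLAG),
        "source": fmt_mac(source),
        "dest": fmt_mac(dest),
        "bssid": fmt_mac(bssid),
        "body": frame[HEADER_LEN:],
    }


def build_data_frame(src: bytes, dst: bytes, bssid: bytes, body: bytes,
                     protected: bool) -> bytes:
    """Construct a station-to-AP data frame (To-DS=1) for the demonstration."""
    flags = TO_DS_FLAG | (PROTECTED_FLAG if protected else 0)
    fc = (TYPE_DATA << 2) | (flags << 8)
    header = struct.pack("<HH", fc, 0) + bssid + src + dst + struct.pack("<H", 0)
    return header + body


def describe(frame: bytes) -> str:
    """One-line summary of what an eavesdropper learns from the frame."""
    h = parse_80211_header(frame)
    visible = f"station {h['source']} talking to AP {h['bssid']}"
    if h["protected"]:
        return f"{visible}; body is encrypted ({len(h['body'])} opaque bytes)"
    return f"{visible}; body is readable: {h['body'][:40]!r}"


# Constructed, locally-administered MAC addresses (not real devices).
STATION = bytes.fromhex("02000000aa01")
GATEWAY = bytes.fromhex("02000000ee01")
AP_BSSID = bytes.fromhex("020000000b01")

# Open hotspot: Protected bit clear, body is a plaintext HTTP request (constructed).
OPEN_FRAME = build_data_frame(
    STATION, GATEWAY, AP_BSSID,
    b"GET /balance HTTP/1.1\r\nHost: bank.example\r\n\r\n", protected=False)

# WPA network: Protected bit set, body is opaque ciphertext (constructed filler).
WPA_FRAME = build_data_frame(
    STATION, GATEWAY, AP_BSSID,
    bytes.fromhex("7f3a9c0e5d214b8ac6e1f0335a9d7b2c8e4410ffa1"), protected=True)

if __name__ == "__main__":
    print(describe(OPEN_FRAME))
    print(describe(WPA_FRAME))
```

In both cases the station's MAC address is read straight from the header, which is exactly the list of "authorized addresses" the article says a listener collects; encryption changes only whether the body after the header is readable.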

When in doubt, scrutinize browsing habits if roaming about

Since many aspects of your wireless browsing experience may be beyond your control (which is particularly true if you're using a public hotspot that doesn't support encryption), it's always good practice to scrutinize your browsing habits. Avoid highly sensitive browsing like accessing your banking information or completing purchases online when on an unsecured network. If you use instant messaging, avoid sending personal information unless you know the service is using a secured connection.

Be particularly wary of unusual dialogs or messages prompting you to install software or asking you to confirm your password. If it's a website, even if it looks legitimate, don't put in any information unless you specifically went to that site by typing in the address yourself.

Now, of course the point of this article isn't to scare anyone or to suggest that you shouldn't use wireless connections. Chances are, the guy sitting next to you at the coffee shop isn't just sitting there sniffing packets and waiting for someone to log in to their online banking. But that doesn't mean you shouldn't be proactive about making sure that your data is secure. As the saying goes, it's better to be safe than sorry.

32 Comments
Prateek

I've found a way here, to secure Wi-Fi using WEP security

July 15 2009 at 1:25 AM
ToeKnee

I used a lot of words, because just the summary would not have been clear to many what I meant. In hindsight, I missed one of the points in the summary: "WEP can be useful for access control where security is not important, but low cost, low complexity, and *high compatibility* is."

As for the false sense of security, I think the onus is on the user to find out about wireless security. Even if the security in the coffee shop was WPA2 with a 30 digit random password, the MITM logging could be perpetrated by a neighbor who also has the WPA password. But whether this is likely to ever happen, even with WEP encryption, and whether a perpetrator could then decrypt the SSL, and whether that information could be put to any use is really up for debate. For example, if someone decrypted my login to my bank's website, there is little they would be able to do other than see how much money I have. Any transfers would be traceable, my address cannot be changed without further authorization(s), my debit card # is not available on the website, etc.
If we hold providers of free wireless responsible to educate the end users, locations with free wireless will dry up, and that would not be good for us geeks whose standard of living depends on being able to sniff account #s and commit fraud. ;)

July 04 2009 at 11:47 AM
jbrown510

One more thing. I'd appreciate, as someone else asked, someone chiming in on the relative security of using 3G tethering. It seems far more secure to me than WiFi, but I don't really know.

July 02 2009 at 6:28 PM
jbrown510

Wow... this is the most informative and useful comment thread I've EVER seen on TUAW. It rivals many Ars comment discussions and is a welcome change from people posting "firsts". Big thanks to CS (love the Black Hat DC 2009 Video, I hadn't seen it) and the others. The original article is a bit lacking as it does provide some false comfort suggesting methods are secure that are not.

I thought I knew a lot about wireless security, as much as many professionals claiming to be security experts anyway. First because I'm a geek, but more because I need to keep familiar with it. I travel internationally a lot (India, Thailand, China, etc.) and I am constantly on very sketchy networks.

I long recognized that a publicly available WEP/WPA key means the network is no more secure than an open hot-spot. I agree with whomever said it that it gives users a false sense of security and public hotspots ought to be left unsecured.

I guess it's time I finally set up a secure VPN through my home connection. (I run DD-WRT, will finally set up OpenVPN).

July 02 2009 at 6:26 PM
MrMojo

I neglected to note that there are two additional advantages to using VPN: your IP address is changed to the IP address of the server you are using at the time (Witopia does not log its clients' Internet usage and deletes the skimpy logs they do keep within 48-72 hours...) And your ISP cannot track your Internet activities because your connection bypasses its servers altogether.

It's a nice package: security AND privacy for a nominal cost.

July 02 2009 at 2:23 PM
MrMojo

You don't need to go to the trouble and expense of setting up a VPN server to gain the advantages of a VPN server; there are a number of companies offering "public" VPN accounts for reasonably priced monthly or yearly subscriptions.

Several years ago I demoed all the public VPN options that I could find and I settled on personalVPN from Witopia. For $40 a year I have VPN/PPTP on my Macs and iPhone. You can have 128-bit or 256-bit encryption. The installation process is easy and connecting to the server(s) is a snap. personalVPN has servers in the U.S. and Europe. The customer service has been excellent. At times the data download speed is faster than Charter and the upload speed is much faster because it is not as restricted as Charter.

A quick Google search will turn up a number of public VPN options.

I'm not an employee/investor (darn it!) just a Very Satisfied Customer...

July 02 2009 at 2:11 PM
ToeKnee

WEP is not so bad as some of you make out - it's just not secure. But it can serve a purpose. If your goal is just to keep 'honest people honest' and have some control over use of bandwidth while retaining compatibility with almost all wireless devices out there, WEP is fine. 99.9% of people will not try, much less succeed, at hacking a WEP-encrypted network.
For example, a coffee shop which wants to provide an open network but doesn't want everyone on the block able to easily use it can use an old 802.11b wireless router, change the WEP key occasionally, and tape the key/password on the counter by the cash register. If you think about it, this will keep out almost all 'drive by' wifi users. At a minimum, they have to come up to the register, and unless they're really bold, they'll buy at least a cookie.
There are lots of more complicated ways and systems for coffee shops to give measured access, but those cost money and require training, updates, and supplies. The owner can set the router web interface to be the home page of the office computer if they want to make it very easy to change regularly.
It will not keep out those who buy a cookie one day and then use the connection free until you change the password, but you can 'shape' that with regular key changes. In any event, the control it gives you is much more than just providing an open wireless network gives you.
Anyone reading this is not the demographic I am talking about, by the way. Those of us who could easily subvert this are a very small percentage of the population. And only a small percentage of our geek population are the kracksters who would try to do harm, and if you have one of them after your network, they'll probably find a way in regardless-- the WEP is not the critical factor. Thankfully, such attacks on small businesses are rarely worth a malicious kracker's time. Most who could do that stuff are in it just for the thrill of being able to do it.
Summary: WEP can be useful for access control where security is not important, but low cost and low complexity is.

July 02 2009 at 11:54 AM
1 reply to ToeKnee's comment
jbrown510

>Summary: WEP can be useful for access control where security is not
>important, but low cost and low complexity is.

Wow you used a lot of words to say that ;) and I agree, however you did not address the false sense of security 99% of users at those coffee shops get THINKING that WEP is securing their browsing when any neighbor could be using a MITM to easily log all traffic (including SSL encrypted traffic).

July 03 2009 at 6:29 PM
terrovision

So what's the solution then? Is there any way to have a truly secure wireless network? Is the only way to go by cable? Bah.

July 01 2009 at 4:36 PM
1 reply to terrovision's comment
robb

The cable isn't secure either. The Internet isn't secure.

If you want security, use encryption.

July 01 2009 at 9:54 PM
G-Man

Here's a question: given the choice between a public Wi-Fi network like the one in Starbucks or AT&T's 3G network (or even Edge), which one should I choose if I wanted to, say, check my bank account info or submit a credit card number for an online shopping transaction? I know neither are ideal for things like this, but sometimes you just don't have a choice.

July 01 2009 at 1:48 PM
1 reply to G-Man's comment
scuttlemonkey

No difference. Both are wide open. And the same is true of wired connections -- ISPs have rogue employees who eavesdrop -- or ISP hardware can be subverted by hackers or viruses.

Are you using SSL (now called TLS apparently) to talk to your bank? That's the only thing that can save you.

http://en.wikipedia.org/wiki/Transport_Layer_Security

July 01 2009 at 2:36 PM
scuttlemonkey

Ok, other commentators have said this, but let me spell it out.

The purpose of "secure" wi-fi is to prevent strangers from jumping onto your network without at least having to do a bit of work. That's all it is good for! Google aircrack-ng if you want to know more.

And you know, your bank is probably 10 routers away from your computer. What's the big deal with securing one of those hops but not the other nine? No point at all, hence banks require the use of SSL -- which is actual real security.

Are we going to see a correction?

July 01 2009 at 12:19 PM
© 2012 AOL Inc. All Rights Reserved.