
Wi-Fi Convenient, but Dangerous

With the advent of standardized 802.11n Wi-Fi, it’s easier than ever to expand your business network wirelessly, but that may not always be a smart idea.

I’m sitting outside an office building in Portland, Oregon. The building has at least half a dozen businesses with about 40 Wi-Fi access points (AP). In the hour I’ve been sitting here, I’ve broken into 28 of these corporate networks.

While I certainly know more about networking than most people do, I have no special expertise. I’m no hacker. I’m just making use of a good network packet analyzer, Wireshark (formerly known as Ethereal), and several common-as-dirt, dead-simple-to-use cracking tools.

The simple truth is that, given a few days and publicly available programs, any wireless network can be broken. Sadly, as I just rediscovered today, most Wi-Fi networks don’t require that much trouble. Heck, it barely requires any effort at all.

Indeed, two of the businesses (downtown businesses, mind you, not Harry’s Home Network) didn’t have any security on their APs. Sigh. Leaving an open AP isn’t just a matter of letting other people share your bandwidth. It’s also an open door into your network. Another three were even worse: They used the default passwords for their wireless routers and APs. As for the rest, most were little more trouble to unlock.

That’s because most Wi-Fi security protocols are pathetically easy to break. For example, it’s a good bet that every Wi-Fi device your company has supports Wired Equivalent Privacy (WEP). And many of you, including ten of the companies I just “visited,” use WEP for security.

It’s just too bad that WEP was broken, for all practical purposes, back in 2001. WEP stops someone with no clue about Wi-Fi networking security, but those are the only people that it will stop. However, every vendor still includes WEP as part of their laundry list of supported protocols; some reputable sources, like Consumer Reports, as recently as 2009 recommended WEP’s use. Consumer Reports subsequently corrected its mistake, but alas its “better” recommendation, WPA (Wi-Fi Protected Access), is also pretty easy to crack.

WPA, with its baked-in security protocol, Temporal Key Integrity Protocol (TKIP), was broken more recently. It takes more of an effort to break than WEP does, but it’s also useless against any determined attacker. If someone wants to be fancy about it, he can try cracking your WPA using either a vulnerability in its Quality of Service (QoS) support or a man-in-the-middle attack.

Practically speaking, I, and anyone else who wants to jump into your network, probably don’t need to bother with these methods. Instead, they’ll use rainbow tables: precomputed tables of the keys produced by the most common WPA passwords. That works because your SSID (the broadcast name of your Wi-Fi access point) is combined with the password to produce the network key. Thus, chances are you’ve already given any would-be hacker part of the key. They then use the rainbow table to run through likely passwords until they find the one that matches.

How successful is this technique? With a 2.2GHz processor and an 8GB rainbow library, I broke into 15 WPA “protected” networks. Mind you, I didn’t have to do any work; I used a common program that automated the process and set it to work. Had I more time, I have no doubt I would have cracked the other WPA networks. There’s even a service, WPA Cracker, to do it for you!

Perhaps you imagine that WPA2, the most advanced standardized Wi-Fi security protocol out there, would be immune. You’d be wrong. You see, WPA2 has two security standards: TKIP and the jaw-breaking Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), also known as Advanced Encryption Standard (AES).

It’s more trouble to break WPA2 with CCMP, but thanks to those rainbow tables, it can be done on any ordinary laptop computer, such as mine, which managed to bust into one WPA2/TKIP network. In 2011, both WEP and TKIP-based security will no longer be supported by the Wi-Fi Alliance. But, of course, millions of legacy devices, including any that you buy this year, will still include them.

So, what you really want is WPA2 with AES. Unfortunately, a lot of older equipment and operating systems don’t support it. For example, Windows 2000 and Windows XP SP2 systems cannot support this protocol natively. If for some reason you just won’t move to Windows XP SP3, you can add WPA2-AES support to Windows XP SP2 with the Windows KB893357 hotfix. Note that this is a hotfix, not a patch. Even if your system techs were keeping Windows XP SP2 up to date before Microsoft pulled the plug on Windows XP SP2 support, you still won’t be able to use WPA2-AES unless they deployed that hotfix.

OK, let’s say you are using WPA2. You probably know that it comes in two versions: Personal and Enterprise. With the Personal version there is a single universal password, the so-called Pre-Shared Key (PSK), for everyone. With the Enterprise version, each Wi-Fi network user gets his or her own password.

As you might guess, the Personal version, even with AES, is more dangerous to use than the Enterprise one. But both can be broken. As long as your network is constantly sending and receiving packets over the air, anyone can snatch them and try to brute-force their way into the network. If you were using a really long, random password, say 20 characters, you’d be “relatively” safe. But how many of us would really use 20-character passwords like sfds*&10wiJMdis12rt?

The other networks I visited were all “protected” by WPA2-Personal with a really easy to guess password. In one case, the password was the same as the SSID. In the other, it was the name of the company. Great security there, guys. Just great.

Of course, you could just let the machine remember the password rather than try, and fail, to get people to remember it. That will fail, of course, if anyone with malicious intent ever steals a PC.

Here’s the simple truth. People being people, your Wi-Fi security will be broken. It’s just a matter of time. That being the case, if you’ve got information on your network that you really don’t want anyone getting into, consider making it available only over wired networks. Yes, people can get into those too, but the skill set needed to break into a building is entirely different from, and a lot harder to find than, the one needed to break into a wireless network.

A version of this story was first published in IT Expert Voice.
