wireless (in)security

It's amazing what you can glean just from listening to the ether. Armed with an old laptop, wireless card, Kismet, and quarter of an hour, I can tell you the following about my neighbourhood:

There are 3 open wireless access points, 4 WEP-protected ones, and 5 or 6 WPA protected ones. One open point is run by a router with the default admin username and password. Several networks have their SSIDs hidden (but of course I still know them – “hidden” SSIDs mean little to Kismet). I also know (using MAC address vendor lookup) the make of each router and most of the stuff connected to it – for instance that several people use Apple computers, and one person has a wireless TiVo. Nobody except me has a Wii hooked up wirelessly :). Also, looking at the SSIDs of many of the networks, I can cross-reference with the phone book and find out exactly where the routers are (since many people put some variant of their surname in as the SSID).

So: hidden SSIDs mean nothing to an attacker (although they do stop random machines trying to automatically connect). MAC filtering again means very little to an attacker. WEP can be easily broken (say in half an hour) with monitoring and packet injection tools. And WPA(-PSK) can be subjected to a dictionary attack with information gleaned by the same tools.

My setup? Nothing out of the ordinary – just reasonable security. A strong admin password on the router. SSID “hidden”. I don't bother with MAC filtering because with the number of wireless devices I have in circulation, it's more inconvenient for me than for an attacker :). WPA encryption. A strong WPA password (not one that is susceptible to a dictionary attack). I estimate that a brute force attack on my password, testing a million keys a second, would take approx 50,000 years to succeed.

If you have a wireless network, don't wait until you see this on the pavement outside.

5 Responses to “wireless (in)security”

  1. sylvene says:

    Heh. I have the same setup as you do. A hidden SSID and a strong admin password on the router.

    (http://livejournal.com/users/sylvene)

  2. elbeno says:

    WPA with a strong password is the important bit though.

    (http://livejournal.com/users/elbeno)

  3. sylvene says:

    WPA vs WEP Ya know… I set it up 3 years ago. I don't remember… now I'm going to have to check when I get home.

    Bah!

    (http://livejournal.com/users/sylvene)

  4. elbeno says:

    Mine used to be WEP until I upgraded my router. WPA didn't used to be well supported by older routers and network cards. If you have to use WEP, 128-bit is better than 64-bit – it takes about 3 times longer to crack. But even so it's still crackable in reasonable time.

    But hey – if you can't be bothered with fiddling, another approach is to do a neighbourhood scan and see what's around. You probably only need to be more secure than the easiest target.

    (http://livejournal.com/users/elbeno)

  5. sylvene says:

    Haha. I know I'm more secure than the easiest target because I've logged into the neighbor's network while mine was down. *snicker*

    (http://livejournal.com/users/sylvene)

Leave a Reply