wireless (in)security

It's amazing what you can glean just from listening to the ether. Armed with an old laptop, wireless card, Kismet, and quarter of an hour, I can tell you the following about my neighbourhood:

There are 3 open wireless access points, 4 WEP-protected ones, and 5 or 6 WPA protected ones. One open point is run by a router with the default admin username and password. Several networks have their SSIDs hidden (but of course I still know them – “hidden” SSIDs mean little to Kismet). I also know (using MAC address vendor lookup) the make of each router and most of the stuff connected to it – for instance that several people use Apple computers, and one person has a wireless TiVo. Nobody except me has a Wii hooked up wirelessly :). Also, looking at the SSIDs of many of the networks, I can cross-reference with the phone book and find out exactly where the routers are (since many people put some variant of their surname in as the SSID).

So: hidden SSIDs mean nothing to an attacker (although they do stop random machines trying to automatically connect). MAC filtering again means very little to an attacker. WEP can be easily broken (say in half an hour) with monitoring and packet injection tools. And WPA(-PSK) can be subjected to a dictionary attack with information gleaned by the same tools.

My setup? Nothing out of the ordinary – just reasonable security. A strong admin password on the router. SSID “hidden”. I don't bother with MAC filtering because with the number of wireless devices I have in circulation, it's more inconvenient for me than for an attacker :). WPA encryption. A strong WPA password (not one that is susceptible to a dictionary attack). I estimate that a brute force attack on my password, testing a million keys a second, would take approx 50,000 years to succeed.

If you have a wireless network, don't wait until you see this on the pavement outside.