The Sad State of Personal Wi-Fi Security

If you have an internet connection at home, there’s a good chance you also have a wireless router set up to give you a wireless internet connection. Many people are happy with the default settings when they turn on their wireless routers for the first time. In some cases, if the router is provided by an ISP that gives a crap, you have a router with good encryption and a decent password. If you’re not that lucky, the default settings mean you’re sharing your internet connection and everything you do while online with anyone with a little knowledge of how Wi-Fi works.

Encryption is the key to safe wireless internet usage and while all wireless routers available today support a range of different encryption standards, many are configured with no encryption or very poor encryption by default. As an example, let’s have a look at the wireless access points that are visible from my apartment.

No less than 16 wireless access points are in range of my computer. I found them by using a tool called inSSIder, which anyone can download and use to scan for available wireless access points. It basically does the same as your operating system when it searches for wireless networks to connect, but the information collected from the networks found is displayed in a very convenient way. The main point of interest here is the Privacy column, which tells us what kind of encryption each network uses. There is one network with no encryption at all, 6 with WEP encryption, 3 with WPA encryption and 6 with WPA2-AES encryption (displayed as “RSNA-CCMP” in the table). As you can see, the WPA encryption comes in two flavors; WPA-AES (WPA-CCMP) and WPA-TKIP.

Initially, the network without encryption seems like an interesting one: It will give you free internet access by simply connecting to it. Personally, I get a little nervous when I see an open wireless network like this. It might be tempting to use it, but in some cases it’s a trap!. Someone might have set up this honeypot to lure you to connect to it just to record everything you do while connected. And by everything I mean everything: usernames, passwords and credit cards numbers - every single piece of data that is transmitted between your computer and the internet. Remember that free wireless internet you use at the coffee shop and the pizza place? It might be that you are connecting to a honeypot, not the free wireless network. And even if you are connecting to the coffee shop’s network, anyone can eavesdrop on the connection as long as the connection is unencrypted. This is the reason why I never connect to an unencrypted network and neither should you.

6 of the networks above are encrypted with WEP. In terms of communication security, WEP encryption is almost as unsafe as a network with no encryption at all. A quick search on Google shows you just how easy it is to crack the WEP passphrase and eavesdrop on the traffic on a WEP encrypted network: This means that if your network is encrypted with WEP and there’s someone within range of your network who wants to know what you are doing on the internet, he or she is probably listening in right now. Is your ex hiding in the bushes with his laptop? Even if that’s not the case, you should immediately change the encryption on your wireless network to something else than WEP.

WPA might seem tempting. But no. WPA can also be cracked fairly easy, even if it’s considerably more complicated than cracking WEP encrypted networks. Even though some Japanese scientists did it in one minute (PDF), most people wanting to crack an encrypted network will target WEP encrypted networks because it’s so damn easy. To stay as safe as you can today, switch to WPA2-AES (might be WPA2-CCMP on some routers) and create one hell of a passphrase. It is possible to crack WPA2-AES, but it requires a lot of computer power and password guessing. By using a non-dictionary password you can be fairly safe that no one will be able to eavesdrop when you surf on your wireless internet connection.

Personally, I’m using WPA2-AES with a 64 character long password. It makes me feel safe, but annoys the hell out of everyone who visits and want to connect to the internet.

Worth it.


Feedback

This post has no feedback yet.

Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.


Caution

It looks like you're using Google's Chrome browser, which records everything you do on the internet. Personally identifiable and sensitive information about you is then sold to the highest bidder, making you a part of surveillance capitalism.

The Contra Chrome comic explains why this is bad, and why you should use another browser.