New Scientist article: Wireless boom is hackers' heaven

[Jim Cheesman]

[From: http://www.newscientist.com/article.ns?id=dn6894]

Setting up a wireless computer network at home has never been easier or
cheaper. But the freedom to access the internet from anywhere in or around
the house comes at a cost: Wi-Fi networks leave home computer users open to
unprecedented levels of security breaches.

Wi-Fi's radio signals carry up to 100 metres, and anyone within range can
pick them up. That is good news if you want to take your laptop into the
garden and connect to the net from there. But radio waves are no respecters
of household boundaries, and that can leave the network wide open to an
intruder operating a Wi-Fi PC from a neighbouring house, or sitting in a car
outside.

Most Wi-Fi networks come with security features to prevent this. But they
are not always easy to implement, so many users do not bother. And with
Wi-Fi sales rocketing (see graph), this carefree approach is worrying
security experts.

For an example of what could go wrong, consider the case of a man who was
arrested in Toronto 12 months ago after committing a minor traffic offence.
It turned out he had been driving around looking for unsecured domestic
networks that he then used to access paedophile websites via his Wi-Fi
laptop. If he had not been caught in the act, the trail of evidence would
have led instead to the people whose networks he had hijacked.

Firewall software
Domestic Wi-Fi networks are centred on a box called a wireless router, which
is usually connected directly to a broadband modem to give access to the
internet. The router uses a low-power radio signal to transmit and receive
data through Wi-Fi transceiver cards installed in computers anywhere in the
house.

Wireless routers come with a battery of built-in security features. To
prevent people hacking in from the net they run firewall software that
blocks off attempts to gain access via the modem. On the Wi-Fi network side,
encryption can be used to scramble the radio dialogue between the router and
the computers. This should prevent eavesdroppers reading emails, documents
or any other material as it passes round the network. The router can also be
set up to ensure that only computers authorised by the user are able to use
the network.

At least, that is the theory. In reality many Wi-Fi users are not bothering
to activate these features after completing the daunting process of getting
Wi-Fi up and running, says Ollie Whitehouse of Symantec Antivirus in London,
UK. Others are failing to change the default passwords set by
manufacturers - passwords that all hackers know.

Ross Anderson of the University of Cambridge, UK, says it is simpler for the
home user to run a Wi-Fi network on the security defaults that are set when
it comes out of the box. The software that comes with Wi-Fi cards and
routers is often complicated to configure, and turning on the encryption can
stop the network working unless people know what they are doing.

Wi-Fi cellphones
And it is not just home users who are leaving themselves wide open.
Consultancy firm KPMG says that around 70% of the Wi-Fi networks on
commercial premises it polled in 2002 were not encrypted, leaving companies
vulnerable to email snooping, password pilfering and data theft.

Phone calls could also be vulnerable to eavesdropping. People are
increasingly using voice over IP (VOIP) software to make phone calls over
the internet via their computer headsets. The danger can only increase when
Wi-Fi enabled mobile phones - which can be used to make free VOIP calls when
in range of a Wi-Fi network - come onto the market this year.

Security experts say that the solution lies in educating people about the
risks involved in going wireless, and making the software to protect them
easier to use. "Blaming the consumer is wrong. Computers are too complex for
the average person to secure. It's the fault of the network, the operating
system and the software vendors," says California-based cryptographer Bruce
Schneier in the US. "Products need to be secure out of the box," he says.

Unless security is improved, new breeds of computer virus that target the
multiple devices connected to Wi-Fi networks are likely to emerge, says
Mikko Hypponen of Finnish security firm F-Secure. A virus picked up via
email could, for instance, disable a Wi-Fi cellphone or perhaps divert calls
to others on its owner's contacts list.

Schneier is pessimistic. "When convenience and features are in opposition to
security, security generally loses. As wireless networks become more common,
security will get worse."




Regards,
Jim Cheesman


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com