You might have heard about the Public Internet Project, a nonprofit organization devoted to expanding Internet access (for more information about this project as well as all the solutions I discuss in this month's column, check out the Web-exclusive box of additional resources at http://www.winnetmag.com, InstantDoc ID 40706). Last year, the group surveyed 802.11b wireless access in New York City. Figure 1 shows a map of Manhattan based on the group's research. The blue dots, which indicate secure wireless Access Points (APs) with Wired Equivalent Privacy (WEP) enabled, account for less than 30 percent of the mapped APs. The red dots, which indicate the other 70 percent, account for insecure APs open to anyone who cares to use them for Internet access. At first glance, this data might look harmless—after all, an AP owner might choose to make its AP public, right?
Now look at Figure 2, page 24, which is from a war drive I did in my neighborhood in Modesto, California, using Marius Milner's MiniStumbler on a Compaq iPAQ Pocket PC equipped with a Proxim ORiNOCO Gold PC Card wireless network card. The circle-and-padlock symbol indicates secure APs in the area, of which there were relatively few. Even more telling are the AP names, which are actually Service Set Identifiers (SSIDs). No less than 4 of the 12 APs listed are named "linksys," which is the default, out-of-the-box name that most Linksys APs use. In other scans, I found similar numbers of default AP names from other vendors. In almost every case, these devices are wide open without any security and use default administrative settings, which lets any passer-by not only access the Internet but also potentially hack the AP.
Although new security options simplify creating a secure wireless network and ease finding rogue wireless APs, few individuals take advantage of these options. As a result, unsecured APs are spreading like wildfire. After I surveyed my residential neighborhood, I surveyed Modesto's downtown business district, with similar results—many small businesses apparently install APs without ever giving a thought to security. Many Mobile & Wireless UPDATE correspondents report similar results, noting that they've found wide-open APs everywhere, including lawyers' and doctors' offices.
Even worse, these unsecured APs don't appear to be limited to residential PC users and small business owners who don't know any better. A front-page Wall Street Journal story last year detailed the experiences of two hackers who amused themselves by driving through Silicon Valley with a notebook PC connected to a high-gain antenna, successfully hacking into various companies, including Sun Microsystems. Just how sure are you that all the APs in your company are secure?
The problem of wide-open APs potentially affects us all. How many times during the past year have we had to contend with a virus, a worm, and who knows what else that intruders had injected into enterprise servers? Every insecure AP is an open invitation to hackers to do their worst in total anonymity: They can simply drive up within range of the open AP, inject whatever they want, and drive away laughing. And although I don't want to appear alarmist, in a post-9/11 world, we should all remain aware of the risk of terrorism, both physical and electronic. Unsecured APs provide a perfect medium for anonymous communication by anyone with a wireless mobile device and secure email software.
Industry Response
I'm not surprised that so many AP owners inadvertently set APs up in a wide-open state: Security measures on these devices are typically disabled by default, and the documentation rarely provides step-by-step instructions. For that matter, AP WEP-based security is so weak that any determined hacker can beat it. Having said that, I don't think weak security is a reason for not using it, but clearly we need something better.
The IEEE has been working on a new, more advanced wireless standard called 802.11i that will incorporate improved security, and vendors including Linksys are beginning to offer 802.11i-based products. Large organizations have also been implementing a component of another new wireless standard called 802.1x. In contrast to WEP, which requires separate authentication keys at each AP, 802.1x provides pass-through authentication against a central authority—typically a Remote Authentication Dial-In User Service (RADIUS) server, such as Microsoft Internet Authentication Service (IAS) in Windows Server. Administrators can integrate this central authority directly with Active Directory (AD), and this configuration is much less vulnerable to hacking.
Microsoft offers 802.1x wireless authentication support as an add-on to Windows 2000 and a built-in 802.1x client for Windows XP. For earlier OSs, Funk Software's Odyssey provides 802.1x support on most Windows-based systems, including Pocket PC devices.
Previous
Register
