Why oh wifi?

September 17, 2007

If you have your home wifi properly secured, what do you do if Uncle Brian turns up for a flying visit, just happens to have his laptop with him and asks to use the Internet?

I had the choice of getting his laptop authorised to use the wifi with all the security still on, turning all the security off briefly or lending him one of my laptops. He really wanted to use his so it was one of the first two.

What a choice! Why don’t router manufacturers build in some easy system to add a guest temporarily?

I didn’t really want to pass out my WPA pre-shared key to Uncle Brian. It’s not that I don’t trust him, but I just don’t feel comfortable with adding it to PCs which are not under my control. I could have changed the key later but that would have meant updating 5 separate machines, a pain in itself.

In the end I switched off security and disabled MAC address filtering, chose a new SSID and turned SSID-broadcasting on, so for a while my wifi was wide open. I didn’t worry too much; I can’t imagine a team of spies armed with packet sniffers had been encamped in the garden for months waiting for me to drop my guard so they could steal the family photos off the hard drive.

Speaking of hard drives, I suddenly had a panic. In principle Uncle Brian could now access the shared drives on my network; so I turned sharing off temporarily.

Brian was able to access his email and whatever else on the Internet. Meantime the security changes broke my son’s wifi connection – he was less than gruntled.

The worst part was having to reverse all the changes after Uncle Brian and his partner bid their farewell, particularly reactivating sharing on the hard disks of some of the PCs. I made mistakes with the share names so some programs which I use over the network were broken and I had to check the pathnames and rename the shares. It took a while to get everything working and settled back down as it had been before. A disproportionate amount of hassle to let a random visitor check emails for a while.

I really do think router manufacturers should build in temporary guest features, or there should be a provision for this in the wifi standard.

I had a look on the Internet to see whether anyone provides such a facility. I did come across McAfee’s Wireless Protection system which makes it easy to add new PCs to the wifi while maintaining security, and it keeps changing the key so I could just have disabled Uncle Brian’s access rights and the old key would be no good to him. It might be an option for the future. The main drawback for me is that I use my PDA with the wifi and the McAfee client software would not install on that.

I gather some routers support multiple virtual networks (different SSIDs with different security and different access rights) using a single router.

Or I might just plug in an old access point …

Any better ideas out there?

3 comments

  1. […] My recent posting most wifi section looks ordered to be the person of a forthcoming program of “Security […]


  2. John. I agree with all of that. I could safely dispense with MAC filtering etc, just rely on WPA-PSK with a strong password. I do use a very strong password, taken from Steve Gibson’s password generator page.

    (https://www.grc.com/passwords.htm)

    Speaking of which, see my next post for an interesting exchange with Steve himself who has promised to address this issue (letting casual visitors onto secure home wifis) in a future episode of his “Security Now!” podcast.


  3. I used to advocate all this security nonsense as well in relation to WiFi but some of it is NO security.

    SSID Hiding:
    The SSID is still broadcast as it is critical to the operation of wireless. Setting this flag just tells well behaved wireless devices to hide the network from the user! Programs such as Netstumbler can still find your wireless network regardless of how you set this flag.

    MAC Address Filtering:
    It is possible to find out the active MAC addresses on a wireless network without knowing the password. Again, MAC addresses are critical to wireless networking and are sent in the clear. Most modern network cards allow the changing of the MAC address to spoof another address! There are also applications that allow this to be changed. So once you’ve captured one of the working MAC addresses you can spoof it on your computer. As long as the spoofed computer isn’t online then you’ll go undetected on most wireless networks.

    Working around both these measures is trivial and you don’t need to be some super hacker to do them! They cause more pain than their security is worth IMHO.

    Even WPA is vulnerable to dictionary attacks. Look up cowpatty.

    Best solution is a well chosen WPA-PSK(2) password, which is changed on a regular basis. The other steps are fluff!
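
Added example (not part of the original post or its comments): WPA/WPA2-PSK turns the passphrase into the 256-bit pairwise master key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations, so the strength of the network rests on how hard the passphrase is to guess. The sketch below derives that key and generates a random passphrase with a known entropy; the function names, the letters-and-digits alphabet and the sample SSIDs are assumptions of this example.

```python
import hashlib
import math
import secrets
import string

# Letters and digits only, so the key is easy to type on a guest laptop or a PDA
# (an assumption of this example; any printable ASCII is allowed by WPA).
ALPHABET = string.ascii_letters + string.digits


def validate_passphrase(passphrase: str) -> None:
    """WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def random_passphrase(length: int = 24) -> str:
    """Draw each character from the OS CSPRNG instead of choosing words."""
    key = "".join(secrets.choice(ALPHABET) for _ in range(length))
    validate_passphrase(key)
    return key


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random key; it says nothing about human-chosen words."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    for ssid in ("HomeNet", "GuestNet"):
        # Same passphrase, different SSID: the derived keys are unrelated.
        print(ssid, derive_pmk("correct horse battery", ssid).hex())
    key = random_passphrase()
    print(key, f"{entropy_bits(len(key)):.0f} bits")
```

A 24-character key from this alphabet carries about 143 bits of entropy, far outside any word list, while a dictionary word of the same length carries only as much as the list it came from.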


