Is WiFi Secure?
RV Roadie: RV Fulltiming, What is it really like

 

Is WiFi secure?  Can it be intercepted?  Can it be decrypted?  How easily?  These are all separate questions from whether my SSL encrypted connection to my bank is secure.

 

Think of your WiFi connection as A – B – C – D.  A is your computer and WiFi card.  B is the WiFi access point or AP (the system you are connecting to).  C is the connection between the AP and the Internet backbone.  This is called the backhaul: it is how the WiFi provider gets the signal from his place of business, be that an RV park or truck stop, to the physical bandwidth connection, and it can use DSL, cable modem, two-way satellite, hardwired T-1 lines from the telephone company, or wireless point to point.  D is the connection between the backbone entry point and the website you are connecting to at any given moment, which also goes through a server at an ISP that connects you to the website you are surfing to and handles, receives and delivers your email.

 

This may seem high-tech and more than you need to answer your question, but bear with me so you know what the above answers really mean.

 

Let’s say you use Earthlink as your ISP and are at a truck stop and decide to connect to high speed WiFi to do some surfing, banking, and email.  You and your computer/WiFi card are A.  The truck stop’s WiFi antenna and system is B.  Say that truck stop gets its bandwidth from a local bandwidth provider and ISP via a DSL line; that DSL line is C.  The local ISP connects directly to a wired connection on which they buy wholesale bandwidth to use and resell at a slightly higher price to the truck stop.  That connection goes to an Earthlink server which handles your request and sends your signal to the website you are surfing to; that combined connection is D.  (I know, there is another A, B, C, and/or not D, on the other side of your ISP as the signal goes to the website you are requesting by clicking on a link.)

 

So on each side of any Internet connection there are several trips the signal needs to make, each with its own security risks, all different.

 

SSL secure connections are encrypted all the way between you and your bank, and during that connection your data is secure against decryption.  They are not secure from interception.  So the answer you have gotten is totally accurate.  Your secure SSL connections are virtually undecipherable, thus secure.  But they are not secure from interception anyplace along the path.

 

The WiFi connection itself from A to B is encrypted and you can only access it by having a password and key.  So as with any wireless radio signal it can be intercepted easily, but all someone without the passwords will see is gibberish. 

 

However, if a hacker can figure out the passwords for any given WiFi system, they can intercept all the data it handles from every user and read it!!!  The exception is secure connections like the SSL one, which are encrypted between you and all those points to and from the bank or other secure site.  So your banking is still secure.  But if a person who hacks WiFi systems for a hobby, or worse, does get into a system you are using, they can read everything being transmitted on the system both ways, including emails etc.  They may also hack into your computer while you are connected and get the banking info from your hard drive, before it is encrypted.  The same goes for a keylogger Trojan, which intercepts your keystrokes before they are encrypted and sent out on a secure connection.

 

Sounds terrible, right?  They can intercept your banking data, but it is too well encrypted for them to read any of it.  However, anything you send in the clear is readable, as if they were at both ends at once.  That includes unencrypted emails and posts to blogs, forums, newsgroups and sites: everything.  In the clear simply means unencrypted.  Does that mean you should not ever use WiFi?  No, of course not.  You see, tapping into a WiFi system via hacking techniques is illegal, but invisible to all but the most experienced IT security folks, as the programs reading the data are passive, or not using any bandwidth, so they don’t show up.  It is only when the hacker tries to steal bandwidth, or break into the computers that are connected to the WiFi system, that they become detectable.  Just sitting in a coverage area and reading transmissions is not detectable.  Tapping into a wireless system is called Airtapping, as tapping a wired system is called wiretapping.

 

So since it requires passwords to access a WiFi system you’re secure, right?  Wrong.  Yes, your secure SSL connections remain secure, but not anything sent in the clear.

 

Here’s why, and what you can do to improve your security when using any wireless system.

 

First off, who would hack a WiFi system, and how likely is it to happen?  Sadly it happens every day.  Who are these people?  They are called “Wardrivers” and there are two distinct types of them: those just looking for free hot spots, and those looking to steal bandwidth or data, either from transmissions or by hacking into any computers connected to the system.

 

WiFi systems that are not using more expensive proprietary encryption security, like the off the shelf systems most folks buy for their homes, are hackable easily with free tools online.  Two programs I know of can intercept enough packets of data to figure out the passwords for an average cheaper priced WiFi system, and gain access to all data it is sending to the bandwidth provider from B to C.

 

Air tapping Wifi -  the tools are free???

http://airsnort.shmoo.com/

http://sourceforge.net/projects/wepcrack/

 

 

One of the programs is Airsnort.  Here is an FAQ page from their website that should reassure you about your SSL secure connections with your bank.  But it will also make you realize that there are literally thousands of wardrivers of every stripe out there, and they can read everything that is not encrypted by SSL or another secure connection.

 

Go here, scroll down, and read paragraphs 10-13

http://airsnort.shmoo.com/faq.html

 

See what I mean?  Your banking and other secure connections are safe between you and the bank, but that’s as far as it goes.

 

Now before you throw your wifi gear out of the door, there is a lot you can do to increase your security.

 

As Don mentioned it is imperative that you have a good firewall installed on your computer and have it running all the time, whether WiFi, or any Internet connection.  That keeps the personal data on your computer hard drive secure.

 

When you are hooked up to any WiFi connection don’t assume your emails and other data are safe on regular non SSL connections.  So be sure not to send emails with passwords, bank account numbers, or anything else in the clear that you may regret later.

 

Want to secure all of your files on your computer, and all of your emails with strong encryption to make emails and files on your hard drive secure?  Then get PGP which stands for pretty good protection.  WARNING!  This program is not for the average user.  It has a steep learning curve for a newbie to computers and using it incorrectly can lock you out of your own files and computer.  However, for power users, distributing your public keys to newbies is relatively easy to do for them.  For a select group, or an individual in your address book, you can send them the keys and all emails between you are encrypted and unbreakable.  Here is the page for their free version for non business home users. http://www.pgp.com/products/freeware.html

If you are considering it, surf around the website and see what it can do.  There is not even a government back door in it, and for all practical purposes it is unbreakable if you follow the help files in key creation and generate strong keys, they even rate your proposed keys for strength for you.

 

 

 

 

Social engineering and false assumptions about security breaches. 

 

Many folks have fallen for one of the many “Phishing” scams that are proliferating today.  They receive an email telling them that their account with whatever company is overdue, about to be closed, or whatever, and asking them to click on a link to verify all of their account info.  The page they are then sent to looks just like the pages they have seen from whatever company is involved.  And it is a secure connection, so they figure it is OK to give the information.  WRONG!!!!  These scams have used CitiBank, Earthlink, AOL, PayPal, and many other institutions: they copy the basic webpage design, then spam emails to scare you into giving up the information on what appears to be a secure and legitimate website of that company.

 

Legitimate companies will not send you an email and redirect you to a site.  They will ask you to contact them or to go to the site yourself using the right address from your links, or to call.  They will not provide a link to collect or correct any Credit card numbers, passwords, or other personal information.

 

If you do receive an email that redirects you to provide that info on a form, don’t.  Stop, call or email that company and ask them if they sent the email, and you’ll find that it was bogus all of the time.  Yes, when you go to your bank’s website, or your ISP’s site, you can give your user name and password and get on a secure site that is legitimate and confirm your account is alright.  The key is that you contact a company you do business with the normal way, by phone or with the link in your bookmarks.  When you receive a notice that service will be terminated, or an account has been closed, YOU go there.  Don’t click a link in an email to take you there, because that will be a criminal looking for your info.

 

Some folks will, inevitably, respond to a “phishing” scam while on WiFi and swear that the connection was compromised with the institution when in fact they had a secure connection to the thieves, not their actual financial or other institution.  “Phishing” scams increased 500% in 2004.

http://www.techweb.com/wire/story/TWB20040521S0004
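The "secure connection to the thieves" problem above can be checked mechanically. This is an added example, not part of the original article: it compares where each link in an email really goes against the sites you already have bookmarked. The bookmark hosts, the sample message and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BOOKMARKS = {"mybank.example", "isp.example"}  # constructed: hosts you bookmarked yourself


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def trusted(host):
    """True only for a bookmarked host or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BOOKMARKS)


def check_email(html):
    """Return (href, real host, reason) for each link that should not be clicked."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlsplit(href).hostname
        if trusted(host):
            continue
        # https does not help: it only encrypts the trip to whoever runs this host.
        shown = urlsplit(text).hostname if "://" in text else None
        reason = "text shows a bookmarked site" if trusted(shown) else "not a bookmarked site"
        findings.append((href, host, reason))
    return findings


# Constructed sample message, not taken from any real phishing email.
SAMPLE = """
<a href="https://mybank.example.secure-login.test/verify">https://www.mybank.example/</a>
<a href="https://www.mybank.example@203.0.113.7/login">Sign in</a>
<a href="https://www.mybank.example/help">Help</a>
"""
```

Both flagged links use https, so the browser would show a secure connection; only the real host name reveals that the other end is not the bank.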

 

Some other social engineering scams: folks offering software that is pirated and very cheap from other countries.  They may actually send you the software, and have a real SSL secure connection.  But a thief is still a thief.  If they have your credit card number, and other information, they can use it later, when you won’t suspect it is them.  But if they steal your funds on a day when you are banking on a WiFi connection, it would be easy to falsely assume the secure connection wasn’t.

 

Also remember that wired connections can be wiretapped, and in some cases easier than hacking into a WiFi system, so security is relative.

 

If your bank gets hacked at their end when you are not connected, via normal hacking techniques that are not WiFi related, your information can be gotten that way as well.  Rare to have that happen as well, but it does.

http://www.techweb.com/wire/story/TWB20040528S0005

 

Should we worry about all of that?  If you don’t take the reasonable precautions below, then do worry.  If you take them, I don’t think so.  While worm writers, hackers, and malicious spyware writers seem like geniuses to the newbies to coding and computers, 99% of them are just copying programs or code from underground and aboveground websites.  They write their malicious programs after a known vulnerability has been found, usually after the patch that slams the door on that attack has already been made available.  So every new virus/worm attack comes after the fix is already available to close the vulnerability.  They DEPEND on you not updating regularly, if at all!  There are still millions of people being infected by viruses that have been patched against for a year or more!  Having a good and current antivirus program is also security related, as some viruses create a back door to access the contents of your hard drive.

 

So why isn’t WiFi more secure?  Well the answer to that is simple.  The main standards body (IEEE) has a bunch of proprietary variants competing for the lucrative licensing of all WiFi systems!  Because of the bickering to be the one with the patent for the new standard, which is called 802.11i, there is still no standard!  802.11i when it finally is decided, will be much more secure.  The original security called WEP, was pretty poor.  Older systems used this in the 802.11b early era.  Since the standard still wasn’t out an interim security improvement came out called WPA, which is better, but not nearly enough.  For the techies in the crowd here’s a link that details the development from late 2003.  It says that 802.11i will be out in second quarter 2004.  It isn’t.

http://www.nwfusion.com/columnists/2003/1110wizards.html

 

So where is the IEEE now with 802.11i and when can we expect it to emerge?

http://grouper.ieee.org/groups/802/11/Reports/tgi_update.htm

So it may be next month, or next year.

 

WiFi is here to stay, and security concerns are valid, but can be overcome with some free software and a little common sense.  In the early days of the telephone we had party lines.  Anybody on your wire could eavesdrop on conversations.  If you treat your in the clear communications, be that on a cell phone, dial up connection, DSL or cable modem, or landline phone with the same restraint folks used on party lines, you will be fine.  Shopping and banking with a secure connection are as safe as banking and shopping in person.  We’ve all heard about a store employee retrieving carbons of credit card imprints, and computers stolen with that kind of data stored on the hard drive from a major company.  I have personally had two banks lose large deposits in the 70’s and 80’s!  Nothing is 100% secure.  WiFi is no less secure than any other way of connecting, with a few free programs and some awareness.

 

In summary:

  1. Wireless AND Wired systems can be Airtapped and Wiretapped, there is no 100% “secure from interception” system.  Not even your telephone, cell or landline. 
  2. WiFi encryption can be broken but SSL and PGP are almost invulnerable to breaking by all but the top experts in the world which would take weeks, even with a Cray supercomputer by the government.  Unless you are a real “bad guy,” your info isn’t of interest to them.
  3. Regardless of your connection method always have a firewall active on your computer to protect your data on your hard drive from hackers, and worms/viruses.  They don’t just come in email anymore, as Sasser proved.  A good firewall is almost certain security for your personal data on your hard drive.  There are several free ones that are very good.
  4. Update your virus program daily.  Period.  If you don’t have one, or think an old one offers any protection without daily checks for updates, you are living in a dream world.  Pay for your update services or get one of the several free programs with free updates, like the CA offer or AVG from grissoft.com, a very good free AntiVirus program.
  5. Keep your computer’s operating system patched for security vulnerabilities.  Check weekly for updates.  Linux and Macintosh also have known vulnerabilities.  If you are targeted for an attack, regardless of a feeling of security from using a different operating system, you will be wide open for an individual attack to gain personal data from your computer if you don’t download the patches for your system.  Apple vulnerabilities and patches are on their website.  Linux vulnerabilities and fixes can be found at the Linux Exposed website.  Windows patches and automatic installation can be found at the Windows Update site, or a free CD can be ordered that contains them and installs them automatically.
  6. Never send your Social Security number, bank account numbers, credit card numbers, or any information you don’t want intercepted “in the clear” without a secure connection.  This includes emails, forms on websites that are not secure etc.
  7. Online shopping is reasonably safe as long as the connection is secure, and you know the company.  Pirated software from other countries can be dual purpose.  Social engineering can make a deal that sounds too good to be true, and usually is, appear to be legitimate, then wipe you out before you know it.

 

 

Are there really Wardrivers out there?

http://www.blacklisted411.net/

http://freaky.staticusers.net/ugboard/viewforum.php?f=15&sid=2d676e89fb1b1c4b86f0ba8e41fa0898

 

 

 

Jamming 802.11 WiFi is also possible if the wrong equipment is used.

http://securityfocus.com/news/8575

 

Want to improve your WiFi Range?  For 7 bucks?

Cantenna very easily built

http://www.turnpoint.net/wireless/cantennahowto.html

 

Another Cantenna design-Scroll down to the design.

http://www.oreillynet.com/cs/user/view/wlg/1124

 

 

Cingular story and high speed data by cell phone

http://story.news.yahoo.com/news?tmpl=story&cid=620&e=2&u=/nf/20040528/bs_nf/24273

 

 

 

 

All content © Derek Gore/RV Roadie 1997-2005 All Rights Reserved.  Three rights is left.