Is WiFi secure? Can it be intercepted? Can it be decrypted? How easily? These are all separate questions from “Is my SSL-encrypted connection to my bank secure?”
Think of your WiFi connection as A – B – C – D, where:
- A is your computer and WiFi card.
- B is the WiFi access point or AP (the system you are connecting to).
- C is the connection between the AP and the Internet backbone. This is called the backhaul: it is how the WiFi provider gets the signal from his place of business, be that an RV park or truck stop, to the physical bandwidth connection. The WiFi system can use DSL, cable modem, two-way satellite, hardwired T-1 lines from the telephone company, or wireless point-to-point.
- D is the connection between the backbone entry point and the website you are connecting to at any given moment, which also goes through a server at an ISP to connect you to the website you are surfing to, and to receive and deliver your email.
This may seem high-tech and more than is needed to answer your question, but bear with me so you know what the answers above really mean.
Let’s say you use Earthlink as your ISP and are at a truck stop and decide to connect to high-speed WiFi to do some surfing, banking, and email.
You and your computer/WiFi card are A. The truck stop’s WiFi antenna and system is B. Say that truck stop gets its bandwidth from a local bandwidth provider and ISP via a DSL line; that DSL line is C. The local ISP connects directly to a wired connection on which they buy wholesale bandwidth to use and resell at a slightly higher price to the truck stop. That connection goes to an Earthlink server, which handles your request and sends your signal to the website you are surfing to; that combined connection is D. (I know, there is another A, B, C, and/or not D, on the other side of your ISP as the signal goes to the website you are requesting by clicking on a link.)
So on each side of any Internet connection there are several trips the signal needs to make, each with its own security risks, all different.
SSL secure connections are encrypted all the way between you and your bank, and are secure during that connection as far as decrypting your data goes. They are not secure from interception. So the answer you have gotten is totally accurate. Your secure SSL connections are virtually undecipherable, thus secure. But they are not secure from interception anyplace along the path.
The WiFi connection itself from A to B is encrypted, and you can only access it by having a password and key. So, as with any wireless radio signal, it can be intercepted easily, but all someone without the passwords will see is gibberish.
However, if a hacker can figure out the passwords for any given WiFi system, they can intercept all the data it handles from every user and read it!!! The exception is secure connections, like the SSL one, which are encrypted between you and all those points to and from the bank or other secure site. So your banking is still secure. But if a person who hacks WiFi systems for a hobby, or worse, does get into a system you are using, they can read everything being transmitted on the system both ways, including emails etc. They may also hack into your computer while you are connected and get the banking info from your hard drive, before it is encrypted. The same goes for a keylogger Trojan, which intercepts your keystrokes before they are encrypted and sent out on a secure connection.
Sounds terrible, right? They can intercept your banking data, but it is too well encrypted for them to read any of it. However, anything you send in the clear is readable, just as if they were at both ends at once. That includes unencrypted emails, posts to blogs, forums, newsgroups, sites, everything. “In the clear” simply means unencrypted. Does that mean you should never use WiFi? No, of course not.
You see, tapping into a WiFi system via hacking techniques is illegal, but invisible to all but the most experienced IT security folks, as the programs reading the data are passive, that is, they use no bandwidth, so they don’t show up. It is only when the hacker tries to steal bandwidth, or break into the computers that are connected to the WiFi system, that they become detectable. Just sitting in a coverage area and reading transmissions is not detectable. Tapping into a wireless system is called Airtapping, as tapping a wired system is called wiretapping.
So since it requires passwords to access a WiFi system, you’re secure, right? Wrong. Yes, your secure SSL connections remain secure, but not anything sent in the clear.
Here’s why, and what you can do to improve your security when using any wireless system.
First off, who would hack a WiFi system, and how likely is it to happen? Sadly, it happens every day. Who are these people? They are called “Wardrivers,” and there are two distinct types of them: those just looking for free hot spots, and those looking to steal bandwidth or data, either from transmissions or by hacking into any computers connected to the system.
WiFi systems that are not using more expensive proprietary encryption security, like the off-the-shelf systems most folks buy for their homes, are easily hackable with free tools online. Two programs I know of can intercept enough packets of data to figure out the passwords for an average cheaper-priced WiFi system, and gain access to all data it is sending to the bandwidth provider from B to C.
Air tapping Wifi - the tools are free???
One of the programs is Airsnort. Here is an FAQ page from their website that should reassure you about your SSL secure connections with your bank. But it will also make you realize that there are literally thousands of wardrivers of every stripe out there, and they can read everything not encrypted by SSL or another secure connection.
Go here, scroll down, and read paragraphs 10-13.
See what I mean? Your banking and other secure connections are safe between you and the bank, but that’s as far as it goes.
Now, before you throw your WiFi gear out of the door, there is a lot you can do to increase your security.
As Don mentioned, it is imperative that you have a good firewall installed on your computer and have it running all the time, whether on WiFi or any other Internet connection. That keeps the personal data on your computer hard drive secure.
When you are hooked up to any WiFi connection, don’t assume your emails and other data are safe on regular non-SSL connections. So be sure not to send emails with passwords, bank account numbers, or anything else in the clear that you may regret later.
Want to secure all of the files on your computer, and all of your emails, with strong encryption? Then get PGP, which stands for pretty good protection. WARNING! This program is not for the average user. It has a steep learning curve for a newbie to computers, and using it incorrectly can lock you out of your own files and computer. However, for power users, distributing your public keys to newbies is relatively easy to do for them. For a select group, or an individual in your address book, you can send them the keys, and all emails between you are encrypted and unbreakable. Here is the page for their free version for non-business home users: http://www.pgp.com/products/freeware.html
If you are considering it, surf around the website and see what it can do. There is not even a government back door in it, and for all practical purposes it is unbreakable if you follow the help files in key creation and generate strong keys; they even rate your proposed keys for strength for you.
Social engineering and false assumptions about security breaches.
Many folks have fallen for one of the many “Phishing” scams that are proliferating today. They receive an email telling them that their account with whatever company is overdue, about to be closed, or whatever, and asking them to click on a link to verify all of their account info. The page they are then sent to looks just like the company pages they have seen from whatever company is involved. And it is a secure connection, so they figure it is OK to give the information. WRONG!!!! These scams have used CitiBank, Earthlink, AOL, PayPal, and many other institutions: they copy the basic webpage design, then spam emails to scare you into giving up the information on what appears to be a secure and legitimate website of that company.
Legitimate companies will not send you an email and redirect you to a site. They will ask you to contact them, or to go to the site yourself using the right address from your links, or to call. They will not provide a link to collect or correct any credit card numbers, passwords, or other personal information.
If you do receive an email that redirects you to provide that info on a form, don’t. Stop, call or email that company and ask them if they sent the email, and you’ll find that it was bogus all of the time. Yes, when you go to your bank’s website, or your ISP’s site, you can give your user name and password and get on a secure site that is legitimate and confirm your account is alright. The key is that you contact a company you do business with the normal way, by phone or with the link in your bookmarks. When you receive a notice that service will be terminated, or an account has been closed, YOU go there; don’t click a link in an email to take you there, because that will be a criminal looking for your info.
Some folks will, inevitably, respond to a “phishing” scam while on WiFi and swear that the connection with the institution was compromised, when in fact they had a secure connection to the thieves, not to their actual financial or other institution. “Phishing” scams increased 500% in 2004.
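An added example, not part of the original article: a short Python check for the situation described above, where a link in an email uses a genuine secure (https) connection but leads to the thieves rather than to the site in your bookmarks. The host names, the bookmark list and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts copied from the reader's own bookmarks (constructed sample values).
BOOKMARKED_HOSTS = {"www.examplebank.test", "mail.example-isp.test"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(email_html, bookmarked=BOOKMARKED_HOSTS):
    """Return (host, scheme, verdict) for each link in the message."""
    parser = LinkCollector()
    parser.feed(email_html)
    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        if host in bookmarked:
            verdict = "matches bookmark"
        elif any(b in text.lower() for b in bookmarked):
            verdict = "text shows bookmarked site, link goes elsewhere"
        else:
            verdict = "unknown host"
        findings.append((host, url.scheme, verdict))
    return findings

# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """
<p>Your account is about to be closed. Verify your details here:</p>
<a href="https://www.examplebank.test.verify-account.test/login">https://www.examplebank.test/login</a>
<a href="https://www.examplebank.test/help">Help centre</a>
"""
```

The first link in the sample is flagged even though its scheme is https: the encryption is real, but the host is not the bookmarked one.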
Some other social engineering scams: folks offering software that is pirated and very cheap from other countries. They may actually send you the software, and have a real SSL secure connection. But a thief is still a thief. If they have your credit card number and other information, they can use it later, when you won’t suspect it is them. And if the day they steal your funds is a day when you are banking on a WiFi connection, it would be easy to falsely assume the secure connection wasn’t.
Also remember that wired connections can be wiretapped, and in some cases more easily than hacking into a WiFi system, so security is relative.
If your bank gets hacked at their end when you are not connected, via normal hacking techniques that are not WiFi related, your information can be gotten that way as well. It is rare for that to happen, but it does.
Should we worry about all of that?
If you don’t take the reasonable precautions below, then do worry. If you take them, I don’t think so. While worm writers, hackers, and malicious spyware writers seem like geniuses to newbies to coding and computers, 99% of them are just copying programs or code from underground and aboveground websites. They write their malicious programs after a known vulnerability has been found, usually after the patch that slams the door on that attack has already been made available. So every new virus/worm attack comes after the fix is already available to close the vulnerability. They DEPEND on you not updating regularly, if at all! There are still millions of people being infected by viruses that have been patched against for a year or more! Having a good and current antivirus program is also security related, as some viruses create a back door to access the contents of your hard drive.
So why isn’t WiFi more secure? Well, the answer to that is simple. The main standards body (IEEE) has a bunch of proprietary variants competing for the lucrative licensing of all WiFi systems! Because of the bickering to be the one with the patent for the new standard, which is called 802.11i, there is still no standard! 802.11i, when it finally is decided, will be much more secure. The original security, called WEP, was pretty poor. Older systems used this in the early 802.11b era. Since the standard still wasn’t out, an interim security improvement came out called WPA, which is better, but not nearly enough. For the techies in the crowd, here’s a link that details the development from late 2003. It says that 802.11i will be out in second quarter 2004. It
So where is the IEEE now with 802.11i and when can we expect it
So it may be next month, or next year.
WiFi is here to stay, and security concerns are valid, but can be overcome with some free software and a little common sense. In the early days of the telephone we had party lines. Anybody on your wire could eavesdrop on conversations. If you treat your in-the-clear communications, be that on a cell phone, dial-up connection, DSL or cable modem, or landline phone, with the same restraint folks used on party lines, you will be fine. Shopping and banking with a secure connection are as safe as banking and shopping in person. We’ve all heard about a store employee retrieving carbons of credit card imprints, and computers stolen from a major company with that kind of data stored on the hard drive. I have personally had two banks lose large deposits in the 70’s and 80’s! Nothing is 100% secure. WiFi is no less secure than any other way of connecting, with a few free programs and some awareness.
- Wireless AND wired systems can be Airtapped and wiretapped; there is no 100% “secure from interception” system. Not even your telephone, cell or landline.
- WiFi encryption can be broken, but SSL and PGP are almost invulnerable to breaking by all but the top experts in the world, which would take weeks, even with a Cray supercomputer by the government. Unless you are a real “bad guy,” your info isn’t of interest to them.
- Regardless of your connection method, always have a firewall active on your computer to protect the data on your hard drive from hackers and worms/viruses. They don’t just come in email anymore, as Sasser proved. A good firewall is almost certain security for your personal data on your hard drive. There are several free ones that are very good.
- Update your virus program daily. Period. If you don’t have one, or think an old one offers any protection without daily checks for updates, you are living in a dream world. Pay for your update services or get one of the several free programs with free updates, like the CA offer or AVG from grissoft.com, a very good free antivirus program.
- Keep your computer’s operating system patched for security vulnerabilities. Check weekly for updates. Linux and Macintosh also have known vulnerabilities. If you are targeted for an attack, regardless of a feeling of security from using a different operating system, you will be wide open for an individual attack to gain personal data from your computer if you don’t download the patches for your system. Apple vulnerabilities and patches are on their website. Linux vulnerabilities and fixes can be found at the Linux Exposed website. Windows patches and automatic installation can be found at the Windows Update site, or a free CD can be ordered that contains them and installs them automatically.
- Never send your Social Security number, bank account numbers, credit card numbers, or any information you don’t want intercepted “in the clear” without a secure connection. This includes emails, forms on websites that are not secure, etc.
- Online shopping is reasonably safe as long as the connection is secure and you know the company. Pirated software from other countries can be dual purpose. Social engineering can make a deal that sounds too good to be true, and usually is, appear to be legitimate, then wipe you out before you know it.
Are there really Wardrivers out there?
Air tapping Wifi the tools are free???
Jamming 802.11 WiFi is also possible if the wrong equipment is
Want to improve your WiFi Range? For 7 bucks?
Cantenna very easily built
Another Cantenna design-Scroll down to the design.
Cingular story and high speed data by cell phone