What Wi-Fi Hackers can do on Unsecured Wi-Fi Networks

If you don't properly secure your wireless network, Wi-Fi eavesdroppers can...

See your real-time traffic:

  • Web sites you’re visiting.

  • Login information and data to and from unsecured (non-SSL) sites.

  • Login information and data from unsecured services, such as POP3 e-mail accounts and FTP connections.

Connect to your network:

  • Access shared files on your PCs or servers, to possibly steal company secrets, customer data, or other sensitive information.

  • Use your Internet connection for sending and/or receiving illegal content.

Seeing What a Wi-Fi Eavesdropper Can See

You can read and read about Wi-Fi security, but nothing will get the point across as effectively as actually seeing what eavesdroppers can see on an unsecured wireless network.

Figure 1 shows an example of an email message sent from a computer on a unsecured wireless network with Microsoft Outlook, using a POP3 account.

Figure 1 shows an example of an email message sent from a computer on a unsecured wireless network with Microsoft Outlook, using a POP3 account.

Figure 2 below shows an example of what an eavesdropper could have captured using a free tool called Wireshark while the email was being sent.

Figure 2 shows an example of what an eavesdropper could have captured using a free tool called Wireshark while the email was being sent.

As you see, they can see exactly what was in the e-mail. Just imagine if this was an e-mail containing real sensitive information, and someone passing by in their car captured the wireless packets.

If that isn’t bad enough, see what they could have captured in the packet trace, shown in Figure 3 below. It clearly shows the POP3 server address, user name, and password for the account—everything they need to get onto your email server.

Figure 3 shows what they could have captured in the packet trace: the POP3 server address, user name, and password for the account; everything they need to get onto your email server.

Securing your Wireless Network

Keep in mind, encryption is the only method that adequately secures the real-time traffic, such as e-mails and web browsing, on your wireless network. Other security methods, such as MAC address filtering and disabling SSID broadcast, are intended as additive measures to further control network access. Using encryption is also the only way to really prevent unauthorized connections.

Encryption Methods for Wi-Fi Networks

Here's a review of the different encryption types:

WEP (Wired Equivalent Privacy): This first Wi-Fi encryption standard was quickly cracked and debunked. In some cases, Wi-Fi eavesdroppers now can decode and crack a WEP key within seconds. WEP only provides protection against the average user searching for a open Wi-Fi network. It does not adequately protect against Wi-Fi hackers wanting to wreak havoc, whether their goal is to steal or intercept customer data or trade secrets.

WPA/WP2 (Wi-Fi Protected Access): The first WPA version, based on TKIP encryption, was secure for several years. Now holes have been discovered and its not fully secure. However, the second version, WPA2, is based on the newer AES encryption standard, which is totally secure.

Both versions can be used in two very different modes:

Personal (PSK): This Pre-Shared Key (PSK) mode is good for most home networks. Since the actual encryption key or passphrase must be entered into your computers, this mode isn't suitable for business networks. Since employees have the encryption key, they could access the network when they leave the company, or their laptop could be stolen and a thief could have the key. You could manually change the encryption key on all the computers if you suspect a comprise, however this obliviously would be a pain.

Enterprise (RADIUS): If you require a secure wireless network, it’s best to use the Enterprise mode. After securely logging on to the network with a username and password, every computer automatically receives a unique encryption key that’s long and regularly updated. The Personal (PSK) mode doesn't use truely unique encryption keys. (This article discusses this very well.) Thus, the Enterprise mode provides superior wireless protection.

Benefits of Using Enterprise-Level WPA/WPA2 Encryption

Using the Enterprise mode provides two very important benefits:

  • Increased key security: The way the Shared Secrets are derived on the network makes it harder for someone to crack the actual encryption keys that are regularly changing.

  • Password-based authentication: Computers are not loaded with the actual encryption keys or passphrases to the network. These are derived securely in the background after someone has correctly configured the computer and logs in with a username and password you've defined. This prevents users from gaining access after they leave your organization and prevents problems if their computer is stolen, as you can always change the usernames and passwords. If you use non-enterprise encryption, you'd have to manually change the key when you think there has be a compromise, which isn't very feasible.

What's Required for Enterprise Encryption & What We Provide

The special ingredient of the Enterprise mode is a RADIUS server, which is also used by ISPs and other Internet services such as VPN providers. This server enables the password-based (802.1X/PEAP) authentication and overall superior encryption.

The problem: setting up and configuring your own RADIUS server can take hundreds or thousands of dollars, and a great deal of time and expertise. In addition to the RADIUS server, you would have to create and maintain your own Public Key Infrastructure (PKI), and possibility a database or backend.

The solution: sign up to use our hosted RADIUS servers through the AuthenticateMyWiFi™ service. Get the top-notch wireless security without the high monetary and time costs! Additionally, we provide step-by-step guides on setting everything up. Plus as shown on the Service page, we provide more than just the basic authentication service.

More Reading: Networking Articles

Here are articles and tutorials by Eric Geier, Founder and CEO of NoWiresSecurity, on a variety of networking topics:

Bringing Your Wireless Network Up to Speed

What Wi-Fi Eavesdroppers See on Unsecured Networks

Ten Tips and Considerations on Upgrading to Wireless N

Tips to Secure Your Small Business Wi-Fi Network

Seven Troubleshooting Tips for Wireless N Networks

Supercharging Your Cheap Router with Enterprise Features

Configuring 802.1X Authentication in Linux

Troubleshooting Network Sharing Issues

Tips and Tricks for Using 802.1X in Windows

Understanding the Wi-Fi Security Guidelines of PCI DSS

Ten Networking Hacks for Your Windows Registry

Moving to WPA/WPA2-Enterprise Wi-Fi Encryption

Securing Your Wi-Fi Hotspot Sessions

Using Third-Party 802.1X Clients on Windows, Linux or Mac

 

Home · About Us · Affiliates · Press · Contact Us
Copyright © 2010 NoWiresSecurity

 
Share/Bookmark