A Wireless Security Disaster

By Lance Ulanoff  |  Posted 2003-01-09 Print this article Print

When consumers start setting up wireless networks en masse, will they get little or no security guidance?

I couldnt believe my ears. There I was sitting across from a PR representative for a major peripherals manufacturer when, in response to a standard but important wireless networking ease-of-use question, she told me I could find the answer "in our [companys] 70-page manual." Unbelievable. I mean, really. Thanks for nothing. I mean….Actually, I should back up a bit.

I had just witnessed a product demonstration where the vendor rep explained (and supported with a series of chart- and graph-covered slides) the companys belief that wireless networking in the home would eventually become as widespread—and easy to use—as the refrigerator (Im paraphrasing, somewhat). Its an assessment I wholeheartedly agree with. Home networking has been a growing trend for years, and now lower costs coupled with the rapid adoption of 802.11b and devices that combine the a, b, and even g 802.11 wireless capabilities propel the growth even faster.

The rep even talked about the wizards that would speed installation of the companys products and mentioned the companys 24-hour tech support. I asked what sort of guidance users would receive for WEP (Wired Equivalent Privacy) setup and for changing the default SSID (Service Set Identifier). The PR person stared blankly at me and then said that users could find the information about how and why to use such critical settings not in the setup wizard, but in the browser interface that lets you control the router and in "the 70-page manual."

To be fair, I should say that this is the common practice. The information on WEP and SSID configuration for my SMC Barricade wireless cable/DSL router is poor. The WEP configuration portion of the manual is abysmal and the information in the Web-based router setup is even worse. The only reason I knew to change my SSID and apply WEP encryption was because Craig Ellison, the PC Magazine Labs director of operations, recommended that I do so.

In order for WEP to work, you must set all systems on the wireless network in accordance with the WEP configuration of the router, which you modify via a browser-based interface on a computer wired to the router. You must enter the matching encryption level and WEP ID (a 10-digit code) in each client PCs wireless configuration utility.

The Barricade router setup gives you four WEP encryption choices: 64- or 128-bit manual or automatic. I selected one, but the WEP fields filled with bullets, not numbers. I had no idea how to get the values I would need to enter into my other systems, and neither the manual nor the router configuration app offered any assistance. Without the proper WEP ID on the other systems, they would not be able to access the wireless network.

The vendor with whom I spoke readily admitted that the WEP setup assistance is buried in the manual, along with the important advice on changing the default SSID.

If wireless networks become as prevalent as refrigerators, we can expect users to treat the equipment much the same way—plug it in and, beyond some initial setting up, forget about it. If a wireless network works (and it probably will) after the purchaser has followed the instructions on the quick-setup sheet, most people will never go further and see the information about setting up WEP or changing the SSID. In other words, I believe were heading for a security disaster.

Heres the scenario. In roughly three to five years, wireless networking will have achieved the kind of explosive growth in the home market that everyone is predicting. A good portion of those homes will have first- and second-generation equipment thats cheaper than state-of-the-art products. So whatever improvements have been made in security setup and enabling will not be in wide use. This means that all around the world, those with a little networking savvy will be able to sniff WEP-free wireless networks simply by sitting on street corners or in apartment-building hallways or even outside small offices and typing "default" as the SSID in their wireless configuration utilities. I tried doing this on my recent trip to Comdex and was shocked by how many wireless networks at the show were set to "default" or something else that was way too easy to figure out. Hackers are bound to hit an open network. And because early adopters of wireless connectivity will also be broadband users, hackers will be tapping right in to the Internet and maybe even, if security-free users are tunneling into their office LANs via Virtual Private Networks, right into the networks of corporate America and beyond.

This is not that far-fetched. Those who read PCMag.com regularly already know this. So this warning is really for the wireless-networking product manufacturers. If you want to play in the consumer electronics space and dont want the blame for a widespread security crisis dumped in your lap, you better learn how to speak the consumers language.

Discuss this article in the forums.

Lance Ulanoff is Editor in Chief and VP of Content for PC Magazine Network, and brings with him over 20 years journalism experience, the last 16 of which he has spent in the computer technology publishing industry.

He began his career as a weekly newspaper reporter before joining a national trade publication, traveling the country covering product distribution and data processing issues. In 1991 he joined PC Magazine where he spent five years writing and managing feature stories and reviews, covering a wide range of topics, including books and diverse technologies such as graphics hardware and software, office applications, operating systems and, tech news. He left as a senior associate editor in 1996 to enter the online arena as online editor at HomePC magazine, a popular consumer computing publication. While there, Ulanoff launched AskDrPC.com, and KidRaves.com and wrote about Web sites and Web-site building.

In 1998 he joined Windows Magazine as the senior editor for online, spearheading the popular magazine's Web site, which drew some 6 million page views per month. He also wrote numerous product reviews and features covering all aspects of the computing world. During his tenure, Winmag.com won the Computer Press Association's prestigious runner-up prize for Best Overall Website.

In August 1999, Ulanoff briefly left publishing to join Deja.com as producer for the Computing and Consumer Electronics channels and then was promoted to the site's senior director for content. He returned to PC Magazine in November 2000 and relaunched PCMag.com in July 2001. The new PCMag.com was named runner-up for Best Web Sites at the American Business Media's Annual Neal Awards in March 2002 and won a Best Web Site Award from the ASBPE in 2004. Under his direction, PCMag.com regularly generated more than 25 million page views a month and reached nearly 5 million monthly unique visitors in 2005.

For the last year and a half, Ulanoff has served as Editor, Reviews, PC Magazine. In that role he has overseen all product and review coverage for PC Magazine and PCMag.com, as well as managed PC Labs. He also writes a popular weekly technology column for PCMag.com and his column also appears in PC Magazine.

Recognized as an expert in the technology arena, Lance makes frequent appearances on local, national and international news programs including New York's Eyewitness News, NewsChannel 4, CNN, CNN HN, CNBC, MSNBC, Good Morning America Weekend Edition, and BBC, as well as being a regular guest on FoxNews' Studio B with Shepard Smith. He has also offered commentary on National Public Radio and been interviewed by radio stations around the country. Lance has been an invited guest speaker at numerous technology conferences including Digital Life, RoboBusiness, RoboNexus, Business Foresight and Digital Media Wire's Games and Mobile Forum.

Lance also serves as co-host of PC Magazine's weekly podcast, PCMag Radio.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel