Monday, December 08, 2003
So, on my way back from Peoria, IL to Indianapolis, IN (209 miles!) last week I was bored. I had 3 hours of drive time with nothing better to do than to boot up the laptop in the passenger seat and look for open wireless access points. I used Network Stumbler and my Compaq Evo N800w laptop in my search.
Some interesting statistics:
- 79 total access points found
- 56 of these access points were "open" and broadcasting their SSID
So, what's the big deal? Well, if you own a wireless network and don't mind if people "share" your internet connection, fine. I don't see an issue with that per se. Although there is quite a debate going on these days as to whether or not this is ethical. I'll shy away from that for now. That debate aside, even if you are leaving your access point open on purpose so that others may piggyback onto your connection, understand that they also have unfettered access to your internal network - your PC included.
What can you do? Well, here are some things you can try:
1. Change the default SSID on your wireless access point. The SSID is the "name" given to your wireless network. The amazing thing is that most people don't change the SSID on their device from its factory default. Not that it's too important (given 30 seconds and a laptop with a wireless card, I can find your SSID), it's not a bad idea to change this to something else to prevent people from just "guessing" it and accessing your network. 16 of the 79 access points I found were set to "linksys" - the default configuration for any device you buy from Linksys.
2. Change the password on your new wireless access point. You have to put in a password to access your wireless access point and configure it. My guess is the 16 WAPs above configured with the "linksys" SSID also have the default password still configured. Change it so that only you can reconfigure your wireless access point.
3. You can disable SSID broadcast. I like this suggestion a lot. Once you've changed your SSID on their wireless access point, disable SSID broadcast if you can. This is the feature that an access point has to basically "announce" its configuration. If it's off, it's a lot harder to find your access point and the correct SSID. You know it - because you set it up - and can configure your PCs to point to it.
4. Use WAP. Yes, I know that WAP (Wireless Authentication Protocol) sucks - it's inherently weak. However, it's a great deterent. WAP encrypts the data between your device and the wireless access point. Turn it on - and use 128-bit if it's available. It's not a guarantee - any good hacker with AirSnort and some time on their hands can crack your WEP key (password).
5. Enable MAC address filtering. This is a GREAT idea. MAC address filtering allows you to prevent anyone EXCEPT your known devices from attaching to a wireless access point. The MAC (Media Access Control) address is a statstically unique identier of your network card. Every network card (wired or wireless) is assigned a MAC address when it leaves the factory. The network uses this MAC address to route network traffic to the device its meant for. With most access points, you can block all network cards from attaching to your wireless access point unless their MAC address appears in an exception list. So, find out your MAC address on your NIC (it's either on the NIC, the box it came in or you can find it in the properties of your network card from your operating system) and setup your wireless access point to only allow the devices you want to allow.