
When addressing various physical home security issues, I came to the realization that if a trained team of attackers equipped with body armor and night vision broke into my home, the issue escalated beyond anything I could sensibly prepare for.

The article reminded me of that. If someone attacks my home wifi with network sniffing hardware, sophisticated password guessing tools, hours of planning and execution, etc then, well, the issue escalated beyond anything I could sensibly prepare for.

I realize these computing tools are easy to come by and not terribly hard to use. Ditto body armor, night vision, and combat training. And if someone is inclined to apply them against my pathetic existence, I'm screwed. Planning for such events is pretty pointless, I have other things to do.




A physical assault carries a high chance of being noticed, and unless carried out by law enforcement, a significant chance of being punished with jail time. So it's not something that has a high chance of happening. Additionally, it's hard to defend against, and you definitely don't want to defend against a SWAT team.

Whereas a bored teenage neighbor could attack your wireless network with a very small chance of being detected. Or with a sensitive directional antenna it doesn't even have to be your neighbor if the goal is just to sniff traffic. Plus, the only cost to you in defending against this attack is entering a more complex password on new devices. Stick a note on the fridge or choose a phrase.


I'm no security expert, but after I saw each new wifi password standard cracked within days of its release, I stopped passwording my wifi and used a little script I put on a home linux server to watch the router and if it spotted any unrecognized MAC addresses getting an IP address from DHCP, it would throw them out within a few seconds.

These days, I just turn on the MAC address filter that's built in to most wifi base stations. Now, unless I've manually entered your MAC address into my whitelist, my router won't connect you. My wifi shows up as "open" to any machine that passes by, yet it won't connect.

Many (most?) of you know more about security than I do. How secure is the MAC address whitelist approach compared to a password approach?
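An added example (not the commenter's script, which was never posted) of the watcher described above in its defensive role: it reads dnsmasq-style DHCP log lines, keeps only completed leases, and reports addresses handed to MACs that are not on the whitelist. The log lines and MAC addresses are constructed for the example. As the replies below note, a client that has copied a whitelisted MAC never shows up here at all, so treat a hit as a signal to investigate, not as access control.

```python
import re
from typing import Iterable, List, Tuple

# Constructed dnsmasq DHCP log excerpt (hypothetical hosts, not real data).
SAMPLE_LOG = """\
Jun  1 20:01:02 homeserver dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) aa:bb:cc:dd:ee:01
Jun  1 20:01:02 homeserver dnsmasq-dhcp[812]: DHCPOFFER(eth0) 192.168.1.20 aa:bb:cc:dd:ee:01
Jun  1 20:01:03 homeserver dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.20 aa:bb:cc:dd:ee:01 laptop
Jun  1 20:03:44 homeserver dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.37 de:ad:be:ef:00:42
Jun  1 20:05:10 homeserver dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.21 aa:bb:cc:dd:ee:02 phone
"""

# Whitelist of the household's own devices (constructed values).
KNOWN_MACS = {"aa:bb:cc:dd:ee:01", "AA:BB:CC:DD:EE:02"}

# Only a DHCPACK means the client actually received an address; DISCOVER/OFFER
# lines are noise for this purpose.
ACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_acks(lines: Iterable[str]) -> Iterable[Tuple[str, str]]:
    """Yield (ip, mac) for every completed lease, MAC normalised to lowercase."""
    for line in lines:
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def unknown_leases(lines: Iterable[str], known: Iterable[str]) -> List[Tuple[str, str]]:
    """Return leases granted to MACs outside the whitelist (case-insensitive)."""
    allowed = {mac.lower() for mac in known}
    return [(ip, mac) for ip, mac in parse_acks(lines) if mac not in allowed]


if __name__ == "__main__":
    for ip, mac in unknown_leases(SAMPLE_LOG.splitlines(), KNOWN_MACS):
        print(f"unrecognised client {mac} obtained {ip}")
```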


A few thoughts

* WPA2 hasn't been 'cracked'
* Without 'passwording', all your traffic is unencrypted and can be trivially sniffed
* Spoofing one of your whitelisted MAC addresses in order to use your network is easy


First: thanks to ALL of you who answered. This was very informative. If I understand correctly:

1) I would define something as "not cracked" if it is as strong as its password--in other words, there's no way to circumvent it that isn't a general vulnerability (peek through my window, get a keylogger on my machine, etc.) I assume you're telling me that this is the case with WPA2.

2) It sounds as though you are saying that something like WPA2 doesn't just authenticate a login but remains in use as an encryption key for subsequent wireless data interchange between client and base station. If I'm understanding correctly, that's a powerful point.

3) I knew that MAC addresses could be spoofed, but I was thinking they wouldn't know WHICH MAC address to pretend to have. Of course, if I'd been a little smarter, I would have noticed that my own linux process was using the MAC address a client claimed to have to throw out unrecognized machines (before I had MAC address filtering as a built-in router feature). If they were sending their MAC address to me, then my own client machine would be sending its MAC address in clear text to them, telling them which MAC address to pretend to have. Duh.

Well, I feel a little dumber and a little smarter. Time to go change my network. Thanks again.


It is also trivial to see which MAC addresses are associated with which APs.


This approach is very easy to bypass by any knowledgeable hacker.

Since you said your WiFi is open, the only thing that needs to be done is fire up aircrack-ng's airodump and sniff; there I would see your MAC, in the clear. Then I could set my own to it or select any other MAC I have seen connecting for a longer while, and use it to access your router and add my other MAC to its whitelist.


This works great until someone comes along and spoofs the MAC address of your base station. Then the real fun begins.


Someone's said in the Ars Technica comments that MAC addresses are freely available in the packets-in-flight, and MACs are spoofable, so MAC filtering will only deter the casual, passing wifi-borrower, not anyone actually determined to gain access.


> MAC filtering will only deter the casual, passing wifi-borrower, not anyone actually determined to gain access.

Isn't that true of WPA and WPA2 though also?


WPA2 with a good password, at least, would put up a non-negligible barrier in terms of the number crunching required; in contrast, getting around MAC filtering would take effectively no time at all.


WPA2 is as strong as the password used on it, so it can easily be strong enough to deter any attacker from that perspective.


The only in-the-wild attacks against WPA2 are variations of brute-force attacks.

There are precomputed rainbow tables of common SSID+passphrase combinations floating around, but as a general rule, WPA2 with a sufficiently complex passphrase should be secure against anyone who doesn't have a massive compute cluster at their disposal.


This provides no security at all. A good solution would be to use a VPN like OpenVPN; i.e., you treat the wifi as an insecure channel, just like the internet, and only after connecting to the VPN would you be able to get to the internal network and the uplink.


Unfortunately, MAC addresses can be spoofed by a dedicated attacker. It prevents your neighbor from using your connection without paying, until they decide to listen to what your address is and then just use your address when you go to bed.


I'm chagrined to admit that this simple approach didn't even occur to me. I'm interested as well; are there any disadvantages to this?


It's a terrible way to secure a network. MAC addresses are easily spoofed, and without encryption anyone can sniff your traffic anyway. Even using WEP is better since then there's (usually) a requirement to see a connected client for longer than a few seconds in order to break the encryption. The only reasonable approach for a home network imo in practice is WPA2 PSK with a decent password.


Convenience. Easier to give a visitor a password than get the device's MAC address and enter it into the router's whitelist.


a bored teenage neighbor could attack your wireless network

He would have to be very bored indeed. Singling out my home to spend considerable time at an inconvenient in-range location to crack passwords to access ... what, exactly? View pictures of my toddlers? Copy my slightly deranged music collection? If he's looking for free network access, he can go down the street and get it from McDonalds or Starbucks or wherever while sitting in a comfortable chair sipping a soda.

I realize a bored teen is different from a SWAT team. Both, however, would need unusual motivation to turn their talents on my abode.


>network sniffing hardware

a large fraction of normal wifi devices that can be set into a proper receiving mode

>sophisticated password guessing tools

some password cracker they downloaded in minutes

>hours of planning

pressing a button or typing a couple commands

>and execution

taking a nap

It's not hard to secure a network from extremely simple attacks. At least for now.

And that analogy is nonsense. Body armor, night vision, combat training don't help them break into a house. At best it'll get them past the armed guards you don't even have.


The analogy is fine.

Walk into a well stocked military surplus store and you can walk out with all the tools you need to break into a house in short order, and trust me it doesn't take long to learn how to use them well enough.

The point is that once someone is determined enough to get into either your home or network, it doesn't take much to reach a stage where the owner has to go to great lengths to resist a very unlikely, but very likely successful, attack.


Like locks on doors, they're only meant to dissuade the random amateur. Given enough determination, preparation, tools and skills one can enter anything.

But since I'm not the Pentagon I don't live in nuclear bunkers and don't employ regiments of cybersecurity people. I guess the risk of being cracked by pros is just part of the normal risk of life.


My point is that you don't need any tools to break into a house. Kick in a door or throw a rock through a window. That is why the analogy is bad. Someone has to be very determined at breaking in to buy all those things. Someone has to be very determined to break into a secured network.

But someone does not have to be determined to break into the average house. And they do not have to be determined to break into a network that is misconfigured.

Using WPA2 with a long password and turning off WDS makes a network safe from direct attack.



