It’s not enough to know what to look for in a router. I wanted to get some solid advice on wi-fi network security. Who better to give that advice than someone who built an airplane that hacks wi-fi? So I talked to WhiteQueen at http://rabbit-hole.org, the co-builder of a wi-fi hacking airplane that made waves at Defcon.
Hacker stereotypes aside, WhiteQueen was very forthcoming. He’s a white hat, and I found him eager to share what he knows.
“Hypothetically speaking, if you lived next door to me, how long would it take you to get into my wi-fi network?” I asked him.
Surprisingly–at least it surprised me–if you use WPA2 with a strong password, you can make it take years. While I can’t keep him out indefinitely, it’s entirely possible to make it so difficult that anyone not specifically targeting me will just move on to someone else. And you can too.
Why should I care?
Perhaps you heard in the last couple of years about credit card information being leaked out of TJ Maxx and Marshalls store networks. A 29-year-old Cuban-American named Albert Gonzalez admitted to the theft and re-selling of 170 million credit card numbers from 2005-2007. He stole them off poorly secured wireless networks.
The September 2010 issue of Hakin9 magazine (hakin9.org) details the crime, and how it could have been prevented.
WhiteQueen pointed me to page 47, which showed a diagram of Gonzalez’ wardriving setup. All of the equipment is easily obtained, or fabricated using instructions that are readily available.
If your password is something like “popcorn,” he can break it in less than 45 minutes. Dictionaries containing a couple million possible weak passwords exist.
So, what’s a good password? He recommends something 14-25 characters long, mixed case, with a couple of numbers and special characters, not substituting numbers and symbols for vowels, l337-style. th!sIz@s3cur3p@ssw0rd! isn’t quite what it claims to be. Use a random password generator, he says. A Google search will turn up web pages that will generate them for you.
You don’t have to type that password all that often, he said, so the pain/security tradeoff isn’t all that high.
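An added example, not from the original article or from WhiteQueen: Python code that generates a random passphrase with the standard `secrets` module and audits a candidate against the rules above, including the l337-substitution trap. The small word list and the `personal` parameter are constructed for illustration; the 8-63 character bound is the WPA2 passphrase limit.

```python
import math
import secrets
import string

# 94 printable ASCII characters (no space); WPA2 passphrases are 8-63 chars.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Map common l337 substitutions back to letters before the dictionary check.
LEET = str.maketrans("013457@$!", "oleastasi")
# Constructed sample word list; a real check would load a large dictionary.
WORDS = {"password", "secure", "popcorn", "this", "network", "wifi"}


def audit(pw, personal=()):
    """Return a list of reasons the passphrase falls short of the advice."""
    problems = []
    if len(pw) < 14:
        problems.append("shorter than 14 characters")
    if len(pw) > 63:
        problems.append("longer than WPA2's 63-character limit")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if not all(any(c in cls for c in pw) for cls in classes):
        problems.append("missing a character class")
    # Undo l337 substitutions, then look for dictionary words.
    plain = pw.lower().translate(LEET)
    hits = sorted(w for w in WORDS if w in plain)
    if hits:
        problems.append("dictionary words after de-leeting: " + ", ".join(hits))
    # Surname, house number, street: material for a personalized dictionary.
    leaked = [p for p in personal if p and p.lower() in pw.lower()]
    if leaked:
        problems.append("contains personal detail: " + ", ".join(leaked))
    return problems


def generate(length=20):
    """Return a random passphrase that passes audit(); 14-25 characters."""
    if not 14 <= length <= 25:
        raise ValueError("the article recommends 14-25 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit(pw):
            return pw


def entropy_bits(length):
    """Entropy in bits of a uniformly random passphrase over ALPHABET."""
    return length * math.log2(len(ALPHABET))
```

Running `audit("th!sIz@s3cur3p@ssw0rd!")` reports the words "password", "secure" and "this", which is why a passphrase built from substituted dictionary words is weaker than it looks.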
WPA2 vs. WPA vs. WEP
You can forget about WEP. There are enough vulnerabilities in WEP that he can break it in minutes. WEP is effectively like the lock on your screen door, only useful for keeping honest people out.
Consider this. There are free tools that run on Android that crack WEP. You can’t install them from Google’s app store–you have to root the phone–but anyone with a little determination can do it. It might take 30 minutes for a typical Android phone from 2010 to break a WEP network, but 2011’s phones should be able to do it in about five, which is about how long it takes an Atom netbook, circa 2010, to do the job.
WPA is better, but it also has vulnerabilities. There are automated tools for breaking WPA too. For $17, WPA Cracker will attempt to break a WPA network, and on average, it takes 40 minutes. And it’s not the only option out there.
If you’re serious about keeping someone with his abilities out, use WPA2.
You can increase the security of your WPA or WPA2 network by hibernating or turning off your laptop when you’re not using it. Attacks against WPA require something with an active connection to be using it at the time.
Setting your SSID to not broadcast is an old security trick, but it doesn’t gain you much anymore. In some ways it makes things worse.
He said you might as well broadcast your SSID. Wireless networks just work better if you broadcast it, and you don’t slow a hacker down very much by not broadcasting it. You just make the hacker stop and run a tool to look for hidden SSIDs. Not broadcasting the SSID hurts you a lot more than it hurts him, he said.
But don’t include easily identifiable information in your SSID. Keep your last name, house number, and street out of it. Personal information not only helps an attacker identify his target, but it also helps a hacker create a personalized dictionary to run against your network.
Pick something with no connection to you. The more meaningless, the better. The more bland, the better. Don’t make it something that identifies your network as belonging to you, and don’t make it something that makes it look like you’re hiding something interesting.
The best is just a plain old number (other than your house number), or random gibberish.
WhiteQueen said there are mainly two reasons a lowlife might want to get into a network. Either you have data he wants, or he wants to use your network to jump off and do something else. That could be jumping off to hack another network, effectively using you to cover his tracks. Or it could be downloading illegal stuff he doesn’t want to use his own network to download.
Preventing the second case is easy. If your network is harder to hack than your neighbors’, that guy will always pick the guy whose network is wide open, or the guy who never changed his password from the factory default, or the guy who’s still running WEP.
So, the simple advice of using WPA2 with a strong password protects you from that guy.
For extra protection against someone who specifically wants to get into your network to get at your data, he recommends a second router. Or turn off wi-fi completely.
Plug one modem into your router. Assign that router an address space of 10.something. You can set the password to something your laptop-toting houseguests won’t mind typing in, but of course, you want to balance enough strength into it so that passers-by jump on someone else’s network instead of abusing yours. Ten characters, mixed case, with one number and one special character would be reasonable.
Then, plug a second router’s WAN port (not one of its Ethernet ports) into a LAN port in the first router. Assign that router a 192.168 address space. Either turn off its wireless, or turn on WPA2 and assign a nice, strong password to it. Plug your desktop PCs, your NAS, and that kind of stuff into the second router.
For the security paranoid, the two routers should be different. Different revisions of the same model could be OK (such as an early, pre-v5 Linksys WRT54G or WRT54GL based on Linux and a later v5-v8 WRT54G based on VxWorks), but different models or different brands entirely are better. That way, if someone uses a vulnerability in one to get through, he still has to get through a second one to get to your network. Of course, don’t forget to change the default passwords on your routers.
Vulnerabilities in wireless routers do come up from time to time. http://www.cvedetails.com/ has a nice database of vulnerabilities, which you can search by vendor and product. Fortunately, vulnerabilities that crash the router are a lot more common than vulnerabilities that let someone come in and do something.
Fixing them is just a matter of downloading the latest firmware from the vendor and installing it.
Hakin9 adds another step: Lock down the router to allow a limited number of connections. If you have two computers, set the router to only allow two connections. Then hard-code the MAC address of those machines. The procedure to do this varies from router to router.
The moving target
It took about five years for a vulnerability to be found in the original WPA. And brute-force attacks–trying every possible password–are much more practical now than they were in years past. The typical $500 consumer PC of today is a supercomputer compared to anything that was available in 2001.
So far, there are no known vulnerabilities in WPA2, so in 2010 the only way in is to use brute force.
Here’s some good news: A dictionary suitable for cracking 8-character passwords using all 95 of the easily typable characters on the U.S. keyboard would require approximately 11.91 petabytes to store. The largest available hard drive in 2010 is 3 terabytes–an order of magnitude smaller–so it’s safe to say we’re still a few years away from being able to store that kind of information on the desktop.
A dictionary file suitable for hacking 14-character passwords consumes a mere 4 brontobytes. What’s a brontobyte? One brontobyte would hold approximately 1,000 copies of the World Wide Web, circa 2010, in its entirety.
This is a bit of an oversimplification, but in 1990, consumer hard drives were measured in megabytes. In 2000, they were measured in gigabytes, and today, in 2010, they’re measured in terabytes. We may be pushing 2020 before we get to petabytes. So it’s more likely that someone will discover a flaw in WPA2 before that’s practical to store. But that, too, will take time.
But don’t feel too secure. A hacker who wants in will throw every dictionary he has at you. And WhiteQueen said hackers tend to collect passwords as they discover them, and add them to their dictionaries. He said humans aren’t very good at being random, so when they find a password one human used, there’s a good chance another human will use it.
The second-best thing you can do is stack the odds in your favor. The best thing you can do is keep your wi-fi turned off.
Re: strong passwords. You’re allowed to use spaces in WPA2 passphrases, so: use a sentence, properly punctuated, spaced, and capitalized, as long as is allowed, that means something to you that nobody else will be able to guess (Something like “My shameful secret: I had a total crush on Buck Rogers when I was 12!”) Congratulations: you’ve just made a password that’ll be easy to remember and totally impregnable against dictionary attacks for the foreseeable future.
Since half the Wifi drivers out there are too stupid to allow you to see the passphrase as you type it, I’ve taken to typing my passphrase into a notepad document and then pasting it into the password field.
Naturally I write all my passwords down on a paper that I keep in my desk at home next to my birth certificate and passport and mortgage papers.
The most important aspect of wireless security (I’m talking about home-based routers here, not businesses) is simply not being the “lowest hanging fruit” around. In other words, if all of your neighbors have no security, WEP is probably good enough. If all your neighbors are using WEP, I recommend WPA (and so on). I used to have a few old NICs still in service around the house that didn’t support WPA, so for a long time I was stuck running WPA. I think everything (including all our iToys and gaming consoles) supports WPA now, so it’s no longer an issue.
For businesses though, yeah, all bets are off. I recently helped a client lock down his office, and this is what I did: (A) enabled WPA2, (B) relocated router so that it wasn’t quite so easy to pick up the signal with a default antenna in the parking lot, and (C) had him turn off the router after hours and on weekends.
I ran the passphrase advice past WhiteQueen, and a couple of CISSPs, and they agreed that a nonsensical sentence like that is just fine. The key is making it long enough and including a couple of punctuation characters and numbers, which your example does.
A coworker (one of those two CISSPs, in fact) showed me a secure, cloud-based password service just a couple of days ago. I’ll ask him the name of it. The advantage to that, over a piece of paper, is that if you have to look up a password while you’re on the road, you can do it. That’d be a good topic to cover later this week.