Securing wireless networks is far too difficult
This story at the NYT web site (registration might be required—it seems kind of random to me) about the prevalence of “piggybacking” on open wireless networks. Most of the article deals with the theft of bandwidth, although there are a couple quotes from David Cole of Symantec about other dangers of people getting into your LAN and accessing the Internet through it.Â Something that really struck me, though, was the following section about a woman who approached a man with a laptop camped outside her condo building:
When Ms. Ramirez asked the man what he was doing, he said he was stealing a wireless Internet connection because he did not have one at home. She was amused but later had an unsettling thought: “Oh my God. He could be stealing my signal.”
Yet some six months later, Ms. Ramirez still has not secured her network.
There are two problems highlighted here, I think:
- We haven’t done enough to make it clear why encrypting your wireless network is important.
- More importantly, wireless routers need to be secure out of the box.Â Users will not change their behavior unless the barrier for wireless network security is lowered as far as possible, and that includes shipping routers with:
- WPA encryption enabled
- a unique shared key
- a unique router admin password (the fact that millions of routers ship with the same default admin password is embarassing)
- a unique SSID
- SSID broadcast disabled
Think about it: if you purchased a car that came with non-functioning locks and keys, and it was your responsibility to get keys cut and locks programmed, would you be satisfied with purchase?Â Would it be realistic to expect most consumers to do this on their own?Â I think it’s not.Â But that’s what the manufacturers of consumer wireless equipment (and related products, like operating systems) ask of the average consumer. With expectations like that, is it really a surprise that most users choose not to bother, even when they know better?