June 23, 2003

Wide-open wireless along the Amtrak N.E. corridor

- by Lee Schlesinger -
When I took the train from Boston to New York City last week to attend CeBIT America, I took with me my most portable notebook, a Sony PictureBook running Windows ME. I turned on the computer as the train rolled out of Route 128 Station, and kept it on until we dipped under the East River, all the while running a program called NetStumbler that scans the airwaves for Wi-Fi access points. The results: There are a lot of 802.11b access points out there, and most of them are wide open to air piracy.

When I tried this exercise a year and a half ago, Wi-Fi wasn't nearly as widespread. At that time I uncovered only 43 devices on a similar stretch of track. This time, on a slightly shorter trip that started in the suburbs outside of Boston, I found 113 Wi-FI devices, all but five of them access points. Of those 108, only 15 were using WEP encryption.

Without WEP protection, which admittedly is relatively easy to crack but is better than nothing, anyone with a laptop computer and an 802.11b adapter could park within range of an unencrypted access point and share its Internet connection. Worse, if the owner's internal security was as bad as its network security, anyone could read or copy files from computers on these networks. Unfortunately I couldn't test any of the sites I found myself, because riding behind a speeding locomotive, an access point goes in and out of range faster than you can click a mouse.

It appeared that most of the secured access points belonged to individuals, not businesses. They had SSID names like gramps, KPeterson, and Anthony's Network. Why aren't businesses making wireless security a priority? I can think of a number of possible reasons, but none of them holds up against the possibility of letting strangers inside your firewall.

I recently added WEP to my own home network. All of my neighbors who might be within range are old (or dead, in one case) and unlikely to be wild wireless access point hunters (I'm not being agist, I just know my neighbors), but I think it's good practice. It's a tiny bit more work when I set up each new PC, but just a trivial amount. I can understand how users might complain that they need to reconfigure when they move from their home network to their office network, but the simple solution to that problem is to give your home network the same encryption key as your office.

If you're responsible for a wireless network, I urge you to practice safe computing. Even if you think leaving your link unencrypted is extremely unlikely to cause harm, consider the down side if you're wrong. Just say yes to wireless data encryption.

Click Here!