Wi-Fi Security Hysteria Promulgated by UM

It's distressing enough when a lay person mistakes the facts surrounding Wi-Fi security, but it's even more painful when an institution of higher learning, in this case the University of Maryland, leads people further astray.

For starters, the title of the press release, "UM Study: Password Protecting Your Wireless Network Is Not Enough", is catchy but entirely inaccurate. A few sentences into the piece it's pretty clear that the problem is not passwords, but additional unsecured or rogue access points. On the home front sometimes a single access point is not enough to cover the whole house, so a second access point is added. Obviously, that needs to be secured like the first. And in the office, if coverage is poor an employee may install their own access point. That's called a "rogue" access point, but apparently that's not part of UM's vocabulary. Either way, yes, that's a security gap, but the problem is not passwords.

Prof. Cukier, the study's author, continues by describing the various ways that wireless networks can be secured. But that misses the whole point -- if the initial wireless access point(s) in a home or business network was already properly secured, the readers of the press release don't need further advice regarding *how* to secure their access points, but guidance enforcing strong wireless security policies. On the home front that might be as simple as clear communication of expectations with household members, but in the enterprise, overlay wireless IDS/IPS systems and/or wireless LAN infrastructure products can assist in enforcing corporate policies. So the problem has nothing to do with passwords but everything to do with consistent wireless policy enforcement.

The press release goes on to highlighting 5 ways to secure an access points, but I can only recommend 1 1/2 of them. The first, limiting signal coverage, does help limit access by the drive-by leecher, but a hacker with the right directional antenna can bring all that work naught. Furthermore, homes aren't in the position to shape coverage. Second, SSID broadcasts should not be considered a security mechanism. They are merely an identification name, point that the CWNA (Certified Wireless Network Administrator) handbook also makes. It's easy enough to disassociate a client from an access point and to capture the SSID when it re-associates. Third, the WPA/WEP encryption paragraph thoroughly confuses the subject. While it's true that clients can only use one encryption mode at time, at a time, WEP and WPA can be used on an AP at the same time (it's called mixed-mode encryption, though most SOHO APs don't support it). Only WPA/WPA2 should be recommended and users strongly encouraged to move away from WEP. And key rotation (belying the author's presumption that we're talking about WPA Personal, not Enterprise) is not needed or required with WPA or WPA2. Simply use a complex text string, preferably 10 characters or longer, and you'll be fine. The fourth way mentions key rotation again. Last, MAC address filtering isalso not a security solution as MAC addresses on wireless cards can easily be changed to match existing associated clients.

The press release presumes that limiting Wi-Fi coverage, disabling SSID broadcasts, rotating keys, and using MAC address filtering are helpful means to securing home or enterprise access points, but the reality is that a good pre-shared key with WPA or WPA2 is all that is needed to maintain a secure wireless connection at home and keep leechers at bay; enterprises should have some kind of rogue device monitoring system in place.