We retrace our steps to find out how easy wi-fi is to hack
It’s called war driving – cruising the streets with a laptop running a free program you can download from the Internet. The program continually listens for wi-fi connections and determines which have open access and which are safely encrypted – like scanning through radio channels, but you can only get those stations which haven’t been closed off.
Open access can enable a war driver to access the Internet using someone else’s broadband for free. Even more sinister, they can steal passwords, data, bank account details or spread computer viruses.
Under the Telecommunications Act it’s not against the law to ‘listen’ to a wi-fi access point, but it is illegal to use a connection that’s not intended for public access.
Five years ago NetGuide took a 30-minute war drive around Auckland and discovered 145 access points, 60% of them without WEP (Wired Equivalent Privacy – the standard form of signal scrambling to stop unauthorised people getting in).
We decided to recreate that war drive with the same security expert. The results he gathered showed a substantial increase in the number of wireless sites – around 1500. But the good news is that only 25% were without WEP (or its successor, WPA – Wi-fi Protected Access), and the overwhelming majority of the unencrypted access points were public wi-fi hotspots.
But encrypting your wireless connection doesn’t mean you are safe from thieves, according to our security expert. “That’s just one level of goodness; you have to look at it holistically and create many layers of security.”
He should know; it’s his job to combat the hackers’ latest inventions, and he tells us about one Web site where they will hack an encrypted wi-fi account in 40 minutes if you pay them $20. Although he points out that sending your credit card details to a hacking site is probably not the wisest move.
According to our expert the biggest issue with security is apathy. Many broadband users with wi-fi enabled devices just don’t bother with the basics. “How hard is it to lock your house?” he asks. “You just have to learn these things.”
He says many wi-fi spots are automatically encrypted today, but that doesn’t mean you can be complacent.
Here are his steps to securing your connectivity – or in his words, building multiple layers of “goodness”:
First on the list is “Read the manual” – it’s that simple. It will show you how to hide your SSID – basically the number that identifies your wi-fi connection. This is a great start, but it is only one layer of goodness.
It’s a good idea to name your wi-fi – many of the connections we detected on our war drive still had the name of the manufacturer. If you couldn’t be bothered creating your own name, it’s a sign that you might not have bothered to secure the connection properly either.
So yes, change the name but don’t make it identifiable. This is one time when you do not want to advertise. You can be Bob, Sue, George or Griselda. Some of the names we saw were rude and unrepeatable; others, like ‘Cutiepie’, were quite sweet.
That creativity you unleashed to create a name – use some of it to think up a password. Make it different to every other password you’ve got. Ensure it has numbers and letters in it. Then write it down in a book, so when you need it again, you can find it. NB: don’t put that book by the computer!
Remember, if they can hack into your connectivity, they can hack into your life. And, as our security guy says, if they’re outside your house they don’t have access to the book of passwords. So it’s worth making the effort to create something that is unique.
Highest level of security
If you really want to ensure no one can get into your computer and there are just a couple of you in the household, you can lock it down to just a few specific IP addresses. On your router or access point, look for the DHCP (Dynamic Host Configuration Protocol) setting and turn it off. You can then assign a fixed IP address range and configure only permitted computers to access it. The instruction manual should tell you how to do this.
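The layers listed above can be checked against your own access point's settings in one pass. The script below is an added example, not part of the original article; the field names, the list of factory-default SSID prefixes and both sample configurations are assumptions constructed for illustration.

```python
import re

# Illustrative factory-default SSID prefixes (assumed list; extend it for your hardware).
DEFAULT_SSID = re.compile(r"^(netgear|linksys|dlink|d-link|tp-link|belkin|default)", re.I)

def audit_access_point(ap, other_passwords=()):
    """Return findings for one access point config (hypothetical field names)."""
    findings = []
    enc = ap.get("encryption", "none").lower()
    if enc == "none":
        findings.append("open: no encryption configured")
    elif enc == "wep":
        findings.append("weak: WEP in use, move to its successor WPA")
    if DEFAULT_SSID.match(ap["ssid"]):
        findings.append("default-ssid: still carries the manufacturer name")
    if not ap.get("ssid_hidden", False):
        findings.append("ssid-broadcast: SSID is not hidden")
    pw = ap.get("passphrase", "")
    if enc != "none":
        # The article's rule: letters and numbers, and unlike any other password.
        if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
            findings.append("passphrase: needs both letters and numbers")
        if pw in other_passwords:
            findings.append("passphrase: reused from another account")
    if ap.get("dhcp_enabled", True):
        findings.append("dhcp: enabled, any client is handed an address")
    else:
        # Optional lock-down step: only the fixed addresses should be present.
        allowed = set(ap.get("allowed_ips", []))
        strangers = sorted(set(ap.get("clients", [])) - allowed)
        if strangers:
            findings.append("clients outside fixed range: " + ", ".join(strangers))
    return findings

# Constructed sample configurations, not real networks.
FACTORY = {"ssid": "NETGEAR54", "encryption": "none"}
HARDENED = {
    "ssid": "Griselda", "ssid_hidden": True, "encryption": "wpa",
    "passphrase": "harbour42bridge", "dhcp_enabled": False,
    "allowed_ips": ["192.168.1.10", "192.168.1.11"], "clients": ["192.168.1.10"],
}

if __name__ == "__main__":
    for name, ap in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit_access_point(ap) or "no findings")
```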
We asked our security expert if, when you’re travelling, it’s safe to use the wi-fi in your hotel room. He answered with an anecdote.
He recently stayed in a hotel overseas, and when he logged onto the computer he was able to open up the Outlook email account of the person who’d been there before him. He saw all sorts of things, most of them innocuous, such as subscription emails and Uncle Joe’s holiday snaps. Our security guy thought about emailing the person to explain what had occurred, but he decided against it and pressed ‘delete’ instead. A message out of the blue about security from a stranger would be too hard to explain.
But if he had sent a message he would have explained that in a hotel, if you don’t want anyone else to see your private email, you should only use the secure VPN connection back to your company when you access the Internet. That is private and protected.
Also, he would have told them that Uncle Joe shouldn’t be wearing speedos at his age.