WiFi security has come a long way from the days when consumers used wireless routers with inadequate or no encryption, and overlooked the need to change default passwords for gateway access.
The underlying problem was poor product design, laziness about the importance of security from technology-centric vendors, and near universal ignorance from users as to the risks of just turning on a router designed to broadcast a user’s every web visit and email to the neighbourhood via a powerful radio signal.
Five years on, the latest generation of WiFi routers will typically demand that secure passwords and user names are set during setup, complete with hard-to-crack encryption keys using standards such as WPA2.
But wireless security hasn’t quite gone away as an issue in an age when people now often connect through public access points away from their homes, sometimes using devices other than PCs.
For the sake of argument let’s assume that the router has been configured competently (see D-Link's CAPTCHA system for defeating scripted attacks on home routers) and WPA2 encryption turned on at 128 bits or above. Unfortunately, as secure as this setup will be in most cases, this is only the most basic layer of wireless security. The vulnerability is still the PC itself, especially when roaming away from home, and the threat of social engineering attacks that bypass simple hijacking or sniffing of the wireless connection.
Basic security tools
Type ‘wireless tools’ into a search engine and the returns will offer a bewildering range of hacking and cracking tools for poking into other people’s WiFi connections. It’s tempting to dismiss them as being for the black hats and the nosy, but it’s still worth having a basic utility on a laptop simply to keep an eye on the range of access points around you.
A good basic and free tool is inSSIDer, which is mainly used to troubleshoot wireless signal problems and interference from other access points, but it also lists all WiFi devices in a locale that are broadcasting SSIDs. From this you can see signal strength (expressed in negative numbers; the smaller the magnitude, i.e. the closer to zero, the better), stability, and get some idea of the encryption schemes in use (or not) by access points. This tool runs across all Windows versions. Which AP to connect to in a public place? This is better than nothing at separating the rogue from the legit.
A step up from this is Wi-Fi Inspector from Xirrus, which does the same job as inSSIDer but with more detail. One useful feature is being able to chart the direction and distance of access points, complete with a Geiger counter which beeps more rapidly as you move closer to one. This could be one way to physically locate a rogue access point if one is turned on.
Wi-Fi Inspector is also good for troubleshooting connections - not strictly a security issue - but it will also rate Internet connectivity speed and app quality of service on offer from local access points. The benefit of this tool and the detail it brings is being able to monitor the local radio environment as a background (i.e. constant) rather than occasional task.
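The kind of check a scanner listing makes possible, as an added example that is not taken from inSSIDer, Wi-Fi Inspector or the original article: given SSID, BSSID, signal and encryption for each access point, flag the ones worth a second look before connecting. The row layout, the sample networks and the three heuristics are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample scan rows: (SSID, BSSID, RSSI in dBm, security scheme).
# These are made-up networks, not output copied from any real tool.
SAMPLE_SCAN = [
    ("CoffeeShop-Guest", "02:00:00:aa:00:01", -48, "WPA2"),
    ("CoffeeShop-Guest", "02:00:00:aa:00:02", -71, "WPA2"),
    ("CoffeeShop-Guest", "02:00:00:ff:00:09", -35, "Open"),
    ("Airport_Free_WiFi", "02:00:00:bb:00:01", -80, "Open"),
    ("HomeNet", "02:00:00:cc:00:01", -60, "WEP"),
    ("Library", "02:00:00:dd:00:01", -55, "WPA2"),
]

WEAK_SCHEMES = {"Open", "WEP"}  # no effective link encryption


def review_scan(scan):
    """Return {ssid: [warnings]} for networks that deserve a second look."""
    by_ssid = defaultdict(list)
    for ssid, bssid, rssi, security in scan:
        by_ssid[ssid].append((bssid, rssi, security))

    findings = {}
    for ssid, aps in by_ssid.items():
        warnings = []
        schemes = sorted({sec for _, _, sec in aps})
        # One network name advertised with different encryption is a
        # classic sign that one of the radios is not the real one.
        if len(schemes) > 1:
            warnings.append("same SSID seen with different security: "
                            + "/".join(schemes))
            # RSSI is negative; the value closest to zero is the strongest.
            bssid, rssi, sec = max(aps, key=lambda ap: ap[1])
            if sec in WEAK_SCHEMES:
                warnings.append(f"strongest radio {bssid} ({rssi} dBm) "
                                f"is the {sec} one")
        for bssid, _, sec in aps:
            if sec in WEAK_SCHEMES:
                warnings.append(f"{bssid} offers {sec}: "
                                "no effective link encryption")
        if warnings:
            findings[ssid] = warnings
    return findings


if __name__ == "__main__":
    for ssid, warnings in review_scan(SAMPLE_SCAN).items():
        print(ssid)
        for w in warnings:
            print("  -", w)
```

A flag here is a prompt to ask staff which network is theirs, not proof of a rogue access point; a legitimate venue may run an open guest network alongside an encrypted one.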
Secure roaming tools
A further step up are tools designed to manage wireless security in public places, easily the riskiest place to use WiFi. Oddly, many users ignore this risk and such tools are not used as often as they might be.
WeFi is a community-driven tool for locating (and adding) free and paid WiFi access points across the developed world that works with Windows, Mac, Android, Symbian and Windows Mobile. The first security feature is that users can access the free directory map to find trusted access points in their locality, complete with information on whether they will have to pay for them. This is obviously an advance from just turning on a laptop and making assumptions about what it finds.
The connection manager also makes it easy to configure the way that the laptop will connect to favourite access points in different locations, whether at home or in public places. The level of configuration here is impressive right down to automatically dealing with web page sign-ins that some access points throw up. Auto-connection, always a dangerous approach in public spaces, can also be reined in.
Login to the WeFi site can be via Facebook if you have such an account. The subscription version gives access to paid access points but the free version will be more than enough for most basic uses.
Easy WiFi offers much the same range of conveniences as WeFi, including automatic logging in to 'captive portals' and encryption of sensitive data moving to and from Easy WiFi's servers. In addition, this free software offers ‘evil twin’ protection by authenticating the security certificate that will be used by a commercial access point. If an access point fails this test, the app blocks the connection in favour of the next one that does pass.
This security feature won’t be available for small, informal, free access points but it is still a useful layer of defence. Easy WiFi also works on mobile devices, including Android smartphones and the iPad.
Previously a paid-for app but now free, Avanquest Connection Manager takes the above concept and parlays it for business users or home workers. In principle, it is a tool for managing connectivity while in the office (printers, mapped networked drives, email settings), at home (WiFi access settings) and while roaming (WiFi), but the ability to manage VPN security settings and move between domains is still quite neat. Windows 7 has stolen some of its thunder, but older versions of Windows will still benefit.
WiFi users accessing a VPN will be getting encryption for free, regardless of the WiFi encryption scheme in use with the access point. They will also be accessing a RADIUS authentication server, which checks the user against a more robust set of parameters than simply connecting to an access point with a key.
Sad to report that Witopia’s SecureMyWiFi authentication service is no longer available although there is talk of bringing this back in the future. This offered RADIUS for the masses, which is to say anyone, even people with home WiFi routers. The company is focussing on its mobile VPN service instead. Watch out in case it returns.
However, a newer service is AuthenticateMyWifi.
Using WiFi with 3G
There is one more recent way to secure a WiFi connection in the public sphere pioneered by Novatel Wireless’s MiFi, even if it is not free as such.
In essence, this is an ingenious way to carry a battery-powered router around with you, which will connect through mobile 3G networks, serving the connection through WiFi. The company calls it a ‘mobile hotspot’ which can function as a home 3G router while at home and be taken with a laptop while roaming.
It is, in effect, a way of cutting out the risk of public hotspots altogether by harnessing a simple sharable router tied to an independent network, which in the UK would mean any one of the big five mobile networks. Advantages? It offers good security, a signal from more locations than public WiFi, and has the ability to serve multiple users at once, not just one. It hands some of the control back to the roaming party even if it does add a layer of cost for the device itself and the 3G subscription.
A variation on this theme is Connectify, a software router for turning a Windows 7 PC into a hotspot. The advantage (apart from being able to share a connection of any type with others) is that it users accessing the Internet through this connection from other WiFi devices.