In the Spotlight

News & Features
No wires - no security
By Jon Gordon
Minnesota Public Radio
December 10, 2001
Click for audio RealAudio

One of the rare success stories in technology this past year is the rise of wireless computer networks. With a system called "Wi-Fi," users connect their computers to the Internet or nearby computers wirelessly, at their workplace, home and in public places like coffee shops and airports. What millions of new wireless users don't know is these new-fangled networks lack basic security. With simple tools, outsiders can find computer networks, snoop around, and even do damage.

Andy Warner
Andy Warner runs Link Margin, a wireless network consulting firm. He has detected more than 400 "Wi-Fi" networks in the Twin Cities. A majority of the networks are unencrypted.
(MPR Photo/Jon Gordon)

One reason Wi-Fi is so popular is it's relatively cheap. A hundred dollars buys a wireless card for your laptop computer that allows you to hop onto wireless networks at places like Twin Cities-area Dunn Brothers coffee shops. Two hundred dollars more and you can make your own high-speed network for connecting multiple computers at home or the office. A Wi-Fi transmitter, about the size of a book, beams a signal up to 400 feet in every direction. It uses the same radio frequency as a baby monitor. But the signal can't tell an authorized user from someone next door who's using the network without permission.

Andy Warner is driving through downtown Minneapolis in his green Volkswagen Golf. He's got a laptop in the passenger seat that's armed with a program called "NetStumbler."

"The program we are running right now simply listens all the time for new networks," he says. "Every time it finds one, it makes that characteristic noise. And it shows the name of the network it finds, the signal strength, the location, and whether it's encrypted or not."

Wi-Fi equipment includes encryption, a fancy word for srambling data so only authorized users can make sense of it. But you have to turn encryption on when installing your network. Most users don't bother. Warner, who runs wireless networking firm Link Margin, has detected more than 400 Wi-Fi computer networks in the Twin Cities.

Something over 65 percent of the networks we've observed are not encrypted. It's a scary number. They're just completely open. Anyone with a wireless card can decide to be on that network.

That means anything on a private computer network is visible, from business plans to credit card numbers.

On a recent day, Warner found 58 wireless networks in Minneapolis, around the University of Minnesota and downtown, in the space of an hour. One was a financial services firm that set up a Wi-Fi network to link a new employee into its existing network because it was cheaper and easier than running new wiring. The Wi-Fi network wasn't protected with encryption, making all its valuable data vulnerable. A company spokesman asked that the firm not be named, but he says the company didn't know about the security problem until MPR informed him.

"It is a convenience factor to have the wireless network, and it's nice, but it's not worth any sort of risk. Since the call from you, we have completely uninstalled the network and we're no longer using the hardware in any manner," the spokesman said.

Elizabeth Saewyc
University of Minnesota School of Nursing professor Elizabeth Saewyc set up a wireless network so she could share files and a printer with her colleagues. Her system is more secure than most.
(Photo courtesy of University of Minnesota)

Another network identified itself to Warner's computer as "Bisexual Youth Study." A few phone calls led us to University of Minnesota School of Nursing professor Elizabeth Saewyc. She's conducting a federally funded study of health concerns of bisexual teenagers.

Saewyc set up the Wi-Fi network so she could share a printer and files with her colleagues. She encrypted the network, making it much less vulnerable to hackers. But she has made one change as a result of our inquiry.

"The work we do is relatively sensitive and some people find it controversial. I certainly wouldn't want the average stranger driving by with a laptop and finding "Bisexual Youth Study" and wanting to come in and make some alterations or do some damage. So, we've renamed it," she said.

When you set up a wireless network, you give it a name. Hiding the identity of the network is called "security through obscurity." Not a perfect solution, but it helps. Encryption will probably deter people from stealing bandwidth so they can surf the Web for free; and it will likely stop virus writers and junk e-mailers who might like to use other people's Internet service so they can't be traced.

Still, encryption won't faze the most determined hackers, because computer security researchers have already found a way to bypass it.

Peter Shipley, a Berkeley, California security consultant and hacker, has mapped thousands of Wi-Fi networks in the San Francisco Bay area and made his results public. Like other geeks, he does it for two reasons: to expose security problems, and for fun. He's seen wide-open networks at law firms, banks, and hospitals.

"People are running out and setting up these networks and forgetting about it," says Shipley. "It's very similar to the big Internet rush a few years ago, where people were throwing their systems online as fast as they can, and once their Web page was up they thought they were done and never bothered doing security. Sadly, we're seeing this whole thing happen again. Security, I believe, is in a sense being thrown back 10 years."

Computer scientists are working on new, more secure technical standards for wireless networks. But that's probably a couple of years away. For now, the problem is likely to get worse, as more Wi-Fi networks are set up.

(MPR's Kaomi Goetz assisted in this story)

More from MPR
  • Tips on wireless network security

    More Information
  • Advice on how to set up a secure wireless network
  • Provides software for detecting wireless networks
  • Sans Institute An overview of war driving and war dialing from the non-profit Sans institute