Wi-Fi security: It's a good time to be a bad guy

One disadvantage to living in an urban area is that there are a ton of wireless networks on the 2.4Ghz band, no doubt, constantly interfering with each other. For example, when I use Wi-Fi at home, Windows often pops up a message that I'm now associated with my wireless network. No doubt, this automatic re-association with the router results from just having being disconnected due to interference.

But the upside is that there is fertile ground for a survey. After writing a few postings here about Wi-Fi security as well as a longer article at eSecurityPlanet, I decided to see what my fellow city-dwellers were doing in terms of securing their wireless networks.

For the survey I used Bossie award winner inSSIDer from MetaGeek. InfoWorld gives out annual Bossie awards to free, open source software.

inSSIDer survey

I surveyed using a ThinkPad X40 laptop running Windows XP SP3. The Wi-Fi capabilities of the machine (Intel PRO/Wireless 2200BG) are limited to B and G in the 2.4 GHz spectrum. The latest version of inSSIDer was used, version from July 2009.

I ran surveys from two locations, each time letting the software scan for about 40 minutes. The locations were very far apart, insuring that each survey saw totally different networks.

In the first location, inSSIDer picked up 64 networks. In the second location, it picked up 52 (when I say location, I mean one location, scanning was done from a single spot, the computer never moved).

An examination of the networks at the second location found some duplicates. That is, networks with the same (or very similar SSIDs) using hardware from the same manufacturer showed up multiple times, each time using a different Wi-Fi channel. I counted these as a single network in my tally. One location was my living room, so I excluded my network from the totals.

Strangely, this left an even 100 networks. Their security profiles were:

  • 12 had no security/encryption at all
  • 49 were using WEP  
  • 16 were using WPA  
  • 20 were using WPA TKIP
  •  3  were using WPA2 AES (a.k.a. WPA2 CCMP)

The first thing that stands out is the huge percentage of WEP and open networks. Considering that WEP encryption is very weak, a whopping 61% of the networks are not secure. And that doesn't include the WPA and WPA2 networks that are using passwords such as "password". Encryption on any network with a weak password is breakable.

At the other end of the spectrum, only 3% of the networks are using the best encryption, WPA2 with AES-CCMP. In the middle of the pack, WPA security is used 36% of the time.

It's a good time to be a bad guy.

NOTE: I spoke with MetaGeek about why WPA is sometimes reported simply as "WPA" and other times reported as "WPA TKIP". They said that there are no real standards as to how the hardware reports this information. Thus, inSSIDer is forced to deal with the peculiarities of each Wi-Fi network adapter, no doubt, a virtual Whack-a-mole for any programmer.

Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon