Is your home wireless network secure? On a drive about town, I noticed that about one fifth of home routers are completely open and perhaps half are under-secured.
Used to be, this was because home users didn’t know how to configure their routers. But now, Comcast is turning home networks into public hotspots unless customers — few of whom even know about this — specifically opt out.
This article discusses the problems with this.
U.S. courts may hold you responsible if someone uses your wireless network — without your knowledge or permission — to illegally download music, movies, or software. People have even been raided by SWAT teams and convicted for downloading child pornography.
Is Comcast’s project a bold move towards free wi-fi everywhere? Or is it a security outrage?
Meanwhile, here’s a simple tutorial on how to secure your home wireless network.
I’ve been running an open Wi-Fi network for many years—in addition to my internal WPA2-secured SSIDs. See https://openwireless.org/ for details—while I don’t do exactly this, I agree with the idea and encourage everyone to do the same.
Edited 2014-11-17 20:57 UTC
I like it. Cool idea, great movement.
But you do know that if you live in the U.S. and someone uses your network to illegally download music, movies, or whatever, you’re responsible, right?
I recommend you read https://openwireless.org/myths-legal for more information on this.
Thank you, I did. IMHO, it’s never good when a web site urges you to do something and then has a section called “If Law Enforcement Comes Knocking, What Are My Rights?” Just my opinion. Cheers.
Just like running a tor exit node immediately makes you responsible for anything that someone uses it for?
Nope.
Of course law enforcement wants you to believe this, however, since it makes their jobs easier. Open wifi and tor exit nodes actually make them work harder to track down suspects.
umccullough,
I have no idea about the legalities, but I’d still be extremely worried about the costs and risks of building a defense. It’s not unheard of that convicted criminals are exonerated later when new evidence comes up, but it means that innocent people can and do get wrongly convicted sometimes. It’s troubling, but juries aren’t some kind of infallible oracles of justice. They can be manipulated by lawyers. If an innocent defendant doesn’t have adequate representation or sufficient evidence to support their claims, they might well be prosecuted for someone else’s crime.
For those of us in the tech field, we know just how easy it can be to fabricate digital evidence pointing to other parties, if we were so inclined.
Edited 2014-11-18 19:46 UTC
And therein lies the problem.
Whether you secure your wifi or not – your network can still be infiltrated, your machine can become part of a botnet…
The more you secure your own network, the more likely you are to be convicted of a crime you didn’t commit on the basis that nobody could have possibly used your resources to impersonate you.
You’re assuming they take the time to track down suspects and don’t just settle on the owner of the network. Our cops are getting very close to the “guilty until proven innocent” mindset these days and how will you prove that you didn’t download that child porn yourself? Not finding it on your computer does not prove your innocence and even if they don’t come up with enough evidence to convict you they’ve still seriously screwed your life up.
And you are proposing that fixing this erosion of our rights is to avoid it?
I agree – being accused of child porn, etc. is a life-ruining event – but until our government officials and law enforcement are reined in and our rights are reset the way they should be, we can’t just give up our rights and hide from the problem.
It is my right to offer public wifi (my ISP has nothing in the TOS preventing it). It is my right to run a tor exit node. It is my right to not be convicted of crimes that I personally didn’t commit. How can I exercise my rights if I’m being told “it’s safer not to”… that’s absurd.
umccullough,
I’m unsure what “rights” you are referring to, I’ve never heard of this being codified into any law. Can you point to legislation that explicitly grants these rights?
Are you positive? Our ISP definitely prohibits it. What ISP do you use?
https://www.optimum.net/pages/Terms/Internet/Residential.html
I may feel that I ought to have a “right” to do whatever I choose with the bandwidth included under my package, but without a law giving me this right I think the TOS would be upheld. But I am very curious if there are any examples of the contrary.
Yes of course ideally this ought to be always true, but isn’t it naive to think it’s 100% reliable? If you don’t have evidence of your innocence, that increases your risk of being prosecuted, unfortunately. Have you seen abuse of authority, and even planted evidence, on YouTube? Very chilling! But at least those guys have camera footage.
Edited 2014-11-19 23:32 UTC
It is my right because it is not illegal. Can you point me to a law showing where offering public wifi service is illegal? I’m sure it’s just a matter of time before someone passes a law – and it sounds like a fair number of people will just roll over and let it happen.
Sonic.net
Other than telling me that they hold me accountable for anything that happens with my service (standard disclaimer that any service provider would obviously claim – this is mostly to combat spamming and scamming via their email service) – there is no limit on sharing my service with others.
They’re even mentioned in the previous openwireless.org page.
I could have almost the same service via AT&T, and pay probably half the price – but I choose my freedoms over cost.
That sucks, unfortunately due to monopolies here in the U.S. you probably don’t have much choice of providers.
In case you’re interested in seeing a much shorter and less irritating TOS, here’s the one Sonic.net provides:
https://wiki.sonic.net/wiki/Category:Policies
Note, I also have no bandwidth caps, but given that I only have a lowly DSL line through them, it’s not like it matters anyway.
Yes, I’m well aware of the potential issues you are alluding to. I’m an avid daily reader of blogs such as Techdirt (highly recommended if you actually care about your rights online). This is why I become so angry when people tell me I should be careful – we are allowing governments and law enforcement agencies to slowly erode our rights – we are giving them up because we’re afraid of what might happen to us if we speak up? If not ourselves, who will stick up for our rights?
I would rather have an open-source firmware in my router which gives me the control about what and what not to run in the first place. For example being able to use 802.1x via eap-tls (wpa2-enterprise).
I do everything (and have for years) that is on that checklist for the simple tutorial. However, none of that will prevent someone from being able to use your connection – it just keeps honest people honest. It certainly won’t keep LEO from charging you with a crime… in fact, quite possibly the opposite. They’ll point out that it’s unlikely someone else could have used your connection since you “secured” it. It’s one of those damned-if-you-do/damned-if-you-don’t problems.
It recommends security theatre: disabling SSID broadcast and MAC address filtering. Completely useless against attackers (honest people aren’t attacking, and a good passphrase keeps them out) and give a false sense of security.
A study from last year says almost all consumer routers are hackable.
See this article for the analysis —
http://www.cnet.com/news/top-wi-fi-routers-easy-to-hack-says-study/
and here’s the study itself —
http://www.securityevaluators.com/knowledge/case_studies/routers/so…
We need more hotspots for better connectivity. I always use my router’s ability to have guest network to have one open.
Legally there shouldn’t be a problem in any modern society, but in case copyright trolls have corrupted your system, then at least having open networks being normal and opt-out not opt-in will destroy even their hard bought legal fig leaves.
Edited 2014-11-17 22:03 UTC
Look, if you want to run an open network, that’s fine. But for an ISP to change your network into an open one without your consent, especially in a country like the US where you’ll be held responsible for anything some random schmuck does, is insanity. What scares me more is that people are praising more hotspots without realizing just what this means to anyone who gets the short end of the legal stick.
Run all the open networks you want. I run an open guest network myself, but have a lot of restrictions set up on what can be done. The key difference is: this is my choice. Mine. Not my ISP’s. One of many reasons why I don’t use an ISP-provided router and make sure everyone I know is aware of what can happen when they do stick with the routers they’re given. Nothing’s free, and tactics like this are the cost of accepting “gifts” from the ISPs.
Everyone so far has focused on the security and legal issues related to running a hotspot, but no one’s mentioned the issue related to connecting to one; if you don’t know who is running the hotspot and can’t vouch for it to be secure should you really be connecting to it at all? Many apps, websites, mail-servers and whatnot still operate in plaintext, so running a hotspot is still a good way of getting all sorts of details about people, and hotspots are also a great way of infecting people with malicious software — see a user downloading a .exe-file, for example? Whoops, it got infected on-the-fly!
Personally I just simply don’t use any wireless networks other than the one at home.
Can’t you use a VPN in such case? It’s a good idea if you for example connect in some Internet cafe or the like.
Of course you could use a VPN, but most people do not have such. I, at least, am not aware of anyone who uses a VPN. I believe that training Average Jane and Joe to just connect to any open hotspot that happens to be nearby is a big security issue in development and they should be trained to avoid such unless they have a VPN or other system in use.
I think it’s becoming more common. And especially in public WiFi it should be a normal practice. But as you said, people should be trained in doing that. Most probably have no clue still, but recent privacy issues brought it more into focus.
Edited 2014-11-18 05:22 UTC
I don’t even trust my ISP. Traffic is encrypted or it doesn’t matter. Fortunately you can configure most services to be encrypted these days, even if it isn’t always default, but it usually is now.
I remember when MiFi was giving away free hotspot access points for people to use to build a national Wifi Network.
Having broadband at home is great, but it’s always been a disappointing limitation that it only works at home or in select WiFi enabled-zones. To truly make a WiFi network ubiquitous, you’d need an access point in just about every home. Making dual mode access points makes a lot of sense.
As far as legal accountability, this isn’t public or anonymous, you need an existing Comcast account: “Anyone hooking up to the ‘Xfinity Wi-Fi’ public network must sign in with their own traceable, Comcast customer credentials.” So it’s not the same as running a public WiFi access point on your own.
If an ISP really wanted to they could actually provide a persistent IP address per customer across the network. This would mean IPs and accounts would retain the same 1:1 relationship that they normally have.
The evil Comcast, AKA “xfinity” has all their APs open and called “xfinity”. They present a login page. What could go wrong with that? First, google “sslstrip”. Then note that they don’t insist that the login page is ONLY accessible via one of these leech ports.
(And does the leech bandwidth count against the host’s bandwidth – or even just slow it?).
So here is what I expect might already be happening.
Someone sets up rogue APs called “xfinity” that just do a MITM to the real xfinity, but captures the credentials. With the stolen credentials, I can now go to any xfinity AP and use the internet. I can also change service, and maybe get some credit card and other personal information (home address, phone, etc).
tomz,
To be fair though, impersonation is a fundamental problem for all public WiFi access points, be it in a hotel, coffee shop, or airport.
The solution is education, being consistent in using secure protocols on top of public access points will keep your data and credentials safe (which you should be doing anyways). However it’s easy to be caught off guard especially once logging in has become routine.
In theory a local application could cryptographically authenticate & secure the connection. But for better or worse these days everyone expects everything to run from the browser with no other local software. In the browser, the human is responsible for making sure HTTPS is being used and that the domain is valid.
Edited 2014-11-18 03:13 UTC
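Added example, not part of the original thread or any commenter's code: the check that the comments above leave to the human in the browser (HTTPS in use, domain valid), written as something a local client could run before submitting hotspot credentials. The hostname `login.isp.example` and both function names are hypothetical placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: placeholder hostname, not a real operator's portal.
EXPECTED_PORTAL_HOSTS = frozenset({"login.isp.example"})


def vet_portal_url(url, allowed_hosts=EXPECTED_PORTAL_HOSTS):
    """Return (ok, reason) for a login URL before any credentials are sent."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS (possible TLS stripping)"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    # urlsplit lowercases the hostname; drop the optional trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: suffix or substring tests accept look-alike hosts.
    if host not in allowed_hosts:
        return False, "hostname is not the expected portal"
    return True, "ok"


def vet_login_form(page_url, form_action, allowed_hosts=EXPECTED_PORTAL_HOSTS):
    """Check the page and the resolved form target; both must pass."""
    ok, reason = vet_portal_url(page_url, allowed_hosts)
    if not ok:
        return False, "page: " + reason
    ok, reason = vet_portal_url(urljoin(page_url, form_action), allowed_hosts)
    if not ok:
        return False, "form target: " + reason
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs.
    page = "https://login.isp.example/signin"
    for u in (page, "http://login.isp.example/signin",
              "https://login.isp.example@portal.invalid/",
              "https://login.isp.example.portal.invalid/"):
        print(u, "->", vet_portal_url(u))
    print(vet_login_form(page, "//portal.invalid/auth"))
```

This vets the URL only; the HTTPS client making the request must still validate the server certificate, which Python's default SSL context does.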
Worth a read (a long one, because there are many replies):
https://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
https://www.schneier.com/blog/archives/2011/04/security_risks_7.html
Yes beware of the evil maids and juries.
Thank god my country of origin doesn’t have a jury in the justice system.