The Washington Post has embarassed itself today with a FUD-laden, inaccurate and hysterical story about "WiFi security risks" that appears to have been ginned up by publicists for "security companies" who rely on public fear to generate business.
But most of those networks are unprotected, vulnerable to hackers who could steal data, introduce viruses, launch spam or attack other computers. Even as the number of wireless networks has risen dramatically, Poole's surveys suggest that the rough percentage of them that are unprotected remains above 60 percent.
None of these are risks that are unique to WiFi. The world is full of coin-operated or cash-based network access systems (I spent an hour feeding quarters into an Ethernet-equipped payphone in the Vancouver airport in June), and the idea that I, as a hotspot provider, am "unprotected" because the people who gain access to my network can do something bad to someone else is (deliberately) misleading.
I'm no more "unprotected" from spammers on my WiFi node (something I've yet to see a single published account of, despite the continuous warnings about it) than I am from spammers sending Nigerian 419 letters from the next terminal at the library. It's like saying that restauranteurs are "unprotected" from bank robbers who use a back table to plan their next job. Sure, they're "unprotected." So what?
Fundamentally, this is a warning against abetting the anonymous use of the Internet. A Beltway-Insider rag like WashPo should have too much familiarity with the Bill of Rights to advance the un-constitutional notion that anonymity is somehow bad, wrong, or illegal.
In their darkest visions, consultants can imagine someone with a WiFi-enabled laptop walking through an airport launching a destructive computer virus at every other unprotected laptop in the vicinity, because users who tap into a vulnerable network are just as exposed as its host.
In their sales literature, snake-oil "security" vendors identify "being connected to the network" as a risk, instead of "running unpatched and insecure software" as a risk. It's the public Internet. If connecting your computer to the public Internet puts you at appreciable risk from "destructive computer viruses," you'd better get a new operating system.
Hackers could also use WiFi access to anonymously launch attacks at the broader Internet, also threatening non-WiFi users.
Hackers could also use coin-operated Ethernet jacks and Internet Cafes to launch attacks on the broader Internet, also threatening WiFi users. So what? Malice is transport-independent.
Although no calamitous hacking event via wireless has occurred, security professionals say it is only a matter of time.
"Security professionals" also noted that "although no calamitous hacking event has been launched using a Dvorak keyboard, it is only a matter of time."
"It's broken; it has holes and flaws," Skoudis said of WEP technology. "It's kind of like a Band-Aid, but better to have a Band-Aid than a big gaping hole."
Users can also require passwords for access to their networks.
Yes, yes they can. Using WEP technology. Geez.