Wireless Home Security
Upcoming decisions by the Wi-Fi Alliance could make securing a wireless home network easier.
Setting up security on a home wireless network is complex and unwieldy, judging by the estimated 70 percent of home wireless users surfing on unsecured networks. But a handful of wireless chip manufacturers and an organization called the Wi-Fi Alliance are working toward creating a “certification” that would make it far easier for the average person to set up security measures and browse the Web with ease of mind.
When a wireless network is open, it can cause problems: neighbors or passers-by can hop onto it, snare bandwidth, and ultimately reduce the speed at which information can be transferred – or sneak a peek at one’s private information. With simple downloadable software called “packet sniffers,” a novice hacker can read e-mails, for example, from an unsecured network. Such scenarios are part of a larger problem: convincing people that security is important, says Adam Stubblefield, a computer science professor at Johns Hopkins University.
It’s not as if people don’t want to lock down their networks. A major reason why so many wireless networks go unsecured is simply because doing so is a hassle, says Stubblefield. In many cases, people have to navigate through a series of setup steps presented on their computer screens. Often they’re asked what type of security protocol they want to use – something an IT professional would know, but the average user may not. And if they choose a protocol for which their computer doesn’t have the correct drivers, they won’t be able to connect to their network. “It could become frustrating,” Stubblefield says.
These ease-of-use issues have motivated a number of wireless chip manufacturers, including Broadcom, Atheros, and others, to devise simpler security solutions for hardware and software. It has also prompted the Wi-Fi Alliance – a nonprofit organization composed of some 250 companies in the wireless industry – to establish a Wi-Fi security certification. The goal of the certification is to ensure interoperability between routers and devices approved by the organization and to give people a simple security interface, says Karen Hanley, senior marketing director of the alliance.
Wireless chipmakers Broadcom and Atheros are both working on solutions that could be incorporated into the alliance’s security certification. While each company’s approach differs somewhat in its user interface, they both reduce the act of setting up security to a few easy steps. In August, the alliance is expected to announce the final security certification, which could include elements of each type of security technology, says Hanley.
One simplified interface relies on pushing a single button on both the wireless router and connecting device while the configuration process goes on in the background. Broadcom, a member of the Wi-Fi Alliance, has developed its security technology based on this push-button solution.
The company’s software, called SecureEasySetup, encrypts data and allows only approved devices that have the encryption keys (a collection of bits that encrypt and decrypt information) to access the network. A person pushes a button on the wireless router that comes loaded with the software, creating and storing a key. Then, after the user installs the software on a computer and follows a few prompts, the software automatically and wirelessly connects the device to the router, so they can share the key. Using the setup software, each device connects to the router wirelessly in a secure network that allows encrypted data to be sent and received.
Broadcom’s security solution is already shipping in Linksys routers, Gateway laptops, and Hewlett-Packard printers, says David Cohen, cofounder of the Wi-Fi Alliance and senior product marketing manager for Broadcom. Both the wireless access point and devices need to have SecureEasySetup in order to work together. But, Cohen adds, hardware vendors will offer customers software upgrades for existing laptop or desktop computers without the technology.
Atheros, also a member of the Wi-Fi Alliance, proposes a slightly different user interface with its software, JumpStart. Via computer software, the router and devices also connect wirelessly to share a common password for two specific devices. Then, in an additional step, the password is used to create an encryption key that is stored by the software on each device. Early versions of JumpStart did not employ push-button technology and relied on flashing LEDs on routers to confirm device authentication, but more recent versions also offer buttons for authentication.*
Unlike SecureEasySetup, JumpStart is open-source software. It can run on any device, from laptops and cell phones to cameras and printers. Additionally, says Andy Davidson, director of software at Atheros, the program doesn’t need to run on devices that use wireless chips made by Atheros. “What you need is some commonly accepted or standardized method,” Davidson says. “To help this problem, we posted the code in open source, so it’s free for anyone to build this into their products.”
Although it’s unclear which interface or source code approach will prevail – or whether, as is more likely, there will be a combination of the two – what is known is the type of encryption protocol to be used. As of March 16, the alliance adopted a security protocol called WPA2, the second generation of Wi-Fi Protected Access, or WPA. WPA2 uses government-grade encryption (called Advanced Encryption Standard), which is much more robust than the original Wi-Fi encryption standard, Wired Equivalent Privacy, or WEP, which was shown to be extremely vulnerable in 2001, says Johns Hopkins’ Stubblefield.
By the end of this year, an estimated 18.1 million homes will have gone wireless, according to Parks Associates, a consumer research firm. Currently, however, just 25 to 30 percent of them have any security on these networks, and even fewer use the WPA2 encryption standard, according to Broadcom.
In the end, though, it may take more than easier setups and a Wi-Fi Alliance certification to make most people take action to secure their networks, suggests Stubblefield. Widespread adoption may come only when device security features are turned on by default. “It’s not that people don’t want security,” he says. “They just don’t want to have to do anything about it.”
*Correction, March 31, 2006, 6:30 pm EST: The original version of this story suggested that the current user interface for Atheros’ system does not use a push button. An earlier version of Atheros’ JumpStart did not rely on a button for authentication, but the most recent version of the technology does.