Wireless Connectivity: how secure?
Pretty insecure.
Figure out that it takes forever to protect physically-connected devices, even for 'experts'.
Now, if a determined warjacker (I believe that is the term) wants to breach your system, it will probably be a cakewalk.
Whenever I am in the EU, I always try to remember to shut off my Bluetooth connectivity because of BlueSnarfing, the European term for jackers of Bluetooth connections.
It is more rampant over there as most of the wireless telcos there were early adopters; apparently before they thought about security.
The lack of security in WEP and the current news reports about the porosity of WPA security do not allow for confidence.
- Bluetooth was adopted early on in its developmental stage by EU telcos before the security envelope was clearly defined.
- Bluejacking and Bluesnarfing – I swear, I am not making up these names – are endemic in Europe.
- Bluetooth is just one of a number of wireless connectivity options available to users in the US. Just because it has gained traction in the EU does not automatically give it a pass in the US; actually, telcos and users in the US gave it a pass!
- Even for laptops and printers, Bluetooth-enabled devices failed, and miserably at that, with consumers in the US.
- The teething problems with Bluetooth, and both the bumbling pace of the Bluetooth SIG and their laissez-faire attitude towards concerns about signal strength, fidelity, and power consumption did nothing to endear the technology to users out here.
- Talking about power, until recently, for a wireless connectivity technology, Bluetooth was not considered power-friendly. Why go with a wireless device that would keep you tethered to a wall for power?
Finally, this is not about Europe versus US, or security problems with Bluetooth per se, because any current wireless technology would display the same issues; it is about the security of wireless connectivity as a whole.
One thing we all seem to agree on is the flimsiness of current wireless connectivity; I hope you'll agree with me on this.
To add a fork into this thread, here's a two-part question:
- What steps do you think should be taken? a) From a systems administrator's point of view, and b) From a consumer/home user's standpoint.
- What should the standards bodies, SIGs, propose/develop for the near term to make a transitional leap in security for wireless?
But I would take it further by requiring a strong password change before the device is set up. We all have a doofus on our net who would like to either have no passwords ("That way I don't have to remember anything") or wants to use the default password. Heck, we even had a company controller/treasurer who had his passwords on a post-it on his monitor.
While ease-of-use is very welcome, I am sure all of us hate those non-revenue-bearing support calls.
Believe me, if you have to get up in the middle of the night, and fly halfway across the world, only to find out that your contractually-obligated support visit was for some a$$hole who fubar-ed the system by either not using a password thereby allowing unsanctioned access, or forgot a password, and becomes idiotized before the closing of the books for the business year, you would be pissed. Expenses and time paid or not. (Don't worry, we've not had those contracts for ~7 years.)
Because Microsoft has the greatest facetime, it falls prey to accusations when improperly-secured devices are used as entry points for unauthorized access. However, I must take MS to task as well for not requiring that OEMs ship systems with passwords, and with admin rights from the get-go. Even XP will allow you to install without an admin password!
Many users are so enamored of hotspots that they forget that their systems are wide open for perusal by all.
I also think manufacturers of wireless-access devices should have security warnings emblazoned all over the internal packaging of the devices.
Somehow, they seem to forget that if users feel more secure with wireless devices, the market is more likely to grow.
When you remind me of servers with that username and password combo, I still get nightmares. It is clown school all over again.
What we did approximately 5-7 years ago was undertake a review of our support calls, and identified password problems as one of the nonsensical and avoidable culprits. Then, a lot of SMBs were not even connected externally. Now, our contracts explicitly require a password policy and if a security audit after a breach reveals none, or some combo like firstname/lastname, we're off the hook and the (billing) clock starts from when we got the call.