While editing an industry newsletter related to Wi-Fi security issues, I recently encountered several news articles that pointed to the same dire message: If you don’t secure your wireless router, very, very bad things could happen.
Case in point, earlier in 2011, a family in Buffalo, NY was rousted from bed by an army of local police officers, searching for all of their computer gear and peripherals. The charge? Downloading child pornography. Pretty serious charges, huh? The homeowner was obviously bewildered and shocked beyond words. He was a family man, after all, with standing in his community. After a few days in jail, and after the police captured the real culprit, the homeowner was released and began to put his life back together. It turned out that one of his neighbors was accessing his unsecured Wi-Fi router to download child pornography, thinking this would protect him from Law Enforcement intervention. It did, for a while. Fortunately, the neighbor was caught, but in spite of being completely cleared, the homeowner still needed many weeks to get his gear, and his life, back.
What happened, might you ask? Simply, this individual’s Wi-Fi router was running wide open, without password protection or encryption. It was open to anyone with a compatible Wi-Fi device capable of connecting to an IEEE 802.11 a/b/g/n Wi-Fi network. This happens far too often when Wi-Fi routers are installed by novices who don’t understand the implications, or they don’t understand how to configure the security settings. Others cop an attitude that they have nothing to hide, and that by locking out their wireless network from “bad guys,” it will only encourage those bad guys who like a challenge, to digitally attack the router until they crack the password or otherwise wreak havoc for no good reason other than that they get their jollies creating chaos. One of my friends actually said that as far as securing his Wi-Fi router went, “If I lock my doors, people will try to get in because it’s a challenge. If my door is open, there’s no fun in it and they won’t try.” I like to place that in the category of “famous last words.”
Okay. Let’s just say you are one of those folks who don’t believe in password protecting your wireless network–that you are performing a “service” for you and your freeloading neighbors (generously giving them “free” internet). Then, let’s say one of these “bad guys” parks his car on your street in range of your wireless router so he can download child porn, run a drug business, or for whatever other reason he has to illegally and anonymously use your internet bandwidth.
Here’s what’s going to happen. First, know that law enforcement (among other agencies) is watching. This is the age of Homeland Security after all. Internet service providers often report suspicious activities. They know the IP addresses where illegal content can be found, and it’s not just child porn. It’s torrent sites, it’s websites of terrorist organizations, websites and other places where drug transactions can be made, and more. Your ISP is going to capture your IP address and report to either the local police or the feds when a computer coming from your IP address visits one of these bad places. They may or may not capture the MAC address (Media Access Control) of the specific device using that IP address. Hopefully they will, because it will help Law Enforcement locate the culprit down the road if your home is raided. If they don’t report it, the transaction may still have been detected by some law enforcement, which would then get the details from the ISP, usually, in the “spirit of cooperation,” without a warrant. Gee, warrants are so pre-9/11…
Now comes the day when you get that knock on the door. A large group of Law Enforcement officers, armed with big, scary weapons, will charge into your home (breaking down your front door if you’re not fast enough in granting their admittance). You will be served with a search warrant. You will then be forced to the ground while you and anyone who may be in your home are handcuffed. You will be berated and cursed by these officers. They will call you a pervert and worse–much worse. You will be questioned for hours and hours–first at home, and then at the police station. You will be denied food, water, and toilet until they deem you deserve those privileges. You will be thrown into a jail cell with other “interesting” folks, who will most certainly be made aware that you’ve been tossed in there on child pornography charges. With Law Enforcement’s current attitude that private citizens neither deserve nor are entitled to constitutionally-protected due process, they might also take a very casual attitude regarding when you can contact your attorney, who will hopefully be able to get you out on bail.
In the meantime, teams of forensic experts will be tearing your home apart, seizing all of your computers (and those of every member of your family), hard drives, thumb drives, SD cards, CDs, DVDs, and anything else that might store data. They will keep them for a long, long time, searching for contraband content. Your kid had his homework on his laptop? Too bad. Guess he’s getting an “F” for that history paper. Your wife’s big marketing project for work? Tough luck. Guess who’s getting fired for losing confidential company information (besides you for being arrested in the first place)?
If you think having passwords and encryption on your devices is going to protect you, forget it. You will be compelled to give up all of your passwords. If you don’t, you will rot in jail until you do (or until your attorney gets a court order to force your release). Maybe you will be served with a court order to compel you to give up your passwords. If you don’t, same thing. You will rot in jail, this time legally, until you give them up. Oh, and if they damage your gear or erase some of your important financial and personal records, oh well. Oops! That’s just too bad. Serves a pervert right.
Hopefully, after all of this has gone on, and you are, indeed, found innocent, then and only then will the cops go back and examine the information provided by the ISP (hopefully the ISP provided a MAC address). Remember, a bird in the hand (even if it’s the wrong bird) is worth two in the bush. Even if it seems like you might be innocent, they’re not exactly motivated to exonerate you. It’s easier, and less embarrassing for some of the more ethically-challenged officers to just try to convict you. If you’re lucky, however, once the cops have determined you have no gear with the MAC address in question, maybe, just maybe, you’ll be released, and like I said, you might get your equipment back at some future date after you get your own court order and spend lots of money you will never get back again.
Whew! What a nightmare! Admittedly, this is a chilling worst-case scenario, where your rights are trampled upon by overzealous Law Enforcement types, who feel they are making the world safe from folks like you. The reality is that the vast majority of members of the Law Enforcement profession are, indeed, dedicated professionals, who will really try to find the true culprit if there is reasonable doubt about your involvement, though your initial contact will still be pretty close to what I described.
This kind of scenario happens far more often than you might imagine. And it didn’t have to happen at all! All you had to do was read your wireless router’s quick-start guide, or use the automated installer CD that comes with most modern wireless routers, which does most of the heavy lifting needed to configure the security features of your wireless router. It really is just that simple.
Here’s an acronym to remember: WPA or WPA2. These are the strongest encryption schemes available to us mere mortals. WEP encryption can be cracked by an expert in less than 10 minutes. Don’t use it. Use WPA or WPA2 (WPA2 is preferable) encryption.
Next, make sure you are using strong passwords. Today’s password cracking software tied into a fast PC with a superfast graphics card (hackers use the GPU on graphics cards to do hyperfast calculations) can crack a 7-character password in a few hours, and an 8-character password in a few days. Experts recommend using at least ten characters with mixed upper/lower case characters, some numbers, and special characters (@, #, $, %, ^, &, *, +, etc.), though some places still don’t permit you to use special characters (as recently as a few years ago, ADP, the company that does payroll for tens of thousands of companies and millions of employees, didn’t permit the use of special characters in passwords!).
Don’t use a common phrase–too easy to crack. You can do a variation on common phrases, however. Consider the phrase “Happy Holidays.” Have some fun with it and try something like this: “4adP^H0L1Da4z3!”. In this example, I have taken the first “h” and turned it upside down to make a “4”. I have performed similar transformations and substitutions to make this one really hard to crack. Okay…a bit extreme, and not exactly easy to remember, but something this long, using some of the substitutions shown, will be nearly impossible to crack without waiting for 40-50 years (hopefully, by that time, you will have changed that password to something else). Obviously, don’t use this particular one, as the bad guys have probably already added it to their list of “known” passwords.
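The passphrase advice above can be checked mechanically. The following Python code is an added example, not part of the original article: it tests a candidate against the recommendations given here and against the 8 to 63 printable-ASCII limit of WPA/WPA2-Personal, then estimates exhaustive-search time. The common-phrase list, the guess rate and the sample passphrases are constructed assumptions.

```python
import math
import string

# Constructed sample of phrases too common to use (assumption: a real check
# would load a much larger wordlist).
COMMON_PHRASES = {"happy holidays", "password", "letmein", "qwertyuiop"}
# Assumed offline guess rate, for illustration only.
ASSUMED_GUESSES_PER_SECOND = 1_000_000

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation + " ",
}


def audit_passphrase(passphrase, min_length=10):
    """Return (problems, years_to_exhaust) for a candidate Wi-Fi passphrase."""
    problems = []
    # WPA/WPA2-Personal accepts 8 to 63 printable ASCII characters.
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    if not 8 <= len(passphrase) <= 63:
        problems.append("outside the 8-63 character range WPA/WPA2 accepts")
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    used = [n for n, chars in CLASSES.items()
            if any(c in chars for c in passphrase)]
    for name in CLASSES:
        if name not in used:
            problems.append(f"no {name} character")
    if passphrase.lower() in COMMON_PHRASES:
        problems.append("is a common phrase")
    # Exhaustive-search space: size of the alphabet in use, raised to the
    # length. Dictionary and pattern-based guessing can beat this bound.
    alphabet = sum(len(CLASSES[n]) for n in used)
    keyspace = alphabet ** len(passphrase) if alphabet else 0
    years = keyspace / ASSUMED_GUESSES_PER_SECOND / (365 * 24 * 3600)
    return problems, years


if __name__ == "__main__":
    # Constructed sample passphrases.
    for candidate in ("holiday", "Happy Holidays", "Tr4il-Mix&Kettle9"):
        found, years = audit_passphrase(candidate)
        bits = math.log2(years) if years >= 1 else 0
        print(f"{candidate!r}: {found or 'ok'}; ~2^{bits:.0f} years to exhaust")
```

The year figure is an upper bound on attacker effort under the assumed rate; a passphrase that appears in a wordlist falls much sooner regardless of its length.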
If it sounds like I’m trying to scare you, you are absolutely correct. It’s so easy to avoid a disaster scenario like this. Just use the WPA or WPA2 encryption on your wireless router with a 10+ character password with a mixture of letters, numbers, and symbols, and you will probably never face this nightmare, nor subject your family to the same.