
Staying Safe: securing your wireless connection

Recently, we reported on AT&T's push to make it easier for iPhone & iPod touch users to connect to their Wi-Fi Hot Spots. One of our readers, Jamie Phelps, pointed out on his blog that AT&T's Wi-Fi service is not actually a "secure connection," as is advertised in various places on their website; we had overlooked this, and mistakenly reinforced the company's shaky claim in our post.

This brings to light an important point about wireless networks and security, however. It's really easy (and sadly all too common) to hop on to an available wireless signal in your office, at the hotel, or your favorite coffee spot and not even think twice about logging in to your e-mail or checking your bank balance.

What many users don't realize is that even though the server you are connecting to (i.e. your bank's website) may employ several layers of security, the radio link between your computer and the wireless access point is very likely unencrypted. Anyone within range can passively capture the traffic between your computer and the access point: which websites you visit, and, for any service that isn't itself encrypted, the usernames, passwords, and content you send. (A site that uses HTTPS still protects what you exchange with it; the eavesdropper only learns which site you connected to.) This isn't because of some gaping vulnerability or software bug; an open wireless network is a shared radio medium, and every nearby radio can receive every frame sent on it.

So, what can you do to protect yourself? Read on for a list of simple steps you can take to ensure that your wireless connection is safe and secure.


How to tell if your wireless connection is secure

Since many hotspots advertise "secure" connections, here's a quick acid test: did your operating system prompt you for a passphrase or key when you first tried to connect to the network? If so, the link is probably encrypted. In Mac OS X, you can verify this by checking to the right of the wireless network name in the AirPort menu on your menu bar: if you see a padlock, the connection between your computer and the access point is encrypted; if not, it's fair game. Two caveats: a password typed into a web page after you connect (the "captive portal" login most paid hotspots use) is not a network key and encrypts nothing, and a padlock on a WEP network counts for little, since WEP keys can be recovered in minutes with freely available tools. Only WPA or WPA2 should be considered a secured link.
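To script the padlock check on Mac OS X, here is an added example (not code from the original post): the private airport command-line tool prints the current association as "key: value" lines, including a "link auth" line. The sample output below is constructed, and the exact field names and values (link auth: none / wep / wpa-psk / wpa2-psk) are my assumptions about the tool's format rather than something the post states; the path to the tool is the one the utility ships at. Python 3.7+ is assumed.

```python
"""Classify the security of the current Wi-Fi link from `airport -I` output.

On Mac OS X the private `airport` tool prints the current association as
key: value lines, including a `link auth:` line. This helper parses that
block and maps the link auth to a verdict, treating WEP as weak rather than
encrypted. Field names/values are assumptions about the tool's format.
"""
import re
import subprocess

AIRPORT = ("/System/Library/PrivateFrameworks/Apple80211.framework/"
           "Versions/Current/Resources/airport")

# Constructed sample output, modelled on the tool's layout (not a real capture).
SAMPLE_OPEN_HOTSPOT = """\
     agrCtlRSSI: -61
     agrExtRSSI: 0
    agrCtlNoise: -93
    agrExtNoise: 0
          state: running
        op mode: station
     lastTxRate: 54
        maxRate: 54
lastAssocStatus: 0
    802.11 auth: open
      link auth: none
          BSSID: 0:1b:2f:aa:bb:cc
           SSID: attwifi
            MCS: -1
        channel: 6
"""

# Same block, but for a home network protected with WPA2 Personal.
SAMPLE_HOME_WPA2 = (SAMPLE_OPEN_HOTSPOT
                    .replace("link auth: none", "link auth: wpa2-psk")
                    .replace("SSID: attwifi", "SSID: home-net"))

# Rank of each link-auth value. Anything above 0 would show the padlock, but
# WEP has been broken for years and is ranked separately as "weak".
RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa-psk": 2, "wpa2": 3, "wpa2-psk": 3}


def parse_airport_info(text):
    """Turn the key: value lines into a dict with lower-cased keys."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            info[m.group(1).strip().lower()] = m.group(2).strip()
    return info


def link_security(text):
    """Return (verdict, link_auth) for a block of `airport -I` output.

    verdict is "open", "weak" (WEP), "encrypted" (WPA/WPA2) or "unknown"
    (not associated, or an auth type the table above does not know).
    """
    info = parse_airport_info(text)
    if info.get("state") != "running":
        return "unknown", None
    auth = info.get("link auth", "").lower()
    rank = RANK.get(auth)
    if rank is None:
        return "unknown", auth or None
    if rank == 0:
        return "open", auth
    if rank == 1:
        return "weak", auth
    return "encrypted", auth


def current_link_security():
    """Run the real tool (Mac OS X only) and classify the live link."""
    out = subprocess.run([AIRPORT, "-I"], capture_output=True,
                         text=True, check=False).stdout
    return link_security(out)


if __name__ == "__main__":
    for name, sample in (("hotspot", SAMPLE_OPEN_HOTSPOT),
                         ("home", SAMPLE_HOME_WPA2)):
        print(name, *link_security(sample))
```

On a Mac, `current_link_security()` runs the real tool; anywhere else you can feed captured output to `link_security()`. The point of the separate "weak" verdict is that a prompt for a key is not by itself proof of a secured link.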

Major hotspot providers may deliberately choose not to enable WEP or WPA encryption to simplify the user logon experience; if you disagree with this approach you can certainly let them know. For smaller operations like the local cafe or copy shop, it's not much effort to post a regularly rotated WPA key on the wall by the cash register; that also may help cut down on unauthorized use of their wireless network by non-customers. Keep in mind, though, that a posted key is a shared key: with WPA/WPA2 Personal, anyone who knows the passphrase and captures your connection to the access point can decrypt your traffic, so treat such a network as better than open but still not private.



Use encryption features on your wireless router

If you're running a wireless network at home, one of the first and most important steps you can take is to use the encryption features built into your wireless access point or router. You do this by logging in to your device's configuration interface, selecting an encryption type, and entering a key or passphrase. Choose WPA2 (or WPA if the device offers nothing better); WEP's design flaws mean its key can be recovered by anyone who captures enough of your traffic, so it should only be used on hardware that supports nothing else, and then with the understanding that it mainly keeps honest neighbors out. While many newer devices will let you enter anything you like for the passphrase, some won't and will require a hexadecimal key instead: 10 or 26 hex digits for WEP, or 64 hex digits for WPA/WPA2. If you get stuck with this, Andrews Companies provides a free online key generator here that might be useful, with the caveat that any key a website hands you is also known to that website; it's safer to generate the key on your own machine.

By the way, if you're using an AirPort Extreme Base Station, this is as simple as opening the AirPort Utility, and going into the wireless settings of the Airport. Select WPA/WPA2 Personal from the Security dropdown, and then enter a password to use (longer is better).
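The "hexadecimal key" some routers ask for is not arbitrary. For WPA/WPA2 Personal it is the 256-bit Pre-Shared Key that the standard derives from your passphrase and the network's SSID with PBKDF2-HMAC-SHA1 (4096 iterations), so you can compute or generate it yourself instead of trusting a third-party website with it. The following is an added example, not code from the original post or from any router vendor; it assumes Python 3.6+ with the standard hashlib and secrets modules, and the test vector it checks against (passphrase "password", SSID "IEEE") is the one published in the IEEE 802.11i specification. The key "kind" names are my own labels.

```python
"""Derive and generate Wi-Fi keys locally instead of via a website.

WPA/WPA2 Personal turns a passphrase (8..63 printable ASCII characters) and
the SSID into a 256-bit Pre-Shared Key with PBKDF2-HMAC-SHA1, 4096 rounds.
The 64-hex-digit key some routers ask for is exactly that PSK, so a router
that wants hex can be given the output of wpa2_psk(). For WEP the hex key
is simply raw random bytes (40 or 104 bits); WEP is included only because
old hardware still asks for it, not because it is safe.
"""
import hashlib
import secrets
import string


def valid_passphrase(passphrase):
    """WPA passphrases are 8..63 characters from printable ASCII (0x20..0x7e)."""
    return (8 <= len(passphrase) <= 63
            and all(32 <= ord(c) <= 126 for c in passphrase))


def wpa2_psk(passphrase, ssid):
    """Return the 64-hex-digit WPA/WPA2 PSK for passphrase and ssid."""
    if not valid_passphrase(passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                              4096, 32)
    return psk.hex()


# Hex key lengths routers accept: WEP-40 (10 digits), WEP-104 (26 digits) and
# the WPA PSK itself (64 digits). Kind names are this example's own labels.
HEX_KEY_SIZES = {"wep40": 10, "wep104": 26, "wpa-psk": 64}


def random_hex_key(kind):
    """Generate a fresh random key of the requested kind from the OS CSPRNG."""
    digits = HEX_KEY_SIZES[kind]
    return secrets.token_hex(digits // 2)


def random_passphrase(length=20):
    """Generate a random WPA2 passphrase from the printable ASCII set.

    20 characters from this 94-symbol alphabet is roughly 131 bits, far more
    than the PSK derivation can be brute-forced through, unlike a short word.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # The published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE"))
    print("new WPA2 passphrase:", random_passphrase())
    print("equivalent hex PSK for SSID home-net:",
          wpa2_psk(random_passphrase(), "home-net"))
```

Note that the PSK is bound to the SSID: renaming your network changes the hex key, which is why a router that stores the passphrase rather than the derived key is the more convenient choice. The derivation is deliberately slow (4096 rounds), but it is not slow enough to save a short dictionary passphrase from an offline guessing attack, so the length of the passphrase is what matters.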

Use firewall settings on your system

When you're connected to a wireless network, every other computer on that network can reach yours. Discovery services like Bonjour then advertise whatever sharing you have enabled, so your iTunes library, shared folders, or screen sharing may show up in a stranger's sidebar without any action on your part, and anything you have left open to the local network is open to the whole coffee shop.

Luckily for most Mac users, OS X has a simple, built-in firewall that will cover typical security needs. But, as with all firewall solutions, it doesn't provide any benefit if it's not turned on. You can check your firewall settings by going to the Security pane of System Preferences, under the Firewall tab. If you're on a public wireless network, you should have the firewall set to either allow only essential services, or you can choose to set specific rules if you would like more fine-grained control.

If you're using Windows XP or newer via virtualization or Boot Camp, you can also use the built-in Windows Firewall to restrict access to your system. There are also a number of third-party solutions available for both systems if you want something more advanced than the built-in offerings.

Keep your system software up-to-date

You know those Software Update notices you get periodically prompting you to install updates to Mac OS X and other system software? Install them. Not all of them are related to security, but if a vulnerability is found, chances are those updates will correct it.

Use secure connections for e-mail and web services if your service provider supports them

This one is a bit harder, as it relies on your service provider to accept secure connections, and it's a particular problem with e-mail, which travels in the clear unless both you and the provider opt in. For example, if you're using Google's Gmail (or Google Apps for Your Domain) and accessing your e-mail from Mail, Thunderbird, or another mail client, your connection to Google's servers is already encrypted, because Google requires SSL for IMAP, POP and SMTP. With other e-mail providers, you sometimes can use secure connections, but their instructions usually show a basic unencrypted setup instead. So your best bet is to check with your provider and see if they allow secure (sometimes called SSL or TLS) connections; in your mail client this usually means ticking "Use SSL" and using port 993 for IMAP, 995 for POP, and 465 or 587 for outgoing mail instead of the plain-text defaults (143, 110 and 25).

Many other services such as instant messaging clients and social networks offer secure connection options as well. Sometimes it's as simple as changing http:// to https:// in your address bar, or you may need to find a setting in the service's options that will enable it. Luckily, most web services today at least use a secure connection while logging in, which is better than nothing at all, but be clear about what that does and doesn't protect: your password is encrypted, while the session cookie the site sets afterwards is sent in the clear with every later page, and anyone sniffing the hotspot can copy it and use your logged-in session without ever seeing your password.

Use a VPN if connecting to sensitive systems

If you are connecting to services at your workplace, it's a good idea to use a VPN (Virtual Private Network) if your company provides one. A VPN creates an encrypted "tunnel" between your computer and a network at a remote location, effectively making your computer behave as if it were physically plugged in at the office. On a public hotspot this has a useful side effect: if the VPN is set to carry all of your traffic, everything you send is encrypted until it leaves the VPN server at the other end, which makes a VPN the single most effective fix for an unencrypted hotspot.

If you don't use an employer's VPN but you still want to leverage a VPN service to lock down your connections, see Jason's post about Hotspot Shield; for accessing Bonjour-based services on your home machine over a secure SSH tunnel, Brett noted ShareTool a while back. If you're looking for a free tool to set up your own VPN, HamachiX may be what you need.

Don't rely on MAC-based authentication

MAC-based authentication (not to be confused with Mac as in Macintosh) is a very basic security option offered by many wireless routers. A MAC address is a supposedly unique identifier programmed into wireless cards and other networking devices. The router maintains a list of allowed MAC addresses and ignores traffic from any that are not on the list. This method sounds like it should work perfectly, and it would, except that it is very easy to "spoof" the MAC address of any machine (on a Mac, a single ifconfig command will do it) so that its traffic appears to come from an authorized device. And to top things off, the MAC address is sent unencrypted in the header of every frame you transmit, even on a WPA-protected network, giving anyone who is listening a list of authorized addresses for the picking. Treat MAC filtering as a convenience, not as a substitute for WPA2.

When in doubt, scrutinize browsing habits if roaming about

Since many aspects of your wireless browsing experience may be beyond your control (which is particularly true if you're using a public hotspot that doesn't support encryption), it's always good practice to scrutinize your browsing habits. Avoid highly sensitive browsing like accessing your banking information or completing purchases online when on an unsecured network. If you use instant messaging, avoid sending personal information unless you know the service is using a secured connection.

Be particularly wary of unusual dialogs or messages prompting you to install software or asking you to confirm your password; on a hotspot you don't control, the machine presenting them may not be the one you think it is. If it's a website, even if it looks legitimate, don't put in any information unless you specifically went to that site by typing in the address yourself, the address bar shows https://, and your browser has not warned you about the site's certificate.

Now, of course the point of this article isn't to scare anyone or to suggest that you shouldn't use wireless connections. Chances are, the guy sitting next to you at the coffee shop isn't just sitting there sniffing packets and waiting for someone to log in to their online banking. But that doesn't mean you shouldn't be proactive about making sure that your data is secure. As the saying goes, it's better to be safe than sorry.