Firesheep's Real Lesson: Take Wi-Fi Security Seriously

Firesheep has people in a panic because it makes it easy to grab useful information when you're using public Wi-Fi. Big deal. You could always do that. The real worry is that businesses' Wi-Fi networks were, and are, often just as vulnerable.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

From all the yammering, you'd actually think there was something new about Firesheep, the Firefox extension that lets you grab login IDs, passwords, and other important information. What a joke. I, and any hacker or network administrator worth his salt, have been able to do this kind of stuff for years.

The only thing "new" about Firesheep is how easy it makes it to do. I'm unimpressed. Anyone who was serious about grabbing your personal information has already been doing it for years. Trust me, if someone really wanted your data and you've been using open Wi-Fi networks, they've already grabbed it.

No, the real worry isn't about some jerk grabbing your Twitter password in a coffee house. The real worry has always been that your office Wi-Fi is easy to compromise and then someone can use a packet-sniffer to get something that really matters like your Accounts Payable password.

As an experiment I recently sat outside an office building and started scanning for Wi-Fi Access Points (AP). It took me an hour to find about 40 APs and "break" into 28 of them. Was I able to do this because I'm some kind of expert cracker? Hardly. At best, I'm a good network administrator but a mediocre cracker.

No, the real reason I was able to be so successful with minimal effort is that many network administrators don't have the first clue about how to secure a wireless network. Five APs didn't have any security. Three of those used the default passwords for their wireless routers and APs.

Another ten were using, I kid you not, Wi-Fi Wired Equivalent Privacy (WEP). WEP has been broken for almost a decade. More amazing still, people still recommend its use! Consumer Reports, as recently as 2009, recommended using WEP.

Another dozen used WPA (Wi-Fi Protected Access), with the built-in Temporal Key Integrity Protocol (TKIP) security protocol. There, I used a rainbow table, a list of the most common WPA passwords, to pop open APs almost as quickly as I could open up a Coke bottle. I also managed to pry open a pair of routers using WPA2 (Wi-Fi Protected Access 2) with TKIP using a rainbow table.

If you really want to secure a Wi-Fi network in 2010 you must use WPA2 with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), aka Advanced Encryption Standard (AES). If you don't, trust me, if someone really wanted your important information out of your business network they've already got it, and they didn't need a baby cracker tool like Firesheep to do it.
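One way to check an access point against that recommendation, as an added example that is not part of the original article: a small auditor for the text of a `hostapd.conf`, assuming the AP runs Linux hostapd (a tool the article does not name). The function names, the common-passphrase list, the length threshold and both sample configurations are constructed for illustration.

```python
# Added example: audit hostapd.conf text for the weak modes the article lists.
COMMON_PASSPHRASES = {"password", "12345678", "administrator"}  # constructed sample
MIN_PASSPHRASE_LEN = 12  # assumed local policy, not a value from the article

def parse_conf(text):
    """Return hostapd key=value settings, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings; an empty list means WPA2 only, CCMP only, sane passphrase."""
    conf = parse_conf(text)
    findings = []
    if any(key.startswith("wep_key") for key in conf):
        findings.append("WEP keys configured")
    wpa = int(conf.get("wpa", "0"))  # bitfield: 1 = WPA, 2 = WPA2 (RSN)
    if wpa == 0:
        findings.append("neither WPA nor WPA2 enabled")
        return findings
    if wpa & 1:
        findings.append("original WPA enabled; use wpa=2")
    # hostapd uses wpa_pairwise for WPA2 as well when rsn_pairwise is unset.
    ciphers = (conf.get("rsn_pairwise") or conf.get("wpa_pairwise") or "").split()
    if not ciphers:
        findings.append("pairwise cipher not pinned; set rsn_pairwise=CCMP")
    elif "TKIP" in ciphers:
        findings.append("TKIP allowed; set rsn_pairwise=CCMP")
    phrase = conf.get("wpa_passphrase")
    if phrase is not None and (phrase.lower() in COMMON_PASSPHRASES
                               or len(phrase) < MIN_PASSPHRASE_LEN):
        findings.append("passphrase is short or on the common-password list")
    return findings

# Constructed sample configurations (not taken from any real network).
WEAK_CONF = """ssid=office
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""
HARDENED_CONF = """ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-sample-passphrase-42
"""
```

Calling `audit(WEAK_CONF)` returns three findings (original WPA, TKIP, common passphrase), while `audit(HARDENED_CONF)` returns an empty list.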

So, I guess, in a way I should thank Firesheep. Maybe it will finally make it clear to the vast majority of people that network security is important.

What am I saying? Most people, even many network administrators, never learn these lessons. Still, maybe a few people will start taking security seriously. I live in hope.
