Warbiking in Perth – how does Wi-Fi security stack up these days?

At the end of 2017, my colleague John Shier and I had the opportunity to measure Wi-Fi security in Perth, Western Australia – on bicycles, in the summer sunshine!

TL;DR, we observed some of the best security we have seen in any city we’ve surveyed.

But even though Wi-Fi security has improved dramatically over the years, that doesn’t mean we can rest on our laurels.

The results

In Perth, just under 6% of access points (APs) were left unencrypted.

This could look bad if you forget that nearly every access point that is intended as public service – for example, those provided by municipalities, hotels, cafes and public transit – is by nature an unprotected Wi-Fi network.

This is down from between 14% and 28% in other cities we’ve measured in the past, suggesting that we have largely eliminated networks that are open by mistake, and that openness is due to generosity and purposeful sharing.

Approximately one third of one percent of APs surveyed (3 in 1000) utilized WEP.

This is very bad news for those 25 access points: using WEP is about the same as running an unprotected AP, because WEP can be cracked automatically in seconds, but it implies that the person running the AP actually wanted their communications to be private.

Just over two thirds of the APs were offering the latest and greatest protection, WPA2/CCMP, also known as WPA2/AES, because it’s based around the AES encryption algorithm.

Excellent news indeed, but 25% of the APs also supported older cryptographic standards such as WPA/TKIP, also known as WPA/RC4, after the outdated RC4 algorithm it uses for encryption.

Whether you’re an ISP, a business or a home user, don’t forget to disable old protocols that are no longer considered secure, including anything with WEP, TKIP or RC4 in its name.

Even if you also support the newer, more secure protocol versions, you need to protect against downgrade attacks, where someone in range of your network could trick one of your users into asking for a less secure connection – why allow insecure connections at all if you think they are insecure?

The manufacturers

We also looked at the manufacturers of the Wi-Fi chipsets in the APs we scanned. We found a mixed bag.

The good news?

We observed more than 125 different manufacturers, which means a lot of diversity; this makes it unlikely that a single flaw would make every device vulnerable to the same attack.

The bad news?

We observed more than 125 different manufacturers, which means a lot of diversity; this makes it difficult to study, research and disclose flaws to improve the security of Wi-Fi devices in general. (We didn’t try to uncover the current state of the device firmware, because that could have put us on the wrong side of the law.)

We observed that most home access points were provided by Western Australia’s major internet providers and that they appear to ship their devices so that they are largely secure by default.

Devices provided by Telstra, iiNet, Optus, Belong and others all had encryption enabled out of the box.

Unlike previous surveys, we also saw a lot more devices just randomly listening for Wi-Fi connections.

This included cars from Audi and Ford, printers from HP and Canon, PlayStation 3 and 4 game consoles, Roku and Chromecast TV devices, Sonos speakers, and GoPro cameras.

One manufacturer, HP, seems to enable an ad-hoc WiFi connection by default, a questionable policy that saw 262 HP devices just randomly listening for connections, nearly 4% of the APs we discovered.

What next?

The most important thing to remember is that Wi-Fi encryption is only one part of online safety.

A wireless password protects you against eavesdroppers within radio range of your home and devices, but it does not protect you on public Wi-Fi, or when your information is traversing the greater internet.

In particular, even with WPA2/CCMP Personal (that’s where you have a network password, known as the PSK or pre-shared key, shared by all users), anyone who is already connected to a Wi-Fi network when you join it can sniff out your session setup data and then decrypt all your future traffic.

Make sure you stick to websites that use HTTPS (the padlock in your browser) while you’re on Wi-Fi, adding another level of security against having your communications stolen, surveilled, or sneakily modified.

As we recently saw with the KRACK vulnerability, we cannot rely on any given layer in our security to be 100% flawless.

Defence-in-depth still wins the day.

Watch the video

Here’s a video we made of our outing: