Defense Brainstorm: Fixing WiFi

A few things annoy me about how KARMA works. First off, if my wireless network at home is WPA2-PSK and one shows up with the same name somewhere else without any encryption, all the operating systems I know of will happily connect to the impostor.

Why operating systems don't try to match a given access point (or an AP mesh/WDS) to a key and warn you if there's no encryption when it has a key stored for the network boggles my mind.

For networks that aren't meshed, I think that the AP list should keep track of the BSSID (MAC address, essentially) of the access point, as well as any encryption keys.

I know very little about wireless drivers, supplicants, or even the lower level protocols more than tools such as Wireshark show me. I really have no idea how feasible this functionality is. In my opinion, if wireless connection tools alerted users to inconsistencies, things would be a little more secure. It most certainly wouldn't be hacker-proof. Even if these defenses were able to be switched on in some "advanced" control panel, I would probably sleep better at night after having set this up and educating my users.

As it stands, the only defense is to trust nothing by default, keep your software up-to-date, log out of all of your sessions and kill all your cookies before connecting to public WiFi somewhere -- or in some cases, even in your own home or office.

In the blink of an eye, tools like Hamster & Ferret can snarf valid sessions for your sensitive online web-apps, and as more things move "into the cloud" the more sensitive information could potentially find its way into the wrong hands.

Given the ubiquity and untrustworthiness of wireless networks, I feel like this is one of the weakest links right now. How would you fix WiFi? Are any of my ideas even possible?

blog comments powered by Disqus