
A Guide to Wireless Security Basics

Security in Wireless Home Entertainment Systems


Security in wireless networking is becoming more critical as wireless technology grows in popularity. This applies whether you are connecting a laptop to a wireless network or setting up a wireless digital media player as part of a home entertainment solution.

In this article, we look at the basics of wireless security, WEP, WPA, and WPA2 encryption protocols. We also explain what WPS is all about and list a few simple steps you can take to help secure your wireless networking.


 


 

Last Update: 8th April 2009

 

Wireless Home Entertainment brings added convenience and flexibility... but what about the security issues?

 
 

 


 

There often comes a time when you will want to set up a wireless media player or put in place a wireless internet-enabled entertainment system because of the various advantages associated with wireless connectivity. In particular, there is the added convenience and flexibility of doing away with long interconnecting cables.

At the same time, you do not want hackers tapping into your home network to steal personal information or damage your system.

Unfortunately, the level of security associated with wireless networks is inherently less than that of wired systems. Wired LANs are somewhat protected by the natural access constraint of their structure - in particular, if all parts of a wired network reside inside a building protected from unauthorized access.

Wireless LANs, being over radio, do not have the same physical access constraints. This renders wireless LANs more vulnerable to tampering than wired networks.

For this purpose, a number of security protocols were devised to provide an acceptable level of wireless security when transmitting data over radio, by encrypting the data contents over the wireless link.

All wireless network gear - whether this is a home router, a wireless media player, etc. - supports various wireless security protocols intended to make it more difficult for network hackers to tap into your home network. We are saying 'difficult' rather than 'impossible' simply because for the experienced hacker, tapping into someone else's network is not impossible; it is true that it can be time-consuming but...

Wireless Security Basics: WEP and WPA/WPA2 Encryptions

WEP

Virtually all wireless equipment supports a wireless security feature referred to as WEP bit encryption. WEP - short for 'Wired Equivalent Privacy' - is a data encryption technique for wireless local area networks (WLAN), defined in the 802.11 standard.

WEP is the original standard for wireless security. It was designed to supposedly provide the 'same' level of security as that of wired local area networks (LANs) by scrambling the information passed between wireless devices. A hacker attempting to tap into your WEP-enabled wireless network would find only meaningless bits. However, the wireless access point and the client device would share an encryption key that is used to scramble and descramble the encrypted information.

There are various levels of WEP encryption - depending on the number of bits within the encryption key; the latter can be 64-bit, 128-bit or even 256-bit. The higher the number of bits, the more difficult it will be to decipher, but actual data throughput will suffer as there is more payload for the same amount of data.

One should be aware that although WEP does provide a significant level of wireless security - especially at 128-bit and 256-bit encryption - it is not 100% secure. There are a number of open source utilities that hackers can use to break a WEP encrypted network in minutes. In other words, if a hacker can receive packets on a WEP protected network, it is only a matter of time till the WEP encryption is cracked.

At the same time, it is a fact that while WEP is not perfect, with so many unprotected networks, simply having it enabled is often enough to send a hacker away to search for an easier target.

WPA, RSN, and WPA2

Introduction

Wi-Fi Protected Access - or WPA - is an enhanced encryption technique created by the Wi-Fi Alliance to provide improved wireless security over WEP. It is an early version of the 802.11i standard ratified by the IEEE in June 2004; the latter defines the security mechanism for wireless networks after it was shown that WEP has severe wireless security weaknesses. WPA was mainly designed as an intermediate attempt to provide improvement to WEP by implementing in-the-field firmware upgrades to existing 802.11 gear.

WPA covers a subset of the defined security mechanism in the final 802.11i standard. WPA was followed by a full implementation of IEEE 802.11i with the introduction of WPA2; this is based on the concept of a Robust Security Network or RSN.

In RSN based systems, wireless devices need to support additional security capabilities. A fully compliant RSN network is incompatible with existing WEP equipment, though in the transitional period, WEP equipment will still be supported.

WPA

WPA employs authentication via user ID and password and uses more sophisticated techniques to protect data passing over a wireless link. It distributes different keys to each user; however, it can also be used in a less secure 'pre-shared key' (PSK) mode, where every user is given the same pass-phrase.

The PSK can be any passphrase of 8 to 63 characters. It may also be entered as a 64-character hexadecimal string. Weak PSK passphrases can be broken fairly easily by experienced hackers using easily available programs. It is therefore essential to select a 'good' difficult-to-break passphrase, or preferably enter a full 64-character hexadecimal key for improved wireless security.
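An added example (not part of the original article) showing what a WPA/WPA2 device does with the two PSK forms described above: a 64-character hexadecimal entry is used directly as the 256-bit key, while an 8 to 63 character passphrase is stretched with PBKDF2-HMAC-SHA1 (4096 rounds) using the network name (SSID) as salt, as defined in 802.11i. The function names, the sample values and the 16-character minimum in the warning check are illustrative assumptions.

```python
import hashlib
import secrets
import string

HEX = set(string.hexdigits)

def classify_psk(psk: str) -> str:
    """Classify a PSK entry as one of the two forms the article describes."""
    if len(psk) == 64 and all(c in HEX for c in psk):
        return "hex-key"            # full 256-bit key, used as-is
    if 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk):
        return "passphrase"         # printable ASCII, stretched below
    raise ValueError("PSK must be 8-63 printable ASCII characters or 64 hex digits")

def derive_pmk(psk: str, ssid: str) -> bytes:
    """Return the 32-byte pairwise master key for this PSK on this SSID."""
    if classify_psk(psk) == "hex-key":
        return bytes.fromhex(psk)
    # 802.11i passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def new_hex_key() -> str:
    """Generate a random 64-hex-digit key from the OS CSPRNG."""
    return secrets.token_hex(32)

def passphrase_warnings(psk: str, ssid: str, min_len: int = 16) -> list:
    """Illustrative checks only; min_len is an assumed policy, not a standard."""
    if classify_psk(psk) == "hex-key":
        return []
    warnings = []
    if len(psk) < min_len:
        warnings.append(f"shorter than {min_len} characters")
    if psk.isdigit() or psk.isalpha():
        warnings.append("uses a single character class")
    if ssid and ssid.lower() in psk.lower():
        warnings.append("contains the network name")
    return warnings

if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    for ssid in ("IEEE", "HomeNet"):
        print(ssid, derive_pmk("password", ssid).hex())
    print(passphrase_warnings("password", "HomeNet"))
    print(new_hex_key())
```

The same passphrase yields a different key on each SSID, so a network that keeps a common default name gives up that benefit.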

WPA makes use of a Temporal Key Integrity Protocol or TKIP, to constantly change the encryption key. This dynamic changing of keys makes it more difficult for a hacker to break a WPA/TKIP key.

The 802.11i standard allows for various network implementations, and while it can use TKIP as a wireless security protocol, by default RSN based systems use the Advanced Encryption Standard (AES); this is the preferred algorithm in 802.11i and in WPA2.


WPA2

WPA2 is the Wi-Fi Alliance branded version of the final 802.11i standard. The primary enhancement over WPA is the inclusion of the AES block cipher and the Counter-Mode/CBC MAC Protocol (or CCMP encryption protocol) as mandatory. It is this that provides for a stronger, scalable wireless security solution. WEP and WPA, by contrast, use the RC4 stream cipher, and while WPA can be implemented through a firmware upgrade to a WEP device, WPA2 would require a hardware upgrade as well.

RC4 stream cipher makes use of a 128-bit key and a 48-bit initialization vector (IV). However, one major improvement in WPA over WEP is in the handling of the encryption key. Whereas WEP uses the same key, WPA makes use of a temporary key - thanks to the use of TKIP, thus making it more difficult for a hacker to break the system.

AES-CCMP introduces a higher level of security than RC4-based systems by providing protection for the MAC protocol data unit (MPDU) and parts of the 802.11 MAC headers. This protects even more of the data packet from eavesdropping and tampering.

The CCMP encryption protocol used with AES is the equivalent of TKIP in WPA. RSN based solutions - like WPA2 - define a hierarchy of limited life keys, similar to TKIP. And like TKIP, master keys are not used directly in CCMP, but are instead used to derive other keys.

The end result: WPA2 encryption is much harder to break than WPA even though the latter already provides significant wireless security improvements over WEP-based devices.

WPS - Wireless Security Configuration Made Simple!

Many home users who know little of wireless security often feel intimidated at the thought of configuring security on their home network and associated connected wireless devices. This is due to the different security options often supported by Wi-Fi certified gear.

For this purpose, in January 2007, the Wi-Fi Alliance officially launched the Wi-Fi Protected Setup, or WPS protocol, to provide a standard that simplifies the establishment of a secure wireless home network. It is also for this reason that the WPS protocol was originally referred to as 'Wi-Fi Simple Configuration'.

WPS places its emphasis on a user-friendly setup while ensuring security. In order to achieve its objective, the WPS protocol defines three types of devices in the network:

Registrar: A device with the authority to issue and revoke credentials to a network. In a typical home application, this is often integrated into the Wireless Access Point or AP, and takes the form of a wireless router with integrated AP and Ethernet switch.

Enrollee: The device that is seeking to join the wireless network.

Authenticator: This is the AP functioning as a proxy between a Registrar and an Enrollee.

It is not within the scope of this article to explain how these devices inter-operate in a WPS scenario. However, knowing of their existence will help you better understand how WPS manages to achieve its goal of usability while ensuring network security.

Usability is ensured thanks to four simple setup modes - or possible setup choices as defined by WPS - that provide the user with a simple way of adding a new device to a secure home network. These setup options are:


PIN Method: A PIN (Personal Identification Number) has to be read from either a sticker on the new wireless client device (the Enrollee), or a display if there is one, and entered at the Registrar of the network, which in the case of a typical wireless home network, is the wireless access point. Every Wi-Fi Protected Setup certified product must support this setup mode.


PBC (Push Button Connection) Method: In this case, all that the user has to do is to push a button (physical or virtual) on both the AP or the Network Registrar, and the new wireless client device (Enrollee).


NFC (Near Field Communication) Method: Here, the user has to bring the new wireless device close to the Access Point or Network Registrar to allow for what is referred to as Near Field Communication between the devices. Near field communication relies on the use of very short range (typically 4 inches), high frequency transmission, to enable a secure mode of exchange of data between wireless devices during the setup process.


USB Method: In this case, the user uses a USB stick to transfer data between the Network Registrar or AP, and the new wireless device; this method is not covered by the WPS certification, and like the NFC method, is optional.

 

Security is preserved as in each of these four possible setup modes, the WPS protocol requires that exchange of security information between the wireless device seeking to join the network and the network registrar or AP, is triggered only by a specific user action. In other words, once device identification takes place at both ends of the wireless link, exchange of security information between the two requires a human trigger to initiate the actual setup session.


Basic Steps in Securing a Wireless Network

What follows are just a few simple basic steps in wireless security - listed in order of importance - you can take to help enhance the security of your wireless networking activity.


By default, encryption is switched off. Turn it ON. Use WPA2 whenever possible; alternatively opt for WPA as the next best wireless security encryption. WEP is better than nothing.


Change default passwords required to access wireless devices. Default passwords represent an easy crack for hackers.

Default passwords are set by product manufacturers to enable you to access the system on first log-on, but these should be changed once you set up your system to prevent hackers from accessing your network. By simply changing these passwords, you will be doing a lot towards enhancing your wireless security.


 

Change the default SSID (Service Set Identification), or network name used to identify your network.

Hackers know the default names of the different brands of equipment; furthermore, default SSIDs - like default passwords - may serve as an indication for hackers that a network is easy to tap into.

Change default SSID to something that would make it easy for the respective users to find the correct network, BUT that at the same time, would still be difficult for a hacker to guess. In other words, do not use a name that is easily associated with you!


 

Disable file and print sharing - if not needed.

Disabling the print/file sharing feature can limit a hacker's ability to steal data from your computer in the event s/he manages to get past the encryption.


 

Limit radio coverage of your Access Points to the desired area only whenever possible.

Any wireless signal spilling outside your desired coverage area represents an opportunity for hackers to get access to your network without entering your home!

Use directional antennas at the perimeter of the covered area to direct your broadcast inward, and do not use more radio power than necessary to avoid signal leakage outside the required access zone.


 

Use a firewall, especially between wired and wireless segments of the network, to prevent anyone breaking into your wireless network from hacking your wired network.

 

The following wireless security measures - while ineffective against determined experienced hackers - may still serve a useful purpose against the majority of inexperienced opportunistic users. Furthermore, these may also force an experienced hacker to move elsewhere and find an easier target!


 

Disable the SSID broadcast: Hiding the SSID may help prevent unauthorized access from the casual opportunistic user since a user needs to know the SSID to connect to a network.


 

Enabling MAC address filtering: MAC address filtering will prevent the casual users from connecting to your network by maintaining a list of allowed MAC addresses that can access your network.

At the same time, it is important to keep in mind that hiding the SSID, or enabling MAC filtering alone, will not prevent anyone from reading the data transmitted over your wireless network, only encryption will do that.

