Security through warning labels

| Comments (3) |
California is getting ready to mandate warning labels on WiFi equipment. Here's the text:
22948.6. (a) A device that includes an integrated and enabled wireless access point, such as a premises-based wireless network router or wireless access bridge, that is for use in a small office, home office, or residential setting and that is sold as new in this state for use in a small office, home office, or residential setting shall be manufactured to comply with one of the following:

(1) Include in its software a security warning that comes up as part of the configuration process of the device. The warning shall advise the consumer how to protect his or her wireless network connection from unauthorized access. This requirement may be met by providing the consumer with instructions to protect his or her wireless network connection from unauthorized access, which may refer to a product manual, the manufacturer's Internet Web site, or a consumer protection Internet Web site that contains accurate information advising the consumer on how to protect his or her wireless network connection from unauthorized access.

(2) Have attached to the device a temporary warning sticker that must be removed by the consumer in order to allow its use. The warning shall advise the consumer how to protect his or her wireless network connection from unauthorized access. This requirement may be met by advising the consumer that his or her wireless network connection may be accessible by an unauthorized user and referring the consumer to a product manual, the manufacturer's Internet Web site, or a consumer protection Internet Web site that contains accurate information advising the consumer on how to protect his or her wireless network connection from unauthorized access.

(3) Provide other protection on the device that does all of the following :
(A) Advises the consumer that his or her wireless network connection may be accessible by an unauthorized user.
(B) Advises the consumer how to protect his or her wireless network connection from unauthorized access.
(C) Requires an affirmative action by the consumer prior to allowing use of the product. Additional information may also be available in the product manual or on the manufacturer's Internet Web site.

(4) Provide other protection prior to allowing use of the device, that is enabled without an affirmative act by the consumer, to protect the consumer's wireless network connection from unauthorized access.
(b) This section shall only apply to devices that include an integrated and enabled wireless access point and that are used in a federally unlicensed spectrum.
(c) This section shall only apply to products that are manufactured on or after October 1, 2007.

The basic operating principle of this measure is that consumers would be better off if they secured their wireless networks, if only they weren't too stupid to know what's good for them. The competing theory, of course, is that it's not actually that important to secure your wireless network, so people don't do it.

It should be fairly easy to measure the effectiveness of this measure: each piece of 802.11 equipment has a unique MAC Address. Each manufacturer gets a range of addresses and then typically assigns them in some predictable order. This means it's reasonably easy to determine when a particular piece of hardware was manufactured. So, starting in mid 2008 or so, you should be able to drive around and see if equipment manufactured after 2007 has substantially better security deployment (though note that people may be smoothly deploying more security, so you're looking for a change in the trendline, not necessarily just more deployment).

3 Comments

There was a paper, "Predictors of Home-Based Wireless Security" by Matthew Hottell, Drew Carter and Matthew Deniszczuk, along the lines you suggest, at WEIS this year. In short, they found that only the usability of security features had significant impact as to whether a network was encrypted.

I don't know if the MAC address thing will really work. I get the impression many companies are not using MAC addresses that are in the proper range.

Indeed, I recently bought a pair of ASUS motherboards and both turned out to have the same MAC addresses, assigned from a block ASUS does not have rights to...

There are real law enforcement problems created by easy access to open WiFi access points. Smart internet criminals don't create paths that lead to their own door these days, most times the trail leads to either a cybercafe or a WiFi access point.

One problem is that there is not much of a compelling consumer interest in protecting the security of their WiFi connection. The only real advantage is that you are less likely to have the police arrest you after someone uses your open WiFi connection to surf kiddie porn. On the other hand if you do surf kiddie porn you would be better off with an open WiFi node.

The other problem is that configuring WiFi systems is a tedious drag. WEP is not just insecure and tedious to configure, systems seem to stop working in unexpected ways when WEP is enabled.

I recently switched to a new Linksys MIMO router and upgraded all the NICs so that everything was using 802.11G and WPS-PSK. At last I have a setup that is reasonably robust, does not contiunously flake out and which allows me to add new machines without hunting about for the stupid WEP key.

This system is barely acceptable. It could be made much simpler and this is going to have to happen if we are ever going to have automated homes where every lightswitch is on the Internet.

One question I don't see answered here is whether California can actually do this. Use of the FCC unlicensed spectrum is unlicensed, the FCC seem to be fairly insistent on making the rules here. If the laws don't allow the FCC to pre-empt state law what is there to stop a state from making a few bucks charging for radio spectrum a second time??

Leave a comment