Fact or Myth: Good security software should detect WiFi Intruders

  • 2 May 2012
  • 1 reply

Userlevel 7
  • Retired Webrooter
  • 369 replies
This is very much a myth.
Some security suites crow about blocking WiFi Intruders and tout this as a critical function.  In reality, not only is it Mostly Useless™, but it can have some seriously bad unintended side effects.  A WiFi Intruder is a device connected to your private Wireless network without your permission.  While it SOUNDS scary, and actually is dangerous, there are a lot of things to consider before taking action.
First and most important, the chances of having an intruder when your router is properly secured are next to none.  Open WiFi or WEP encryption do not count as “properly secured” and WPA is not quite as good as WPA2.  With WPA2 encryption, somebody would need to work very hard to get into your network and would need to really know what they’re doing.  It’s not an easy (and often not even possible) process.  If they know how to do that, nothing but shutting down your computer will help.  But you’re also more likely to get struck by lightning than hit by one of these people.  If you’re on an unsecured network, chances are they’d rather use your internet connection than poke your computer anyway, so blocking them from your computer only hides the problem and makes it worse when, for example, somebody does something illegal on your network connection and it gets traced to your address.
Next, if you are using an up to date operating system (Vista or preferably Windows 7), and are up to date on your system patches, the intruder can’t do anything to your computer that any security program on your computer can block anyway.  The security program can only stop the intruder from talking to your computer.  Vista and Windows 7 do this automatically already.  The security program CANNOT stop the intruder from seeing things you send to the internet if that is possible, nor can it kick the intruder off.  The only thing that can fix it is to properly configure your router with secure connections, and the security program can’t do that for you.
Finally, most of the “Intruder Alert!”s that anybody will get are not really intruders.  Security programs know nothing but “I have not seen this machine ID before so I do not know if it’s trusted.”  When they see a new machine ID (MAC Address. A string of 12 letters and numbers in hexadecimal format, sometimes with dashes or colons in it), they call it an intruder.  Then all they can tell you is the MAC address, which means nothing to most users, and the IP, which means nothing at all.  As the user at the computer, you suddenly are given a scary alert and have to decide if it’s safe, but with no way of knowing whether it’s somebody sitting on the street outside, or (most likely) your Android device or iPhone or Xbox360 or other device that you intentionally connected to your WiFi.  Blocking this because the warning is so vague and scary just means that suddenly your stuff doesn’t work.  Then you’ll end up on the phone with some poor phone or game console support tech because your security program tricked you into thinking it was a WiFi Intruder.
So this kind of detection doesn’t actually help your security, nor does it solve the root problem of intruders.  Add the fact that it can break dozens of things that you do want to legitimately do, and it really provides no benefit to most people.  But it does make for a proper panic and way to sell security software by scaring people.  Thankfully, Webroot protects you without faking things or trying to panic you, so you won’t find a WiFi Intruder detector asking you to decide if “00:13:65:F5:EC:49” is safe or not on our apps.  We also promise to not make an “Alien Invader” detector for your front door that claims anybody new who knocks is from Mars and asks you to decide whether to let them in or not based on the showing you the chemical composition of their hair.  Both of them would be silly.  Unfortunately, one of them is out there and breaking peoples’ networks regularly. 
While detecting intruders can have advantages in some cases, it really only helps trained network administrators.  It also should not be needed in consumer environments, because the router must be configured properly to keep the intruders off your network, rather than responding to shield your computer against them after they're already on.

1 reply

Userlevel 7
Badge +56
Thanks for the Great article Kit!