Fork me on GitHub

Should Wifi routers be required to mandate strong authentication

An interesting technology related issue has cropped up in India recently especially in the context of what is being suggested as apparent misuse of unsecured WiFi networks by terrorists.

To sum up, there seems to be some evidence linking the usage of unsecured WiFi networks by terrorists. This has led to a situation where Telecom Regulatory Authority of India (TRAI) seems to be requiring that all Wireless Networks be made secure and is directing the Internet Service Providers to ensure the same for all such networks connected to the internet. The ISPs claim (quite reasonably in my opinion) that they are unable to be able to ensure the same since people may connect up PCs from their home via WiFi routers and that they cannot monitor the status of such routers which are under the control of the respective families. More information on this issue here : TRAI plans to prevent WiFi abuse. There is also a thought to declare all unsecured networks are illegal which IMHO places a tremendous burden on families especially those who may not be as computer savvy.

There clearly are competing interests here :

(a) The government needs to ensure that all internet traffic is traceable. There might be a whole number of privacy concerns here but these are perhaps not relevant in this context, since there already seems to be a sufficient infrastructure to trace traffic to the IP addresses, what seems to be missing here is the traceability into the using party given the fact that anyone can apparently easily use a unsecure wireless network connected to the net. (b) Many families may have installed such WiFi routers for convenient access to the net from their homes. They may not be particularly educated in all cases sufficiently to know and understand the necessity of and how to secure their domestic WiFi networks. Besides declaring unsecure networks as illegal may make it mandatory to require every family sufficient education on how to secure the network. (The current proposal seems to be putting this onus onto the ISPs)

While the following suggestion is unlikely to help the currently installed base of WiFi routers, here's a thought. Can we not require and mandate that each such WiFi device require some minimum form of reasonably strong password verification before allowing WiFi based routing (ie. one can connect to the device to set the password in the first place), and manufacture this requirement into the firmware of each device (ie. there should be no reasonable way to bypass it). In other words, such devices will implicitly disallow any WiFi based networking except between a PC the router itself when no password has been set (The connection needs to be allowed so that the password could be set to some basic minimum required strength). It could then perhaps makes sense to declare devices which do not conform to these norms as not valid under the law. Moreover It is likely that current WiFi router providers could be required to issue a firmware upgrade for their existing models where such upgrades are feasible.

Its an interesting situation where common good needs to be balanced with that of individuals. This is probably not the only solution. Maybe such Wifi devices already exist and I simply haven't been following the space adequately enough. I am also certain that strong password authentication is only a start and possibly there are other measures to secure the networks further .. but at least its a start which is unlikely to be controversial either from a user's or vendor's perspective. Maybe there are other solutions. While the issue is currently being debated in India, its probably relevant to all the corners of the globe. Any thoughts ?

Comments !