虽然我们大多数人都不必担心有人入侵我们的Wi-Fi网络，但对于一个狂热者来说，入侵一个人的Wi-Fi网络有多难呢？今天的超级用户问答帖子回答了一位读者关于Wi-Fi网络安全的问题。

今天的问答环节是由SuperUser提供的，SuperUser是Stack Exchange的一个分支，是一个由社区驱动的问答网站分组。

图片由Brian Klug（Flickr）提供。

问题

超级用户读者Sec想知道，大多数狂热者是否真的有可能入侵Wi-Fi网络：

I heard from a trusted computer security expert that most enthusiasts (even if they are not professionals) using only guides from the Internet and specialized software (i.e. Kali Linux with the included tools), can break through your home router security.

People claim that it is possible even if you have:

• A strong network password
• A strong router password
• A hidden network
• MAC filtering

I want to know if this is a myth or not. If the router has a strong password and MAC filtering, how can that be bypassed (I doubt they use brute-force)? Or if it is a hidden network, how can they detect it, and if it is possible, what can you do to make your home network really secure?

As a junior computer science student, I feel bad because sometimes hobbyists argue with me on such subjects and I do not have strong arguments or can not explain it technically.

这真的有可能吗？如果有可能的话，Wi-Fi网络的哪些“弱点”是爱好者们关注的焦点？

答案

超级用户贡献者davidgo和reirab为我们提供了答案。首先，戴维戈：

Without arguing the semantics, yes, the statement is true.

There are multiple standards for Wi-Fi encryption including WEP, WPA, and WPA2. WEP is compromised, so if you are using it, even with a strong password, it can be trivially broken. I believe that WPA and WPA2 are a lot harder to crack though (but you may have security issues relating to WPS which bypass this). Also, even reasonably hard passwords can be brute-forced. Moxy Marlispike, a well known hacker offers a service to do this for about US $30 using cloud computing – although it is not guaranteed.

A strong router password will do nothing to prevent someone on the Wi-Fi side from tran**itting data through the router, so that is irrelevant.

A hidden network is a myth. While there are boxes to make a network not appear in a list of sites, the clients beacon the WIFI router, thus its presence is trivially detected.

MAC filtering is a joke as many (most/all?) Wi-Fi devices can be programmed/reprogrammed to clone an existing MAC address and bypass MAC filtering.

Network security is a big subject, and not something amenable to a SuperUser question. But the basics are that security is built up in layers so that even if some are compromised, not all are. Also, any system can be penetrated given enough time, resources, and knowledge; so security is actually not so much a question of “can it be hacked”, but “how long will it take” to hack. WPA and a secure password protect against “Joe Average”.

If you want to enhance the protection of your Wi-Fi network, you can view it as a transport layer only, then encrypt and filter everything going across that layer. This is overkill for the vast majority of people, but one way you could do this would be to set the router to only allow access to a given VPN server under your control, and require each client to authenticate across the Wi-Fi connection across the VPN. Thus, even if the Wi-Fi is compromised, there are other (harder) layers to defeat. A subset of this behaviour is not uncommon in large corporate environments.

A simpler alternative to better securing a home network is to ditch Wi-Fi altogether and require only cabled soluti***. If you have things like cell phones or tablets, this may not be practical though. In this case you can mitigate the risks (certainly not eliminate them) by reducing the signal strength of your router. You can also shield your home so that your frequency leaks less. I have not done it, but strong rumour (researched) has it that even aluminum mesh (like fly screen) across the outside of your house with good grounding can make a huge difference to the amount of signal that will escape. But of course, bye-bye cell phone coverage.

On the protection front, another alternative may be to get your router (if it is capable of doing it, most are not, but I would imagine routers running openwrt and possibly tomato/dd-wrt can) to log all packets traversing your network and keeping an eye on it. Even just monitoring for anomalies with total bytes in and out of various interfaces could give you a good degree of protection.

At the end of the day, maybe the question to ask is “What do I need to do to make it not worth a casual hacker’s time to penetrate my network?” or “What is the real cost of having my network compromised?”, and going from there. There is no quick and easy answer.

接着是reirab的回答：

As others have said, SSID hiding is trivial to break. In fact, your network will show up by default in the Windows 8 network list even if it is not broadcasting its SSID. The network still broadcasts its presence via beacon frames either way; it just does not include the SSID in the beacon frame if that option is ticked. The SSID is trivial to obtain from existing network traffic.

MAC filtering is not terribly helpful either. It might briefly slow down the script kiddie that downloaded a WEP crack, but it is definitely not going to stop anyone that knows what they are doing, since they can just spoof a legitimate MAC address.

As far as WEP is concerned, it is completely broken. The strength of your password does not matter much here. If you are using WEP, anyone can download software that will break into your network pretty quickly, even if you have a strong password.

WPA is significantly more secure than WEP, but is still c***idered to be broken. If your hardware supports WPA but not WPA2, it is better than nothing, but a determined user can probably crack it with the right tools.

WPS (Wireless Protected Setup) is the bane of network security. Disable it regardless of what network encryption technology you are using.

WPA2, in particular the version of it that uses AES, is quite secure. If you have a descent password, your friend is not going to get into your WPA2 secured network without getting the password. Now, if the NSA is trying to get into your network, that is another matter. Then you should just turn off your wireless entirely. And probably your internet connection and all of your computers too. Given enough time and resources, WPA2 (and anything else) can be hacked, but it is likely going to require a lot more time and a lot more capabilities than your average hobbyist is going to have at their disposal.

As David said, the real question is not “Can this be hacked?”, but rather, “How long will it take someone with a particular set of capabilities to hack it?”. Obviously, the answer to that question varies greatly with respect to what that particular set of capabilities is. He is also absolutely correct that security should be done in layers. Stuff you care about should not be going over your network without being encrypted first. So, if someone does break into your wireless, they should not be able to get into anything meaningful aside from maybe using your internet connection. Any communication that needs to be secure should still use a strong encryption algorithm (like AES), possibly set up via TLS or some such PKI scheme. Make sure your e-mail and any other sensitive web traffic is encrypted and that you are not running any services (like file or printer sharing) on your computers without the proper authentication system in place.

有什么要补充的解释吗？在评论中发出声音。想从其他精通技术的Stack Exchange用户那里了解更多答案吗？在这里查看完整的讨论主题。