Is It Really Possible for Most Enthusiasts to Hack Wi-Fi Networks?

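While most of us will likely never have to worry about someone hacking our Wi-Fi network, just how hard would it be for an enthusiast to hack a person's Wi-Fi network? Today's SuperUser Q&A post has answers to one reader's questions about Wi-Fi network security.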

Today's Question & Answer session comes to us courtesy of SuperUser, a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

Image courtesy of Brian Klug (Flickr).

The Question

SuperUser reader Sec wants to know if it is really possible for most enthusiasts to hack Wi-Fi networks:

I heard from a trusted computer security expert that most enthusiasts (even if they are not professionals) using only guides from the Internet and specialized software (i.e. Kali Linux with the included tools), can break through your home router security.

People claim that it is possible even if you have:

  • A strong network password
  • A strong router password
  • A hidden network
  • MAC filtering

I want to know if this is a myth or not. If the router has a strong password and MAC filtering, how can that be bypassed (I doubt they use brute-force)? Or if it is a hidden network, how can they detect it, and if it is possible, what can you do to make your home network really secure?

As a junior computer science student, I feel bad because sometimes hobbyists argue with me on such subjects and I do not have strong arguments or can not explain it technically.

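Is it really possible, and if so, which "weak points" in a Wi-Fi network would an enthusiast focus on?

The Answer

SuperUser contributors davidgo and reirab have the answer for us. First up, davidgo: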

Without arguing the semantics, yes, the statement is true.

There are multiple standards for Wi-Fi encryption including WEP, WPA, and WPA2. WEP is compromised, so if you are using it, even with a strong password, it can be trivially broken. I believe that WPA and WPA2 are a lot harder to crack though (but you may have security issues relating to WPS which bypass this). Also, even reasonably hard passwords can be brute-forced. Moxie Marlinspike, a well-known hacker, offers a service to do this for about US $30 using cloud computing – although it is not guaranteed.

A strong router password will do nothing to prevent someone on the Wi-Fi side from transmitting data through the router, so that is irrelevant.

A hidden network is a myth. While there are boxes to make a network not appear in a list of sites, the clients beacon the WIFI router, thus its presence is trivially detected.

MAC filtering is a joke as many (most/all?) Wi-Fi devices can be programmed/reprogrammed to clone an existing MAC address and bypass MAC filtering.

Network security is a big subject, and not something amenable to a SuperUser question. But the basics are that security is built up in layers so that even if some are compromised, not all are. Also, any system can be penetrated given enough time, resources, and knowledge; so security is actually not so much a question of “can it be hacked”, but “how long will it take” to hack. WPA and a secure password protect against “Joe Average”.

If you want to enhance the protection of your Wi-Fi network, you can view it as a transport layer only, then encrypt and filter everything going across that layer. This is overkill for the vast majority of people, but one way you could do this would be to set the router to only allow access to a given VPN server under your control, and require each client to authenticate across the Wi-Fi connection across the VPN. Thus, even if the Wi-Fi is compromised, there are other (harder) layers to defeat. A subset of this behaviour is not uncommon in large corporate environments.

A simpler alternative to better securing a home network is to ditch Wi-Fi altogether and require only cabled solutions. If you have things like cell phones or tablets, this may not be practical though. In this case you can mitigate the risks (certainly not eliminate them) by reducing the signal strength of your router. You can also shield your home so that your frequency leaks less. I have not done it, but strong rumour (researched) has it that even aluminum mesh (like fly screen) across the outside of your house with good grounding can make a huge difference to the amount of signal that will escape. But of course, bye-bye cell phone coverage.

On the protection front, another alternative may be to get your router (if it is capable of doing it, most are not, but I would imagine routers running openwrt and possibly tomato/dd-wrt can) to log all packets traversing your network and keeping an eye on it. Even just monitoring for anomalies with total bytes in and out of various interfaces could give you a good degree of protection.

At the end of the day, maybe the question to ask is “What do I need to do to make it not worth a casual hacker’s time to penetrate my network?” or “What is the real cost of having my network compromised?”, and going from there. There is no quick and easy answer.
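The byte-counter monitoring suggested in the answer above can be sketched as follows; this is an added example, not code from davidgo or the original post. It assumes a Linux-based router exposing `/proc/net/dev`, a Wi-Fi interface named `wlan0`, one snapshot every five minutes, and illustrative thresholds; all sample data is constructed.

```python
import statistics

# Constructed sample data: /proc/net/dev snapshots taken every 5 minutes on a
# hypothetical router whose Wi-Fi interface is named wlan0.
HEADER = ("Inter-|   Receive                                                |  Transmit\n"
          " face |bytes packets errs drop fifo frame compressed multicast"
          "|bytes packets errs drop fifo colls carrier compressed\n")
TX_PER_INTERVAL = [200_000, 250_000, 180_000, 220_000, 210_000,
                   240_000, 230_000, 9_000_000, 215_000]

def make_snapshots(tx_steps, start=5_000_000):
    """Build constructed snapshot texts whose wlan0 TX counter grows by tx_steps."""
    total, snaps = start, []
    for step in [0] + list(tx_steps):
        total += step
        snaps.append(HEADER + f" wlan0: 1000 9 0 0 0 0 0 0 {total} 9 0 0 0 0 0 0\n")
    return snaps

def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines contain no colon
        name, fields = line.split(":", 1)
        cols = fields.split()
        counters[name.strip()] = (int(cols[0]), int(cols[8]))  # rx bytes, tx bytes
    return counters

def deltas(samples):
    """Bytes per interval; a counter that goes backwards (reboot) restarts from its new value."""
    return [cur - prev if cur >= prev else cur for prev, cur in zip(samples, samples[1:])]

def anomalies(samples, window=6, k=8.0, floor=1_000_000):
    """Flag intervals above both `floor` and median + k*MAD of the preceding window."""
    d, flagged = deltas(samples), []
    for i in range(window, len(d)):
        base = d[i - window:i]
        med = statistics.median(base)
        mad = statistics.median(abs(x - med) for x in base)
        if d[i] > max(floor, med + k * max(mad, 1)):
            flagged.append((i, d[i], med))
    return flagged

if __name__ == "__main__":
    tx = [parse_proc_net_dev(s)["wlan0"][1] for s in make_snapshots(TX_PER_INTERVAL)]
    for idx, volume, median in anomalies(tx):
        print(f"interval {idx}: {volume} bytes sent, recent median {median:.0f}")
```

On a real router the snapshots would come from reading `/proc/net/dev` on a timer, and the window and thresholds would be tuned to the household's normal traffic.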

Followed by the answer from reirab:

As others have said, SSID hiding is trivial to break. In fact, your network will show up by default in the Windows 8 network list even if it is not broadcasting its SSID. The network still broadcasts its presence via beacon frames either way; it just does not include the SSID in the beacon frame if that option is ticked. The SSID is trivial to obtain from existing network traffic.

MAC filtering is not terribly helpful either. It might briefly slow down the script kiddie that downloaded a WEP crack, but it is definitely not going to stop anyone that knows what they are doing, since they can just spoof a legitimate MAC address.

As far as WEP is concerned, it is completely broken. The strength of your password does not matter much here. If you are using WEP, anyone can download software that will break into your network pretty quickly, even if you have a strong password.

WPA is significantly more secure than WEP, but is still considered to be broken. If your hardware supports WPA but not WPA2, it is better than nothing, but a determined user can probably crack it with the right tools.

WPS (Wireless Protected Setup) is the bane of network security. Disable it regardless of what network encryption technology you are using.

WPA2, in particular the version of it that uses AES, is quite secure. If you have a decent password, your friend is not going to get into your WPA2 secured network without getting the password. Now, if the NSA is trying to get into your network, that is another matter. Then you should just turn off your wireless entirely. And probably your internet connection and all of your computers too. Given enough time and resources, WPA2 (and anything else) can be hacked, but it is likely going to require a lot more time and a lot more capabilities than your average hobbyist is going to have at their disposal.

As David said, the real question is not “Can this be hacked?”, but rather, “How long will it take someone with a particular set of capabilities to hack it?”. Obviously, the answer to that question varies greatly with respect to what that particular set of capabilities is. He is also absolutely correct that security should be done in layers. Stuff you care about should not be going over your network without being encrypted first. So, if someone does break into your wireless, they should not be able to get into anything meaningful aside from maybe using your internet connection. Any communication that needs to be secure should still use a strong encryption algorithm (like AES), possibly set up via TLS or some such PKI scheme. Make sure your e-mail and any other sensitive web traffic is encrypted and that you are not running any services (like file or printer sharing) on your computers without the proper authentication system in place.
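To make the point about beacon frames concrete, the following added example (not part of reirab's answer or the original post) parses two constructed 802.11 beacons, one with the SSID broadcast and one with it suppressed, and shows that the BSSID, channel, and privacy flag are still advertised either way. The frame bytes, the BSSID, and the network name `HomeNet` are made up for illustration; the frames carry no radiotap header or FCS.

```python
import struct

def build_beacon(bssid, ssid, channel):
    """Constructed beacon frame for the demo (24-byte header, 12 fixed bytes, tags)."""
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0011)  # timestamp, interval, caps: ESS + privacy
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])  # SSID, DS parameter set
    return header + fixed + tags

def parse_beacon(frame):
    """Extract what a beacon advertises, whether or not the SSID is suppressed."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a management/beacon frame")
    _interval, caps = struct.unpack_from("<HH", frame, 32)
    info = {"bssid": frame[16:22].hex(":"), "privacy": bool(caps & 0x10),
            "ssid": None, "channel": None}
    pos = 36  # tagged parameters start after the header and fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated element, stop parsing
        if tag == 0:
            # A suppressed SSID is sent as zero-length or as all-null bytes.
            info["ssid"] = body.decode("utf-8", "replace") if body.strip(b"\x00") else ""
        elif tag == 3 and length == 1:
            info["channel"] = body[0]
        pos += 2 + length
    info["hidden"] = info["ssid"] == ""
    return info

SAMPLE_BSSID = bytes.fromhex("020000aabbcc")  # constructed, locally administered address

if __name__ == "__main__":
    for ssid in (b"HomeNet", b""):
        print(parse_beacon(build_beacon(SAMPLE_BSSID, ssid, 6)))
```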


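Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.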

  • Posted on 2021-04-11 10:40