For years, I have been railing against a security flaw in Internet Sharing in Mac OS X. This service, found in the Sharing preference pane, lets you turn a Mac into a router, sharing access from one network interface (like Ethernet) to another (such as Wi-Fi). It’s a basic feature with no options except for the way in which Wi-Fi is shared to other devices. In OS X 10.8 Mountain Lion, Apple has finally upgraded a lingering bit of legacy software that supported only an old, broken security method. This older technology could expose you to risk in public places or if you used it to connect devices to the Internet on your home network.
When you share from a method other than Wi-Fi (select the adapter from the Share Connection From pop-up menu), a Wi-Fi Options button becomes active. Click it, and you see the same setup that’s been in place for nearly a decade. Pick a network name, choose a channel, and opt for a security method (including “None”).
10.7 Lion added the option to select channels 36, 40, 44, and 48, all of which are in the 5 GHz band, and can be connected to with 802.11n dual-band devices. Because the iPhone and iPod touch don’t support the 5 GHz band (although the iPad does), using 5 GHz isn’t always advisable, but it’s a less-crowded chunk of spectrum, and thus nice to have as an option. I choose 5 GHz when I’m sharing to other people with laptops nearby. I know some people without an AirPort base station rely on Internet Sharing over Wi-Fi in their homes, too, to avoid the expense of buying a physical base station.
But Internet Sharing’s security options were left firmly mired in the 1990s until Mountain Lion. For years, Apple offered only 40-bit and 128-bit WEP (Wired Equivalent Privacy). WEP was the original “link-layer” encryption built for 802.11b, the first widespread wireless local area networking protocol put into use, starting in 1999. WEP had a lot of compromises, partly because of encryption export restrictions at the time and partly to accommodate the minimal computational power available in router-sized devices. WEP was shown to be thoroughly broken by about 2003, and subsequent years have brought tools that can extract a WEP key and see all the traffic on a network in a matter of seconds.
WEP was replaced by 802.11i, a much-improved security protocol that was turned into something manufacturers could build and test against as Wi-Fi Protected Access (WPA). An interim version, released in 2003, was called just “WPA” and could work with new 802.11g devices (the latest standard at the time) and upgraded 802.11b devices. WPA2, the full version of the 802.11i spec, started appearing in 2004, and nearly every computer and Wi-Fi router sold since 2003 shipped with WPA2 baked in or could be upgraded to WPA2. (The original AirPort Base Station could not be upgraded even to WPA, but the AirPort Extreme Base Station, released in early 2003, supported WPA initially and was upgradable to WPA2.)
The fact that anybody with free software can break into your communications with nearly no effort may not worry you. Much of our interaction over the Internet (whether via applications or through a Web site) has a security overlay, although sometimes you must enable a setting (as in Facebook and Twitter). But not being able to create a fully secure network using Internet Sharing’s software base station while in a public place, and therefore having to believe that no one in the vicinity would ever attempt to snoop, is a significant deterrent to using the feature. Those who don’t know they’re at risk from using WEP are in an even worse position, relying as they are on what they erroneously think of as a secure method.
Apple lagged on enhancing security in the software base station in Internet Sharing for internal reasons: the company simply didn’t devote sufficient resources to this part of Mac OS X even while it pushed the message elsewhere that we should all be using WPA2. It’s not that hard, and open-source software used in Linux works with many generations of Wi-Fi chips.
There’s another reason to want this change, though, too. 802.11n cannot work using older security standards. If you enable WEP security in Internet Sharing’s software base station in a pre-Mountain Lion version of Mac OS X, an 802.11n-capable computer has to step down to 802.11g or 802.11a for the connection, dropping from 75–450 Mbps of raw speed all the way down to 54 Mbps! (This also led to the situation where some devices, such as certain Android phones, couldn’t connect to a Mac OS X software base station because the base station contradictorily claimed it could talk 802.11n and WEP at the same time. See my Macworld article that explains the issue.)
This situation has at last been resolved in Mountain Lion, although it’s not listed among the 200+ features that Apple trumpeted. The Security pop-up menu in the Wi-Fi Options dialog now has just two items: None and WPA2 Personal. Pick a passphrase of perhaps 10 to 12 characters, which can include letters, numbers, and punctuation, and you’re good to go. If you must use WEP for backwards compatibility with ancient hardware, hold down the Option key before selecting the Security menu, and the two old WEP options appear, too. (The WPA2 Enterprise flavor, which uses a login account or other authentication instead of a passphrase, requires an authentication server, although Apple could implement it very easily using Mac OS X accounts!)
Note that this software base station feature in Internet Sharing is distinct from the Wi-Fi menu’s Create Network feature. While these may seem equivalent, they use different parts of the Wi-Fi spec. The software base station is, quite literally, a base station in software, using infrastructure mode, which is how dedicated hardware Wi-Fi routers also work. In that mode, a central base station coordinates the activity for all clients.
The Create Network command in the Wi-Fi menu uses the alternative, creating an ad hoc network, in which each computer or device is a peer, and network traffic passes among participants in the network. Create Network offers just 40-bit and 128-bit WEP because WPA2 requires a central encryption host to manage keys, which can’t exist in an ad hoc network.
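To make the two points above concrete (that a WPA2 Personal passphrase is only as strong as the passphrase itself, and that WPA2 needs a central party that holds the master key and hands each client its own session key), here is an added Python example that is not part of the article or of Apple's software. It implements the standard 802.11i derivations: the pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID (4096 iterations, 256 bits), and the per-client Pairwise Transient Key comes from the 802.11i PRF over the master key, both MAC addresses and both handshake nonces. The SSID, passphrase, MAC addresses and nonces are constructed placeholders.

```python
"""Added example (not from the article): how WPA2 Personal turns a passphrase into
the network's master key, and how a base station derives a separate pairwise key
for every client from it. SSIDs, passphrases, MACs and nonces are constructed."""
import hashlib
import hmac
import math


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Pre-shared key as 802.11i defines it: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output. The PSK is used as the PMK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 Personal passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbytes are available, then truncate."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the 4-way handshake inputs (CCMP: 384 bits).
    aa/spa are the base station's and client's MAC addresses; anonce/snonce are
    the random values each side contributes. Ordering by min/max makes the
    result independent of which side does the computation."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """KCK (handshake integrity key), KEK (key-wrap key), TK (data encryption key)."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on passphrase entropy. Because the PSK is a deterministic
    function of passphrase and SSID, the network key is never stronger than this."""
    return length * math.log2(alphabet_size)


def demo() -> dict:
    # All values below are constructed for the demonstration.
    ssid, passphrase = "MacBookShare", "correct-horse-42!"
    pmk = wpa2_psk(passphrase, ssid)
    aa = bytes.fromhex("001122334455")         # software base station's MAC (constructed)
    spa = bytes.fromhex("66778899aabb")        # first client's MAC (constructed)
    anonce = bytes(range(32))                  # stand-ins for the handshake's random nonces
    snonce = bytes(range(32, 64))
    ptk_client = derive_ptk(pmk, aa, spa, anonce, snonce)    # computed on the client
    ptk_station = derive_ptk(pmk, spa, aa, snonce, anonce)   # same inputs, other side
    other_client = derive_ptk(pmk, aa, bytes.fromhex("ccddeeff0011"), anonce, snonce)
    return {
        "pmk": pmk,
        "ptk_match": ptk_client == ptk_station,
        "per_client_keys_differ": ptk_client != other_client,
        "keys": split_ptk(ptk_client),
        "entropy_10_chars": passphrase_bits(10, 95),
    }


if __name__ == "__main__":
    result = demo()
    print("PMK:", result["pmk"].hex())
    print("both sides derive the same PTK:", result["ptk_match"])
    print("a different client gets a different PTK:", result["per_client_keys_differ"])
    print("10 printable-ASCII characters give at most %.1f bits" % result["entropy_10_chars"])
```

The point for the ad hoc case: the base station is the one party that holds the PMK and runs the handshake with each joining device, so every client ends up with its own TK and one client's traffic is not readable with another client's key. WEP in an ad hoc network has no such step; every peer shares one static key, which is also the key an attacker recovers.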
Why create an ad hoc network with Create Network instead of using Internet Sharing for an infrastructure network? Ad hoc networks once made sense for simple workgroup connections – to enable Bonjour among people working together, for instance – whereas a software base station was the right choice for sharing one connection to the Internet. Now, because of the security difference, I recommend always choosing Internet Sharing.
It’s taken too long for Apple to make sure its Mac OS X users have the same level of security that’s offered in hardware base stations, but I’m glad I no longer have to rant about the issue.