Software Base Station in Mountain Lion Adds Modern Encryption
For years, I have been railing against a security flaw in Internet Sharing in Mac OS X. This service, found in the Sharing preference pane, lets you turn a Mac into a router, sharing access from one network interface (like Ethernet) to another (such as Wi-Fi). It’s a basic feature with no options except for the way in which Wi-Fi is shared to other devices. In OS X 10.8 Mountain Lion, Apple has finally upgraded a lingering bit of legacy software that supported only an old, broken security method. This older technology could expose you to risk in public places or if you used it to connect devices to the Internet on your home network.
When you share from a method other than Wi-Fi (select the adapter from the Share Connection From pop-up menu), a Wi-Fi Options button becomes active. Click it, and you see the same setup that’s been in place for nearly a decade. Pick a network name, choose a channel, and opt for a security method (including “None”).
10.7 Lion added the option to select channels 36, 40, 44, and 48, all of which are in the 5 GHz band and can be used only by devices with a 5 GHz radio, such as dual-band 802.11n hardware. Because the iPhone and iPod touch don’t support the 5 GHz band (although the iPad does), using 5 GHz isn’t always advisable, but it’s a less-crowded chunk of spectrum, and thus nice to have as an option. I choose 5 GHz when I’m sharing to other people with laptops nearby. I know some people without an AirPort base station rely on Internet Sharing over Wi-Fi in their homes, too, to avoid the expense of buying a physical base station.
But Internet Sharing’s security options were left firmly mired in the 1990s until Mountain Lion. For years, Apple offered only 40-bit and 128-bit WEP (Wired Equivalent Privacy). WEP was the original “link-layer” encryption built for 802.11b, the first widespread wireless local area networking protocol put into use, starting in 1999. WEP had a lot of compromises, partly because of encryption export restrictions at the time and partly to accommodate the minimal computational power available in router-sized devices: a 24-bit per-frame initialization vector that is guaranteed to repeat on a busy network, a CRC-32 integrity check that an attacker can adjust along with the ciphertext, and RC4 keyed in a way that leaks bytes of the shared key. The first practical key-recovery attack was published in 2001, the design was considered thoroughly broken within a couple of years, and subsequent years brought free tools that can extract a WEP key and expose all the traffic on a network in minutes.
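The IV-reuse weakness above is the easiest of WEP's flaws to see in code. The following is an added example, not code from the article or from Apple: it implements WEP's actual construction (RC4 keyed with the 24-bit IV prepended to the shared key; the CRC-32 ICV is left out because it does not change the point) and shows that two frames sent under the same IV share a keystream, so knowing one frame's plaintext decrypts the other without ever touching the key. The shared key, IV, and frame contents are constructed for the demo; the LLC/SNAP header is the real one every IP frame on an 802.11 link begins with.

```python
# Added example (not from the article): why WEP leaks traffic once a 24-bit
# IV repeats. RC4 keyed with IV || shared key is exactly WEP's construction;
# the CRC-32 ICV is omitted because it does not affect the point.
# The key, IV and frame contents below are constructed for the demo.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus pseudo-random generation, yielding `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame key = IV (3 bytes, transmitted in the clear) || shared key."""
    if len(iv) != 3:
        raise ValueError("a WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


# Every IP frame on an 802.11 link starts with this LLC/SNAP header, so an
# eavesdropper always knows the first 8 plaintext bytes of every data frame.
LLC_SNAP_IP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00])

IV_SPACE = 2 ** 24  # after this many frames some IV must repeat; busy networks get there in hours


def iv_of(frame: bytes) -> bytes:
    return frame[:3]


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """C xor P = keystream, for as many bytes of P as the attacker knows."""
    return xor_bytes(frame[3:3 + len(known)], known)


def decrypt_reused_iv(victim_frame: bytes, known_frame: bytes, known_plaintext: bytes) -> bytes:
    """Recover the victim frame's plaintext from another frame with the same IV
    whose plaintext is known (a ping the attacker provoked, an ARP reply, or at
    minimum the LLC/SNAP header). The shared key is never needed."""
    if iv_of(victim_frame) != iv_of(known_frame):
        raise ValueError("frames do not share an IV, so their keystreams differ")
    keystream = keystream_from_known_plaintext(known_frame, known_plaintext)
    return xor_bytes(victim_frame[3:3 + len(keystream)], keystream)


def demo() -> dict:
    shared_key = bytes.fromhex("0f1e2d3c4b")  # constructed 40-bit key, unknown to the attacker
    iv = bytes.fromhex("c0ffee")              # constructed IV that the station happens to reuse
    # A frame whose plaintext the attacker can predict in full, e.g. an ICMP echo it provoked.
    known_plaintext = LLC_SNAP_IP + b"ICMP echo request with predictable filler bytes"
    known_frame = wep_encrypt(shared_key, iv, known_plaintext)
    # The victim's frame, encrypted under the same IV and therefore the same keystream.
    secret = LLC_SNAP_IP + b"POST /login user=bob&pass=hunter2"
    victim_frame = wep_encrypt(shared_key, iv, secret)

    recovered = decrypt_reused_iv(victim_frame, known_frame, known_plaintext)
    # Even knowing only the LLC/SNAP header, 8 keystream bytes fall out of
    # every frame, enough to spot which captured frames share an IV.
    header_keystream = keystream_from_known_plaintext(victim_frame, LLC_SNAP_IP)
    return {
        "recovered": recovered,
        "header_keystream_matches": header_keystream == rc4_keystream(iv + shared_key, 8),
    }


if __name__ == "__main__":
    print(demo()["recovered"])
```

The key-recovery attacks the tools mentioned above use go further than this (they exploit the RC4 key-scheduling weakness to recover the shared key itself), but keystream reuse alone is enough to read traffic, and with a 24-bit IV it is unavoidable.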
WEP was replaced by 802.11i, a much-improved security protocol that the Wi-Fi Alliance turned into something manufacturers could build and test against as Wi-Fi Protected Access (WPA). An interim version, released in 2003 and based on a draft of 802.11i, was called just “WPA” and could work with new 802.11g devices (the latest standard at the time) and upgraded 802.11b devices. WPA2, the full version of the 802.11i spec, started appearing in 2004, and nearly every computer and Wi-Fi router sold since then shipped with WPA2 baked in or could be upgraded to WPA2. (The original AirPort Base Station could not be upgraded even to WPA, but the AirPort Extreme Base Station, released in early 2003, supported WPA initially and was upgradable to WPA2.)
The fact that anybody with free software can break into your communications with nearly no effort may not worry you. Much of our interaction over the Internet (whether via applications or through a Web site) has a security overlay, although sometimes you must enable a setting (as in Facebook and Twitter). But not being able to create a fully secure network using Internet Sharing’s software base station while in a public place, and therefore having to believe that no one in the vicinity would ever attempt to snoop, is a significant deterrent to using the feature. Those who don’t know they’re at risk from using WEP are in an even worse position, relying as they are on what they erroneously think of as a secure method.
Apple lagged on enhancing security in the software base station in Internet Sharing for internal reasons: the company simply didn’t devote sufficient resources to this part of Mac OS X even while it pushed the message elsewhere that we should all be using WPA2. It’s not that hard, and open-source software used in Linux works with many generations of Wi-Fi chips.
There’s another reason to want this change, too. The 802.11n spec forbids its high-throughput rates when WEP (or TKIP, the original WPA cipher) is in use. If you enable WEP security in Internet Sharing’s software base station in a pre-Mountain Lion version of Mac OS X, an 802.11n-capable computer has to step down to 802.11g or 802.11a for the connection, dropping from 75–450 Mbps of raw speed all the way down to 54 Mbps! (This also led to the situation where some devices, such as certain Android phones, couldn’t connect to a Mac OS X software base station because the base station contradictorily claimed it could talk 802.11n and WEP at the same time. See my Macworld article that explains the issue.)
This situation has at last been resolved in Mountain Lion, although it’s not listed among the 200+ features that Apple trumpeted. The Security pop-up menu in the Wi-Fi Options dialog now has just two items: None and WPA2 Personal. Pick a passphrase, which can include letters, numbers, and punctuation, and you’re good to go. WPA2 Personal accepts 8 to 63 characters; the only practical attack on it is guessing the passphrase offline against a captured connection handshake, so length and unpredictability matter far more than mixing in punctuation. A dozen random characters, or a phrase of several unrelated words, puts it out of reach. If you must use WEP for backwards compatibility with ancient hardware, hold down the Option key before selecting the Security menu, and the two old WEP options appear, too. (The WPA2 Enterprise flavor, which uses a login account or other authentication instead of a passphrase, requires an authentication server, although Apple could implement it very easily using Mac OS X accounts!)
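To make the passphrase advice concrete, here is an added example, not code from the article or from Apple, showing how WPA2 Personal turns a passphrase into the 256-bit Pairwise Master Key and what an attacker who has captured the handshake can do with it offline. The derivation itself (PBKDF2-HMAC-SHA1 with the network name as salt, 4096 iterations, 32 bytes of output) is the one 802.11i specifies; the network name, the candidate wordlist, the passphrases, and the stand-in “captured” value are constructed for the demo.

```python
# Added example (not from the article): the WPA2 Personal passphrase-to-PMK
# derivation from 802.11i, and why a short or dictionary passphrase is the
# weak link. SSID, wordlist, passphrases and the "captured" value are
# constructed for the demo.
import hashlib
import hmac
import math
import string
from typing import Iterable, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 Personal passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(ssid: str, target_pmk: bytes, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker does after capturing the 4-way handshake: each candidate
    costs 4096 HMAC-SHA1 rounds and needs no further contact with the network.
    (A real cracker derives the handshake MIC from each candidate PMK and
    compares that; comparing PMKs directly keeps the example short.)"""
    for guess in candidates:
        if hmac.compare_digest(wpa2_pmk(guess, ssid), target_pmk):
            return guess
    return None


def guess_space_bits(passphrase: str) -> float:
    """Rough upper bound on the search space, in bits, if every character were
    drawn uniformly from the printable ASCII classes the passphrase uses.
    Real passphrases built from words are far below this bound."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def demo() -> dict:
    ssid = "Glenns MacBook"  # constructed network name; it salts the PMK
    # Candidates an attacker would try first (constructed list).
    wordlist = ["password", "letmein1", "macbook1", "hunter22", "sunshine"]
    weak = "macbook1"
    captured = wpa2_pmk(weak, ssid)  # stands in for what the handshake lets the attacker test
    strong = "correct-horse-battery-staple-2012"
    return {
        "found": offline_guess(ssid, captured, wordlist),
        "weak_bits": guess_space_bits(weak),
        "strong_bits": guess_space_bits(strong),
        # The SSID salt stops one precomputed table from covering every network,
        # but it does nothing against guessing a weak passphrase for one network.
        "ssid_changes_pmk": wpa2_pmk(weak, ssid) != wpa2_pmk(weak, "Other Network"),
    }


if __name__ == "__main__":
    r = demo()
    print(f"guessed passphrase: {r['found']}")
    print(f"search space: weak {r['weak_bits']:.0f} bits, strong {r['strong_bits']:.0f} bits")
```

The 4096 iterations were chosen to slow down exactly this loop, but at a few thousand guesses per second on a laptop (and far more on a GPU) an eight-character word with a digit falls in minutes, whereas a multi-word phrase of thirty-odd characters does not fall at all.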
Note that this software base station feature in Internet Sharing is distinct from the Wi-Fi menu’s Create Network feature. While these may seem equivalent, they use different parts of the Wi-Fi spec. The software base station is, quite literally, a base station in software, using infrastructure mode, which is how dedicated hardware Wi-Fi routers also work. In that mode, a central base station coordinates the activity for all clients.
The Create Network command in the Wi-Fi menu uses the alternative, creating an ad hoc network, in which each computer or device is a peer, and network traffic passes among participants in the network. Create Network offers just 40-bit and 128-bit WEP. WPA2’s key management is built around a central authenticator, the role the base station plays; 802.11i does define a peer-to-peer variant for ad hoc networks, in which every pair of devices runs the key handshake with each other, but Apple’s Create Network doesn’t implement it.
Why create an ad hoc network with Create Network instead of using Internet Sharing for an infrastructure network? Ad hoc networks once made sense for simple workgroup connections, such as enabling Bonjour among people working together, whereas the software base station was the right choice for sharing one connection to the Internet. Now, because of the security difference, I recommend always choosing Internet Sharing.
It’s taken too long for Apple to make sure its Mac OS X users have the same level of security that’s offered in hardware base stations, but I’m glad I no longer have to rant about the issue.
Glenn,
Great article, not just the revelation that Mountain Lion now supports WPA2, but the excellent explanation of Internet Sharing (infrastructure mode) versus Create Network (ad hoc mode). Thanks!
Alas, internet sharing no longer works for me now that I've updated to Mountain Lion. Could my problem be related to WPA2?
You've toggled the checkbox and other settings off and on?
Yes. That used to work with Lion, but no more.
Glenn - I tried what you suggested in Mountain Lion but the window that pops up says "Create a Computer-to-Computer Network", and the only two options are WEP protocols. Can you suggest where I'm going wrong?
You need to go to the Network preference pane, not the Wi-Fi menu, and use Internet Sharing. See paragraph 2 of the article for how to get started. The Wi-Fi menu's Create Network (see end of article) doesn't have WPA2 Personal security.
Thanks Glenn! I was in the Network item of the System Preferences, not Sharing. This cleared it all up.
Great article, Glenn. Nice to see Apple finally updating OS X sharing for better security.
Any ideas how this is dealt with in iOS, i.e. the iPhone's Personal Hotspot feature? If I share my iPhone's 3G connection over Wi-Fi, is this the same as ad hoc sharing in OS X, i.e. does it use just some 40-bit WEP?
iOS only allows the use of WPA2 Personal for the Personal Hotspot feature, which is part of why it was weird to me that Apple couldn't get that updated correctly for Mac OS X. There's no option to use WEP with Personal Hotspot, and iOS even prefills a strong easy-to-remember password as a default the first time you enable Personal Hotspot.
This is all great, except that the Sharing control panel has all the options grayed out, including the Wi-Fi Options button. A nearby iOS device sees the shared Wi-Fi network but says it can't connect, and I have no idea what the password might be.
I see that other people are reporting this same problem.
I haven't seen this, so I can't troubleshoot it. We'll post something if there's a solution.
Just trying it now, all the Internet Sharing options are grayed out when you turn Internet Sharing on. If I uncheck Internet Sharing, I can click the Wi-Fi Options button and set those options.
Yes, if Internet Sharing is enabled, you can't change the options. You have to uncheck it, then select interfaces.
Rob, is that the issue? I thought you meant that you couldn't change anything in the Sharing preference pane at all.
D'oh! That was it. Sorry.
Thanks for the great explanation!
What I'm experiencing is that if I try to use WPA2 on a 2.4 GHz band, neither my MBA nor my 4S can connect to the mini (that's where I share the connection from). I always get a "connection timeout" message on the MBA in the dialog where you used to put the connection password.
Using the very same passphrase with WPA2 on a 5 GHz channel works like a charm, though it leaves my iPhone out, of course.
Any idea what that might be?
cheers
That's peculiar. Have you tried different passphrases just to see if that's the problem? It shouldn't be, but I'm baffled.