Wednesday, 3:30 p.m., Espresso Royale on lower State Street. The drone of a latte machine and the gentle throb of the indie music mix permeate the cafe.
If wireless Internet made a noise, the air would be filled with the whir of information being exchanged, too. But the information can be heard plainly by the roving ear of a laptop at a side table.
An employee of a local technology firm, who preferred to remain anonymous due to professional concerns, set up a laptop to record information transmitted over Espresso Royale's unencrypted wireless network for a demonstration to The Badger Herald.
All of the programs used are freely available for download. The employee estimated it took two to three hours of research to begin collecting information.
According to the free "sniffer" software installed on the eavesdropping laptop, called Kismet, nine devices are connected to the cafe's Wi-Fi this afternoon, three of which are actively surfing the Internet. None of them are using security software over the unsecured network, so the laptop can intercept almost anything they send or receive.
One user with the temporary Internet Protocol address 192.168.0.137 is checking Google e-mail. 192.168.0.31 is pulling up the forecast for Charmany Farm, Wisc., through a Yahoo! weather widget program.
192.168.0.29 is chatting on AOL Instant Messenger while looking at news results about presidential candidate Ron Paul.
The content of the conversation is trivial, but the fact that such information is open to those who seek it out was discomforting to a patron at a neighboring table.
"It's really scary," said University of Wisconsin graduate student Nicole Kvale. "I'm mad impressed and really creeped out."
As wireless Internet becomes increasingly available in Madison, UW plans to extend wireless access to all campus buildings by the end of the semester. Wi-Fi provider Mad City Broadband currently offers service in large areas of the Isthmus and South Side. Some experts caution, however, that these wireless networks are not always as secure as they appear.
Whether users are chatting over instant messenger or typing in sensitive identity information, free software and a few hours of Google scholarship could be all that stands between their data and a stranger in a coffee shop.
Safe and sound?
The extent of Wi-Fi data protection depends on the security of the computer, the website being accessed and the network and Internet service providers offering the connection. If the wireless network isn't encrypted, anyone using a sniffer program can eavesdrop effortlessly, picking up information packets exchanged over a Wi-Fi network.
"If you don't encrypt your traffic, it's almost as if someone's sitting in a cafeteria. Everybody can hear them talk," said Suman Banerjee, a UW computer science professor who studies wireless networking.
With the wealth of information and programs available on the Internet, anyone interested in viewing whatever others type in, click on or look at over an unsecured wireless network can do so easily, Banerjee said.
"A little bit of knowledge of networks and how things work is enough for someone to start being malicious and collecting information," he said.
Even if a network offers some form of protection, it may not cover all of a user's activity. The Mad City Broadband wireless network is encrypted "throughout the communication layer" by Cisco technology, according to a spokesperson who declined to elaborate.
Although the communication layer, or transport layer — referring to the connection between access points located around a city and a central router — may be protected, the connection between a user's computer and an access point can still be open.
A brief listening session via a sniffer laptop from a car outside Capitol Centre Apartments Tuesday night indicated that subscribers to Mad City Broadband surf without protection unless they set up security themselves. The apartment complex uses the company's "Mad City-MDU" apartment building service.
The sniffer program revealed several AOL Instant Messenger conversations, including one about a fake identification card:
User1: hey btw, do you have your old fake?
User2: give me a bit, I am looking
User2: why you need?
User1: my friend wants it for his sis
User2: why don't i give her my ID?
User2: does she look like me?
User1: yeah, good enough!
Taking your life into your own hands
Mad City's security precautions correspond to industry standards, according to the company.
USI Wireless, which was contracted by the city of Minneapolis to provide citywide wireless by December, follows a similar system by only encrypting the connection between the access points and the central router. But if customers buy the wireless modem offered through the company, their connection to any access point is also encrypted.
"If you choose not to use our hardware, you take your life in your own hands," USI Wireless CEO Joe Caldwell said.
"Is it our responsibility to run after you to remind you not to leave your house unlocked with a sign that says 'not home?'" he asked.
The UW wireless network, which currently operates from access points in 98 percent of campus buildings, is relatively safe despite offering unencrypted Wi-Fi, according to UW Division of Information Technology communications manager Brian Rust.
An encrypted entrance portal allows only users with a UW NetID and password to access the network and prevents theft of UW login information, a configuration that meets the security needs of most students, Rust said.
"It's convenience and expediency versus cost and security," he explained, noting UW wanted to make its wireless network simple and easy to use above all else.
Most students and faculty use UW wireless Internet for schoolwork and innocuous communications, content unlikely to attract interest from information snoopers, according to Rust. He said he uses the unsecured Wi-Fi for most of his Internet needs. The UW offers free virtual private network (VPN) software available to allow users to encrypt their data being sent over the campus Wi-Fi network, although Banerjee said the software is not widely used on campus.
Many wireless network providers face a dilemma over ease of use, according to Banerjee. Encryption takes time and money, and the process can become mired in compatibility issues when a large number of devices are accessing the network, he said.
Espresso Royale chose a user-friendly, unsecured setup when it began offering free wireless Internet two years ago, according to General Manager Liz Tymus.
"Just being in a college town, it would not be in our best interests to make it hard to get online," Tymus said.
Facing the consequences
With easier access, users generally run a greater risk of information theft, according to some experts.
"Accessing data from wireless systems is emerging as a trend for thieves, because of the ease of access to information," said David Tatar, manager of the state Consumer Protection Bureau's Office of Privacy Protection. The office partners with law enforcement to investigate identification theft and mediate identification theft complaints.
Of the estimated 50 million wireless systems that have been sold in the U.S., only 30 percent are considered adequately protected, Tatar said.
College students and their peers are particularly at risk, he said, adding that 32 percent of identity theft complaints in Wisconsin are filed by people between the ages of 18 and 29, the largest percentage of any age group.
No data exists on how often identity theft arises from information stolen over the Internet or Wi-Fi, since it's often impossible to find the cause of a theft. In addition, the majority of cases go unreported, Tatar said.
Combating data theft
On open public networks and the partially secured university and Mad City networks, users must take precautions on their own if they want to ensure their information stays private, Banerjee said.
For the best results, users should install VPN software, a common practice at most enterprises and businesses. The VPN software allows access to a trusted network through an encrypted tunnel over unsecured wireless or other networks regardless of location, offering "blanket security for everything," he explained.
Users should also be cautious about giving information on websites over unsecured wireless, Banerjee said. Many reputable sites, such as financial institution homepages, encrypt a user's information, but devious operators can mimic such secure code.
Although none of the Wi-Fi providers knew of any reported security breach stemming from wireless use, Banerjee noted that most students do not take the issue of Internet security seriously enough.
"You only take notice once you've been hit," Banerjee said.
But one student was already alert to the risks of unsecured Wi-Fi: Observing the sniffing process in Espresso Royale, Nicole Kvale vowed to change all her passwords to be more secure.
"I'd like to learn how to not have that happen to me," Kvale said.
As the staff filled the air with the sound of brewing lattes, the laptop silently kept listening for information.