Helping people with computers... one answer at a time.
Sharing your wireless internet access with a neighbor might seem like a friendly thing to do, but be aware that you are potentially putting your own computers at risk.
•
Let me, at least, make one important correction to what you've described:
If you give someone access to your wireless access point, you have given them access to your home network.
They're on it.
Now, what they can see depends on a number of things but to be blunt...
I hope you trust them.
•
A Wireless Connection
It's important to realize that a wireless connection - regardless of how your hardware is set up - is a connection to your network.
A very common scenario looks like this:
That's a simple setup where multiple computers are connected to the internet via a single device: a wireless router. Some computers are wired, and some computers are connected via the wireless connection.
It's important to realize that this is exactly equivalent to this:
A wireless router just puts the wireless access point in the same box as the router itself, but in either case it's nothing more than a connection to your local network.
And of course machines on your local network should all be able to "see" each other.
About That Encryption
It's good that your wireless access point is using encryption, but it's important to realize what it does and does not do.
By giving your neighbor the password you've given them the encryption password. As a result, the encryption is not affecting your security with respect to them at all. It's as if they were connected directly to your network - because they are. It's almost the same thing as having given them a wired connection to your router.
The encryption prevent others - people to whom you have not given the password - from accessing your network.
But that's all.
What's the Risk?
There are three basic risks:1
-
If you have computers that share files or a printer among themselves, your neighbor may be able to access them.
-
There's a tiny risk that depending on how your router routes traffic that your neighbor may be able to "see" that traffic. I call it tiny because routers typically do not route traffic to computers not involved in the conversation.
-
If your neighbor's computer becomes infected with malware it may propagate to your machines.
To be honest, it's the last one that scares me the most. The first two are all about your neighbor's intention, which in most cases is probably honest and above board and is at least something you can attempt to judge. The later, however, involves your neighbor's ability to keep their own system free of malicious software. That's a risk I'd be reluctant to take even with the best of intentions.
To address your banking concern: as long as your bank is using https then I don't see an issue. Https encrypts the connection between your computer and the bank, so even if your neighbor was able to see your network traffic they would not be able to decode your banking conversation.
Protecting Yourself
So, short of denying your neighbor access to your network, what can you do?
At a minimum turn on the Windows or other software firewall on every machine you have on your network.
A more secure approach is to use a second router:
The important characteristic here is that there is a router between your local network and the point at which your neighbor connects.
As I often say, a router acts as a firewall, and as such it has a "trusted" side - your local network - and an "untrusted" site - normally the internet - that it's protecting you from. This setup draws that trusted/untrusted line between you and your neighbor.
Yet another approach is to get a wireless router specifically designed for this application. In recent years wireless routers have come to market that actually provide two separate wireless connections, one of which is isolated from your local network. While the intent is typically to provide access to the occasional guest in your home, the guest connection could also be the one you share with your neighbor.
One Possible Legality
Finally, there's one more thing I want you to look into before you agree to share your internet connection with your neighbor.
I want you to check the terms of service with your ISP.
It's very possible - perhaps even likely - that they explicitly prohibit this type of sharing (you're taking away a potential customer after all).
While it's unlikely that they would detect that the connection was being shared with a neighbor, if they did you could be penalized in some fashion.
(This is an update to an article originally published July 26, 2005.)
1: note that on a password-protected Wifi hotspot being able to access the hotspot does not imply that you can also sniff the traffic of other computers connected to the same hotspot. Even though the password to connect is shared among all users, in WPA and WPA2 the actual encryption key used for each connection is different.
Article C2395 * March 29, 2013 « »
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
April 7, 2013 9:05 PM
A friend in another business in my building gave me a unique password for his wifi system, just so I can use it when I need to when I bring my laptop there. Is this as bad as the situation in your article?
April 8, 2013 1:38 AM
@Robert
It's exactly the same situation but in reverse. So, as long as you behave, there shouldn't be any trouble :-)
April 8, 2013 2:14 PM
I implemented the two router solution shown by Leo for a small non-profit school so that parents could surn while waiting for their children's lessons. The parents like it.
Implementation was an incredible hassle, basically trial and error to configure both routers. Can someone give a lucid explanation of the way and better the theory bheind putting two routers onto different "subnets" so they don't interfere with each other? Changing the subnet masks was not the way to do it.
April 9, 2013 6:39 AM
Never give your password for router to a friend or anyone even if you trust them you have no idea what he or her dose on the internet. Like one comment said child porn how do you no he or her dont look at it. best to not do this i would re set it if i was you.
April 9, 2013 12:00 PM
John O'Meara:
This is a little long-winded, but I have done this for both my home and my office to separate all wireless clients from my
wired network.
A router's job is to separate networks, your private home network from the public internet. Let's say for example you have a
wired router for yourself, and a wireless router that you want to have available for guests. But you want the wireless
network to be separate from your wired network.
The simplest way to do this:
First thing is to hard-wire your computer to the wireless router ONLY. You will be making changes to the wireless network
setup and do not want to be disconnected midway through. Don't worry about internet access as all you are doing is
reconfiguring the wireless router for right now.
What you are trying to accomplish is making the wireless router have a different LAN IP address & IP range than your wired
router.
Example: If the wired router's local LAN IP is 192.168.1.1 (What you type in a browser to configure the router) you can
change the wireless router's local LAN IP to 192.168.2.1, (Or 10.0.0.1, whatever) and leave DHCP enabled on the wireless
router so it can hand out IP addresses to wireless client's.
The wireless client's IP addresses will be part of the 192.168.2.x network and not the 192.168.1.x network. You can leave the
wireless router's subnet mask as 255.255.255.0 or if the wireless router changes it, that is OK too.
The only thing left is to set the wireless router's WAN IP. It probably will get the IP from the wired router's DHCP, but I
like to statically assign it using a higher IP outside of the wired IP range (Ex 192.168.1.254). The WAN IP of the WIRELESS
router has to match the LAN IP range of the WIRED router. This is where a lot of confusion occurs.
When you plug the wired router's LAN port into the wireless router's WAN (internet) port you are separating the 2 networks.
Nothing on the wireless side can see or connect to anything on the wired side & vise-versa.
The only problem doing it this way, since they are TOTALLY separate, is administering the wireless router through your web
browser. You can do it through a wireless client, but if you want to do it from your wired desktop you need to enable port
forwarding on your wired router to the remote management port of the wireless router, typically 8080.