Online Security, a global provider of computer forensics and information technology risk mitigation since 1997

  Wi-Fi Security and WarDriving  


   
Posted: Aug 01 2003
James Carlini

INTRO: “Your wireless router is as secure as the Titanic was unsinkable,” observes Northwestern Adjunct Professor James Carlini.

Talk about the erosion of privacy. With the proliferation of wireless routers for the home and office, privacy has sunk faster than the Titanic for most who do not understand anything about implementing security measures on Wi-Fi technology. Those who claim they do are in the minority. Securing wireless routers is not something the average consumer commonly does, as you will see. If you are serious about security, you must change the default password on the router and switch to WPA (Wi-Fi Protected Access) for starters.

Many people tout their wireless router as being a great way to portable-ize their computer to the rest of their home network. Little do they know how fast someone can zero in and steal their Internet service using some cheap homemade devices.

A CLASS PROJECT FOR JAMES BOND - WARDRIVING

In my Network Security class this last semester, I assigned projects so that students could get a better understanding of developing security measures and their importance. One student decided to test the wireless routers that people use to see how vulnerable they are. Rather than writing a paper or researching firewalls or writing about intrusion detection systems, he decided to do a hands-on project. Since there was so much hype about wireless, I gave the approval to go ahead. I always like seeing what students will do.

The semester before, I had a student break into a network that was supposedly well-protected by great network security administrators (another oxymoron). It was a great testimony to what was taught about sloppy security procedures (he got permission from the organization’s management). He applied what he learned and saw that it was real and not conceptual. This semester we had to somehow top that and we did.

“Wardialing” is a hacking term used to describe dialing many phone numbers and trying to find a weakness or an opening into a computer network. “Wardriving”, which is similar to wardialing, is when someone takes some equipment and drives around trying to find access points or “hot spots” that are linked into an Internet access point.

A student wanted to do a project on Wardriving and it sounded good.

“CANTENNAS” DO WORK

You don’t have to be Q to have the right gadgets to break into a wireless router. You don’t need Q’s budget either. The student decided to follow directions for making a directional antenna out of a Pringles potato chip can and built it to hacker specifications he found on the web. He fashioned it as well as he could and also got the interface needed to hook it up to his laptop.

The “cantenna” performed better than what everyone expected. Directional antennas that could cost around $1,000 were not any better than this device that he made for under $50. In fact, the biggest cost was getting a cigarette lighter adapter for the car so that he did not run down his laptop’s battery. That added about another $50 so his whole “wireless snooper” tool kit cost just under $100.

Many are probably wondering, “How far could he pick up a signal?” Is a half mile good enough? Talk about recycling potato chip cans!

Although he didn’t drive around in an Aston Martin, he did manage to pick up signals from his car, not only from the high rises but also from a mortgage company, a law firm, a network at an Internet café and the check-out application running in the lobby of a Michigan Avenue hotel.

REAL STATISTICS

Many of you will list a bunch of potential countermeasures and ways to “protect your wireless router” to make the argument that this article is just hype and most people are protected. Well, save your e-mails and quibblings. Check out the score.

Here are the real statistics that he gathered. In a two-hour period driving around Chicago’s Lake Shore Drive, he uncovered 255 sites. Out of those sites, 175 were non-encrypted and 65 had the default password still onboard. So much for the security experts that think everyone is up to “protecting their network”. The reality is that a significant majority (two thirds) were non-encrypted and 25% had default passwords.

Within minutes, he could have logged onto many routers and gotten Internet access. On the ones with default passwords, he could have gone in and changed the password, thereby locking out the owner and making his own private “wireless portal” into Internet services that only he and his friends would have access to.

In doing some more research on this, I found that others have engaged in this new form of hacking, and there are stories of similar discoveries of unprotected network access points. Some found an even greater percentage that used default passwords and were totally vulnerable.

Besides Pringles cans, other homemade directional antennae have included Yuban coffee cans as well as soup cans. Testimonies of their successful use were found at various sites.




WHERE IS THE WI-FI SITE?

There are several programs you can use to really make the wireless snooper accurate. Besides collecting router information, you can also use a program that will give you GPS parameters. Go to netstumbler.com and you will find a wealth of information as well as the program that links collected data to MapPoint 2002 which will tag it with location information.

So now you can capture the information and also pinpoint the location of the router. Not bad for a “class project”.

ARE NEW WI-FI VENTURES GOING TO SPEND MONEY ON SECURITY?

Last week, the San Jose Mercury News announced that McDonald’s is starting to launch sites in the Bay Area that would be Wi-Fi hotspots providing wireless Internet services. Other large companies have also announced their intent to open up new access points. SBC is supposed to roll out 2000 locations in high-traffic areas like airports and hotels across its 13-state region starting in the fourth quarter this year.

I question whether or not all of these companies understand the security ramifications they need to address. They are just following a consumer trend but one wonders if they are going to get hacked and what the ramifications will be for their negligence in security.

WHAT ELSE IS WRONG?

My own suspicions lead me to believe that Voice over IP (VoIP) can also be stolen off a loose wireless router. If I can get onto the Internet, who’s to say I could not also take VoIP capabilities as well?

This is something to really think about before you make any quick decisions that VoIP is the solution for your firm. Is your network infrastructure secure enough to allow wireless access? The wireless access could be a huge open driveway that has access to the information super highway.

Based on what I have seen in a simple project as well as several sites on the web, this is NOT going to be a simple problem to overcome. Wardriving seems to be the new “sport” in wireless hacking.

From feedback I have gotten from others in the industry, there already are companies that are changing their wireless plans because of the lack of security in wireless infrastructures. Wireless cash registers appear to be the target of some hackers, and unless specific security steps are taken, the large retail stores that employ that technology are prime targets. There are already some credit card incidents that are being investigated.

Those that thought wireless “was the way to go” better review all the issues.


CARLINI-ISM: With network security, you are only as good as your network administrator no matter what the operating system or network software.
