Indometric


Sep 25
Thursday
WiFi

Getting a Grip on Reality: Wide Open 802.11 Networks Around Us


Wireless Security

As mentioned, in the majority of cases an attacker does not have to do anything to get what he or she desires. The safe door is open and the goods are there to be taken. The Defcon 2002 wardriving contest showed that only 29.8 percent of 580 access points located by the contestants had WEP enabled. As much as 19.3 percent had default ESSID values, and (not surprisingly) 18.6 percent of discovered access points did not use WEP and had default ESSIDs. If you think that something has changed since then, you are mistaken. If there were any changes, these were changes for the worse, because the Defcon 2003 wardrive demonstrated that only approximately 27 percent of networks in Las Vegas are protected by WEP. Because one of the teams employed a lateral approach and went to wardrive in Los Angeles instead, this number also includes some data for that city.

The Defcon wardrive observations were independently confirmed by one of the authors wardriving and walking around Las Vegas on his own.

Are things any better on the other side of the Atlantic? Not really. We speculated that only around 30 percent of access points in the United Kingdom would have WEP enabled. To validate this for research purposes, one of the authors embarked on a London sightseeing tour in the well-known open-top red double-decker bus armed with a “debianized” laptop running Kismet, a Cisco Aironet LMC350 card, and a 12 dBi omnidirectional antenna. During the two-hour tour (exactly the time that the laptop’s batteries lasted), 364 wireless networks were discovered, of which 118 had WEP enabled; 76 had default or company name and address ESSIDs. Even worse, some of the networks discovered had visible public IP addresses of wireless hosts that were pingable from the Internet side. If you are a wireless network administrator in central London and are reading this now, please take note. Of course, in the process of collecting this information, no traffic was logged to avoid any legal complications. The experiment was “pure” wardriving (or rather “warbusing”) at its best. Not surprisingly, warwalking in central London with a Sharp Zaurus SL-5500 PDA, D-Link DCF-650W CF 802.11b card (wonderful large antenna, never mind the blocked stylus slot), and Kismet produced the same results. A similar level of 802.11 WLAN insecurity was exposed in Bristol, Birmingham, Plymouth, Canterbury, Swansea, and Cardiff.

Crossing the English Channel does not help either. One of the authors has driven from Warsaw to London with another Zaurus/D-Link CF card/Kismet kit and found a similar ratio of WEP/noWEP 802.11 networks, including very powerful unencrypted point-to-point links crossing the countryside motorways in the middle of nowhere. Another author has evaluated 802.11 security in Riga, Latvia. Curiously, the wireless networks in Riga were so abundant that it was virtually impossible to use the middle ISM band (2.4–2.45 GHz) and many networks went to the UNII (5.15–5.35 and 5.725–5.825 GHz) or even licensed ~24 GHz bands. Many legacy Breeznet and 802.11 FHSS networks were present. The wireless boom in Riga can be explained by ancient, noisy, Soviet-period phone lines incapable of carrying xDSL traffic without a significant packet loss/retransmission rate. Yet, despite the popularity of 802.11 networks, hardly anyone used WEP.

If you think that the majority of these unprotected wireless networks were home user access points, wireless community networks, or public access hot spots, you are incorrect. Many of the wide open networks we have observed “in the wild” belong to government organizations (foreign governments included) and large corporations (multinationals included). In fact, some of these corporations are major information technology (IT) enterprises or IT-related consultancies, which is particularly discreditable! We don’t even dare to think how many of the 802.11 networks located had implemented proper security measures beyond the standard (“crackable”) WEP and MAC address filtering. Single-digit percentage values surely come to mind. Considering that both WEP and MAC filtering are not hard to circumvent with a bit of patience, it is not surprising that security remains the major concern restricting the spread and use of wireless technology around the world. At the same time, there are efficient wireless security solutions available, including powerful and reasonably priced free and Open Source-based wireless safeguards that we describe in the second part of this book. Unfortunately, very few wireless network engineers and administrators are aware of the existence of these solutions. As always, the human factor proves to be the weakest link.



 


All content and source © 2010 Indometric. All rights reserved. See our Privacy Policy and DMCA Information