 |
|
 |
|
|
Redspin Security Management Advisory
|
 Back To Redspin Security Management Advisory Headlines
|
 |
Volume 11 | March 2009
|
 |
|
The Same Old Song and Dance
It seems like it's been forever since wardriving was used to map out the neighborhood Wi-Fi scene. I remember when statistics about mass wireless networks first started to emerge. I remember building antennas out of soup cans and a wire coat hanger. I remember having to build GPS drivers from source so Kismet could include coordinates in its output. I even remember cracking my first WEP network — it took me the better part of a week.
It all seems like ancient history now.
|
|
Probably a waste of time
If that was forever ago, we must have come up with some new way to secure wireless networks. We must all be running high-end encryption and have everything locked down right from the factory. After all, wireless vendors know what can be done with a laptop and some free wireless utilities. Even non-techies can tell you the dangers of WEP and running default networks. If that's true — wardriving would probably be a waste of time these days. That's what I thought about one weekend, so I set out to get a glimpse on the current state of wireless security.
70% Attractively Crackable
I grabbed my Eee PC, fired up Kismet, hopped in the Jeep, and tore off across the countryside. After an hour of driving through the little beach town I live in, I had collected information on about 900 unique networks. Once I got back to the house, I fired up a shell and got to work analyzing the data. The spread of open, WEP, and WPA encrypted networks surprised me. I didn't think I would find almost 300 open networks in this little town. Add in the 345 WEP protected networks, and that's about 70% of total networks either completely open or protected with exceedingly crackable encryption.
Identity Theft waiting to happen?
Next, I did analysis on the SSID's (the name of the network). This was also pretty interesting. Almost 10% of all networks had 'linksys' as their SSID. If they didn't change the default SSID, I can imagine they changed little else. A number of the networks had personal names as their SSID's (identity theft waiting to happen?). A few more had their street addresses as the network name. Some of the apartments and condos even had their apartment number worked in somehow.
|
"If I ever get arrested, I could email someone for bail money"
Another interesting thing I noticed was wireless used by businesses. Digging through the raw output — I came across a lot of networks with familiar names because they belonged to businesses in town. A large CNC and prototyping shop in town had an open Wi-Fi network. A few other smaller businesses had wireless networks with their name on it. I also came across a large amount of hidden networks when I drove through industrial areas — I can only assume that some more prodding would produce more business networks. The biggest shock to me was the local police station running WEP! At least if I ever got arrested I could email someone for bail money.
|
Businesses Should Know Their Risk
It appears it's the same old sad state of wireless security out there. I don't expect general consumers to fret over the differences between WPA1 and WPA2, or how much overhead AES encryption has — but I expect businesses to know their risk. They should invest in a wireless penetration test or wireless security audit if they intend on rolling out wireless. Hire a professional to assess your physical surroundings for existing wireless networks you may not know about, and then have them help plan out implementation strategies with you. Wireless can be a great way to get some freedom from traditional networks, but all that freedom can come at paralyzing costs. A little planning and research can help slim down attack surfaces, and can help make casual wardriving a thing of the past.
|
|
|
 |
