
Cracked by PC World

Lax security implementation leaves wireless networks wide open — allowing The Technical Guy (and friends) to go on a successful hacking spree up Auckland’s Queen St.

By Juha Saarinen / Monday, September 03 2001

While most of Auckland was sheltering from an unexpected late-winter blast, a band of evil crackers set out to map vulnerable wireless networks in the city’s central business district.
Using hi-tech equipment and sophisticated software, they quickly picked up the first 802.11 local area network. The network’s name (or SSID) told the crackers which company they had spotted; not only that, but it had the location of the wireless access point.

Using an open network, they uploaded the information gleaned to a distributed worldwide database, which enabled other crackers to find the networks with ease.
To passers-by, they looked harmless enough, three nondescript men in their late twenties and mid-thirties. Nobody noticed that they were listening in on network traffic emanating from business and banks, as well as research institutions and government bodies.

How much of this did I make up? Well, to start with the “band of evil crackers” was in fact a benign bunch of e-bandidos, comprising John S. Russell, IP operations manager of Auckland-based telecommunications company Callplus, and David Robb, senior network engineer at Ihug — as well as yours truly.
Second, we didn’t use any hi-tech gear as such. I brought an ASUS T9400 portable (courtesy of Morningstar Computers) into which David put a vintage model WaveLAN card. John had his trusty Compaq iPAQ hand-held — with a Cisco Aironet card inserted. The mapping software we used on the ASUS portable was NetStumbler, but it wasn’t strictly speaking necessary. The standard wireless client software that comes with most network cards can do more or less the same things as NetStumbler; it’s just less convenient. NetStumbler keeps a list of the access point MAC (media access control) numbers and the System ID (SSID) that you use to connect to the network. In other words, we used pretty bog-standard equipment, which requires only a passing understanding of wireless networks.
As we didn’t have time to source any aerials to amplify the signal, we were a bit concerned that poor reception would spoil the experiment. Fortunately for us, many wireless network administrators turn up the power of the access stations to the max, blasting out data hundreds of metres away. With an antenna, we would have been able to pick up many more networks than we did, however.

Neither did we have a GPS (geographical positioning system) to help pinpoint the exact location of the access stations, but as so many were named with the location it wasn’t really necessary. Some of the more serious crackers use GPS and the signal strength to triangulate the exact position of the access point. They even claim to be able to work out which floor it’s situated on, and how many walls there are, by looking at the signal. Oh, and there is a worldwide database of access points. Check out netstumbler.com for example — they give out T-shirts to those who add the most networks per week.
Other than that, it only took us five minutes or so to pick up our first network. We were actually spotted by eagle-eyed staff at a network integrator, who thought we “looked dodgy as hell” (um, maybe the sunglasses didn’t help – ed) and quickly turned off the company’s access points. Must have been the largish portable that gave the game away.

Networks Wide Open
As AP Mapping isn’t anything new, we expected to find mostly secured networks. To our surprise, the majority weren’t even using WEP (wired equivalent protocol), which provides rudimentary security through 40-bit or 128-bit encryption keys — of the 18 networks we saw during roughly 30 minutes of active scanning, only five had WEP enabled.
We most certainly didn’t expect to be welcomed into an outside network without any kind of authentication. John’s iPAQ was assigned an IP address, gateway and DNS servers through DHCP (dynamic host configuration protocol) — giving him full access to the network in question.
An evil cracker, in the same situation, might have used the network access to spy on sensitive data, or as a stepping-stone for nefarious activities such as sending spam, or attacking other networks, all for free and completely undetected. John of course did nothing of the kind. The test was just to prove that anyone, without any particular skills, could get invited to wireless networks in Auckland CBD.
Another popular wireless application that we saw was bridging two networks in separate buildings. A popular fashion retailer showed up three times in our NetStumbler list and we also picked up access stations that appear to belong to a bank. As these networks might be used to send sensitive data such as credit card numbers and EFTPOS pins, it’s to be hoped that the communication is encrypted end-to-end.
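The tally above (18 networks seen, five with WEP, one retailer appearing three times) is the kind of summary an administrator should be able to produce from a scan of their own premises. The following is an added example, not code from the column or from NetStumbler: it parses a constructed, simplified tab-separated scan export (BSSID, SSID, channel, WEP flag, signal) and reports how many access points run without WEP and which SSIDs are served by several access points, flagging any SSID where at least one of its access points is unencrypted, since a bridge with one open radio is only as secure as that radio. The column layout and the sample lines are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample export (not a real capture from the walk described above).
# Assumed columns: BSSID, SSID, channel, WEP enabled (Y/N), signal in dBm.
SCAN_EXPORT = """\
00:02:2d:aa:00:01\tQueenSt-Level3\t6\tN\t-61
00:02:2d:aa:00:02\tQueenSt-Level3\t11\tN\t-70
00:40:96:bb:10:10\tRetailBridge\t1\tY\t-55
00:40:96:bb:10:11\tRetailBridge\t1\tY\t-58
00:40:96:bb:10:12\tRetailBridge\t6\tN\t-80
00:60:1d:cc:20:20\tdefault\t6\tN\t-66
"""


def parse_scan(text):
    """Turn the export into a list of access-point records.

    Blank lines are skipped; a malformed line raises rather than being silently
    dropped, so an audit never under-counts open access points.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 columns, got {len(fields)}")
        bssid, ssid, channel, wep, signal = fields
        records.append({
            "bssid": bssid.lower(),
            "ssid": ssid,
            "channel": int(channel),
            "wep": wep.strip().upper() == "Y",
            "signal": int(signal),
        })
    return records


def summarize(records):
    """Headline numbers: total access points, how many with WEP, how many open."""
    wep = sum(1 for r in records if r["wep"])
    return {"total": len(records), "wep": wep, "open": len(records) - wep}


def aps_per_ssid(records):
    """Map each SSID to the number of distinct BSSIDs serving it (bridges and
    multi-AP sites show up here, like the retailer seen three times)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["ssid"]].add(r["bssid"])
    return {ssid: len(bssids) for ssid, bssids in seen.items()}


def ssids_with_open_aps(records):
    """SSIDs where at least one access point has WEP off, with the offending
    BSSIDs, sorted for stable reporting."""
    open_by_ssid = defaultdict(list)
    for r in records:
        if not r["wep"]:
            open_by_ssid[r["ssid"]].append(r["bssid"])
    return {ssid: sorted(b) for ssid, b in sorted(open_by_ssid.items())}


if __name__ == "__main__":
    recs = parse_scan(SCAN_EXPORT)
    print("summary:", summarize(recs))
    print("access points per SSID:", aps_per_ssid(recs))
    for ssid, bssids in ssids_with_open_aps(recs).items():
        print(f"WEP off on {ssid}: {', '.join(bssids)}")
```

Run against a real export the same way, after adjusting the column order in `parse_scan` to match whatever the scanning tool actually writes.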

Raising Defences
What should admins do to secure their networks? As of writing this, WEP has been found to be easily compromised, so even if it were enabled, it would be trivial to sniff traffic undetected, and to run a cracking program on the collated data to obtain the reusable keys. A new standard, 802.11e, is in the works to fix WEP, using 128-bit Rijndael AES (advanced encryption standard). However, it looks like it won’t be available until 2002 at the earliest.
Some form of authentication to deter casual or unintentional access to the network by strangers is a must. Try to implement access control lists that contain the MAC addresses of the wireless cards allowed to access the network (but be aware that some cards can have their MAC address changed). Also, introduce CHAP (challenge authentication protocol) with RADIUS (remote authentication dial-in service) servers to keep track of who logs onto your network. The new 802.1x authentication standard (supported by Microsoft Windows XP) could also be worthwhile.
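To show why a challenge/response scheme such as CHAP is a step up from letting DHCP hand out addresses to anyone in range, here is an added example (not code from the column, and not a RADIUS implementation) of the CHAP exchange from RFC 1994: the authenticator issues a fresh random challenge, the peer answers with MD5 over the identifier, the shared secret and the challenge, and the authenticator compares that against what it computes from the secret it holds for that user. The secret never crosses the air, and because each challenge is used once, a captured response cannot simply be replayed. The user names, secrets and the in-memory user table are constructed for the example; in a real deployment the secrets would live on the RADIUS server.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response = MD5(Identifier || secret || Challenge).

    MD5 is what the RFC specifies; this is a keyed one-way function, not a
    general-purpose hash choice.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Access-point / NAS side: issues challenges and verifies responses.

    `users` maps user name -> shared secret (constructed table standing in for
    the RADIUS user database).
    """

    def __init__(self, users: dict):
        self.users = users
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge awaiting a response

    def challenge(self):
        """Start an attempt: new identifier, new 128-bit random challenge."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check a response; the challenge is consumed whether or not it matches."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: knows its name and secret, answers whatever it is challenged with."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(auth: Authenticator, peer: Peer) -> bool:
    """One full Challenge -> Response -> Success/Failure round trip."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


def replay_is_rejected(auth: Authenticator, peer: Peer) -> bool:
    """A response that was valid once must not be accepted a second time."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    first = auth.verify(ident, name, resp)
    second = auth.verify(ident, name, resp)
    return first and not second


if __name__ == "__main__":
    users = {"alice": b"alice-constructed-secret"}  # constructed
    ap = Authenticator(users)
    print("alice, correct secret:", run_exchange(ap, Peer("alice", users["alice"])))
    print("alice, wrong secret:  ", run_exchange(ap, Peer("alice", b"guess")))
    print("replay rejected:      ", replay_is_rejected(ap, Peer("alice", users["alice"])))
```

Note that CHAP only proves who the user is; it does nothing for the confidentiality of the frames that follow, which is why the column pairs it with encryption and network segmentation.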

Treat wireless networks as inherently insecure. Limiting access from the wireless network to the rest of the LAN is a good idea. One of your users could mislay his/her portable device, which might have access passwords saved on it. If that happens, your entire network could become compromised. The wireless network should also be implemented as a virtual private network (VPN), which uses strong encryption to tunnel data between end points on the network. The challenge here is to find a VPN protocol that is not only secure, but also compatible with your gear and doesn’t chew up too many resources in PDAs and hand-held PCs.
Since securing 802.11 requires so much effort, small to medium-sized businesses should probably think hard before implementing wireless networks. Does the convenience of wireless LANs really outweigh their innate security risks?

Larger firms that spend thousands of dollars on firewalls and other security equipment need to understand that all that investment can be rendered useless by a poor wireless implementation. One worry is that even if the network admins are clueful about security, unbeknownst to them some happy marketing chappies might decide to put in a cool wireless access point into the meeting room so that they can roam around with their flash porties. Such a move could easily blow away corporate IT security in a few minutes. Meanwhile, if you have already implemented a wireless network, you can be reasonably certain that it has already seen unwelcome guests. Ours wasn’t the first wireless walkabout. Time to bring forward that security audit, perhaps?

juha_saarinen@idg.co.nz