Without security, hacking a wireless network is easy. Anyone with a PDA and a wireless card can sit outside a building that runs a wireless network and see its broadcasts. Attacks using long-range soup can antennas, warchalking and wardriving are common in cities, because many companies are still neglecting basic wireless security. We decided to find out how easy it is to find rogue access points in London.
With the help of Network Associates (NA), SC Magazine assembled a wardriving team. We started in the Docklands and worked our way west into the City, finishing in the West End.
Almost half of the networks we found were unencrypted, and half of those we traced to the hosting company because of transparent service set identifiers (SSIDs). A potential hacker would know the company he is attacking from this information and could pinpoint its exact location with ease. Only a third of the networks we found were encrypted and used secure SSIDs, something that most experts think is just basic security.
"The 41 per cent of unencrypted networks we found disappoints, but doesn't surprise me," says Stuart Beattie, senior manager of marketing for Network Associates. "There's still a lot to be learned about wireless. We spent half an hour in each area. It didn't take a long time to find any networks. There's been a lot of press attention given to security issues over wireless, but we're here with 41 per cent of companies not even bothering with the most basic encryption."
When we started wardriving, Beattie, our "hacker", and Sam Barker, our photographer, walked around Docklands sniffing for IP broadcasts. Not long into the exercise, a security guard approached Barker to question him, while Beattie continued to scan the area for rogue access points. The security guard was oblivious to Beattie, whose basic equipment represented a very real threat to the surrounding businesses. Indeed, the guard eventually agreed to pose in a photo next to Stuart.
"I think that security guards have no awareness of wireless hacking threats whatsoever, or the electronic risks within their organisations," commented Beattie. "They are purely focused on a physical level of security. We were obviously trying to look for open access points, but the guard was more upset about the photographer being there. He wasn't interested in what I was doing as a potential hacker. While security was accosting the photographer, I was free to roam around and check out people's networks. No one cared what I was doing. If I was a malicious person, I could have been hacking into organisations' networks. Someone in the know would have seen the wireless card hanging out of the PDA."
The interest in the photographer instead of in Beattie demonstrated that the public still regards IT security and physical security as separate issues.
Educating security guards
"There's a big barrier between cyber security and physical security," said Beattie. "Security guards are not aware that their organisations could be under electronic and cyber attack. The problem is that PDAs and smart phones are very common these days. It's socially acceptable for people to walk the streets consulting their computers. Anyone who saw us just thought I was checking my diary. It's not seen as suspicious. But security guards know what a camera looks like and what it's capable of. They know it's an aspect of security, because it's written into their policy. But they certainly don't know that a PDA is a dangerous tool in the wrong hands."
Rogue access points are becoming a common problem in companies. A worker has only to install a wireless connection without permission, and network data will be broadcast up to half-a-mile away. Using the right tools, that wireless signal can be heard far beyond its intended range.
"One of the limitations of wireless is distance," says Beattie. "Depending on surroundings, the range is between 100 and 200 feet from the access point, depending on thickness of walls, steel, and so on. Soup cans can be used to pick up broadcasts further than 200 feet. They take a weak signal and amplify it, so the hacker can be further away. I've seen people pile up soup cans, but you can buy products that do the same thing."
Mark Stevens, chief technical officer for WatchGuard, described a classic example of soup can wireless. "There's a guy who lives on an island off the coast of Seattle and he's running wireless over 14 miles using cans," he said. "Someone with a half decent high-gain antenna could be sitting just half-a-mile away listening to your network."
Stevens also carried out a wardriving experiment, travelling 15 miles to see how many networks he could sniff out. "A few weeks ago, I loaded WEPCrack on my Pocket PC," he said. "I plugged in a wireless card and left it on my dashboard as I drove to work. I found 52 networks and only eight of them had WEP turned on. But the built-in WEP protocol is cryptographically very weak, and it's easy to download tools like WEPCrack that will let you break that."
Wired Equivalent Privacy (WEP) is the current standard security protocol on wireless devices. By default it is switched off, which leaves the door open for hackers. But even when switched on, WEP can still be cracked.
Although we looked hard, we failed to find any warchalked buildings in London. City maps of warchalked buildings are available on the internet, but we found enough networks without one.
"The idea of warchalking is based on the method that hobos used to use to signify where they could get food and shelter for the night," says Beattie. "Warchalkers have done the same thing. They mark a building to say that there's an accessible wireless network where people can use the internet for free. Typically, warchalkers are people looking for free internet, not malicious hacker types."
The financial areas of London scored well in our wardriving tests. We found few networks in the area, but most of those we did find were encrypted, which could indicate that many companies have adopted "no wireless" policies. Stuart pointed out that the results could also be due to the thick walls in some buildings, especially in the City.
"Most of the networks we saw in the financial areas didn't appear to have wireless switched on," says Stuart. "Half of all the networks that did were encrypted, which is encouraging. Whether vendors have done that, or it's turned on by default, they've been smart. I think the financial institutions are communicating their wireless policies very well. They're doing a good job. There were very few that we found, but most were well encrypted."
The highest concentration of open access points was found around Soho and Oxford Street in London's West End. Retail outlets were the most susceptible to attack, as they used no encryption and identifiable SSIDs.
"Most networks we found there were typical retail businesses," said Beattie. "Many didn't have encryption and the rogue access points were out in the open. If they were points of sale, they could transmit all kinds of stuff like credit card information, stock control, confidential files, emails or financial data. I've even seen customer databases accessed in clear text."
Sniffing networks requires a small amount of equipment. We used a PDA worth around £300, a wireless card (£35) and NA Sniffer software (£2,840). Beattie outlined the difference between scanning for networks and analysing network traffic.
Sniffing out what users are doing
"Things like Netstumbler are good for finding networks, but the key thing is to find what traffic there is," said Beattie. "I've seen organisations that tolerate wireless for certain situations like internet access, but they have some security for confidential things. With the sniffer, because we can see the application traffic, we can see what that wireless network is carrying and what users are doing."
Clearly, a fairly healthy proportion of businesses are aware of wireless security, but how can companies protect themselves from people like Beattie sniffing their data?
"There are two angles for prevention. If companies are going to deploy wireless, there needs to be an active policy and use of encryption. First of all, companies can turn on WEP; although it's not great, it's free and it's a start. There was no evidence of any VPN activity in this study either, which would infer that if we did break into a network, we'd see absolutely everything.
"They should think about a VPN solution and some secure authentication like RSA SecurID, so people have to actively log on to the network. That prevents people sniffing the traffic from outside."
We found that many companies used defensive SSIDs in an attempt to obscure their access points. Although 46 per cent of networks had instantly recognisable names, some used elusive strings of characters, like '$h$p$794AP1', in an effort to avoid detection.
But if a company bans wireless, how does an administrator regulate the network to make sure there are no rogue access points? "Companies can scan the area, the same way we did," said Beattie. "It's very important to check on a regular basis to ensure that no one has gone to the local computer shop, spent £150 on an access point, plugged it in, and hidden it under their desk. It's very difficult to find out if this has been done. The easiest way is to use a tool that looks for wireless traffic."
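The regular scan Beattie recommends, together with the SSID and encryption checks discussed above, can be automated against a site-survey export. The following is an added example written for this page, not code from the article or from Network Associates; the CSV layout, BSSIDs, SSIDs and inventory are all constructed.

```python
# Added example (not from the article): audit a constructed wireless site
# survey for rogue, unencrypted and company-identifying access points.
import csv
import io

# Constructed scan export; the column layout is an assumption, not any
# real tool's format.
SCAN_CSV = """bssid,ssid,channel,encryption,signal
00:11:22:33:44:01,ExampleBank-Corp,6,WEP,-51
00:11:22:33:44:02,SohoShoes POS,11,OPEN,-60
00:11:22:33:44:03,$h$p$794AP1,1,WEP,-72
00:11:22:33:44:04,linksys,6,OPEN,-40
"""

# Access points the network team actually deployed (constructed inventory).
AUTHORISED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:03"}
# Company names that should never appear in a broadcast SSID (constructed).
COMPANY_TERMS = ("examplebank", "sohoshoes")
# Factory-default SSIDs that usually mean an unconfigured consumer AP.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}

def audit_scan(scan_text, authorised, company_terms):
    """Return a list of (bssid, ssid, findings) for every AP in the scan."""
    results = []
    for row in csv.DictReader(io.StringIO(scan_text)):
        findings = []
        if row["bssid"] not in authorised:
            findings.append("rogue: BSSID not in inventory")
        enc = row["encryption"].upper()
        if enc == "OPEN":
            findings.append("open: no encryption at all")
        elif enc == "WEP":
            findings.append("weak: WEP only, add VPN and strong authentication")
        ssid_l = row["ssid"].lower()
        if any(term in ssid_l for term in company_terms):
            findings.append("identifiable: SSID names the company")
        if ssid_l in DEFAULT_SSIDS:
            findings.append("default SSID: likely unconfigured consumer AP")
        results.append((row["bssid"], row["ssid"], findings))
    return results

def unencrypted_share(results):
    """Percentage of observed networks with no encryption (the article's 41 per cent metric)."""
    n_open = sum(1 for _, _, f in results if any(x.startswith("open") for x in f))
    return round(100 * n_open / len(results)) if results else 0

if __name__ == "__main__":
    report = audit_scan(SCAN_CSV, AUTHORISED_BSSIDS, COMPANY_TERMS)
    for bssid, ssid, findings in report:
        print(bssid, repr(ssid), "; ".join(findings) or "ok")
    print("unencrypted:", unencrypted_share(report), "per cent")
```

Run against a real survey export, the rogue finding is the one to act on first: an AP missing from the inventory is exactly the £150 access point hidden under a desk.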
We found wardriving childishly easy. Within minutes of starting we picked up open access points and we found the same trend throughout the day. It is easy to see how a hacker could break into some of these networks with the minimum of effort.
"Education is definitely necessary," concluded Beattie. "Businesses need to take responsible steps towards security. Even if guards are fully trained in IT security, they might not be able to spot a potential hacker - especially if they use a soup can from a distance."