Archive for November 6th, 2009


Wardriving – The Same Old Song and Dance
By D Grady

It seems like it’s been forever since wardriving was used to map out the neighborhood wifi scene. I remember when statistics about mass wireless networks first started to emerge. I remember building antennas out of soup cans and a wire coat hanger. I remember having to build GPS drivers from source so Kismet could include coordinates in its output. I even remember cracking my first WEP network – it took me the better part of a week. It all seems like ancient history now.

If that was forever ago, we must have come up with some new way to secure wireless networks. We must all be running high-end encryption and have everything locked down right from the factory. After all, wireless vendors know what can be done with a laptop and some free wireless utilities. Even non-techies can tell you the dangers of WEP and running default networks. If that’s true – wardriving would probably be a waste of time these days. That’s what I thought about one weekend, so I set out to get a glimpse of the current state of wireless security.

I grabbed my Eee PC, fired up Kismet, hopped in the Jeep, and tore off across the countryside. After an hour of driving through the little beach town I live in, I had collected information on about 900 unique networks. Once I got back to the house, I fired up a shell and got to work analyzing the data. The spread of open, WEP, and WPA encrypted networks surprised me. I didn’t think I would find almost 300 open networks in this little town. Add in the 345 WEP protected networks, and that’s about 70% of total networks either completely open or protected with exceedingly crackable encryption.

Next, I did analysis on the SSIDs (the names of the networks). This was also pretty interesting. Almost 10% of all networks had ‘linksys’ as their SSID. If they didn’t change the default SSID, I can imagine they changed little else. A number of the networks had personal names as their SSIDs (identity theft waiting to happen?). A few more had their street addresses as the network name. Some of the apartments and condos even had their apartment number worked in somehow.

Another interesting thing I noticed was wireless used by businesses. Digging through the raw output – I came across a lot of networks with familiar names because they belonged to businesses in town. A large CNC and prototyping shop in town had an open wifi network. A few other smaller businesses had wireless networks with their name on them. I also came across a large number of hidden networks when I drove through industrial areas – I can only assume that some more prodding would produce more business networks. The biggest shock to me was the local police station running WEP! At least if I ever got arrested I could email someone for bail money.

It appears it’s the same old sad state of wireless security out there. I don’t expect general consumers to fret over the differences between WPA1 and WPA2, or how much overhead AES encryption has – but I expect businesses to know their risk. They should invest in a wireless penetration test or wireless security audit if they intend on rolling out wireless. Hire a professional to assess your physical surroundings for existing wireless networks you may not know about, and then have them help plan out implementation strategies with you. Wireless can be a great way to get some freedom from traditional networks, but all that freedom can come at paralyzing costs. A little planning and research can help slim down attack surfaces, and can help make casual wardriving a thing of the past.

Redspin’s cost effective penetration testing services utilize the latest technology. http://www.redspin.com
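The kind of tally described in the post (open vs. WEP vs. WPA, default and hidden SSIDs), written as an added example for summarising a site survey of your own premises; it is not the author's script. The semicolon-delimited layout, the column names, the sample rows and every default SSID other than 'linksys' are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample survey export (not data from the post). The semicolon
# layout and column names are assumptions made for this example.
SAMPLE = """ESSID;BSSID;Channel;Encryption
linksys;00:11:22:33:44:01;6;None
Linksys;00:11:22:33:44:02;6;WEP
SmithFamily;00:11:22:33:44:03;11;WEP
;00:11:22:33:44:04;1;WPA,TKIP
ShopFloor;00:11:22:33:44:05;1;None
Apt12B;00:11:22:33:44:06;11;WEP,WPA,AES-CCM
linksys;00:11:22:33:44:01;6;None
"""

# 'linksys' is the default named in the post; the rest are assumed examples.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}


def classify(encryption):
    """Map a comma-separated flag list to open / wep / wpa."""
    flags = {f.strip().upper() for f in encryption.split(",") if f.strip()}
    # Check WPA first: a row may carry WEP alongside WPA flags.
    if any(f.startswith("WPA") for f in flags):
        return "wpa"
    return "wep" if "WEP" in flags else "open"


def summarize(text):
    """Tally unique networks (by BSSID) by encryption class and SSID hygiene."""
    seen, by_class = set(), Counter()
    default_ssid = hidden = 0
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        bssid = (row.get("BSSID") or "").strip().lower()
        if not bssid or bssid in seen:
            continue  # skip malformed rows and repeat sightings
        seen.add(bssid)
        by_class[classify(row.get("Encryption") or "")] += 1
        ssid = (row.get("ESSID") or "").strip()
        if not ssid:
            hidden += 1  # assumption: a blank ESSID marks a hidden network
        elif ssid.lower() in DEFAULT_SSIDS:
            default_ssid += 1
    total = len(seen)
    weak = by_class["open"] + by_class["wep"]
    return {"total": total, "open": by_class["open"], "wep": by_class["wep"],
            "wpa": by_class["wpa"], "default_ssid": default_ssid, "hidden": hidden,
            "weak_pct": round(100.0 * weak / total, 1) if total else 0.0}
```

Calling `summarize(SAMPLE)` returns the counts as a dictionary; `weak_pct` is the share of unique networks that are open or WEP-only, the figure the post puts at about 70% for its own survey.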


Installing Linux on WRT54G Wireless Router
By Eric Meyer

The WRT54G is a wireless router made by Linksys. A few years ago Linksys released its WRT54G firmware source code, giving the open source community the ability to make its own versions.

Installing Linux on your wireless router has many benefits and, in my opinion, few risks. The one risk you do face is turning your router into a “brick”. Now, this does seem like a big chance to take, but there are many options if the upgrade fails. Also, if you follow the installation instructions for each WRT54G firmware distribution, you won’t have a problem.

Typical ways to “brick” your WRT54G router are: trying to install your firmware upgrade over a wireless connection, interrupting the upgrade, and power cycling during or within five minutes after the upgrade.

General rules to follow are:

1. Always perform an upgrade from the original WRT54G Linksys firmware, not from other firmware distributions.

2. Set your firmware back to factory defaults.

3. Don’t upgrade from a wireless connection.

4. Don’t turn off your router for about five minutes after the upgrade.

5. Ensure your firmware is meant for your router; some firmware versions are meant for the WRT54GS (WRT54G with speed booster), and others for the regular WRT54G.

6. Follow the given instructions for each given firmware distribution.

7. Enable the Boot_wait function on your router. This option will give you the ability to recover from a failed upgrade by using tftp to upload new firmware.

Linksys does have tools that will let you recover from failed distributions. There are many different WRT54G firmware distributions to pick from. Some have specific purposes, like being used for a wireless hotspot or a RADIUS server. Do your research before installing and always follow the exact installation instructions.

Sign up for the most popular wireless networking newsletter on the internet. Receive the inside scoop on wireless technology for the home and workplace at http://www.wirelessninja.com.
