The following is the third part of a six-part series on wireless security. Each tip is excerpted from the Cisco
Press book, Network Security First-step by Tom M. Thomas. Check back frequently for the next installment, or go to the main series page for all installments.
Like many of the beneficial technologies discussed in this book, wireless networks are also susceptible to a variety of threats; however, wireless is still a growing technology, and today you have the opportunity to protect and secure your network. This section takes a high-level look at some of those threats and why you should secure your network.
You might be familiar with the 1983 movie, WarGames, where a young man (played by Matthew Broderick) finds a back door into a military computer and unknowingly starts the countdown to World War III. The movie's young hacker executes this mayhem all over a modem, which coined the phrase WarDialing.
Fast-forward almost twenty years when London-based author, Ben Hammersley was writing and he wanted a cup of coffee or even a bit to eat from the cafÉ across the street. Ben installed a WAP that gave him the wireless access he wanted; he was a giving man, however, and decided to let his neighbors know that they could have free wireless Internet access. Disappointingly, no one took him up on his generosity. Enter Ben's friend, Matt Jones, who posted a set of runes on a website (http://www.blackbeltjones.com) with the intention of creating a set of international symbols that would let people know that a wireless connection is available. Ben took a piece of chalk and drew these runes on the curb in front of the cafÉ and became the first WarChalker. (See Figure 8-3.)
Shortly after Matt posted these symbols on the Internet (a.k.a. Black Belt Jones), word spread fast and these two individuals started an Internet phenomenon resulting in new words with such ominous names as WarChalking, WarSpying, WarSpamming, and WarDriving—all ultimately a part of the evolution of wireless access. To clarify, none of these new terms enhance the security of your network. They are simply terms that attackers use to describe their activities. The following sections review each of these threats.
If you have ever seen a pirate movie in which a fancifully drawn treasure map displayed a large red X depicting where the ill-gotten gains were buried, you have some basic idea what role symbology has played in man's pursuit of riches. Much in the same way that the X marked the spot filled with gold, jewels, and silver, so did a series of runes depict areas of danger: which house a policeman might live in, or which houses were considered sympathetic to hobos during the great depression. For example, a rune in the shape of the pound sign "#" told fellow hobos that a crime had recently been committed and to avoid the area, or a casually drawn triangle might indicate that there were too many hobos working this area, so pickings were slim.
It was these "hobo hieroglyphics" from the Great Depression that inspired Ben and Matt to add a new dimension known as WarChalking. WarChalking is a practice that originated with the intention of telling fellow wireless warriors where they could get a free wireless connection on a corporate or private wireless network. The symbols utilized by these "WarChalkers" generally indicate whether the wireless access point is considered "open" or "closed," depicted either by two half-circles back to back or a single regular circle, respectively, and what sort of security is protecting this access point.
WarChalking in its original form turned out to be a momentary cult-like movement that was fascinating for everyone. However, in practice it has changed significantly to reflect the realities of what people are trying to accomplish. Very few people walk around drawing marks on buildings; however, people are "chalking" maps using GPSs to show exactly where wireless access can be gained. Searching the Internet reveals quite a few online maps marked for use (http://www.netstumbler.com/nation.php). One of the added benefits of putting the maps online is that they are not washed away when it rains.
From a security perspective, it is highly unlikely that you will ever see the side of your building or sidewalk marked with a WarChalk symbol; however, it is likely that if your wireless network is not protected properly, it will appear chalked on someone's map for anyone to use. You might be wondering how attackers are finding these access points. Consider the last time that you saw anyone walking around with a laptop and a GPS. It does happen, but it might not be obvious because WarWalkers typically use backpacks to conceal their activities. In addition to the limitations posed by equipment battery life, all this walking can become tiring. Enter the next wireless threat—WarDriving—where converters can power a laptop for as long as the car is running.
WapChalking—A variant of WarChalking set up by the Wireless Access Point Sharing Community, an informal group with a code of conduct that forbids the use of wireless access points without permission. The group uses the WarChalking marks as an invitation to wireless users to join their community. In WapChalking terms, the two half-moon open node mark means that a wireless access device is currently indicating factory default settings and is thus easily detected.
WarDriving makes finding open wireless networks simple and dramatically increases the search area exponentially. The act of WarDriving is simple: you simply drive around looking for wireless networks. Part of the appeal is that you can now use GPS systems connected to your laptop, which is then powered by your car. This makes the act of WarDriving accurate and potentially rewarding for those looking for your wireless network because they can cover a much larger area with a vehicle.
Before delving too deeply into this subject, it is important to remember that WarDriving or "LAN jacking" an unwary subject's WAP is possibly illegal, depending on the part of the country in which you live. The reason you would consider even building an antenna in the first place is to remain as far away from the WLANs that you are sniffing in the first place. To get the latest information on legalities and updates on this front, consult your local computer club or perform an Internet search on "war driving and legalities."
It is disturbing that almost anyone can find your wireless network so easily, isn't it? Vendors turn everything on by default, regardless of network security concerns; this makes it easy for WarDrivers. By default, wireless access points broadcast a beacon frame that identifies (broadcasts the SSID) the wireless network they are a part of, every 10 milliseconds.
The average antennae on a wireless PCI card NIC is not sensitive enough to do a good job of zeroing in on low to medium-powered WAP signals, so many WarDrivers have resorted to using a USB wireless NIC outfitted with a homemade "directional Yagi" design antennae hardwired into the USB NIC, as shown in Figure 8-4 (http://3nw.com/pda/wireless/wi_fi_pringles_can_yagi_antenna.htm). Various designs yield better or worse results depending on the signal type of the wireless traffic you are trying to snoop. The wireless network is identified by a 32-bit character known as a Service Set Identifier (SSID). For a WarDriver, the easiest networks to find are those that are broadcasting this SSID. Perhaps I do not have any special applications but only a laptop with Windows XP. From a security perspective, Windows XP is wireless-aware and perhaps too friendly because it easily picks up any SSID broadcasts and automatically tries to join any available wireless network. With such a friendly operating system, who needs all the special tools?
By default, the SSID is included in the header of the wireless packets broadcast every 10 milliseconds from a WAP. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device is not permitted to join the wireless network unless it can provide the unique SSID. Because an SSID can be sniffed from a packet in plain text, it does not supply any security to the network, even though it does function as a wireless network password. It is strongly recommended that WAPs have the broadcasting of their SSID disabled.
The presence of an SSID in a wireless network means that those engaging in the search should have more powerful wireless antennas that allow them to pick up and detect wireless signals. For example, if you want to "LAN jack" 802.11b/2.4-Ghz wireless network connections, you would most likely opt for a "helix" or "helical" design, which is basically tubular in design with a series of copper wire wrappings around a central core. This custom-made antennae style can be difficult to build because of its exacting standards and rather pricey parts list. On the other hand, a "wave guide" style can be made from rather inexpensive components such as a Pringles can (as shown in Figure 8-4), coffee can, or juice can.
The basic premise of building these specialty "signal stealers" is to mount them on the roof or hood of your car, connect the antennae to your wireless NIC, and drive around town looking for unsecured access points. Again, WarDriving for the purposes of stealing Internet access and snooping around a private network is illegal and earns you a visit from men in blue suits with no sense of humor. WarDriving was invented by a man named Peter Shipley, who had the vision to take WarChalking to the next level:
Most recently I invented Wardriving, while I am not the first person to go out and search for open wireless LANS (a few before me ventured around with in a with a laptop, pencil & paper manually scribbling notes). I was first to automate it all with dedicated software and a GPS. When I started this project the usage of WEP was around 15%, after going public with my findings, a year later WEP usage is now 33%. Thus it is good to know people are getting the message. Some maps I generated from these exercises can be found at http://www.dis.org/wl/maps/.
Depending on your frame of reference (and why you are reading this book), you might be wondering whether WarDriving is a crime. Of course, those doing the WarDriving do not view it as such; however, those of you who own the wireless networks might have a slightly different perception. While doing research, I stumbled across a quote—supposedly from the FBI—that states their position as follows:
Identifying the presence of a wireless network may not be a criminal violation, however, there may be criminal violations if the network is actually accessed including theft of services, interception of communications, misuse of computing resources, up to and including violations of the Federal Computer Fraud and Abuse Statute, Theft of Trade Secrets, and other federal violations.
Therefore, if you are deploying a wireless network, you are likely to have someone try and find it, so your security depends on that individual's understanding that it is his responsibility to ensure that he does not violate any local, state, or federal laws that might pertain to his area. To slightly rephrase: you have gone through all the trouble of purchasing equipment, learning the process, loading the tools, and setting everything up. Your wireless network is not secured, and law enforcement expects the WarDriver not to do anything illegal. Are you prepared to leave your network vulnerable to those who do not support this law-abiding scenario? If you are, go back to Chapter 1, "Here There Be Hackers!" and start reading again!
The FBI quote seems to be an accurate representation of law enforcement agency positions on WarDriving; contests are held to see who can find the most wireless networks. Individuals involved in the wireless industry and dedicated to a certain bias in this debate, clearly maintain these websites, but check them out:
You will find links to various WarChalked maps that show the GPS locations and, in many cases, much more about open wireless networks worldwide. In doing my research for this chapter, I stumbled across a few people who have taken WarDriving to the next level, literally, in the form of WarFlying.
I have heard only of two cases of WarFlying, but it is such an interesting endeavor that I just had to include it. WarFlying (a.k.a. WarStorming) is simply searching for wireless networks while flying in an airplane. However, because not many people have access to a small plane and the tools necessary to pull off WarFlying, the occurrences of WarFlying will be less than WarDriving. Because of the limited range of wireless LANs, the plane must fly below 1500 meters. WarFlying was first recorded in Perth, Australia.
WarFlying has some clear limitations because you do not have the ability (at least today) to triangulate on the access point, which could be several miles from where it was detected. Regardless, however, it is interesting, and I suggest checking out the three-part article on how Silicon Valley was WarFlown. I am not sure if that statement is grammatically correct; however, you get the point. Check out the rest of the story at http://www.arstechnica.com/wankerdesk/3q02/warflying-1.html.
Everyone has received spam or junk mail; it is a plague on the Internet and, frankly, in my mailbox at home. I believe in free speech; however, that freedom does not give you the right to be heard. Fortunately, law makers and politicians around the world are beginning to notice our feelings on this matter and developing laws to penalize spammers. These laws might or might not be effective—time will tell. However, is it is becoming more difficult for spammers to source their spam from countries that are beginning to develop these laws. There are also organizations that list IP addresses of places where spam has originated from, so what is a spammer to do? Many are now sourcing their spam from other countries; this presents all sorts of logistical problems and additional costs to our spammers. As a spammer, what if I could drive downtown or hire someone to find an open wireless network, join that network, and send my spam?
Remember the concept of downstream liability discussed in Chapter 3, "Overview of Security Technologies?" It would be simple to find an open wireless network and join it to send spam. The attacker (spammer) could be sitting in a cafÉ across the street, and you might never know. Now fast-forward a bit; the spam is sent to thousands of people who report that they received it, and yet another wrinkle–the spam was pornographic in nature. Yes, it can be even worse than that (remember, we are not talking about people who have morals—they are driven by other goals and needs). A quick check reveals your network's IP address, which is then blacklisted and reported to your ISP— and do not forget about the new antispamming laws. The result is that all outgoing e-mail from your company is blacklisted. How embarrassing when your customers get the bounce message saying that your company is spamming, the ISP shuts off your Internet connection, and law enforcement comes knocking. Also, if you have one of those Internet connections where you are billed by usage, expect a big bill this month.
The truth of the matter in WarSpamming is that your network did, in fact, spam others and, while it might have been as a result of an attacker, you are now liable because your wireless network was not secured properly. Who do you think is responsible for that and are they looking for a new job? Expect to see WarSpamming increase as it becomes more difficult for spammers to operate. Those who want to do questionable things will always find a way; some will stop as it becomes too difficult, and others will not.
A nice follow-up to WarSpamming is WarSpying, which is a relatively new phenomenon coming to a wireless video network near you. The most popular method of WarSpying is using those wireless X10 cameras. X10 is the camera featured in pop-up ads all over the Internet and they invariably have some gorgeous woman in them. X10 is also a means by which to automate your home, as in a smart house; however, that topic is beyond the scope of this book.
WarSpying was first documented in the magazine 2600, an interesting read if you can find the few nuggets of technical worth from the rants it prints. Regardless, it outlined how to make a wireless device that can pick up wireless surveillance systems transmissions. Since then, many people have explored and documented the topic online, and there are now reports of people tapping into all sorts of cameras that are transmitting over a wireless network. You can learn more about WarSpying at http://rhizome.org/RSG/RSG-X10-1/.
Notice I have completely avoided all discussions of the other nefarious uses into which this could develop. The key is awareness and an understanding of how to protect your network.
Many places that sell kits to start someone WarDriving—plans, maps, and so on are also readily available. A simple Internet search shows the results:
This section was rather revealing about how wireless networks are found and, to a lesser degree, what some of the threats are. In addition, a variety of more specific threats are possible. Plus, after an attacker joins a wireless network, you have a host of other problems. The following sections examine these topics in more detail.
Reproduced from the book Network Security First-step, ISBN 1587200996, Copyright 2004, Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses. Visit www.ciscopress.com for a detailed description and to learn how to purchase this title.