Researchers Lure Wi-Fi Hackers

By Ed Sutherland

August 26, 2002

Amid the international intrigue and political brinkmanship of the nation's capital in Washington, D.C., a Wi-Fi network 'honeypot' silently waits for someone to jimmy the door.

The sorry state of Wi-Fi security has become one of the best-known secrets of the 802.11 networking standard. The ease of setting up a wireless network using 802.11-based technology is mirrored by the effortless way hackers, snoopers and the just-curious can detect, enter and use Wi-Fi networks used by corporations, coffee shops and your corner neighbor.

Within every metropolitan area, there are hundreds or thousands of unprotected access points, estimates government contractor Science Applications International Corporation (SAIC).

If an open access point is like honey to a bee, SAIC decided to devise a "honeypot," in an effort to study how and why intruders attack wireless networks. Rob Lee, a former U.S. Air Force security investigator turned chief of SAIC's information security operations, says this is likely the first time a honeypot has been created to study only wireless security.

How does a honeypot work? It essentially is a closed system with no valid users and no purpose beyond presenting an attractive target for intruders. Hidden beneath a deceptively open computer are layers of systems to detect, track and log the movements of intrusion attempts. Data collected is then used to refine security protocols and head off future attacks.

In the case of SAIC, its Wireless Information Security Experiment (WISE) consists of several open computers, five Cisco access points and two omni-directional high-gain antennas. Each connection attempt is carefully logged as an 802.11b "sniffer" detects every intrusion attempt.

Lee hopes the information gleaned from the experiment will provide a better profile of the average wireless intruder, by determining whether Wi-Fi intrusions are used to spawn further attacks or simply to freeload an Internet connection.
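
As an added illustration (not SAIC's code or data), the Python sketch below applies the honeypot principle described above: with no valid users, every client in the log is an intruder, so analysis only has to sort out whether it probed the lab machines or simply used the Internet connection. The log records, lab address range, thresholds and label names are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed lab addressing and log records (assumptions, not WISE data).
LAB_NET = ip_network("10.10.0.0/24")
EVENTS = [
    # (seconds, source MAC, protocol, destination IP, destination port)
    (0, "00:11:22:aa:bb:01", "icmp", "10.10.0.11", None),
    (1, "00:11:22:aa:bb:01", "icmp", "10.10.0.12", None),
    (2, "00:11:22:aa:bb:01", "icmp", "10.10.0.13", None),
    (40, "00:11:22:aa:bb:02", "tcp", "192.0.2.80", 80),
    (45, "00:11:22:aa:bb:02", "tcp", "192.0.2.80", 80),
    (90, "00:11:22:aa:bb:03", "tcp", "10.10.0.11", 445),
    (95, "00:11:22:aa:bb:03", "tcp", "198.51.100.7", 80),
]
SWEEP_HOSTS = 3    # distinct lab hosts pinged ...
SWEEP_WINDOW = 10  # ... within this many seconds counts as a sweep


def classify(events):
    """Label each client by what it did; every client is unauthorized."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    result = {}
    for src, evs in by_src.items():
        labels = set()
        # ICMP echoes aimed at lab hosts, ordered by time.
        pings = sorted((t, dst) for t, _, proto, dst, _ in evs
                       if proto == "icmp" and ip_address(dst) in LAB_NET)
        for i, (t0, _) in enumerate(pings):
            hosts = {d for t, d in pings[i:] if t - t0 <= SWEEP_WINDOW}
            if len(hosts) >= SWEEP_HOSTS:
                labels.add("ping_sweep")
                break
        for _, _, proto, dst, _ in evs:
            if proto == "icmp":
                continue
            # Traffic to a lab host is probing; anything else is an
            # attempt to reach the Internet through the honeypot.
            inside = ip_address(dst) in LAB_NET
            labels.add("lab_probe" if inside else "internet_access")
        result[src] = sorted(labels)
    return result


if __name__ == "__main__":
    for mac, labels in classify(EVENTS).items():
        print(mac, labels)
```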

"These numbers will initially be based on wireless networks installed with defaults and very little configuration," according to an overview of the WISE project. The WISE Web site said results will then be collected indicating the effect even simple security has on the intrusion rate.

As time goes on, Lee envisions using the detection system to learn about the tools Wi-Fi hackers employ, as well as discerning any telltale signs that might be incorporated in future wireless security. Lee says the intent of the experiment was never to entrap hackers for later prosecution.

According to SAIC, WISE has two phases. The first phase consists of several computers connected through access points that are then tied together with bridges to create a lab large enough to cover a metropolitan area. The second phase, according to SAIC, could include satellite broadband access and linking the lab to another city.

Lee has said another component to the WISE honeypot may be Internet access through a Web proxy allowing connection attempts to be intercepted while presenting a banner, so that Internet usage can be legally monitored.

The WISE honeypot was officially opened June 15th, but researchers at SAIC report little activity: just one quick ping sweep of the computers and a few attempts at gaining Internet access.

My attempts to contact Lee resulted in SAIC spokesperson Zuraidah Hashim reporting no further activity. A possible reassessment of the honeypot's future may be on the way.

Got a comment or question? Discuss it in the 802.11 Planet Forums with moderator Jim Geier.