Feelings of Insecurity
June 24, 2004
Reports from the recent World Wide WarDrive and the SuperCOMM tradeshow reveal different aspects of just how far Wi-Fi security has not come.
It's been said by some that the problems with security in wireless networks are no longer an issue -- the tools are available to fix anything that could come up. Whether encrypting your own traffic with Wi-Fi Protected Access (WPA) or virtual private networks (VPNs), or running a full-fledged intrusion detection system (IDS) to weed out rogue access points and unwanted, freeloading users, there's no lack of tools available.
Yet no one seems to use them.
At least, the majority don't seem to bother, if you go by the findings of two very different bits of research. One is the fourth annual World Wide WarDrive (WWWD4), which featured wireless enthusiasts around the globe tabulating the security conditions of some 288,012 unique networks. The second is the findings of IDS provider AirDefense while attending the SuperCOMM 2004 tradeshow this week in Chicago.
WWWD4 ran from June 12 to the 19th and covered 11 countries. Each wardriver drove around using global positioning equipment and Wi-Fi tools for scanning networks. The data they compiled was fed into the WWWD4 Stats page at WiGLE.net (Wireless Geographic Logging Engine) to reveal just how many of the networks they saw were running without any encryption turned on.
As with past WWWDs, the results should make an enterprise IT security maven blush. Out of 288,012 found access points, only 31.6% were confirmed to be running with the bare minimum of security, Wired Equivalent Privacy (WEP). Just over 50% of the nodes found were confirmed to be running without any encryption security and thus wide open to outsiders.
Maybe worse, the number of units running with the default service set identifier (SSID) was 28.7%. The SSID is the unique name for the network access point. By using the default name that comes with the Wi-Fi hardware, it's all the easier for outsiders to get access -- they don't have to guess the SSID.
The wardrivers found more than double the number of access points they found last year during WWWD3. Thankfully, the percentage running without WEP has gone down by about 17%. The number using the default SSID remains approximately the same.
While the WWWD shows just how open and naive some network runners might be -- and their numbers include home networks on up to enterprises -- the regular tracking AirDefense does at industry tradeshows is meant to send a signal directly to enterprises about the threats they face. It's not surprising considering that AirDefense wants to sell its IDS system to any and all enterprises with a WLAN, but the numbers speak for themselves.
While monitoring two hotspot locations on the tradeshow floor of SuperCOMM, one run by Intel and the other run by AirDefense partner IBM -- IBM is reselling AirDefense equipment, plus using it to provide a new managed wireless IDS service -- the company found all of the usual problems and a relatively new one.
Anil Khatod, president and CEO at AirDefense, says the congestion of Wi-Fi users was the worst problem at the show: "I literally saw on the AirDefense console hundreds of people trying to connect to a single access point. No one could get through."
Something just getting a foothold is the proliferation of software-based access points or "softAPs." The software can turn a laptop wireless client into an AP that other users can associate with. While considered a boon by some for expanding a WLAN without extra hardware purchases, softAPs can also be used maliciously, to trick users into connecting to the wrong AP.
At one point, AirDefense recorded 117 users trying to get on the IBM hotspot simultaneously, many of whom then connected to a softAP in the vicinity that was mimicking the SSID of the hotspot.
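The check a wireless IDS applies to the SSID-mimicking softAP described above can be sketched as follows. This is an added example, not AirDefense's code or data: the allow-list, SSID, BSSIDs and signal readings are all constructed, and find_mimics is a hypothetical helper.

```python
from collections import defaultdict

# Hypothetical allow-list: SSID -> BSSIDs of the access points the operator deployed.
AUTHORIZED = {"ExpoHotspot": {"00:0c:41:aa:00:01", "00:0c:41:aa:00:02"}}

# Constructed beacon observations (ssid, bssid, signal_dbm); not data from the article.
BEACONS = [
    ("ExpoHotspot", "00:0C:41:AA:00:01", -48),   # authorized AP
    ("ExpoHotspot", "00:0c:41:aa:00:02", -61),   # authorized AP
    ("ExpoHotspot", "02:1a:2b:3c:4d:5e", -39),   # same name, unknown radio
    ("expohotspot ", "00:90:4b:11:22:33", -55),  # near-identical name
    ("CoffeeShop", "00:14:bf:01:02:03", -70),    # unrelated network, ignored
    ("ExpoHotspot", "02:1a:2b:3c:4d:5e", -41),   # repeat sighting of the same radio
]

def norm_ssid(ssid):
    """Compare SSIDs without regard to case or stray whitespace."""
    return ssid.strip().casefold()

def find_mimics(beacons, authorized):
    """Return one alert per unlisted BSSID that advertises a protected SSID."""
    allowed = {norm_ssid(s): {b.lower() for b in bs} for s, bs in authorized.items()}
    sightings = defaultdict(list)
    for ssid, bssid, dbm in beacons:
        key, bssid = norm_ssid(ssid), bssid.lower()
        if key in allowed and bssid not in allowed[key]:
            sightings[(key, bssid)].append(dbm)
    alerts = []
    for (key, bssid), dbms in sorted(sightings.items()):
        alerts.append({
            "ssid": key,
            "bssid": bssid,
            "sightings": len(dbms),
            "strongest_dbm": max(dbms),
            # Bit 0x02 of the first octet marks a software-assigned (locally
            # administered) address rather than a manufacturer-assigned one.
            "locally_administered": bool(int(bssid[:2], 16) & 0x02),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_mimics(BEACONS, AUTHORIZED):
        print(alert)
```

An alert here only says that a radio outside the allow-list is using the hotspot's name; confirming it as a softAP still takes locating the device.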
As we reported yesterday, Intel recently scuttled plans to include softAP functions in future desktops, saying that turning such functions on by default would lead to a proliferation of unsecured APs. Still, plenty of methods exist to turn a former client into a softAP, including software from PCTEL, and a hardware solution that comes in various form factors (PC Card, internal PCI card, or miniPCI) from a company called Quetec that turns a client into a wireless bridge, router, or access point.
AirDefense also recorded 50 scans by users on the network, 40 devices with invalid or spoofed media access control (MAC) addresses, 12 devices scanning the ports of other users on the hotspot, and eight users getting hijacked away from the hotspot by tools like AirSnarf.
The company has cataloged any number of attacks taking place wirelessly at tradeshows from Networld+Interops to our own Wi-Fi Planet Conference & Expos, all as a means to "show the implications for enterprises," says Khatod.