Driveby Hacking on the Go
How did Frank Keeney, a California-based security consultant and war driving convert, spend his recent vacation? With his wife and kids along for the ride, Keeney used a laptop, rigged up in the back of his SUV, to map access points to home and corporate wireless LANs all the way from Pasadena to San Francisco.
Keeney, of course, is scarcely the only war driver -- aka "driveby hacker" -- around. "I only got into war driving, in fact, after reading about it on the Web," Keeney says. College students, stepping out for a new sort of joy ride, are toting laptops outfitted with GPS units, wireless cards, and wireless sniffer software such as NetStumbler or Airsnort, so they can tap into wireless access points around their neighborhoods. War driving is also a method that network managers can use to uncover the burgeoning crops of "rogue" or unauthorized wireless LANs now springing up on corporate grounds.
"A lot of the war driving we hear about is being done by IT consultants, to prove the security threats posed by wireless LANs," maintains Sarah Kim, an analyst for the Yankee Group. Kim doesn't dispute, however, that these threats are real. "Now, you can purchase wireless access points and cards at a lot of retail stores. Many people still don't know how to set them up correctly, though."
Meanwhile, postings in news groups and other forums indicate that war driving is catching on as a hobby, too. In the Stumbling Setups Forum on NetStumbler's Web site, a new initiate to driveby hacking asks for antennae advice.
"My question is this," he writes. "My Toughbook has a full magnesium alloy shell, and the PC card antenna sits, obviously, right next to it. Will this affect my receive performance? I haven't added an external antenna yet. My pigtails are in the mail."
In an Internet forum on ISP-Wireless, a member called "MB" acknowledges, "Being a student, war driving is something we do when we're not partying; we used to drive around and download all night long into our van."
During Keeney's war driving expedition, he mapped access points along the I-5 and 100 freeways in southern California, meanwhile intentionally avoiding any network intrusions.
"Part of my reason for doing this during (the) vacation was to find out if there were many access points in the more rural areas. Well, there are plenty. While driving north on I-5 there were many large warehouse facilities, (with) many access points," according to Keeney.
"The Silicon Valley area has been mapped (by other war drivers) many, many times. There is little I can add to what has already been said about the state of 802.11b in this area.. Nearly every major company has (at least one) access point."
As Keeney sees it, lackadaisical security settings are a big problem indeed. Under their default settings, wireless hardware products from most vendors will automatically broadcast their IP addresses, allowing easy detection by sniffer software. A handful of vendors, including Symbol and Lucent, automatically disable broadcast IP. Otherwise, users must go out of their way to turn off this feature.
"What surprised me most during my vacation trip, though, was that less than half of the businesses and homes had even bothered to turn on WEP encryption," says Keeney, who works for Pasadena Networks, LLC.
Managed Services Provider (MSP) DataVox came up with similar findings about the use of Wired Equivalent Privacy (WEP) encryption within New York City's financial district in lower Manhattan.
In a recent driveby of London, the UK-based security company Orthus detected 124 wireless computer systems, which enabled them to access 207 different networks. More than two-thirds of these systems were unprotected by any type of encryption.
In a widely circulated paper published in January, 2001, the University of California at Berkeley pointed to several security defects in WEP. Software programs such as WEPCrack can be used for retrieving WEP keys. "Even so, though, cracking the keys takes more time than most people would be willing to spend," Keeney notes.
Several vendors have been devising workarounds to WEP encryption problems. Symbol, for example, uses rotating WEP keys in its wireless LAN lineup. In mid-December, RSA Security announced a WEP security patch that has gained approval from the IEEE. Co-developed with Hifn, the patch uses a technology called Fat Packet Keying to encrypt each packet of data with a different key.
Meanwhile, though, consultants have been advising the use of other security mechanisms to supplement WEP. Frequently raised suggestions range from firewall security to SSL, 802.1x, VPNs, and a number of proprietary solutions.
Bluesocket and ReefEdge, for example, each offer multifaceted security offerings which, although quite different from one another, combine proprietary authentication/encryption schemes with support for standard wireless protocols. Administrators can use either vendor's products to assign access rights and allocate bandwidth through role-based permissions, for instance.
ReefEdge also supports mobile roaming through proprietary Mobile Masquerading and Dynamic IPsec technologies. The US Airforce recently purchased ReefEdge's products for use at multiple sites, according to ReefEdge CEO Inder Gopal.
Another major wireless security problem, experts say, is that network administrators also rely on manufacturers' default Service Set IDentifiers (SSIDs), or network names, instead of creating SSIDs that are harder for outsiders to guess.