Worldwide ‘war drive’ exposes insecure wireless LANs

Amateur wireless LAN sniffers detected hundreds, and potentially thousands, of insecure industry-standard wireless LANs in businesses and homes across North America and Europe during the past week, in a loosely organized electronic scavenger hunt dubbed the “Worldwide Wardrive.”

Security analysts and wireless LAN industry executives said the results of the weeklong Worldwide Wardrive posted to the Security Tribe Web site indicate that many wireless LAN users still fail to use the most elementary form of security to protect their systems.

The Worldwide Wardrive, conducted between Aug. 31 and Sept. 7, was an exercise in detecting wireless LANs with NetStumbler, freeware available on the Web, carried out by people who describe themselves as hobbyists. But malevolent hackers and industrial or foreign espionage agents could easily exploit the holes found, analysts said. The logs posted on the Security Tribe Web site include precise GPS-derived latitude and longitude data for each wireless LAN access point (AP) detected during the Worldwide Wardrive, which could also serve as an intelligence tool: the coordinates tell anyone reading the log exactly where an unprotected network can be reached from.

The term war driving is derived from the “war-dialing” exploits of the teenage hacker character in the 1980s movie War Games who has his computer randomly dial hundreds of numbers and eventually winds up tapping into a nuclear command-and-control system. The war-driving participants sniffed major technology and business centres such as Silicon Valley and Orange and San Diego counties in California, as well as Chicago, Cleveland and Denver in the U.S. and the province of Alberta in Canada. In Europe, the war drivers sniffed Barcelona, Spain, and Cologne, Germany.

Home installations accounted for the majority of APs detected in the Worldwide Wardrive exercise, which was easy to determine: hundreds of the systems were broadcasting a Service Set Identifier (SSID) of “linksys.” The SSID is an ID of up to 32 characters that an 802.11b or Wi-Fi AP operating in the 2.4-GHz band transmits in every beacon frame, and “linksys” is the default that Irvine, Calif.-based Linksys Group Inc. ships on its line of low-cost home wireless LAN systems.

But the hobbyists also detected hundreds of potentially vulnerable corporate or government networks, according to analysts. That inference is based on the discovery of many APs with an SSID of “tsunami,” which Cisco Systems Inc. uses as a default for its wireless LAN products.

Chris Kozup, an analyst at Meta Group Inc. in Stamford, Conn., said the use of a tsunami default SSID indicates that the wireless network is probably a business or government AP, considering the high cost of Cisco equipment (just under US$1,000). In contrast, home equipment from Linksys sells for as little as $123.

Kozup, who examined the war-drive files and logs from last week, said the fact that hundreds of business and consumer users around the world continue to broadcast SSIDs indicates that highly publicized wireless LAN security warnings haven’t been taken to heart by either CIOs or home users. Turning off an AP’s SSID broadcast is the most basic level of wireless LAN security, Kozup said.

He added that the use of default SSIDs indicates another potential security breach: failure to turn on built-in Wired Equivalent Privacy (WEP) encryption. “If the default SSID is not turned off, that’s a fairly good indication that WEP is not turned on,” Kozup said. Wireless LANs are shipped from the factory with WEP off. WEP is itself only a floor, not a ceiling: by 2001 researchers had shown that its RC4 key can be recovered from passively captured traffic, so enabling it stops casual sniffing but not a determined attacker.

Nick Jacobsen, a hobbyist wireless LAN sniffer, said in a mailing-list post that he found 69 unprotected wireless LANs in a four-hour war drive of Portland, Ore., last week. Riding his bicycle, Jacobsen detected 80 APs in all, of which 69 were broadcasting SSIDs and not using WEP. He detected only seven APs with WEP enabled, and just four that had both WEP enabled and SSID broadcast turned off.

Kurt Seifried, an Alberta sniffer, said in a mailing-list post that he encountered a slew of unencrypted wireless LANs in his war drive of Edmonton. Between 75 percent and 80 percent of the wireless LANs Seifried detected were unencrypted, he said.
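The triage the analysts describe above (default SSID as a vendor and deployment fingerprint, WEP on or off, SSID broadcast on or off) and the kind of tally Jacobsen and Seifried report can be reproduced from a war-drive log with a short script. The following is an added example written for this page, not code from the article, from NetStumbler or from the Worldwide Wardrive. The log format is constructed for the example (one CSV row per AP with GPS fix, BSSID, beacon SSID and raw capability field); real NetStumbler exports differ. The only protocol detail it relies on is the 802.11 capability field, whose bit 4 (0x0010, “Privacy”) is set when the AP requires WEP, and the fact that an AP with SSID broadcast turned off sends an empty SSID element in its beacons.

```python
"""Triage a war-drive log: who is open, who is on a default SSID, who hid the SSID.

Added example for this page; the CSV format and the rows in SAMPLE_LOG are
constructed, not a real capture.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

PRIVACY_BIT = 0x0010  # 802.11 capability field bit 4: set when the AP requires WEP

# Default SSIDs named in the article, with the vendor and the deployment they suggest.
DEFAULT_SSIDS = {
    "linksys": ("Linksys", "home"),
    "tsunami": ("Cisco", "enterprise"),
}

# Constructed sample log. An empty ssid field means the beacon carried no SSID
# (broadcast turned off); cap is the beacon's capability field as hex.
SAMPLE_LOG = """\
lat,lon,bssid,ssid,cap
45.5231,-122.6765,00:06:25:00:00:01,linksys,0x0001
45.5233,-122.6770,00:06:25:00:00:02,linksys,0x0001
45.5240,-122.6801,00:40:96:00:00:03,tsunami,0x0001
45.5250,-122.6810,00:40:96:00:00:04,,0x0011
45.5260,-122.6820,00:02:2d:00:00:05,corp-wlan,0x0011
45.5270,-122.6830,00:06:25:00:00:06,homenet,0x0001
45.5280,-122.6840,00:06:25:00:00:07,,0x0001
"""


@dataclass
class AccessPoint:
    lat: float
    lon: float
    bssid: str
    ssid: str
    capability: int

    @property
    def wep(self) -> bool:
        """True when the Privacy bit is set, i.e. the AP requires WEP."""
        return bool(self.capability & PRIVACY_BIT)

    @property
    def broadcasts_ssid(self) -> bool:
        return self.ssid != ""

    @property
    def default_ssid(self) -> bool:
        return self.ssid.lower() in DEFAULT_SSIDS

    @property
    def likely_deployment(self) -> str:
        """Kozup's heuristic: the default SSID tells you the vendor, and the
        vendor's price point tells you home versus enterprise."""
        if self.default_ssid:
            return DEFAULT_SSIDS[self.ssid.lower()][1]
        return "unknown"


def parse_log(text: str) -> list[AccessPoint]:
    """Parse the constructed CSV format into AccessPoint records."""
    aps = []
    for row in csv.DictReader(io.StringIO(text)):
        aps.append(AccessPoint(
            lat=float(row["lat"]),
            lon=float(row["lon"]),
            bssid=row["bssid"].lower(),
            ssid=row["ssid"],
            capability=int(row["cap"], 16),
        ))
    return aps


def classify(ap: AccessPoint) -> str:
    """Bucket an AP the way the Portland tally in the article does."""
    crypto = "WEP" if ap.wep else "open"
    ssid = "SSID broadcast" if ap.broadcasts_ssid else "SSID hidden"
    return f"{crypto}, {ssid}"


def summarize(aps: list[AccessPoint]) -> dict:
    """Counts and percentages of the kind the article's analysts quote."""
    buckets = Counter(classify(ap) for ap in aps)
    unencrypted = sum(1 for ap in aps if not ap.wep)
    defaults = [ap for ap in aps if ap.default_ssid]
    return {
        "total": len(aps),
        "unencrypted_pct": round(100 * unencrypted / len(aps), 1) if aps else 0.0,
        "buckets": dict(buckets),
        "default_ssid": len(defaults),
        # Kozup's correlation: default SSID left on -> WEP probably off.
        "default_ssid_without_wep": sum(1 for ap in defaults if not ap.wep),
        "likely_enterprise": sum(1 for ap in aps if ap.likely_deployment == "enterprise"),
    }


if __name__ == "__main__":
    aps = parse_log(SAMPLE_LOG)
    for ap in aps:
        # The GPS fix alongside "open" is what makes a public log an intelligence tool.
        print(f"{ap.lat:.4f},{ap.lon:.4f} {ap.bssid} {ap.ssid or '<hidden>':<10} "
              f"{classify(ap):<22} {ap.likely_deployment}")
    print(summarize(aps))
```

On the constructed rows the script reports five of seven APs (71.4 percent) unencrypted, three APs on a vendor default SSID with none of them running WEP, and one likely enterprise AP (the Cisco “tsunami” default). Note that the two hidden-SSID rows are still present in the log: turning off SSID broadcast removes the name from the beacon but not the beacon itself, which is why a war drive still records such APs.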

Brian Grimm, a spokesman for the Wireless Ethernet Compatibility Alliance, a wireless LAN industry trade group, agreed with Kozup that security begins with SSIDs.

“Everyone should turn off their SSIDs,” Grimm said. Enterprises, he said, should beef up their security with virtual private networks and filtering of Media Access Control (MAC) addresses. Each piece of hardware on a network has a unique MAC address, and filtering these addresses reduces the possibility of a hacker mapping and penetrating a network. Neither measure is strong on its own: the SSID still appears in probe and association frames even when beacon broadcast is off, and MAC addresses travel in the clear in every frame and are trivial to clone, so these steps slow a casual intruder rather than stop a determined one.

The large number of insecure LANs detected during Worldwide Wardrive week should serve as a wake-up call to corporate IT departments, Kozup said. “This is more fodder that the enterprise needs to be taking a more activist approach to wireless LAN security,” he said.

Kozup added that he is somewhat heartened by the relatively small number of tsunami default SSIDs detected, as well as by the systems broadcasting no SSID, which indicates to him that “enterprises are doing a better job” than they have in the past.