As his taxi crawled through traffic in downtown Toronto, Ben Sapiro fired up his laptop and, cradling a small antenna about the size of a kid’s hockey trophy, prepared to peek into the private computer networks that live high up inside Bay Street’s cold, shiny walls.
“There,” he said, holding his screen so the backseat passengers could see it. “That green circle means a great signal lock – there’s [a LAN] really close by. This name that just came up (WavePON) is the default manufacturer’s name for its hardware. That shows that someone just dropped the hardware right into the system without reconfiguring or encrypting it at all.
“Now we keep driving on, out of range, because Canadian law is very strict on hacking.”
However, Sapiro added, if he were an unscrupulous user, with just a few clicks the software he’s using could reconfigure his system to talk to the network he’s located. That would give him access to its private data – including anything one of its employees could see.
Although he keeps an eye on hackers, crackers and script kiddies, Sapiro is actually a Toronto-based senior consultant for information risk management with management consulting firm KPMG LLP. He held a demonstration of “war driving” recently for a small group of journalists.
War driving, the practice of cruising downtown streets and looking for open wireless local area networks (LANs), is the newest hacker strategy to boil up from the geek underground. Already reported in the San Francisco Bay area, Chicago and locations in Europe, its name comes from its similarity to “war dialling”, a form of ’80s cracking that used brute-force modem software to call thousands of numbers, looking for an accessible dial-in connection to pirate.
“Most people don’t seem to be aware that a wireless network is not the same as a wired network – that this technology which brings so many gains also brings risks with it … and given the ease of what we’re showing you it’s really a grave concern,” Sapiro said.
With a wireless LAN, instead of running cables to physically connect machines to an intranet, users need only be in the vicinity of a network’s access points (APs) in order to hook up, explained Wes Nelson, a former chief technology officer at WirelessMoney Inc., and now a Waterloo, Ont.-based consultant.
Nelson noted that as hardware has come down in price and been standardized, many companies are finding wireless LAN technology extremely cost-effective and convenient.
“The problem is that without challenges or encryption all the computers that are close enough to connect to the wireless LAN’s access points are trusted. So if I walk into your organization, and I have the same 802.11B wireless LAN card that all of the rest of you have and your LAN is unprotected, suddenly, I’m behind your $100,000-plus firewall and I have access to your entire intranet,” Nelson said.
Scanning for clouds
As well as an off-the-shelf antenna and wireless card, for his demonstration Sapiro used a wireless program called NetStumbler, available for free on the Internet. NetStumbler rapidly scans for the electronic “clouds” – a LAN’s total available broadcasting area, which can extend outward up to 200 metres.
“[The software] picks up a network and it also tells you who the vendor of the hardware is. You can learn quite a bit about the network without actually being on it, so you know exactly what piece of hardware you’re dealing with,” he said.
Most damning is NetStumbler’s WEP (Wireless Encryption Protocol) analysis column that tells the hacker whether or not the network administrator has bothered to enable the system’s built-in encryption, Sapiro said.
“Very quickly you can see who’s vulnerable and who’s not. In our war driving experiences to date we are seeing, both here in Toronto and Montreal, an average rate of only about 30 per cent of people turning encryption on. We’re hoping that will increase – it’s simply a configuration issue with their hardware.”
As the cab continued on its ten-minute cruise, Sapiro’s set-up detected 14 wireless LANs, only three of which had their WEP activated. In addition, the first two vulnerable networks appeared less than half a block from KPMG’s office located in the heart of Canada’s financial community in downtown Toronto.
By combining NetStumbler or one of its variants with a GPS unit, Sapiro said cyber-criminals could build a map of available open networks, although he joked that he and his colleagues “haven’t done that because we don’t really want to know.”
“War driving is so easy to do that I can’t imagine that it’s not happening,” Nelson said, noting that wireless LANs are also very popular for home users who want to work by their pools or in their yards without snaking ugly cable everywhere.
“I can tell you for a fact that I know of several software companies in the Kitchener-Waterloo area that have open wireless intranets. So if I dropped into their office with my laptop I could access all their source code,” he added.
Although WEP has been shown to be a flawed system full of gaping holes for experienced hackers to exploit, it does at least offer some preliminary resistance to intruders, said Sapiro.
“At this point it’s all about raising public awareness. Right now people deploy their systems and they assume just because they are inside of their network and behind a firewall, that they are safe. The honest truth is that that’s not the right way to do it – they need to harden internal servers to create layers of defence,” he said.
Both Nelson and Sapiro agreed that wireless tools are too potentially useful to give up. Instead, they said companies have to get a whole lot smarter about basic security.
“Technologically it’s not difficult to add defences. It’s more a human question of asking your people to remember a new password, and setting up a new network infrastructure,” Nelson said. “As far as security is concerned, people are the problem – not the technology.”