[ISN] My summer of war driving
InfoSec News
isn at c4i.org
Thu Nov 11 04:40:03 EST 2004
http://www.computerworld.com/mobiletopics/mobile/story/0,10801,97352,00.html
Opinion by Demetrios Lazarikos
NOVEMBER 10, 2004
COMPUTERWORLD
For most people, summer is about taking a vacation with family or
heading to a secluded place to get away. Earlier this year, I read an
article about the number of wireless hacks that were increasing
globally. What I found interesting was that the hacks were pretty
basic and that most of the information on how to break into default
systems, how to look for Wired Equivalent Privacy (WEP) being enabled
and other wireless steps could be found in a Google search.
I had decided at the beginning of the summer that I wasn't going to
take any downtime or a vacation per se. Instead, I would validate
through "war driving" in five cities that wireless networking isn't
ready for prime time. My itinerary involved Omaha; Chicago; Ann Arbor,
Mich.; Denver and Atlanta. War driving is driving around an area with
a laptop computer and an 802.11 network card to identify the presence
of wireless networks.
One common thread through this mission was that the cities involved
had some aspect of high-tech or higher education with an emphasis on
IT security. Another common thread was that I had friends and family
in these cities, so I had a place to stay.
Let me preface my experience with wireless networks. I embrace new
technologies and try to understand how to make the workplace safe with
security controls. It's not uncommon for individuals or organizations
to speed up the process of implementation and not put security
controls in place. I've been involved with many aspects of security
and try to be proactive by educating. In my opinion, wireless security
can be implemented safely, effectively and efficiently.
While on this mission, it was critical for me to identify if the
following could be picked up from the war drive:
1. If WEP was enabled. The WEP encryption method was designed to
provide wireless networks with the same security available in
wired networks; however, there are some challenges with this standard.
2. The presence of the service set identifier (SSID), the name
assigned to a wireless network. Usually, the SSID comes by default
using the vendor's name and should be changed to something
nondescript.
With these two pieces of information, an unauthorized user might be
able to gain access to a wireless network. Think about it. You're
surfing the Net at home or in the office, and someone just hops onto
your network connection. With information about whether or not WEP is
disabled and SSID default settings, an unauthorized user could access
your documents, financials or other sensitive information.
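An added example, not part of the original article: a defender-side audit of an organization's own access point survey for the two conditions listed above (WEP disabled, SSID left at a vendor default), with a tally in the same shape as the per-city lists. The CSV layout, the sample rows and the default-SSID list are assumptions constructed for illustration.

```python
import csv
import io

# Assumed vendor-default SSIDs, for illustration only (not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "default", "tsunami", "wireless"}

# Constructed sample: a site survey of your own access points.
# MACs use the RFC 7042 documentation range; "wep" is on/off as surveyed.
SAMPLE_SURVEY = """mac,ssid,wep
00:00:5E:00:53:01,linksys,off
00:00:5E:00:53:02,ACME-Floor3,on
00:00:5E:00:53:03,NETGEAR,on
00:00:5E:00:53:04,,off
00:00:5E:00:53:05,warehouse-ap,off
"""

def audit(survey_text):
    """Return [(mac, [findings])] for access points that need attention."""
    flagged = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        findings = []
        # Check 1 from the article: is WEP enabled at all? (WEP on is only
        # the article's baseline; it notes the standard has challenges.)
        if row["wep"].strip().lower() != "on":
            findings.append("wep-disabled")
        # Check 2: SSID still at a vendor default. An empty SSID means the
        # name was not identified, so it cannot be judged here.
        if row["ssid"].strip().lower() in DEFAULT_SSIDS:
            findings.append("default-ssid")
        if findings:
            flagged.append((row["mac"], findings))
    return flagged

def summarize(survey_text):
    """Tally the survey the way the article's per-city lists do."""
    rows = list(csv.DictReader(io.StringIO(survey_text)))
    wep_on = sum(1 for r in rows if r["wep"].strip().lower() == "on")
    return {
        "macs": len(rows),
        "ssids_identified": sum(1 for r in rows if r["ssid"].strip()),
        "wep_enabled": wep_on,
        "wep_disabled": len(rows) - wep_on,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_SURVEY))
    for mac, findings in audit(SAMPLE_SURVEY):
        print(mac, ", ".join(findings))
```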
Packing my car with the necessary gear -- my Dell Inspiron laptop, a
newly purchased Orinoco wireless network card, lots of CDs and my
wireless 2-GHz antenna (code-named Jasmine) -- I started a
cross-country trip from my home in Denver.
Omaha
The initial drive on my way to the Midwest was pretty mellow, with
lots of time to think about what I was going to pick up on my first
destination. As soon as I started to exit from I-80, Jasmine and
NetStumbler started to pick up multiple wireless access points. I
pulled over and started to collect data in downtown Omaha.
The results were incredible for the short period of time that I spent
there:
* 59 media access control (MAC) addresses identified in a 30-minute period
* 57 SSIDs were able to be identified
* 25 had WEP enabled
* 24 didn't have WEP enabled
Inventory of the manufacturers discovered:
* (2) Agere Systems Inc./Lucent Technologies Inc.
* (2) Apple Computer Inc.
* (3) Cisco Systems Inc.
* (2) D-Link Corp.
* (26) Linksys (which was acquired by Cisco last year)
* (7) NetGear Inc.
* (5) Symbol Technologies Inc.
I figured this would be a good baseline. If I could drive in a city
for 30 minutes and gather this information, I felt my summer
experience would prove that wireless security still needs a great deal
of attention.
I pulled into my friends' driveway and started to haul the gear into
their house. Mr. Mom's (my friend is a stay-at-home dad) eyes popped
out of his head. "What the heck is that?" he asked. Jasmine is always
a nice conversation piece to have with me at the airport, at the house
or on a vulnerability assessment. I demonstrated how it worked, and
while doing so, I picked up another five wireless networks within five
minutes.
I left early the next morning. I wanted to get to Chicago at a
reasonable time so I could do some quality war driving before people
went home for the day.
Chicago
I arrived in Chicago by early afternoon and checked in with some
friends who live downtown. The Captain and his wife have been friends
for some time. Actually, the Captain is responsible for my being on a
computer. He gave me my first Commodore VIC-20 and taught me how to
make those early computers sing with 64KB of memory. We got into the
car and loaded the gear. I was driving slowly downtown, and with my
car's Colorado marker plates, it was only a matter of time before we
were gathering stares from local cops on horses. Our patience paid
off.
We spent a little over half an hour downtown and were able to
gather the following information:
* 165 MAC addresses identified in a 30-minute period
* 164 SSIDs were able to be identified
* 28 had WEP enabled
* 137 didn't have WEP enabled
Inventory of the manufacturers discovered:
* (2) Agere/Lucent
* (18) Apple
* (10) Cisco
* (29) D-Link
* (52) Linksys
* (16) NetGear Inc.
* (1) Senao International Co.
Ann Arbor
After a brief visit in Chicago, the Captain told me that they were
going up north to see his in-laws and I was welcome to tag along. I
accepted, and several hours later we picked up another friend, Old
Timer. I also bought a battery charger for the car from RadioShack. I
was quickly burning through laptop batteries, but I needed to keep the
laptop charged for more driving efforts.
We arrived at the University of Michigan around midday. As we
approached Greek Row, Jasmine lit up, and we were capturing more data.
Old Timer commented on how many "thunk" sounds NetStumbler was making
as we gathered more statistics:
* 222 MAC addresses identified in a 30-minute period
* 221 SSIDs were able to be identified
* 75 had WEP enabled
* 147 didn't have WEP enabled
Inventory of the manufacturers discovered:
* (1) Acer Inc.
* (13) Agere/Lucent
* (6) Apple
* (11) Cisco
* (20) D-Link
* (56) Linksys
* (22) NetGear
* (3) Senao International
Denver
I was feeling pretty good about my drive, and I headed back to
Colorado after spending time with my family back in the Midwest. When
I arrived in Denver, I drove through downtown like I did the other
cities. Operating on autopilot, I fired up Jasmine and started to
gather my data. It wasn't that hard driving and managing the computer
by now. With three cities under my belt, it was easy to manage this by
myself.
Setting up Jasmine in the back window, I drove for 40 minutes while
gathering information. Here's what I found:
* 175 MAC addresses identified in a 40-minute period
* 168 SSIDs were able to be identified
* 29 had WEP enabled
* 146 didn't have WEP enabled
Inventory of the manufacturers discovered:
* (4) Acer
* (9) Agere/Lucent
* (12) Apple
* (18) Cisco
* (24) D-Link
* (37) Linksys
* (15) NetGear
I was satisfied. Or so I thought.
Atlanta
Toward the middle of August, I received a phone call from some friends
in Atlanta, which got me thinking about Atlanta as another city where
I could gather war-driving data. Two weeks after the call, I arrived
in my final war drive city. After lunch and catching up with my
friends, I walked through the business district and let Jasmine do her
thing. This time, I was on foot so I could take my time and gather
data at a relaxed pace. Atlanta was alive with wireless networks:
* 392 MAC addresses identified in a 2-day period on foot
* 343 SSIDs were able to be identified
* 119 had WEP enabled
* 273 didn't have WEP enabled
Inventory of the manufacturers discovered:
* (12) Acer
* (7) Agere/Lucent
* (26) Apple
* (37) Cisco
* (48) D-Link
* (63) Linksys
* (24) NetGear
Overall, I was pleased with the time I took off this summer. I was
able to demonstrate some basic data gathering from vulnerable wireless
networks. I was reminded of several issues while writing this article:
1. People who use wireless networks should implement secure controls
before going live with a wireless network.
2. Wireless networks are ready for prime time if security controls are
implemented properly.
3. The cyberworld never sleeps.
This summer project really has me thinking of what research I could
accomplish if I take some time off during the winter holidays.
Demetrios "Laz" Lazarikos, CISM, is an IT security consultant and
auditor who has worked with small to midsize businesses, Fortune 500
companies and government agencies for more than 18 years. He is the
co-author of Cover Your Assets: A Guide to Building and Deploying
Secure Internet Applications, which has been used to help define the
security awareness training for companies including Galileo
International Inc. He can be reached at security (at) laz.net