Admittedly, "lurk" would be an OK word to describe our actions. "Criminal" would not.
Yes, my leather-jacketed host pointed a large and powerful device at offices and town homes. True, we rode in a black limo driven by a large man with a Russian accent. And it's fair to say we were sticking our noses where they didn't particularly belong.
So, sure, our activities -- which officially go by the name "war drive" -- might have skirted the borders of proper ethics in the court of public opinion. But we committed no crime.
In a quick drive in a rented car on the streets of San Jose and Sunnyvale, Calif., tech security instructor Eric Ouellet demonstrated how simple it is to electronically eavesdrop on Wi-Fi users.
"Most everyone," said Ouellet, "is surprised at how easy this is."
He's a professional hacker -- that is, security instructor -- for a company called Intense School. The outfit provides certification boot camps for corporate types looking to learn more about security. Camps can include war drives.
"No question, Wi-Fi is the big security topic right now," said Ouellet.
So-called wireless fidelity provides easy and cheap wireless transmission. Starbucks and McDonald's are among companies that provide Wi-Fi access points, called hot spots.
But companies and average Joes can easily set up a hot spot, basically a little box of electronics with an antenna. Might cost you $50. Many laptops, including those powered by Intel Corp. Centrino chips, come ready for Wi-Fi-ing. Otherwise, inserting a $20 add-in network interface card can make most any laptop work with Wi-Fi.
Tools Of The Trade
When I entered the limo, Ouellet opened his laptop and took out something that was three feet long and looked like a telescope. It was a Yagi, an antenna made by Cisco Systems Inc. It works on Wi-Fi and other frequencies. It costs $45.
Into his laptop running Windows 2000 he inserted a Cisco Aironet 350 Wi-Fi adapter card with an external MMCX (micro-miniature coaxial) converter to connect the laptop to the antenna. The 350 card goes for about $90, he says, and the connector $10 to $15.
You don't need a Yagi to find hot spots. Many laptops now come equipped with an antenna. To show this, Ouellet pulled out his Apple Computer Inc. PowerBook G4, which has an antenna inside. Sure enough, we found hot spots, though fewer than with the Yagi.
Back at the laptop, he called up a free Windows application called NetStumbler. More info on it can be found at NetStumbler.com.
"This is all run-of-the-mill stuff," Ouellet said.
And then . . . there they were. Wi-Fi access points. As he pointed the Yagi out the car window, access points started to pop up as separate line items on the NetStumbler screen. One, five, eight. We hadn't even started to drive.
To cut to the chase, in a one-hour, four-mile tour, we uncovered 404 Wi-Fi access points. Wi-Fi is exploding.
When NetStumbler finds an access point, it provides various columns of handy data. One column is simply the name of the access point. All Wi-Fi access points have a name or what's called a MAC (media access control) address.
For the most part, default names appeared that matched the brand of Wi-Fi gear used. Many said Linksys. Cisco-owned Linksys makes Wi-Fi gear. A lot said tsunami, a default name for some Cisco gear.
One hot spot showed up as "Tom's Public Linksys." In this case, a nice chap was advertising that his Wi-Fi access point was available.
In the next column comes the specific IP, or Internet, address. That's a series of numbers like 928.43.86.121, or whatever. We'd soon use one to link to the Internet.
Another column in NetStumbler provides the key item for would-be hackers. It notes whether the Wi-Fi connection is encrypted. That is, it has security software that scrambles transmissions so crooks, company spies, suspicious spouses, voyeurs or what have you can't log on to the hot spot and view a user's Internet activity.
Half the hot spots had encryption. Asked about this ratio, Ouellet noted we were in the world's most tech-savvy real estate, yet some 200 Wi-Fi hot spots had zip security. "That," he said, "is scary."
But take heart, it's easy to provide good security. Wi-Fi access gear, in fact, comes with encryption software. WEP (wireless equivalent protection) is a typical type.
Changing Keys
Using WEP is just the start, though. Ouellet says it's important for users to regularly, maybe once a week, change the "keys" to that software. The keys are the ways to scramble and unscramble encryption. Unless the keys are changed regularly, a hacker can break through a WEP.
True, Jamie Fink, director of product management at privately held security firm 2Wire Inc., said in a later interview. He says a newer, tougher standard is taking hold, called WPA. "But Wi-Fi security is not an enforcement issue," he said. "It's an education issue."
2Wire sells a secure Wi-Fi router and software, or gateway, through DSL providers such as SBC Communications Inc. and BellSouth Corp. Because of cost and time, he says retailers can't deal much with security. "So, many buyers of Wi-Fi access gear don't know about security or don't want to bother with it," Fink said.
Customers get more help going through an SBC/2Wire, says Fink. Its product for home users is HomePortal, which SBC sells for $50. "It's easy to set up, but more than half our users do end up phoning," Fink said. "That's fine. We walk them through it. What's funny is that a good 20% of callers with problems have accidentally hooked up to a neighbor's Wi-Fi access. And the neighbor seldom would ever know. No doubt a lot of people are taking advantage of this situation."
A 2Wire poll of 200 consumers found that nearly half would take a look at a neighbor's wireless network if they got a chance.
There's also no doubt, Fink says, that with just a little time and effort, everyone can easily get secure Wi-Fi access.
Back in the limo, Ouellet called up another application that came free with the Aironet 350. He locked onto an unsecured Wi-Fi access point, coming from a town home complex in North San Jose. He quickly got the hot spot's IP address. He then logged into the Internet and sent me an e-mail from his Hotmail account to my work account. This all took, oh, 26 seconds. We could've surfed the Web to our heart's content.
And then, he showed me a free sniffer-type software product. (Network Associates Inc. also has an official product called Sniffer.) The sniffer could do real spying. We had broken no laws to this point. But with the sniffer, we could have logged into an unsecured Wi-Fi hot spot fairly quickly and viewed a user's Web surfing, e-mails, etc. It's easy to do. There are "ethical" issues, said Ouellet, but it's not really illegal, "though we suspect court cases will soon emerge."
Boyfriends can, and do, use these products to check up on their girlfriends, he says. And vice versa. Business rivals can, and do, take looks at what rivals are doing. Some try to capture user names and passwords.
"There's no excuse for businesses and homeowners anymore to not have security," Ouellet said. "But it happens. Imagine if spammers get into your company's server via a Wi-Fi access point. Within seconds they could send out millions of spams -- and it looks like it came from your company. Not good."
We didn't end up doing any sniffing. We were far too upstanding. Plus, we ran out of time.