Complete security leader Sophos announced the findings from a recent practical experiment into WiFi security covering the city of London. The experiment was conducted over two days by Sophos' director of technology strategy, James Lyne. The project involved using a bike equipped with dynamos and solar panels to power a computer designed to scan for wireless networks - a technique known as 'wardriving', or in this case 'warbiking'. In addition, a GPS-enabled device allowed the creation of a 'heat' map, depicting levels of security of wireless networks around central London.
Lyne passed more than 1,000 wireless hotspots for every mile he rode, and found that at least one in four had poor security. Analysing the geographic mapping of the hotspots and the level of security they demonstrated revealed some interesting trends. Residential areas largely had reasonable default configurations - although many devices had default network names like 'SKY-XYZ123', they often had the strong 'WPA2' encryption standard enabled. At a micro level, the worst offending areas, consistently across London, were streets with collections of small businesses.
Of the overall number of networks, 9 percent were using default network names with no random element, such as 'default' or the vendor name. This makes password hacking even faster. This figure increased to 21 percent if networks which used the default name but which had some random element per device, e.g. 'Default-165496' are included. These figures excluded default names of obviously identifiable, intentionally open hotspots such as those in hotels and cafes. Some providers offering packaged solutions with a plug and play router generate truly random names by default, and supply these on a sticker on the bottom of the router. It's therefore reassuring to see some vendors following best practice here, helping consumers in particular to be more secure out of the box.
More detail and a video showing the warbiking experiment can be found on the Sophos website here: www.sophos.com/warbiking.
Crucially, Sophos only collected high level data within the confines of the law, which revealed the general state of wireless security (and is therefore representative of awareness of steps taken to secure networks). However, it should be noted that cybercriminals have significantly more offensive tools in their armouries and could relatively easily take this exercise further.
"With the tools available we could have gone much further but we carefully stayed in the confines of the law. This exercise doesn't paint the complete picture, but it shows enough to demonstrate that security best practice and education still need a lot of focus." said James Lyne, director of technology strategy at Sophos.
"Pretty much every wireless device can be configured to use secure wireless networking out of the box, so poorly configured devices show a lack of awareness rather than a lack of capability to be secure," added Lyne. "It's easy to take simple steps to protect your wireless network, making it a far less attractive target for anyone trying to snoop on your internet activities or steal personal information. If an attacker gains access to a wireless network they can cause a lot of damage, such as intercepting usernames/passwords, taking control of computers on the network, changing browsing to websites (for example to deliver malware or capture credentials), or using the network to perform any manner of anonymous or illegal activities. Unfortunately many networks are still like a Rolo - hard on the outside but soft and gooey on the inside. Without good security as per our top tips, an organisation won't know they've been attacked until perhaps the police come knocking."
Top level findings of the project include:
- 106, 874 individual hotspots detected across more than 91 miles of central London.
- 8 percent of the hotspots used no encryption and appear to be both home and business networks (this figure excludes a large number of coffee shops and other open hotspots which were identified by name of hotspot).
- 19 percent of the hotspots used the obsolete 'WEP' encryption.
- The remaining networks used WPA or WPA2 encryption, which represents acceptable security, providing they are not configured with default or easy to guess passwords.
Sophos was concerned that so many of the hotspots detected rely on the outdated WEP encryption standard. Using readily available tools, WEP passwords can typically be cracked in just a couple of minutes. This could enable attackers to join networks and directly attack computers or devices, as well as 'sniff' network traffic, for example viewing which websites are being visited, reading emails and capturing information such as passwords. It is likely these hotspots are older and haven't been reconfigured or changed for quite some time. Modern devices tend to come with a more secure configuration out of the box.
"Enabling an attacker access to your network like this also makes it possible for them to launch other nasty attacks like 'man in the middle'. This enables attackers to sniff your usernames, passwords or other sensitive data while you think you are using a secure and private connection," said Lyne. "The minimum level of protection on any wireless network is the implementation of WPA2 encryption and, even then, this can be redundant if a strong passphrase is not also used."
The Sophos experiment has no way of testing the strength of the passwords used, as no attempt was made to access any of them. However, there are tools available which can attack WPA2 protected networks with massive wordlists at high speed. Attackers would have no qualms about using such tools, so it is critical that organisations and individuals adhere to best practice when configuring their wireless networks. Businesses should also ensure they have appropriate configuration management, logging and anomaly detection capabilities so that their configuration remains standard across the office or geographic locations."
Moreover, most wireless routers will come with a default wireless network name (this is the name of the router as it appears on your computer when you try to connect to it. It's also known as the 'service set identification' or 'SSID', which many users do not bother to change). Not changing this allows hackers to prepare default password look-up lists combined with common SSIDs which speed up the password cracking process drastically, enabling them to test vast numbers of passwords per second. Having a custom SSID increases the time it takes for an attacker to break your passphrase, but when changing it, organisations should also give thought to their selected name. Calling your wireless network 'Company X' may make you more of a target as you are so easily identifiable.
Coffee shops and public hotspots will often intentionally be open so users of such services should ensure they are configured to use a VPN, which protects their traffic irrespective of the potential hazards of attackers listening in.