Slashdot Mirror
Exploiting and Protecting 802.11b Networks
iforgotmyfirstlogon writes: "A couple of guys from Extreme Tech drove around New York, New Jersey, Boston, and Silicon Valley with a high gain antenna to see how many (secure and) unsecure wireless networks they could tap into. They used NetStumbler and Linux AirSnort to help them search. Results? They came across over 800 networks and less than 40% had any sort of security."
looks interesting... HIGH GAIN BABY!
It takes less than 1000 packets to crack the cryptographic protocols in 802.11b WEP, regardless of key strength. Even those 802.11b networks with so-called security probably aren't very secure against someone casing the network. Use a higher-level protocol such as Kerberos or IPSec on top of the WEP.
They later went on to add that, "Out of the 40% of computers in which access was gained, just over 20% were serving some really great porn. Hey, why do you think we did this survey in the first place?"
Peter Shipley did that in San Fransisco and found smaling like 2500 access points. The only way this will ever be fixed is if companies realize that you cannot depend on protocol level security. WEP is not the answer. Tunneled SSL, or some sort of VPN end to end security is the only way to protect your connect.
Jeff Knox
You know, these people driving around looking for wide open networks are probably the ones that raise the biggest stink about "script kiddys" any time someone finds a new security hole.
Yes, WEP is insecure. Yes, there are a lot of networks that are just thrown up. Wow, kind of like wire eh? Reminds me of that great quote, "Never attribute to malicousness what can be explained by human stupidity."
Does anyone know of any good Documentation on how to secure wireless communications ?? I know we have 2 wireless connections between 3 building using SMC's Wireless routers, and the only security that was built in other than the 64 and 128 bit encryption (which is apparently crackable), and only allowing certain MAC addresses to communicate (which is also easy to crack).
So instead of writing articles on how bad wireless tech is to crack, (4th article I've read in a week) why not write a how-to on how to implement security on your wireless LANs.
what if i want to keep my network unsecured, what business of it is yours?
this sounds more like they are "casing the joint" for future criminal activity.
cops can arrest you for doing that. they should arrest people who do this as well.
When some guys get in their car and drive about looking for open wireless networks, they have an article posted about how they are pointing out such great problems. It is even implied (at least to me) that these guys are helping spread the word about wireless network security. Yet, when someone does the exact same thing over a wired network, it's called Port Scanning and they are labelled 'script kiddies' and are cursed and thought of a less-than-human. I don't understand it. (This is not a troll, or meant as a flame, just my thoughts on the matter.)
visit my free wallpaper collection, wp.erasei.com
There has been a lot of talk about people deploying many 802.11b connections privately, thus building non-corporate owned, cooperative wireless access to the net around cities and such. This might put a bit of a damper on that, but IMO it should not stop it by any means. While people might not be able to order stuff for now, there are a great many things to do that don't require security, and such nets really seem to be the ultimate expression of a free internet. If/when firmware updates become available, the access would just be that much better. It would also put more pressure on commercial interests.
This article is crap. Did you notice how the
percentage of "unsecured" (ie, lacking WEP)
networks went up significantly when they drove
by MIT? Of course. We're smart enough to have
realized that WEP is a joke, and so the hundreds
of access points set up on campus for student
use don't offer it. At all. It's by design,
not stupidity. Using WEP gives you an entirely
false sense of security.
The article's completely right about wireless exceeding their advertised range, i've just got home from the LBW where we had a single flat panel antenna connected to a regular base station transmitting over about 1 1/2 miles up to the campsite, to another relatively small antenna connected to a wavelan card in a laptop. Sure the link went down at the slightest hint of bad weather, and we got about 30% packet loss, but we were still getting about 500mbits. :)
- Hypnos
Why is this guys comment a 0? A "how to" may not be as sexy as driving around for open networks, (and if you think that's sexy, you've been way toooo into Final Fantasy jpegs), but it's definitely needed.
However, in a brief spiel before I have to run, ensure end-to-end encryption. Approach it just like you would a normal WAN. Disable telnet and ftp on your servers, use SSH and SCP instead. Harden your hosts. Look into using FreeSwan or the BSD's IPSec solutions for vpns. Switch over to DJDNS. In short, do everything that people should be doing on their 'normal' wired networks. It never ceases to amaze me that just because WEP is easy to break, everything else must be totally secure by default.
Hope that helps.
If you don't have any resources unprotected on your network, why shouldn't the wireless network be wide open? My suggestion is to leave the network open, set up secure tunnels for the important stuff, and let passers-by use your 'net connection. Where's the harm in that?
That's probably what the 40% were doing, anyway...
From the looks of this survey these guys did, if they were to come by my campus (they didnt, it's not in any of the cities they drove around), one of a few things could happen:
- this network would appear to be insecure because non-WEPed transmissions could be found on it.
- This network wasnt found because the school network would refuse access to it.
- The network is secure because it was found, but data could not be accessed because the school network wouldnt allow it.
Any thoughts?The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Was advertised on Television in NY (SUNY, Alderson? Anderson? not sure). Begs the question- who's watching?
Their article is nothing new, really, it was just the first documented 'story'. In fact, shouldn't they be tossed in prison for port scanning and gaining access to unauthorized resources?
Puts a damper on Free nodes- I wonder how many people are going to spend the money on wireless with the intent to give it away for free if, every time they turn it on, they are probed almost as maliciously as when the cable light comes on.
granted you could do the same thing on most wired networks just as easy, I suppose.
;), naturally.
But wireless signals do have a limited range in feet/yards, but heck if you put the time or find something unsecured you could do it a couple of continents away.
Next in the news: unsecured IIS boxes running unsecured wireless access. @home sues for patent infringment for "pointless wastes of bandwidth 'we though of first' "
Film @ 11, in DivX
Moose.
If I hit you with a post, and no one sees it, do I get a fish?
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
It more like two open networks. One is the test network in our lab which isn't connected to anything other than other devices were playing with and the other is a point to point lan between a linux box and a solaris box. The solaris box is currently undergoing an audit but its going to live oustside of the firewall which is kind of where it is now. AT work I've had to make it very clear that If I catch any of this wireless stuff pluged into my network, I'll turn off their port. I may have gottent my point accross or maybe not but I still scan for arp traffic of the ether address ranges of the offending devices.
By doing this you are basicly acknowledging that the security isn't there and force your users to use secure tools to get to secure places.
Anyway my point is that if one of these guys drives by my home they'll probably pick up up my 802.11 and add it to their map, maybe even hack it to get access to the 'net - but do I care? nope
We also treat the wireless security as a joke. We're using an access point located outside our firewall behind another firewall. All clients using the access point get back into the corporate network using the same VPN software they use while on the road. In fact, they are now set up so they never turn the VPN software off.
Anyone breaking the security of our access point gets plain old Internet access and doesn't get into the corporate net.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
WEP is not the answer. Tunneled SL, or some sort of VPN end to end security is the only way to protect your connect.
Hear hear.
So the thing to do is to put the wireless LAN port on the logical OUTSIDE of your firewall and let the laptops all tunnel in through it. Your firewall can also filter connections between the WLAN and your net feed.
For the open net your users can also encrypted-tunnel to the tunnel server and go out from there, to avoid eavesdroppers. With this configuration there's no reason to bother with WEP.
Go ahead and route packets between the net and the wireless port if you're feeling altruistic, or restrict WLAN connections to the tunnel server(s) if you're not.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
There were a few APs at Linuxworld, about 11 or 12 networks when I scanned, I think only a couple had an real security.
The OSDN booth had a wide open AP that I was able to use to get net access while I was hanging around nearby.
I was checking Slashdot, almost caught a breaking story for First Post, while I was in the audience listening to CmdrTaco's Q&A session.
Hopefully, from now on there will be more and more open APs at conventions so I can get net access at random places on the floor.
It comes down to speed vs. privacy. You can ignore WEP and use IPsec or a VPN. You'll take a speed hit, but you'll have reasonable privacy.
If you don't mind exchanging some privacy for additional speed, 128 bit WEP isn't a bad choice. It hasn't lived up to it's "Wired Equivalent" name but sniffing and decrypting is a non-trivial operation.
For more speed with minimal privacy, 80 bit WEP doesn't cost much bandwidth (2%) and you're still only going to be sniffed and decrypted by folks with a clue.
In some situations, speed is most important and privacy is meaningless. Suppose you're downloading Debian ISO's over a wireless link. There are times (one might argue the majority of internet traffic) when privacy just doesn't matter. If you can use reliable encrypted protocols for the exceptions then open mode 802.11b is fine. What are you trying to hide?
As long as we're able to encrypt those transactions that require privacy none of the WEP "stuff" matters. How secure is your wired network internet traffic after it gets to your ISP?
When you have 1000's of people driving around trying to h4x0r 802.11b networks, it won't be the same thing anymore.
How do you know you don't ALREADY have thousands of people driving around sniffing 802.11b nets?
And how is a person supposed to distinguish nets left open deliberately, as a public service, from those left open accidentally?
The existence of public 802.11b ports gives plausabile deniability of criminal intent to anyone making parasitic but non-malicious use of an accidentally-open WLAN.
(IANAL of course. But I'd hate to be a prosecutor trying to bring a case against someone who "trespassed" on a WLAN port.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
There seems to be a recent outbreak in these "drive by hackings." Thank the gods my friend registered www.drivebyhacking.com a couple months ago. Now we just have to figure out what to put up there.
----- Mike Sklens Staff Writer, Planet GameCube.com
Doesn't the DMCA say anything about this kind of illegal activity ?
Most of the results here were simply that people
aren't using WEP. We're constantly being told
how useless WEP is, so I can understand that.
I don't use WEP on my 802.11b home network, but
the firewall blocks everything other than port 22 tcp.
This seems to indicate to me that I have two options (considering decaffeinated coffee isn't an option):
1) Don't stop drinking coffee, thereby eliminating the 'first cup'.
2) Chase the first cup of coffee with a beer to counter the hardening of my arteries and increased blood pressure.
Its more like going thru a neighborhood and checking if anybody stores their cash on the sidewalk.
Also if their are storing their loaded firearms and gossip sheets about their neighbors, and even
personal data entrusted to the homeowner.
So its pretty much everybody's business, isnt it.
read the article:5 3D 7%2526s%253D1024%2526a%253D13880%2526app%253D5%252 6ap%253D6,00.asp
http://www.extremetech.com/article/0,3396,apn%2
fslg503-985-8686503-985-8686503-985-8686503-985-8
I was in a Starbucks here in Austin, TX which offers 802.11b access (for a fee). Instead of winding up on the provider's network, I was on the Safeway network (the Starbuck's is inside a Randall's / Safeway supermarket). This allowed my Win2000 laptop to browse the supermarket network, which has many shared [and unsecured] systems probably used for re-ordering / EDI, etc. The real issue is about education of network professionals about wireless security and how to implment it, whether or not they use WEP (Safeway clearly did NOT). I for one just wanted my 'net access via Starbucks and not Safeway's ultra-slow (probably frame relay) network.
I'm still not convinced that's all that safe. For example, do you believe that two machines attached via a hub (not switch) using ssh or vpn to establish a link is totally safe from a third machine attached to the same hub?
Some pretty clever hacks were employed back in the day before wirespread use of switches and those hacks are all relevant once again against wireless networks. Don't be lulled into a false sense of security just because you think you negotiated an encrypted link.
Word up yo, mad props! Transfer by XMODEM dawg! Who needs that ZMODEM crap!
Not when you can crack all of them with AirSnort.
All it takes is time and traffic.
Of course, it still amazes me that so few had even the most basic levels of security installed.
Then again, most of the managers I have worked for seem to think that if you take steps to protect yourself, you become liable if you get hacked. (Yes, I know that makes no sense. Never stopped them...)
"Trademarks are the heraldry of the new feudalism."
We know wep is insecure. There is little point in even putting anything on these nets. as a matter of fact I can find reasons not to. Let's say for example that you run a facility that has large numbers of people from outside coming in. WOuld it make sense to enforce 128 bit encryption? Sheesh, all the people with bronze (no encryption) and silver (40/64 bit encryption) can't use it.
As someone pointed out above, put it outside the firewall, requirte ssh/vpn to get inside a firewall. tell people it's an insecure net, and recommend personal firewalls (zone alarm. blackice, ipchains, etc).
The major benefit of wireless is access anywhere. Security directly conflicts with access. For example, managing MAC level security (restricting by MAC) is a pain in the keister. WEP is worthless. So assume all your traffic is insecure and use something to encrypt it. If you really need to prevent people from getting on and using your net, _don't use wireless_.
-- Who is the bigger fool? The fool or the fool who follows him? --
I can just imagine some poor network admin trying to figure out who the heck is using their network to surf for pr0n (and imagine the PHB trying to figure out who they need to fire).
But seriously, with wireless it seems like it would be incredibly difficult to trace the unauthorized user. Land based hacks are usually done over the internet rather than by physically connecting to their network. As a result, there's usually logs to help track down the person(s) using the network.
But this seems incredibly tough... if the cracker didn't go anywhere on the network that would give themselves away (such as logging into hotmail to check their mail), I would guess that it would damn near impossible to find out who was sneaking into the network... even if/when they were actually connected. I would guess that the wireless network might get the MAC address of the card being used to get into the network, but even that likely wouldn't get you anywhere.
Is that true, or am I missing something here?
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
This link should help.
W ireless/index.html
http://www.nas.nasa.gov/Groups/Networks/Projects/
Yeah, but how many drive by's do you have in your neighborhood?
I don't think my boss is gonna go for the
"the guys in the parking lot say we're eating up
too much bandwidth and should use a caching proxy.." type thing thanks, not at $800 a month.
What idiot modded this down? It's FUNNY! And RELEVANT! Off-topic indeed!
A little research in to what I want in a contract to do security work without being arrested for hacking led me to discover that the law is very strict and straight forward. The point? These guys broke the law big time, did it hundreds of times, and advertised it in the media. If someone wanted to charge them there is no doubt they could be convicted.
As for the morals of what they did, I'll leave that up to you.
Darthtuttle
Thought Architect
There are some tips there. Extreme Tech also ran an article a couple of days ago on the basics of securing wlans.Here is the link
If it were legal to simply intercept and decode any photons that crossed your path, scanners would be allowed to receive cellphone conversations, it would be legal to decode directTV and other encrypted satellite broadcasts, and also to intercept various other communications methods... Monitoring is definitely NOT always legal in the US.
-Daniel
With all the stories on how bad WEP is and how most 802.11 networks aren't secured, I haven't found an answer to this question about securing a home 802.11 network (I'm not claiming to be an expert on this, so maybe this is a simple question).
I'm assuming most home users don't have the equipment/skills to set up the access point outside of a firewall and use VPN/SSH. Given that, how risky is the following:
1) Consumer base station (Airport)
2) WEP password enabled
3) Access restricted to specific MAC addresses (not possible w/Apple's configurator, but doable with the 3rd party Java version)
4) Airport plugged into home LAN, no other machines running any servers or file sharing (none are Windows boxes, 2 OS X, 2 OS 9.2)
I understand all the actual 802.11 traffic is basically open. I assume if the web site I'm using has effective encryption then that data is safe, but my POP3 password could be grabbed assuming it isn't encrypted by something other than WEP.
What I'm wondering is would this setup effectively prevent someone from setting up a laptop outside my house and getting at the files on my LAN.
This seems to me a reasonable set up for a home user, but if it leaves the family Quicken file vulnerable to any kid on the block then 802.11 seems to be destined to never be mainstream. If on the other hand a home user can put at least basic security in place (e.g. they can see your web pages but they can't trash your entire drive) then it has a chance.
Thanks.
I have no wireless network card, and no experience with PPPOE, but it does seem that it is exactly the type of thing to use to give your connection a bit of encryption. Of course that is assuming that it does some kind of decent encryption. if it doesn't, well it sounds like a 10 minute hack to solve the problem, but then again, it's not my area of expertise
Slackware: old school feel, new school gear.
We tried this stunt from an office window in the centre of New Zealand's largest city, Auckland. Even with only the laptop's wireless card, we were able to tap into 13 networks, and gain external internet access through 10 of these. The main security risk this poses, is that most highspeed business connections here are MB capped, and therefore, any kid with a laptop and wireless LAN card can use any local retailer's high-speed connection to download his warez, or even worse, to carry out even more highly illegal activity and it is traced back to.. the kid? No. The retailer. And this was only with a 5 inch steel aerial! Imagine what we could tap into with the kind of reciever power used in that article. Ironically, one of the internal networks we were able to enter completely anonymously, was that of a major NZ bank. Cash anyone?
I run a 56k Linux firewall with a crossover cable into a Linksys wireless cablemodem/dsl router, the BEWS4. Then I hang a 24-port hub off the hub port, with 3 Linux boxes, an NT server for work and my wife's 98 box. My Linksys doesn't support limiting wireless clients to a list of MAC addresses.
I really only have one wireless client at this point, so perhaps I can limit the DHCP to one client and then use ipchains to restrict server access to the wired static range and the wireless dhcp "range of one". I can't go with static on the laptop b/c I use the wireless at 4 locations, all DHCP. Like hell I'm gonna change the IP address each place I attach to.
Does anyone run kerberos at home? Seems like a real bitch to setup. Well, amanda just got around to my laptop so I'd better go...
Intelligent Life on Earth
friggin code red boxes still running
12.10.209.125
12.81.64.148
202.105.44.20
12.4.104.2
203.146.82.66
have fun, tell them billy g said it's ok. he sold the bad software.
Regarding the "publicly accessible" wireless networks that are supposedly springing up, why not setup a nice transparent stateful firewall to only allow outgoing (and their resulting replies) connections? That way if your neighbor, or "the public" want to use your broadband connection, they can do so wirelessly, but only to make outbound connections. Granted, they could setup a VPN or some such to get a public IP for unrestricted inbound/outbound traffic. Just monitor the system and keep extensive connection logs (no, that's not packet sniffing logons and passwords ;)).
Of course, why are you letting other people surf through your connection for free? Another issue, for another Slashdot article.
Ok, here it is in a nutshell. You can put an Open Source-based IPSec gateway immediatly upstream of your wireless AP... or better yet, simply put a wireless card in a Linux box... and secure your wireless with an IPSec tunnel.
This protects your network, your traffic and if the hosts are configured properly... your clients. Way better than the mess that Nasa came up with.
I am currently setting up a Linux/FreeSwan device for my employer's wireless and I have a similar OpenBSD IPSec setup at home.
I also have a floppy-based Linux "access-point" that I'm trying to integrate FreeSwan with that will offer the same thing for anyone.
Anyone interested?
Given the basic nature of routing, the traffic on these 'free' networks, long-range traffic has to get to an upstream Internet pipe somehow (and the aggregate of traffic in a 'free' internet would be large getting to these pipes).
Who would underwrite the cost of that upstream "last mile" to the Internet from the "free" wireless access net? I'd rather not have the sum total of several thousand "free" wireless access points flowing through my T-1 / T-3 / OC-whatever if the traffic is significant.
The cost should ultimately drop with wireless, obviously, because the end users don't have to underwrite the large infrastructure creation cost required to support them.
You'd expect this with existing shared technology like cable modems, but of course the economics of the monopoly apply here still (telecom regulation yeah right, at least today)
But perhaps the bottleneck would shift from a last mile problem to a first mile problem (with which the average ISP deals quite nicely) in a wireless neighborhood. In cases where frequency of access and bandwidth consumption are low, I'd expect access prices to drop significantly, though.
The shared-resource telecom concepts of Erlangian distribution, and so on become highly relevant again in such a scenario. Is this the PBX / concentrator again?
Speaking of which, in the Boston area, if you have line-of-sight to the Prudential building (and who doesn't in mass of landfill), you can now get wireless (microwave?) 1 megabit guaranteed bandwidth for $300 a month.
Firewall the wlan, punch holes for higher level security (pptp, ssh, ipsec, etc..).... good luck.
How many times have we heard this now? This has been an old hat for well over a year. And what's more, even before WEP was shown to be TOTALLY broken a couple of months ago it was obvious that 802.11b security wasn't... even if you used encryption, with in an organization that's useless because there's no key management... you can't possibly think that a password that's stored on dozens to hundreds of laptops that are travelling all over, some percentage getting stolen as a matter of course, most of which can be regularly accessed innoculously by strangers, can be called "secure" in even the vaguest sense!
/any/ security. And don't DON'T DON'T connect the wireless net to your organizational network... just connect it to the
/specifically/ for the wireless LAN, but I think that's stupid, anything you do might as well be the same for wireless/Internet access... it's exactly the same problem space. In either case you have a network you MUST treat as COMPLETELY UNTRUSTED.
The right way to do wireless is simple... DON'T Don't bother. Don't use
Internet and treat it as public internet access. Instead of asking "do we put wireless access on our network", ask "do we want to provide public wireless internet access throughout our buildings a few hundred feet beyond? And make your ESSID something like "yourname-public" so its obvious... visitors should be able to easily use it to! Why the hell not?
You already have some way of accessing your organizational network or some of its services from the Internet, don't you? (If you don't you have security requirements that probably mean you REALLY can't use wireless.) Be it IPSec VPNs or SSh tunnels, or just SSL web/mail access, that's what you'll have to use even when you're using the wireless gateways right in your office.
Of course you can set up some other level of IPSec tunnels
-j
Using 802.1x, a computer/user must authenticate to the access point through standard RADIUS/EAP mechanisms (e.g., smart card, certificate, MD5-based challenge response, etc.). If you are unable to authenticate, the access point (or wired Ethernet switch, for that matter -- this isn't 802.11b specific) will refuse to forward any of your packets to the network.
There are also provisions in 802.1x to have the access point authenticate to the client, in order to prevent man-in-the-middle attacks, among other things.
Furthermore, 802.1x provides means to give each user a different WEP key, and to cycle those keys at various intervals. This greatly reduces the exploitability of the cryptographic flaws in WEP. (These flaws should still be addressed, though.)
Finally, 802.1x is already available today, in Windows XP.
Just fyi.
I believe cisco aironet is able to rotate keys if a radius server is available. You could make your rotation fo keys happen at a fairly short interval and give any wannabe snoopers a fairly annoying experience, possibly even rotating them before snoopers collect enough information to break any key you are using. not sure if any of the other 802.11b implementations allow for this. normally a session uses one key and will use the one key indefinatley.
meridian at tha.net
Care to share with the rest of us?
Thank you.
If it takes 100MB~1GB of packet data for airsnort to crack your 802.11 network, why not set up a cron job to telnet into your access point and change the access code after every 10MB, or so?
Doesn't seem like the overhead would be that large...
It would be nice if the access point software allowed us to reduce the power of transmissions so that it was effectively limited to the radius of our home. Has anybody tried to manually reduce the range by surrounding their access point with an interfering material (ex. putting it in a metal box) and then checking signal strength?
The net result of this insecurity will likely not be better security protocols, but rather another inane law restricting the right of people to use wireless devices.
It happened with cellphones in the 90's, that's why it's now illegal to listen to cellular frequencies in the US.
Just wait, it will happen.