Slashdot Mirror
80% of WiFi Networks are still Insecure, Kismet Author Says
acz writes "The brain and guts driving the development of Kismet is Mike Kershaw alias Dragorn, who works during the day on IBM mainframes and hacks code at night. Kismet is simply the best war driving tool out there plus it's free as in GPL and can even run on your linux PDA. In a recent interview posted on HERT today, he says: 'I've become entirely jaded towards security as a whole (or rather, people's complete lack of it) and not much surprises me when it comes to open wireless networks. ... the overall percentage of unencrypted networks is still at about 80%.'"
Go for a drive around town running netstumbler or kismet. I can pick up two hundred access points in 5-10 miles, and the vast majority of them are unprotected... Probably more than 80%. Even more interesting than that is the fact that you can tell which people have actually tried to configure their access points. Many people are using default SSID's and no protection. Kind of scary if you ask me, but hey, it almost guarantees free internet in some neighborhoods.
I know in suburba the number is much higher as opposed to downtown San Francisco.
The key can easily be obtained and with the tools out there it is just as insecure as having the data unencrpted since its easy to fool the AP to giving you the key.
IPSEC is the way to go but my router and older system do not support it.
Linksys supports IPSEC but guess what?
There is a default admin password that anyone can use to log in. SO whats the point?
http://saveie6.com/
Don't mind if I send threatning messages to the President or send out a few hundred thousand spams through your AP?
Can someone answer the following:
* Why aren't WAPs shipped with encryption turned on by default?
* With many well-known strong encryption schemes, why was the weak WEP made standard?
LS
There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
from the post:
from the article:
An insecure network and an unencrypted network are not the same thing. WEP is encrypted, yet insecure, while secure IMAP and SSH are secure by providing end to end encryption, instead of relying on the network to provide it.
-jim
I've had that idea myself, but I've read nothing but horror stories about people that have actually tried it... e.g., the winners of this year's Wi-Fi Shootout at Defcon:
"We were going to war-drive around Cincinnati and find unencrypted wireless access points," Corrado said. "We knocked on people's doors and asked if (they) wanted us to encrypt them, and they just got all freaked out. So we were searching for other things to do with the equipment we had just purchased."
From this story at Wired News...
It pisses me off that in order to use Kismac fully, I have to get another wireless card - even though I have Airport Extreme. Just release the specs already - what is the point of keeping them closed source?
I wonder how many unpatched computers are connected to the wired web? Probably an equally scary amount. It seems to me that there are greater long term risks with this scenario. Most spammers and child pornographers unless they are your neighbor or using an antenna are not going to set up shop on your front lawn where as your unprotected wired box can be owned and operated by anyone in the world.
Most modern routers with 128-bit WEP aren't vunerable to the "weak-key" exploits. I have tried to crack my WEP key for the longest time, and have been unable to do so.
WPA is nice, but there are compatibility problems you have to look out for (Windows 2000 and OS 9 for example, and being unable to relay the signal via WDS)
In my the middle of Silicon Valley, I can see from my apartment complex about a dozen access points at once, and I can probably 95% of the time access the Internet through at least one. I've given up even paying for Internet access, cause I've always got it anyway. People just plug in their AP's turn them on, and if it works, thats the last time they touch it.
All those talks on network security sometimes bugs me. All those leftist trying as hard as they can to make the right wing extremist's job easy.
The lack of security over WI-FI is a good thing. Ever thought about the democratization of communications, WI-FI can bring you that, unsecure WI-FI WILL bring you that. With file encrytion files are safe (mostly) anyways, that's what we need to promote. Leaving your network open will just make it accessible by other people which, if they get the hardware themselves will make this network availlable to more and more people and so on.
In a few years when you wanna call someone you basically open iChat, MSN messenger, whatever, turn on rendez-vous or equivalent find your contact name and double-click. Get it?
Security isn't always a good thing, making everything locked just make sthe world harder to travel, some doors need to be opened.
In the very unllikely event that I win a huge amount of cash, dream number one is to get several WI-FI routers and configure them to enable a neibourhood network, hoping to change it into a city network and so on. I dream of the day communication will be democratized, free, for everyone.
Instead, as of now, the technology exist, it's there for everyone to grab, but they all stare at it, telling themselves: "too complicated and the router is around 200$CAN, it's expensive, I'd rather pay 30$ a month plus long distance and service fees for the rest of my life"...
Why aren't these articles ever about how great it is that we can all get on the internet practically everywhere? At no point in the whole interview does he talk about the benefits of open wireless, as well as people's abilities to seperate the wired and wireless connections pretty easily to do all their secret things wired, leaving free internet for anyone that wants it?
It IS possible to have an OPEN AP on the same connection as your ENCRYPTED wired environment, and the quick and dirty way costs about 30 bucks for an extra cheap router.
-non serviam-
Please check out this.
Has anybody running an open wifi connection *ever* had either of these happen? I've been running semi-open wifi (port 80 open, rest of the ports filtered on a Linksys DHCP router) for two years now- of course, I've yet to get up that dish so that I can access it from the park (ran out of time soon after getting the dish) but you can access it from the other side of my fence on the sidewalk just fine. And I've NEVER had a problem.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
You are absolutely correct sir. A few months back, I was reading Risks Digest in comp.risks -- a low-volume high snr forum that EVERYONE here ought to be reading -- and the topic of discussion was user-interface design. One of the posters made a very salient point:
There is no such thing as human error, only bad user-inteface design.
Some would argue that wifi is not ready for the masses yet and thus joe-sixpack shouldn't be buying expecting it to work like his stereo. I might agree with that, except that the vendors market the devices as if they were ready for joe-sixpack.
So, the conclusion here is that if a product is not designed for easy and intuitive use by the target buyer, then the manufacturer has failed, not the buyer.
Many folks seem to launch into the misinterpretation that 'unencrypted' == 'insecure'. It does not. Just because your box can talk at layer 2 or layer 3 on my wireless network doesn't mean it's going to be of any earthly use to you.
Case in point: wander around pretty much anywhere in the Haymarket, Ultimo and Broadway areas at the south end of the City of Sydney, Australia - you'll find literally dozens of open, unencrypted wilress access points, all with SSID "UTS WLAN". Natural next step for a geek is "Whoah! open wlan! I'm there!", fire up laptop, connect...
It's shortly after that that you realise that you've just helped yourself to an open, unencrypted, and completely useless wireless network belonging to the University of Technology, Sydney. You know this because no matter *where* you point your web browser, you always get the same page: "Welcome to UTS WLAN, enter your username/password to continue". If you manage to guess a username/password, then you'll get the same page, with red writing, saying something to the effect of "oops, no IPSEC tunnel, no cigar".
That network is opened, unsecured in that you can get your machine to talk on it without authentication, but you can't talk off of it without additional rights.
Now granted, there's holes in my story. One day, some clever kid is going to figure out that he can use the wlan as his own private routed trunk from one side of the city to the other, and then the owners of the network will have to block that. Second, how hard can it be to get a username/password pair out of a drunk undergraduate? Third, this lot isn't *really* in the spirit of the story - I've built the chinese cookware, I've found, literally, hundreds of wireless nets that really are open for all to see, most of them quite likely unintentionally so.
So yes, there are a lot of unencrypted wireless networks out there, but they're not all unsecured.
I find your ideas intriguing and I wish to subscribe to your newsletter.
Wireless is still mostly in the hands of early-adopters; many of who know what they're doing.
My wireless covers one coffee shop near my apartment complex.... someone else is covering the other one. Out of the 8 or so wireless access points I can see from right here, 5 have WEP, 2 I know are open intentionally (the two I mented), and the other one is T-Mobile (damn expensive).
You don't get it.
If I send a death threat to the President through your AP, by the time you are arrested and thrown into an interrogation room, I will be miles away and you will have absolutely zero recourse and your petty tales of cfree internet access will fall upon deaf ears before you are released 10 hours later.
Luckily that is your right and choice, as is my leaving my wap available, I DO LOG traffic, and limit number of IP's and bandwidth, as well as reset the device EVERY NIGHT, but I have no issue with allowing someone to get their email or surf. NOTE: I run a hardware firewall and do enforce a logical separation.
errr....umm...*whooosh* *whoosh* Is this thing on ?
Personally, I wish more cheapie access points you buy at CompUSA would include some kind of DNS rerouting feature like you see at coffee shops and so on. To get access to the AP, you need to try to pull up something in your Web browser. When you do, you first get redirected to a page that says, "Hi, welcome to our network!" or something similar.
For free/open access points, this would be handy for two things:
1. Saying who you were and letting people know that, yes, you do know your access point is open and, no, it's not really cool to just leech off my DSL line all day if you're my next-door neighbor and you're just too cheap to pay for your own broadband.
2. Putting up some kind of "EULA" that says something to the effect that this AP is provided free of charge, with no warranty whatsoever, and that you assume full responsibility and liability for any content received over the network link, including but not limited to viruses, spyware, and illegal content.
I doubt it would truly "indemnify" you, but I think any reasonably sane court would take such a page into evidence as supporting the idea that you really did have no idea/control of the kiddie porn that guy was downloading.
Breakfast served all day!
In my setup WEP offers no advantages whatsoever so I never bothered with it, but I guess that makes me just another dumb newbie in their survey.
The real problem isn't that people aren't using WEP (since any blackhat with a web browser to download the tools can crack WEP in a few hours at most.)
The REAL problem is that ALL low-cost "wireless gateway" appliances treat wireless nodes as part of the LOCAL network, when, of course, the wireless segment should be treated as another WAN (Internet) link, where the bad guys live, and where you have to authenticate yourself before connecting to the LAN. As long as this remains true, wireless will continue to be a huge security hole in most networks.
Unfortunately, the "business" networking vendors are more than happy with this arrangement, since it keeps savvy business users from buying their network gear at CompUSA or Fry's. The sad fact is that security comes at a very serious cost premium today - it shouldn't, but the factis that companies that value security will pay *much* more for it, so the vendors simply "de-feature" the mass market products to help justify "enterprise" capabilities such as this common-sense approach to wireless networks.
This won't change until one of the SoHo/Home market vendors gets a clue and decides that their buyers might actually like a wireless router that can protect the rest of their network. Why that hasn't happened yet is a mystery.
BTW: If anyone knows of a low-cost wirless router device that *can* treat wireless as an "outside" network, post a reply and let us know...
"The future's good and the present is nothing to sneeze at." - Roblimo's last
It's the same great idea as planting nice looking trees on your front yard, so people who drive by can appreciate their beauty.
Of course you'll say "ooh! but I'm so smart I reallize there's no law making me do such a nice thing, so I won't do it!".
It's the same as doing community service work like building playgrounds for children in your neighborhood.
But now your going to tell me "don't do that, because someone might get hurt".
It's the same nice thing as handing out candy at halloween.
Oh, now you'll say "but you're just encouraging razor-blade-wielding terrorists who poison apples".
It's hard to follow people like you. Some people are nice because they're nice people. You shouldn't be so afraid of them.
I fail to see how sharing my wife, home, money, car, and clothes have anything to do with sharing an internet connection?
you dont lose anything tangible if you share an internet connection properly.
its simple: IPSEC (or VPN) your own connection while letting others through unencrypted. if you use WEP, you're screwed from the start if you want privacy, so why pretend.
I plan on implementing a setup verymuch like this in the near future. the only deviance to this will be bandwith throtteling for the unencrypted packets. *GRIN* just incase i get a greedy neighbor.
Troll, Troll, go away and flame again some other day
I use WEP on my home WiFi network despite it being a complete pain in the ass. No two vendors want to authenticate the same way so I have to jump through hoops to get a new system on my network. On my Powerbook with its AP Extreme card I have to use xwepgen to generate a hex key to input into the Airport settings. Trying to hook up a Windows system is ten times harder since different cards have different interfaces and not all of them work properly with Windows XP's native configuration.
If it was easier to implement WEP between different vendors' products more people would use it. Unfortunately the product lifetime of WiFi products is a whopping 6 months so drivers and firmwares are rarely updated significantly. If you want to switch from WEP to WPA, which is easier to work with between vendors, you usually have to buy a number of new devices. I'm not apt to plunk down $100+ every year on new WiFi equipment just to get it talking to other equipment. Vendors have no impetus to increase interoperability because they want you buying from a single source.
I'm a loner Dottie, a Rebel.
Same here, though I don't think anyone's using it besides me. I set my SSID to "call (my phone number)" to see if anyone was using it. After about two months, I checked the wap's logs and only found my MAC address in the connect list.
I was thinking of getting someone to make me a "warchalk" sign to hang on my house, so people could see there was internet access here. Then it occurred to me that the idea might be sellable to enough people to turn a buck or two. Anyone feel like a little entrepenurship?
I work for the Department of Redundancy Department.
WEP is easy to crack *if* one or more of the nodes on the WLAN are not filtering weak IV's and is *not* using WPA. In my test setup using a Netgear wireless AP and a Netgear PCMCIA card in a laptop copying a 65 mb ISO image in an endless loop to a server on the wired network, it took 24 hours to capture enough weak iv's. DWepcrack took about 10 seconds to load the capture file and 3 seconds to break the WEP key (on a PII 333mhz Dell Laptop). Netgear doesn't filter weak IV's and they're cheap enough to buy for testing. Second test was with the Netgear AP and a Linksys PCMCIA card in the the laptop, Linksys filters weak IV's. This same test, copying the 65mb ISO image in an endless loop took 36 hours to capture enough weak IV's. To contrast, using an AP and a PCMCIA card that both filter weak iv's (Cisco) I ran the same test for 8 full days and still had not captured enough weak IV's to crack the WEP key. If you have an environment where one or more nodes are not filtering weak IV's AND they have not implemented WPA or other protections, it's just a matter of time. In my research, I checked Netgear, Dlink, Cisco, Linksys, Intel, and Dell(branded intel I think). Only Cisco and Linksys filtered weak IV's. Recent discussions with Dell and Intel reveal that they don't think it's worth their time to filter weak IV's. They think everyone will run WPA and the problem will go away. WPA isn't the default setup either so if they're not filtering weak IV's... It seems to me that filtering weak IV's is such a simple thing for them to implement that it is simply negligent not to. IMHO it provides a big bang for the security buck.
Insecurity usually goes further than that. For instance, a friend of mine recently went to a fairly popular local place(name withheld to protect the innocent), and found that the wireless router still had the default password. She didn't do anything particularly nefarious, but a less scrupulous person easily could have.
And the l33t shall inherit the 34r7h.
...while the average citizen = default settings, usually insecure.Sitting in my home in my room with my new college laptop, playing Warcraft FT, it suddenly minimizes, to my amazment, with a dialog window saying "You may connect to the following wireless networks, yadda yadda yadda," and there were four networks, w/ SSID of D-Link, and linksys, w/out WEP, or 802.1x encription. Not even trying to wardrive for networks, four pop up and say, "JOIN ME, JOIN ME!!!!" If I had proper utilities, i could be bouncing off the four servers, and even the above average user probably wouldn't be able to see it.Note: I live in a suburb of Washington DC, so DC must not be tech savvy.
When not job-hunting, I made a modest living helping the local businesses secure their open access points (which expiated some of the guilt over leeching on open WAPs). This led to more business as a tech support consultant, which kept me afloat and paid my motel bills until I found a permanent position.
Using NetStumbler and a DeLorme Earthmate GPS on a laptop, I identified open access points. Then I would approach the business and offer to secure their connection for a modest fee (usually $100). Only two businesses turned me away, but the rest were glad to have my services.
I've read some comments from people who intentionally leave their access points open. While I don't advise this, that's entirely up to you, and I'm sure that you understand the consequences. These small business owners that I worked with were not so aware of the ramifications. They bought a WAP, hooked it up, and were pleased with themselves when it worked. And with two exceptions, they were all horrified that someone 500 feet away from their office or store had access to their network and data.
Some tips if you want to do this:
I wouldn't want to do this full time, but for a few months I made a pretty decent living at this, enough to stay in a nice motel, eat lobster, and drink good scotch. When I was hired by a company that provided contract network administration services I had a nice stack of references (and new business for the firm, something that clinched the deal).
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Unfortunately computers and WiFi tend to fall under slightly different terms than phone lines in my opinion.
For starters, phone lines are not your responsibility, they are the responsibility of the phone company, including all security and problems arising from tapping a phone line.
Along that same line, computers and a WiFi router, are the responsibility of whoever sets them up. If you setup a WiFi router, and *willingly* leave it open to promote free WiFi net access, any infraction noted by your service provider will immediately be your fault. There is no disputing that.
Secondly, with WiFi, and any technology that a user sets up themselves, "I didn't know" simply isn't an option. In an extreme hypothetical, if someone was downloading child pornography and was arrested, yet claimed "I didn't know it was illegal", I don't think that would make a difference.
Open WiFi spots simply are the problem of the user or admin who sets them up, and nobody else. If you leave a WiFi access point wide open, you better have a damn good system in place to prevent abuse, or some damn good lawyers.
and then bills the people who connect, with you acting as admin. Not free WiFi, but takes the idea of providing an open access point and make it managed. http://www.speakeasy.net/netshare/netshare.pdf/PDF for light overview
http://www.speakeasy.net/netshare/learnmore/
HTML version with some additional detail
http://support.speakeasy.net/cgi-bin/support.cfg/p hp/enduser/std_adp.php?&p_refno=030512-000240#admi n/
FAQ
Case in point: My neighbor recently bought a wireless router and did the default setup (ie: wide open). I discovered it while rebuilding a machine at home. Living in the Bay area houses are fairly close together, so I initially associated to his AP. No WEP. Broadcast. No MAC filtering.
I went over and asked him if that was indeed what he wanted. Needless to say, he was pretty much horrified that someone could suck up all his bandwidth without knowing about it (he didn't even know where to look in Linksys's web interface to see who had what IP address).
A lot of us like to think that the rest of the world wants to share as we do, but truth is, not many ordinary folk do.
Is this the same guy who'se using your mailbox to send the VCR tapes of the same content? It's about as likely to happen. Better keep an assault rifle pointed at that mailbox, just in case.
Suppose I want to be helpful to my next-door neighbour and let him share my network connection. If I do so deliberately I am breaking my ISP's terms of service. But if I just leave the wireless router at its default open setting and drop a couple of hints...
Indeed, if you have a wireless network and your outbound Internet link isn't congested, there is not much reason not to share it. You do of course use SSH and other secure protocols for your networking...
-- Ed Avis ed@membled.com