80% of WiFi Networks are still Insecure, Kismet Author Says

acz writes "The brain and guts driving the development of Kismet is Mike Kershaw alias Dragorn, who works during the day on IBM mainframes and hacks code at night. Kismet is simply the best war driving tool out there plus it's free as in GPL and can even run on your linux PDA. In a recent interview posted on HERT today, he says: 'I've become entirely jaded towards security as a whole (or rather, people's complete lack of it) and not much surprises me when it comes to open wireless networks. ... the overall percentage of unencrypted networks is still at about 80%.'"

How is that surprising?

[sunilonline]

Go for a drive around town running netstumbler or kismet. I can pick up two hundred access points in 5-10 miles, and the vast majority of them are unprotected... Probably more than 80%. Even more interesting than that is the fact that you can tell which people have actually tried to configure their access points. Many people are using default SSID's and no protection. Kind of scary if you ask me, but hey, it almost guarantees free internet in some neighborhoods.

PRoblem is I only have wep

[Billly+Gates]

The key can easily be obtained and with the tools out there it is just as insecure as having the data unencrpted since its easy to fool the AP to giving you the key.

IPSEC is the way to go but my router and older system do not support it.

Linksys supports IPSEC but guess what?

There is a default admin password that anyone can use to log in. SO whats the point?

what does insecure mean?

[j1m+5n0w]

from the post:

80% of WiFi Networks are still Unsecure, Kismet Author Says

from the article:

Despite all the press about it, the overall percentage of unencrypted networks is still at about 80%

An insecure network and an unencrypted network are not the same thing. WEP is encrypted, yet insecure, while secure IMAP and SSH are secure by providing end to end encryption, instead of relying on the network to provide it.

-jim

The whole Broadcom thing sucks.

[teamhasnoi]

It pisses me off that in order to use Kismac fully, I have to get another wireless card - even though I have Airport Extreme. Just release the specs already - what is the point of keeping them closed source?

how many unsecure wired boxes are there?

[jkravitz]

I wonder how many unpatched computers are connected to the wired web? Probably an equally scary amount. It seems to me that there are greater long term risks with this scenario. Most spammers and child pornographers unless they are your neighbor or using an antenna are not going to set up shop on your front lawn where as your unprotected wired box can be owned and operated by anyone in the world.

The will to pay and be forced to

[NeedleSurfer]

All those talks on network security sometimes bugs me. All those leftist trying as hard as they can to make the right wing extremist's job easy.

The lack of security over WI-FI is a good thing. Ever thought about the democratization of communications, WI-FI can bring you that, unsecure WI-FI WILL bring you that. With file encrytion files are safe (mostly) anyways, that's what we need to promote. Leaving your network open will just make it accessible by other people which, if they get the hardware themselves will make this network availlable to more and more people and so on.

In a few years when you wanna call someone you basically open iChat, MSN messenger, whatever, turn on rendez-vous or equivalent find your contact name and double-click. Get it?

Security isn't always a good thing, making everything locked just make sthe world harder to travel, some doors need to be opened.

In the very unllikely event that I win a huge amount of cash, dream number one is to get several WI-FI routers and configure them to enable a neibourhood network, hoping to change it into a city network and so on. I dream of the day communication will be democratized, free, for everyone.

Instead, as of now, the technology exist, it's there for everyone to grab, but they all stare at it, telling themselves: "too complicated and the router is around 200$CAN, it's expensive, I'd rather pay 30$ a month plus long distance and service fees for the rest of my life"...

The Myth of Easy WEP Cracking

[Karpe]

Please check out this.

Re:To assuage conspiracy theorists out there

[gwernol]

WEP is complicated. You need to be able to shell in (sometimes even to a port other than 80) from within the LAN. Then you need to know an admin ID/password. Then you need to know what on earth hex/ascii/etc mean, and 56/128/etc bits (and how the security ranslates to a number of characters). Then you need to set it all up using complex menus, and then you need to figure out how to set up all PC's (which call it something else).

By this time we would have lost the typical buyer, oh, 5 times over. That is why it is shipped open by default - the support would cost a fortune, otherwise. WEP is way too complex in its consumer implementation.

Very true.

I wonder if it would be possible to create a feature that allows you to "auto sync" a WAP and a device over a wired network. This would allow you to connect your (say) laptop to the WAP over a local wired connection and the software would automatically configure encryption to allow the laptop to access the WAP wirelessly. It could auto-generate a random key each time the sync was performed.

Basically anyone with physical access to the WAP could be authorized to use it, everyone else is locked out. Most consumers understand the concept of physically securing a box better than the intricacies of WEP.

I don't know enough about the TCP/IP stack to know if software can guarantee that two devices are directly physically connected. If you can, this might be a good approach.

Not secure enough for every situation, but it might overcome the current difficulty of using WEP or other encryption/security?

Unencrypted != Insecure

[B747SP]

the overall percentage of unencrypted networks is still at about 80%.

Many folks seem to launch into the misinterpretation that 'unencrypted' == 'insecure'. It does not. Just because your box can talk at layer 2 or layer 3 on my wireless network doesn't mean it's going to be of any earthly use to you.

Case in point: wander around pretty much anywhere in the Haymarket, Ultimo and Broadway areas at the south end of the City of Sydney, Australia - you'll find literally dozens of open, unencrypted wilress access points, all with SSID "UTS WLAN". Natural next step for a geek is "Whoah! open wlan! I'm there!", fire up laptop, connect...

It's shortly after that that you realise that you've just helped yourself to an open, unencrypted, and completely useless wireless network belonging to the University of Technology, Sydney. You know this because no matter *where* you point your web browser, you always get the same page: "Welcome to UTS WLAN, enter your username/password to continue". If you manage to guess a username/password, then you'll get the same page, with red writing, saying something to the effect of "oops, no IPSEC tunnel, no cigar".

That network is opened, unsecured in that you can get your machine to talk on it without authentication, but you can't talk off of it without additional rights.

Now granted, there's holes in my story. One day, some clever kid is going to figure out that he can use the wlan as his own private routed trunk from one side of the city to the other, and then the owners of the network will have to block that. Second, how hard can it be to get a username/password pair out of a drunk undergraduate? Third, this lot isn't *really* in the spirit of the story - I've built the chinese cookware, I've found, literally, hundreds of wireless nets that really are open for all to see, most of them quite likely unintentionally so.

So yes, there are a lot of unencrypted wireless networks out there, but they're not all unsecured.

Re:Some on purpose to promote free WiFi.

[Archfeld]

Luckily that is your right and choice, as is my leaving my wap available, I DO LOG traffic, and limit number of IP's and bandwidth, as well as reset the device EVERY NIGHT, but I have no issue with allowing someone to get their email or surf. NOTE: I run a hardware firewall and do enforce a logical separation.

Re:No WEP? So what!

[dublin]

In my setup WEP offers no advantages whatsoever so I never bothered with it, but I guess that makes me just another dumb newbie in their survey.

The real problem isn't that people aren't using WEP (since any blackhat with a web browser to download the tools can crack WEP in a few hours at most.)

The REAL problem is that ALL low-cost "wireless gateway" appliances treat wireless nodes as part of the LOCAL network, when, of course, the wireless segment should be treated as another WAN (Internet) link, where the bad guys live, and where you have to authenticate yourself before connecting to the LAN. As long as this remains true, wireless will continue to be a huge security hole in most networks.

Unfortunately, the "business" networking vendors are more than happy with this arrangement, since it keeps savvy business users from buying their network gear at CompUSA or Fry's. The sad fact is that security comes at a very serious cost premium today - it shouldn't, but the factis that companies that value security will pay *much* more for it, so the vendors simply "de-feature" the mass market products to help justify "enterprise" capabilities such as this common-sense approach to wireless networks.

This won't change until one of the SoHo/Home market vendors gets a clue and decides that their buyers might actually like a wireless router that can protect the rest of their network. Why that hasn't happened yet is a mystery.

BTW: If anyone knows of a low-cost wirless router device that *can* treat wireless as an "outside" network, post a reply and let us know...

Re:Some on purpose to promote free WiFi.

[medelliadegray]

I fail to see how sharing my wife, home, money, car, and clothes have anything to do with sharing an internet connection?

you dont lose anything tangible if you share an internet connection properly.

its simple: IPSEC (or VPN) your own connection while letting others through unencrypted. if you use WEP, you're screwed from the start if you want privacy, so why pretend.

I plan on implementing a setup verymuch like this in the near future. the only deviance to this will be bandwith throtteling for the unencrypted packets. *GRIN* just incase i get a greedy neighbor.

Re:Myth's about WEP

[photonrider]

WEP is easy to crack *if* one or more of the nodes on the WLAN are not filtering weak IV's and is *not* using WPA. In my test setup using a Netgear wireless AP and a Netgear PCMCIA card in a laptop copying a 65 mb ISO image in an endless loop to a server on the wired network, it took 24 hours to capture enough weak iv's. DWepcrack took about 10 seconds to load the capture file and 3 seconds to break the WEP key (on a PII 333mhz Dell Laptop). Netgear doesn't filter weak IV's and they're cheap enough to buy for testing. Second test was with the Netgear AP and a Linksys PCMCIA card in the the laptop, Linksys filters weak IV's. This same test, copying the 65mb ISO image in an endless loop took 36 hours to capture enough weak IV's. To contrast, using an AP and a PCMCIA card that both filter weak iv's (Cisco) I ran the same test for 8 full days and still had not captured enough weak IV's to crack the WEP key. If you have an environment where one or more nodes are not filtering weak IV's AND they have not implemented WPA or other protections, it's just a matter of time. In my research, I checked Netgear, Dlink, Cisco, Linksys, Intel, and Dell(branded intel I think). Only Cisco and Linksys filtered weak IV's. Recent discussions with Dell and Intel reveal that they don't think it's worth their time to filter weak IV's. They think everyone will run WPA and the problem will go away. WPA isn't the default setup either so if they're not filtering weak IV's... It seems to me that filtering weak IV's is such a simple thing for them to implement that it is simply negligent not to. IMHO it provides a big bang for the security buck.

Opportunity knocks...

[ktakki]

Last year, I found myself without a home or a job (by choice, actually). I moved to another part of the US and, while I looked for a job and a place to live, I relied on open access points for e-mail (to my old ISP over the web via SSL).

When not job-hunting, I made a modest living helping the local businesses secure their open access points (which expiated some of the guilt over leeching on open WAPs). This led to more business as a tech support consultant, which kept me afloat and paid my motel bills until I found a permanent position.

Using NetStumbler and a DeLorme Earthmate GPS on a laptop, I identified open access points. Then I would approach the business and offer to secure their connection for a modest fee (usually $100). Only two businesses turned me away, but the rest were glad to have my services.

I've read some comments from people who intentionally leave their access points open. While I don't advise this, that's entirely up to you, and I'm sure that you understand the consequences. These small business owners that I worked with were not so aware of the ramifications. They bought a WAP, hooked it up, and were pleased with themselves when it worked. And with two exceptions, they were all horrified that someone 500 feet away from their office or store had access to their network and data.

Some tips if you want to do this:

• Look professional. I wore a suit when I made my cold calls. Think of this as a job interview. It is.
• Be polite. If they decline your help, thank them for their time. If they do ask for your help, let them bring up the issue of compensation. I never had to ask for money; I was always asked what my fee would be.
• Visual aids help. NetStumbler's signal strength graph was really useful for showing how far an 802.11 signal propagates.
• Don't overplay the threat. It's enough to say that someone across the street could plug into the network. Invoking the possibility of Al Qaeda using the WAP to send coded messages is overkill.
• Don't underplay the threat, either. Business owners do worry about identity theft, both theirs and their customers. Medical offices have HIPAA (Health Insurance Privacy and Accountability Act) compliance to worry about.
• This is a legal grey area. So tread lightly. I avoided approaching financial institutions because of 18 USC 1030 (IIRC), which levies higher penalties on misuse or abuse of their networks and computers. While a banker wouldn't think twice about calling the cops on me, the car dealers and restaurant owners were willing to hear my pitch.
• Don't charge an arm and a leg. Because these small business owners are always looking for tech help, a break in the price now will lead to more business later (mostly cleaning spyware and viruses, but that's another story).
• Don't charge too little, either. Though it depends on the part of the country (or world) you live in, I've found between $60 and $100/hr. to be a reasonable price point. Feel your customer out: the cafe owner won't pay as much as the Mercedes dealer.
• Know the gear. Some WAPs have a web interface. Others rely on SNMP or a direct connection via USB cable. Hit the manufacturers' sites and download the manuals. Be prepared.
• Leave a business card. Because you will get a callback when the administrative assistant's computer gets hosed by spyware.

I wouldn't want to do this full time, but for a few months I made a pretty decent living at this, enough to stay in a nice motel, eat lobster, and drink good scotch. When I was hired by a company that provided contract network administration services I had a nice stack of references (and new business for the firm, something that clinched the deal).

k.