Getting a Grip on Reality: Wide Open 802.11 Networks Around Us

As mentioned, in the majority of cases an attacker does not have to do anything to get what he or she wants. The safe door is open and the goods are there to be taken. The Defcon 2002 wardriving contest showed that only 29.8 percent of 580 access points located by the contesters had WEP enabled. As much as 19.3 percent had default ESSID values, and (not surprisingly) 18.6 percent of discovered access points did not use WEP and had default ESSIDs. If you think that something has changed since then, you are mistaken. If there were any changes, these were the changes for the worse, because the Defcon 2003 wardrive demonstrated that only approximately 27 percent of networks in Las Vegas are protected by WEP. Because one of the teams employed a lateral approach and went to wardrive in Los Angeles instead, this number also includes some statistics for that city.

The Defcon wardrive observations were independently confirmed by one of the authors wardriving and walking around Las Vegas on his own.

Are things any better on the other side of the Atlantic? Not really. We speculated that only around 30 percent of access points in the United Kingdom would have WEP enabled. To validate this for research purpose, one of the authors embarked for a London Sightseeing Tour in the famous open-top red double-decker bus armed with a "debianized" laptop running Kismet, Cisco Aironet LMC350 card, and 12 dBi omnidirectional antenna. During the two-hour tour (exactly the time that laptop's batteries lasted), 364 wireless networks were discovered, of which 118 had WEP enabled; 76 had default or company name and address ESSIDs. Even worse, some of the networks discovered had visible public IP addresses of wireless hosts that were pingable from the Internet side. If you are a wireless network administrator in central London and are reading this now, please take note. Of course, in the process of collecting this information, no traffic was logged to avoid any legal complications. The experiment was "pure" wardriving (or rather "warbusing") at its best. Not surprisingly, warwalking in central London with a Sharp Zaurus SL-5500 PDA, D-Link DCF-650W CF 802.11b card (wonderful large antenna, never mind the blocked stylus slot), and Kismet demonstrated the same statistics. A similar level of 802.11 WLAN insecurity was revealed in Bristol, Birmingham, Plymouth, Canterbury, Swansea, and Cardiff.

Crossing the English Channel does not help either. One of the authors has driven from Warsaw to London with another Zaurus/D-Link CF card/Kismet kit and found a similar ratio of WEP/noWEP 802.11 networks, including very powerful unencrypted point-to-point links crossing the countryside motorways in the middle of nowhere. Another author has evaluated 802.11 security in Riga, Latvia. Curiously, the wireless networks in Riga were so abundant that it was practically impossible to use the middle ISM band (2.4–2.45 GHz) and many networks moved to the UNII (5.15–5.35 and 5.725–5.825 GHz) or even licensed ~24 GHz bands. Many legacy Breeznet and 802.11 FHSS networks were present. The wireless boom in Riga can be explained by old, noisy, Soviet-period phone lines incapable of carrying xDSL traffic without a significant packet loss/retransmission rate. Yet, despite the popularity of 802.11 networks, hardly anyone used WEP.

If you think that the majority of these unprotected wireless networks were home user access points, wireless community networks, or public access hot spots, you are wrong. Many of the wide open networks we have observed "in the wild" belong to government organizations (foreign governments included) and large corporations (multinationals included). In fact, some of these corporations are major information technology (IT) enterprises or IT-related consultancies, which is particularly shameful! We don't even dare to think how many of the 802.11 networks located had implemented proper security measures beyond the standard ("crackable") WEP and MAC address filtering. Single-digit percentage values surely come to mind. Considering that both WEP and MAC filtering are not difficult to circumvent with a bit of patience, it is not surprising that security remains the major concern restricting the spread and use of wireless technology around the world. At the same time, there are efficient wireless security solutions available, including powerful and affordable free and Open Source-based wireless safeguards that we describe in the second part of this book. Unfortunately, very few wireless network engineers and administrators are aware of the existence of these solutions. As always, human factor proves to be the weakest link.