Driveby Hacking on the Go

By Jacqueline Emigh

(Back to article)

How did Frank Keeney, a California-based security consultant and war driving convert, spend his recent vacation? With his wife and kids along for the ride, Keeney used a laptop, rigged up in the back of his SUV, to map access points to home and corporate wireless LANs all the way from Pasadena to San Francisco.

Keeney, of course, is scarcely the only war driver -- aka "driveby hacker" -- around. "I only got into war driving, in fact, after reading about it on the Web," Keeney says. College students, stepping out for a new sort of joy ride, are toting laptops outfitted with GPS units, wireless cards, and wireless sniffer software such as NetStumbler or Airsnort, so they can tap into wireless access points around their neighborhoods. War driving is also a method that network managers can use to uncover the burgeoning crops of "rogue" or unauthorized wireless LANs now springing up on corporate grounds.

"A lot of the war driving we hear about is being done by IT consultants, to prove the security threats posed by wireless LANs," maintains Sarah Kim, an analyst for the Yankee Group. Kim doesn't dispute, however, that these threats are real. "Now, you can purchase wireless access points and cards at a lot of retail stores. Many people still don't know how to set them up correctly, though."

Meanwhile, postings in news groups and other forums indicate that war driving is catching on as a hobby, too. In the Stumbling Setups Forum on NetStumbler's Web site, a new initiate to driveby hacking asks for antennae advice.

"My question is this," he writes. "My Toughbook has a full magnesium alloy shell, and the PC card antenna sits, obviously, right next to it. Will this affect my receive performance? I haven't added an external antenna yet. My pigtails are in the mail."

In an Internet forum on ISP-Wireless, a member called "MB" acknowledges, "Being a student, war driving is something we do when we're not partying; we used to drive around and download all night long into our van."

During Keeney's war driving expedition, he mapped access points along the I-5 and 100 freeways in southern California, meanwhile intentionally avoiding any network intrusions.

"Part of my reason for doing this during (the) vacation was to find out if there were many access points in the more rural areas. Well, there are plenty. While driving north on I-5 there were many large warehouse facilities, (with) many access points," according to Keeney.

"The Silicon Valley area has been mapped (by other war drivers) many, many times. There is little I can add to what has already been said about the state of 802.11b in this area.. Nearly every major company has (at least one) access point."

Whose Default?
As Keeney sees it, lackadaisical security settings are a big problem indeed. Under their default settings, wireless hardware products from most vendors will automatically broadcast their IP addresses, allowing easy detection by sniffer software. A handful of vendors, including Symbol and Lucent, automatically disable broadcast IP. Otherwise, users must go out of their way to turn off this feature.

"What surprised me most during my vacation trip, though, was that less than half of the businesses and homes had even bothered to turn on WEP encryption," says Keeney, who works for Pasadena Networks, LLC.

Managed Services Provider (MSP) DataVox came up with similar findings about the use of Wired Equivalent Privacy (WEP) encryption within New York City's financial district in lower Manhattan.

In a recent driveby of London, the UK-based security company Orthus detected 124 wireless computer systems, which enabled them to access 207 different networks. More than two-thirds of these systems were unprotected by any type of encryption.

In a widely circulated paper published in January, 2001, the University of California at Berkeley pointed to several security defects in WEP. Software programs such as WEPCrack can be used for retrieving WEP keys. "Even so, though, cracking the keys takes more time than most people would be willing to spend," Keeney notes.

Several vendors have been devising workarounds to WEP encryption problems. Symbol, for example, uses rotating WEP keys in its wireless LAN lineup. In mid-December, RSA Security announced a WEP security patch that has gained approval from the IEEE. Co-developed with Hifn, the patch uses a technology called Fat Packet Keying to encrypt each packet of data with a different key.

Meanwhile, though, consultants have been advising the use of other security mechanisms to supplement WEP. Frequently raised suggestions range from firewall security to SSL, 802.1x, VPNs, and a number of proprietary solutions.

Bluesocket and ReefEdge, for example, each offer multifaceted security offerings which, although quite different from one another, combine proprietary authentication/encryption schemes with support for standard wireless protocols. Administrators can use either vendor's products to assign access rights and allocate bandwidth through role-based permissions, for instance.

ReefEdge also supports mobile roaming through proprietary Mobile Masquerading and Dynamic IPsec technologies. The US Airforce recently purchased ReefEdge's products for use at multiple sites, according to ReefEdge CEO Inder Gopal.

Another major wireless security problem, experts say, is that network administrators also rely on manufacturers' default Service Set IDentifiers (SSIDs), or network names, instead of creating SSIDs that are harder for outsiders to guess.

Right now, a lot of war driving is apparently still being done just for fun. Driveby hackers catch a bit of free Internet access, or eavesdrop on e-mail. However, if left wide open, the security holes in wireless networks carry the potential for much more serious consequences.

In one Internet newsgroup forum, a war driver recently pointed to wireless LANs, located within a certain retail giant's distribution warehouses, as good "targets" for testing out driveby hacking equipment.

Lasell College in Newton, Mass., is one of many colleges and universities currently building wireless LANs. "We have one wireless network with two domains: one for faculty/staff, and the other for students," says Deborah Gelch, Lasell's director of information technology.

Lasell has used Bluesocket's solution to give greater bandwidth priority to faculty/staff, as well as to provide them with more access to college resources.

Gelch claims to hold no particular qualms about war driving, per se. "But I've definitely had some concerns about students -- particularly some of the students in our computer science program, and other sophisticated users. We host a summer computer camp, and this has made me even more concerned. The main reason we're using Bluesocket is for security. We don't want students to be able to hack into (the administrative network) through either the wired or wireless side of things."

Other network administrators worry over the dangers posed by unauthorized wireless LANs on company property. The Gartner Group estimates that at least 20 percent of enterprises have rogue wireless LANs attached to their networks.

ReefEdge's Gopal equates the rise of these wireless rogues to the wired LAN phenomenon of a couple of decades ago.

"Back then, some miscreants would decide to go out and buy a few 386es, and put up their own departmental LANs. Nowadays, with wireless LAN equipment so easily available, some people are saying, 'Gee, I want one in my office.' You, as network administrator, need to embrace wireless, before people inside your company get those rogue access points out there," Gopal advises.

"Even if you (threatened to) fire them as a penalty, people would still set up unauthorized wireless LANs. All they need to do is pop a card into their PC, and plug an access point into their office wall. It can be very difficult for companies to detect rogue LANs," agrees Bluesocket CEO Eric Janszen.

KPMG Consulting is one company that managed to find several rogues, although not on its own premises. At its Watford Labs in the UK, KPMG is now working with Microsoft and Compaq on solutions that will leverage Bluesocket technology, together with IPsec, for securing IPAQ PDAs. "WEP places a huge amount of overload on the network, so we're looking for alternatives," says Simon Thomason, CT architect for KPMG Consulting.

For the Microsoft TechNet show in Barcelona, Spain, KPMG was asked to set up a conference-wide wireless network supporting PocketPCs. "When we went to do so, though, we found that six of the exhibitors had already put up their own rogue LANs. Their networks conflicted with ours. In the end, their options were either to become part of our network, or not to do wireless at the show at all. Since our network was largely WEP, it took a big hit in performance," Thomason recalls.

In smaller campus environments, network managers can track down wireless LANs from a central location, using a product like NetStumbler or Airsnort. Products supporting the 802.1x protocol can also be used, although at this point only with Windows XP clients. In enterprises with farflung branch offices, war driving can serve as another way of routing out the rogues.

"Detecting rogue LANs is very important. You shouldn't try to discourage people in your organization from wireless technology, though. Obviously, wireless is valuable to employees, or they wouldn't be using it. Instead, you should supply a simple way of plug in to the corporate network from the wireless LAN, while at the same time keeping the network secure," Janszen recommends.

Jacqueline Emigh is a 12-year veteran of computer journalism. She is currently freelancing for several leading technology and business publications. She was previously a senior editor for Sm@rt Partner Magazine, and before that, a bureau chief for Newsbytes News Network.

Editor's note: This article first appeared on CrossNodes, an internet.com site.