
War driving

War driving, or drive-by hacking - the illegal practice of listening in on or breaking into private wireless networks - could be on the increase, with the cost of the equipment needed to do it now less than £500, writes Eric Doyle.
Last week, security consultancy and penetration testing firm I-Sec invited Computer Weekly along to prove how easy it is to break into a company's network with nothing more than a laptop, a wireless card and a Pringles crisp container.

The software to detect 802.11b wireless local area networks (LANs) is freely available on the Web. Once a network is found, tools for hacking the system and attempting to decrypt messages can also be found on the internet.
The aim was to drive around the City district in London to see how many wireless networks were open to attack. Strictly speaking, just detecting the wireless access points is breaking the law, but I-Sec consulted its lawyers and it was deemed in the public interest to go ahead.
The Pringles container was an essential part of the kit because it formed the aerial, which was connected to the Agere Systems Orinoco wireless card. This gave a 12dB to 15dB boost to the signal. An equivalent commercial aerial would cost up to £150.

As makeshift aerials go, the Pringles tube was perfectly adequate. An old coffee tin gave a higher gain but did not detect any more wireless access points.

The Netstumbler software detects the broadcast probe, an identifier signal sent from network access points. This contains useful information for the hacker, including the service set identifier (SSID), which must be carried in the header of any packet passing across the wireless LAN to indicate it is part of a valid data stream.
Geoff Davies, managing director at I-Sec, said: "Except for Intel,
most manufacturers leave the broadcast probe turned on as a default
setting. All an administrator needs to do is to turn it off and the
access point becomes 'invisible' to Netstumbler. This makes it
harder to access the SSID."
In a 20-minute drive, the home-made kit detected 49 access points
and only 13 were using wired equivalent privacy (WEP)
encryption. "Some of the SSIDs not only give you the key to the
network, they also tell you the name of the company or department,"
said Geoff Davies. "SSIDs should be like passwords - a combination
of letters and numbers that will be virtually impossible to
guess.
"Just to make sure, encryption is the best protection against
hackers at the next level, but WEP is a poor implementation that is
relatively easy to crack - even at 128-bit. Using IPSec virtual
private networks is better."

In order for companies to protect themselves, I-Sec advises network administrators to think about security before they even attach an access point to the LAN. Anyone who can gain access is behind the corporate firewall and can then work to gain control of the network. "Administrators should think carefully about what information will be carried on the network before deciding to install a wireless LAN," warned Davies.
How hackers get tooled up for £500
- Second-hand Pentium II laptop: £400
- Agere Systems Orinoco PC Card: £69
- Pringles tube and cables: £30
- Netstumbler software: Free
- TOTAL: £499
How to secure your wireless LAN
- Disable the broadcast probe at the access point
- Avoid default settings for passwords, service set identifiers (SSIDs) or encryption keys
- Use non-descriptive SSIDs. Mixed number and letter codes are best
- Keep access points away from external walls and partition walls in multiple-occupancy buildings
- Use WEP (Wired Equivalent Privacy) encryption or stronger IPSec encryption, which comes as part of Windows 2000.
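The survey figures above (access points seen, how many had WEP on) and the SSID advice in the checklist can both be turned into a self-audit that an administrator runs against beacons captured on their own network. The Python below is an added example, not code from the article, from I-Sec or from Netstumbler: it parses raw 802.11 beacon frames (what the article calls the broadcast probe) to pull out the BSSID, SSID, channel and the capability Privacy bit that an access point sets when it requires WEP, then checks each visible SSID against the checklist (not a default name, not a plain descriptive word, a mixed letter-and-number code). The frame bytes, the BSSID values and the list of default SSIDs are constructed sample data, and the "descriptive" test is a simple heuristic, both assumptions of this example.

```python
"""Audit 802.11 beacon frames: which access points advertise an SSID,
which set the Privacy (WEP) bit, and which SSIDs break the naming advice."""
import struct
from dataclasses import dataclass
from typing import List, Optional

PRIVACY_BIT = 0x0010            # capability-info bit: AP requires encryption (WEP here)
TAG_SSID, TAG_DS_PARAMS = 0, 3  # tagged-element IDs for SSID and channel (DS parameter set)
# Illustrative factory-default names (constructed list); a real audit would use
# the vendor documentation for the equipment actually deployed.
DEFAULT_SSIDS = {"default", "wireless", "wlan", "linksys", "tsunami"}


@dataclass
class Beacon:
    bssid: str
    ssid: str              # empty when the SSID is hidden
    hidden: bool
    privacy: bool
    channel: Optional[int]


def parse_beacon(frame: bytes) -> Beacon:
    """Parse a raw beacon: 24-byte MAC header, 12 bytes of fixed fields
    (timestamp, beacon interval, capability), then (tag, length, value) elements."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc0 = frame[0]
    # frame control: type 0 (management), subtype 8 (beacon)
    if (fc0 >> 2) & 0x3 != 0 or fc0 >> 4 != 8:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3 of the header
    _timestamp, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    ssid_raw, channel = b"", None
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:       # truncated element: stop, keep what we have
            break
        if tag == TAG_SSID:
            ssid_raw = value
        elif tag == TAG_DS_PARAMS and length == 1:
            channel = value[0]
        pos += 2 + length
    # an AP with the broadcast probe disabled sends a zero-length or all-NUL SSID
    hidden = len(ssid_raw) == 0 or set(ssid_raw) == {0}
    ssid = "" if hidden else ssid_raw.decode("utf-8", "replace")
    return Beacon(bssid, ssid, hidden, bool(capability & PRIVACY_BIT), channel)


def ssid_findings(ssid: str) -> List[str]:
    """Check one visible SSID against the checklist's naming advice."""
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    if not (any(c.isalpha() for c in ssid) and any(c.isdigit() for c in ssid)):
        findings.append("not a mixed letter/number code")
    # heuristic: a run of four or more plain letters reads like a company or department name
    if any(w.isalpha() and len(w) >= 4 for w in ssid.replace("-", " ").split()):
        findings.append("looks descriptive (contains a plain word)")
    return findings


def survey(frames: List[bytes]) -> dict:
    """Summarise a capture the way the article's drive did: seen, WEP on, hidden, open."""
    beacons = [parse_beacon(f) for f in frames]
    return {
        "access_points": len(beacons),
        "privacy_enabled": sum(b.privacy for b in beacons),
        "ssid_hidden": sum(b.hidden for b in beacons),
        "open_and_visible": [b.bssid for b in beacons if not b.privacy and not b.hidden],
        "ssid_findings": {b.ssid: ssid_findings(b.ssid) for b in beacons if not b.hidden},
    }


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, channel: int) -> bytes:
    """Construct a minimal beacon for the sample data below (not a real capture)."""
    header = (bytes([0x80, 0x00]) + b"\x00\x00"      # frame control (beacon), duration
              + b"\xff" * 6 + bssid + bssid           # DA broadcast, SA, BSSID
              + b"\x00\x00")                          # sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (PRIVACY_BIT if privacy else 0))
    elements = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_DS_PARAMS, 1, channel])
    return header + fixed + elements


# constructed sample frames: two open APs with descriptive/default names,
# one WEP-protected AP with a code SSID, one WEP-protected AP with a hidden SSID
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x02\x2d\x00\x00\x01", b"acme-finance", False, 6),
    build_beacon(b"\x00\x02\x2d\x00\x00\x02", b"tsunami", False, 1),
    build_beacon(b"\x00\x02\x2d\x00\x00\x03", b"x7k2q9", True, 11),
    build_beacon(b"\x00\x02\x2d\x00\x00\x04", b"", True, 11),
]

if __name__ == "__main__":
    for key, value in survey(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```

Feeding the script real frames (from a capture taken on your own premises) reproduces the two numbers the article reports, total access points and how many have privacy enabled, and the open_and_visible list is the set to fix first: those access points are both unencrypted and announcing themselves.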