War driving, or drive-by hacking - the illegal practice of listening in on or breaking into private wireless networks - could be on the increase, with the cost of the equipment needed to do it now less than £500, writes Eric Doyle. Last week, security consultancy and penetration testing firm I-Sec invited Computer Weekly along to prove how easy it is to break into a company's network with nothing more than a laptop, a wireless card and a Pringles crisp container. The software to detect 802.11b wireless local area networks (LANs) is freely available on the Web. Once a network is found, tools for hacking the system and attempting to decrypt messages can also be found on the internet.
The aim was to drive around the City district in London to see how many wireless networks were open to attack. Strictly speaking, even detecting the wireless access points is breaking the law, but I-Sec consulted its lawyers and it was deemed in the public interest to go ahead.
The Pringles container was an essential part of the kit because it formed the aerial, which was connected to the Agere Systems Orinoco wireless card. This gave a 12dB to 15dB boost to the signal. An equivalent commercial aerial would cost up to £150.
As makeshift aerials go, the Pringles tube was perfectly adequate. An old coffee tin gave a higher gain but did not detect any more wireless access points.
The Netstumbler software detects the broadcast probe (the beacon), an identifier signal that access points send out at regular intervals. This contains useful information for the hacker, including the service set identifier (SSID), the network name that a client must present to the access point before it is allowed to join the wireless LAN.
Geoff Davies, managing director at I-Sec, said: "Except for Intel, most manufacturers leave the broadcast probe turned on as a default setting. All an administrator needs to do is to turn it off and the access point becomes 'invisible' to Netstumbler. This makes it harder to access the SSID."
In a 20-minute drive, the home-made kit detected 49 access points and only 13 were using wired equivalent privacy (WEP) encryption. "Some of the SSIDs not only give you the key to the network, they also tell you the name of the company or department," said Geoff Davies. "SSIDs should be like passwords - a combination of letters and numbers that will be virtually impossible to guess.
"Just to make sure, encryption is the best protection against hackers at the next level, but WEP is a poor implementation that is relatively easy to crack - even at 128-bit. Using IPSec virtual private networks is better."
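What a Netstumbler-style scanner actually reads off the air is the beacon frame: the BSSID, the SSID element, the channel and the "privacy" capability bit that says whether WEP is required. The following Python is an added example, not code from the article or from I-Sec or Netstumbler; it builds a handful of constructed beacon frames (hypothetical BSSIDs and SSIDs, not from the drive described above), parses them the way a passive scanner would, and tallies open, WEP-protected and broadcast-disabled access points. It also shows why switching off the SSID broadcast only makes an access point "invisible": the beacon is still transmitted, just with an empty SSID element.

```python
import struct

# Bit 4 of the 802.11 capability field is "Privacy"; on an 802.11b access
# point of this era it means WEP is required to associate.
CAP_PRIVACY = 0x0010

# Information element (IE) IDs used below
IE_SSID = 0
IE_RATES = 1
IE_DS_PARAM = 3  # DS parameter set, carries the channel number


def build_beacon(bssid, ssid, channel, privacy):
    """Build a minimal 802.11 beacon frame (constructed test data, not a capture).

    An access point with SSID broadcast disabled still sends beacons, but with a
    zero-length SSID element; pass ssid=b"" to model that."""
    frame_control = b"\x80\x00"          # type=management, subtype=beacon
    duration = b"\x00\x00"
    addr1 = b"\xff" * 6                  # broadcast destination
    addr2 = bssid                        # transmitter = the access point
    addr3 = bssid                        # BSSID
    seq_ctrl = b"\x00\x00"
    header = frame_control + duration + addr1 + addr2 + addr3 + seq_ctrl

    timestamp = struct.pack("<Q", 0)
    beacon_interval = struct.pack("<H", 100)     # units of 1.024 ms
    capability = struct.pack("<H", 0x0001 | (CAP_PRIVACY if privacy else 0))  # ESS bit set
    body = timestamp + beacon_interval + capability

    body += bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbit/s
    body += bytes([IE_DS_PARAM, 1, channel])
    return header + body


def parse_beacon(frame):
    """Return what a war-driving scanner learns from one beacon, or None if it isn't one."""
    if len(frame) < 36:
        return None
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0x00 or (fc0 >> 4) != 8:   # management type, beacon subtype
        return None
    bssid = frame[16:22]
    (capability,) = struct.unpack_from("<H", frame, 34)

    info = {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "ssid": None,
        "hidden": False,
        "channel": None,
        "wep": bool(capability & CAP_PRIVACY),
    }
    # Walk the tagged information elements; stop cleanly on a truncated element.
    pos = 36
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + ie_len]
        if len(value) < ie_len:
            break
        if ie_id == IE_SSID:
            # Zero-length SSID = broadcast disabled. The access point is "invisible"
            # to a beacon-only scanner, but it is still on the air.
            info["hidden"] = ie_len == 0
            info["ssid"] = value.decode("utf-8", "replace") if ie_len else ""
        elif ie_id == IE_DS_PARAM and ie_len == 1:
            info["channel"] = value[0]
        pos += 2 + ie_len
    return info


def survey(frames):
    """Deduplicate by BSSID and tally the findings, as the article's drive did."""
    seen = {}
    for frame in frames:
        info = parse_beacon(frame)
        if info is not None:
            seen[info["bssid"]] = info
    aps = list(seen.values())
    return {
        "access_points": len(aps),
        "wep": sum(1 for a in aps if a["wep"]),
        "open": sum(1 for a in aps if not a["wep"]),
        "hidden": sum(1 for a in aps if a["hidden"]),
        # SSIDs a war driver can read straight off the air
        "ssids": sorted(a["ssid"] for a in aps if not a["hidden"]),
    }


# Constructed sample frames: hypothetical BSSIDs and SSIDs, not from the article's drive.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x02\x2d\x00\x00\x01", b"AcmeFinance-Payroll", 6, privacy=False),
    build_beacon(b"\x00\x02\x2d\x00\x00\x01", b"AcmeFinance-Payroll", 6, privacy=False),  # repeat beacon
    build_beacon(b"\x00\x02\x2d\x00\x00\x02", b"x7Qk29ZpLm", 11, privacy=True),
    build_beacon(b"\x00\x02\x2d\x00\x00\x03", b"", 1, privacy=True),   # SSID broadcast disabled
    b"\x08\x00" + b"\x00" * 40,                                          # a data frame: ignored
]

if __name__ == "__main__":
    for key, value in survey(SAMPLE_FRAMES).items():
        print(key, value)
```

The first sample SSID illustrates Davies's point about descriptive names: it tells a passer-by both the company and the department, and the privacy bit tells them no WEP key is needed. The third sample shows the limit of disabling the broadcast: the scanner still records the BSSID, channel and WEP status, and the SSID itself will appear in the clear in any client's probe and association frames.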
In order for companies to protect themselves, I-Sec advises network administrators to think about security before they even attach an access point to the LAN. Anyone who can gain access is behind the corporate firewall and can then work to gain control of the network. "Administrators should think carefully about what information will be carried on the network before deciding to install a wireless LAN," warned Davies.
How hackers get tooled up for £500
- Second-hand Pentium II laptop: £400
- Agere Systems Orinoco PC Card: £69
- Pringles tube and cables: £30
- Netstumbler software: free
How to secure your wireless LAN
- Disable the broadcast probe at the access point
- Avoid default settings for passwords, service set identifiers (SSIDs) or encryption keys
- Use non-descriptive SSIDs. Mixed number and letter codes are best
- Keep access points away from external walls and partition walls in multiple-occupancy buildings
- Use WEP (Wired Equivalent Privacy) encryption or, better, the stronger IPSec encryption, which comes as part of Windows 2000.