_
28-Aug-2008 | 23:03:36

HOME TOOLS PUBLICATIONS SECURITY-RADAR DOWNLOAD FUN
Research | Papers | Articles | Presentations | Press & Media | Video |
Insecurity Iceberg | 0-Day Patch Metric | Wardriving | Mail Attack |
News:

.



Bookmark Page
Bookmark on digg Bookmark on deli.cio.us Bookmark on reddit Bookmark on Technorati Bookmark on stumbleupon Bookmark on Google Bookmark on Yahoo MyWeb

Wireless Wardriving in Zurich

Wireless Networks

Since 2001, there have been a number of substantial developments in the acceptance of wireless networks. Workers and privates can access networked resources from any point within range of a wireless access point (AP). A wireless LAN (WLAN) provides location-independent network access over radio waves rather than traditional cable infrastructures. Radio frequency (RF) signals are capable of passing through barriers such as standard walls or glass. Cement walls and metal tend to act as solid barriers, however due to reflection, wireless signals can be received (bounced) around corners through such barriers.

Wardriving

Wardriving is simply mapping out wireless access points (AP) by driving or walking through populated areas carring wireless equipment specialized to detect active access points. The tools used for this are available off-the shelf:

Hardware
  • Portable computer
  • Wireless card
  • GPS Global Positioning System
  • External antenna
 Software
  • Scanning software
  • Mapping program
  • Scripts to consolidate data

    • During the month August in 2002 I completed several wardriving session in the Zurich city area, discovering more than 800 Wireless access-points (AP).

    Wireless Data Gathering

    In August 2002 about 80 wardriving sessions have been completed in the Zurich city area. Wireless signals were gatherd using a 180° semi-directional antenna pointing out of the front of the car. Access points with active SSID broadcasting were gathered by the freeware programm Netstumbler together with position data from a Garmin GPS receiver.

    Data Processing

    During this effort, more than 2,100 signals from access points have been registered. Most access points have been seen more than once. This raw data was consolidated by ZoomWireless to remove duplicates and average the position information.

    Wardriving results - Zurich 2002
    Access points (incl. duplicates) 2,133
    Access points (unique) 863 [100%]
    Access points encrypted 262 [30%]
    Unique SSID's 464

    Mapping

    The output of the data consolidation is visualized on a map of Zurich using MapPoint. Every triangle depicts an access-point found (the average position of the AP if it was detected more than once).

    Wardriving Results - Zurich 2002

    Interpretation

    Hundreds of wireless access points have been discovered in the Zurich city area by just using off the shelf equipment. Of these access points, only about 30% have WEP encryption enabled. The major part of these unencrypted wireless networks can easily be misused, be it to penetrate the internal network or misuse the link to distribute malicious content or attack other systems. Unfortunately it looks like many users operate their wireless networks using default factory settings which often result in unprotected operation. Many wireless operators are obviously not aware of the security risks.

    Notes

    In this excercise, only access points with active SSID broadcasting were collected. Securely configured access points do not broadcast the SSID and therefore do not show up here. Some of the access points found do not employ encryption on purpose, (e.g. public access points, hotspots) and/or they relay on secondary encryption schemas like VPN or https. Such setups are not necessarily considered insecure. However, SSID's similar to strong passwords being broadcast in the air show there is room for improvement.

     

    Top | © 1996-2008 by Stefan Frei | IP: 38.103.63.59 | Elapsed: 0 sec | Page: 1 | VP: 86.142%