Friday, February 17, 2012

Wardriving Experience w/ Results

With my Geek hat on, I hit the road and went "wardriving". I had never gone wardriving before, but it was a long-needed break from my studies and wireless exploit videos.

While I was creating my wireless exploit videos I started to wonder how relevant it really was. I began researching for data on wireless networks. I found a few hits, but they were either too old or not vendor neutral. The curiosity was killing me, so I gathered my gear and took the initiative myself. My primary goal was to gather as much information as I could and decipher it later.

My setup was very simple. I had my fully charged laptop with a BackTrack 5 R1 VM installed. On BT I used Kismet as the software to capture raw 802.11 frames. I used my Alfa AQUS051NG wireless card with a 9 dBi antenna for high-gain wireless monitoring. And of course, I had my car.

The initial drive itself was a lot of fun. I decided to drive in a suburban area. I chose this because I was interested in home 802.11 usage rather than business usage (perhaps I can do another run for business wifi). After the fun, I went home to see what I was able to capture.

I used Wireshark to analyze the packet dump:

Date: Sat. Feb. 11th

Elapsed time: 00 hrs 58 min 06 sec

Captured file size: 1,757 KB
Packets captured: 9417

My elapsed time was pretty short, but I still gathered a lot of information. After looking at the Kismet log files I was able to gather some more information.

Total APs: 1473

Total STAs: 8104

The number of STAs (stations) is much higher than the total number of APs (access points). However, this ratio doesn't surprise me with the number of mobile device users increasing daily. Just because I captured so many STAs doesn't mean they are connected to any AP. I assume that a good portion of those STAs are phones with the wifi left on. The graphic below illustrates the ratio.


Now that I know how many and what I am dealing with, I can dive deeper into the data I captured. The first thing that piqued my interest was what type of encryption home users have, if any. I looked into the Kismet log file to search for strings of text that matched each type of encryption. One thing I noticed right away is that way too many people are using WEP encryption. 12.6% of home users are still using WEP, but this still wasn't as scary as the 27.69% of them who had NO encryption at all. This is scary because anybody can come onto their network and poke around.



After seeing the multiple security threats, I was curious to see how many people have their APs set up with default SSIDs. Again I searched for the common default SSIDs in the Kismet log file. I looked for the big ones such as: linksys, belkin, myqwest, and actiontec. While I was at it, I was also curious to see how many took the extra step and configured their AP to hide the SSID.


The first thing I found is that a "myqwestxxx" name (e.g. myqwest324) is very popular. This is not surprising because Qwest, now called CenturyLink, is a common service provider in my area. The disturbing thing about it is that Qwest clearly does not inform users about, or attempt to change, the default SSID. And if there is a default SSID, it is a safe assumption that the default username and password will be used to remotely log on to the wireless router.

You might also notice the number of hidden SSIDs. 8.69% of home users took the extra step to hide their SSID. I just hope that most of them took further security measures. Just because an SSID is hidden does not mean it cannot be quickly retrieved.

The next thing I harvested from my wardriving data was the channel number used. The statistics I got were interesting. Because channels 1, 6, and 11 do not overlap, they are used by different manufacturers as a default channel. In the chart below you will notice that almost all the channels are on 1, 6, or 11. If these channels were all left at their defaults, then 79.25% of home users stayed on their default channel. To avoid overlapping with your neighbors' wireless, scan to see what channel they are on and configure yours away from it.





The last graph I have is about the wireless chipset manufacturers. This graph shows that Cisco and Netgear easily dominate the wireless world. I searched for strings of text that included the manufacturer's name, so this data includes both clients and access points.
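The tallies above (encryption type, default SSIDs, hidden SSIDs, channel and manufacturer) can be reproduced from a Kismet netxml log instead of grepping for strings. The following is an added Python example, not the tooling used for this post: the XML layout follows the Kismet netxml format as I know it and the four networks in it are constructed, the default-SSID list is the one from the post, and only `type="infrastructure"` entries are counted as APs so that probing client stations are excluded.

```python
import xml.etree.ElementTree as ET
from collections import Counter
# Constructed sample in the Kismet netxml layout (format assumed; not the post's capture).
SAMPLE_NETXML = """<detection-run>
<wireless-network type="infrastructure"><SSID><encryption>WPA+PSK</encryption>
 <encryption>WPA+AES-CCM</encryption><essid cloaked="false">linksys</essid></SSID>
 <manuf>Cisco-Linksys</manuf><channel>6</channel></wireless-network>
<wireless-network type="infrastructure"><SSID><encryption>WEP</encryption>
 <essid cloaked="false">myqwest324</essid></SSID>
 <manuf>Actiontec</manuf><channel>11</channel></wireless-network>
<wireless-network type="infrastructure"><SSID><encryption>None</encryption>
 <essid cloaked="true"></essid></SSID>
 <manuf>Netgear</manuf><channel>3</channel></wireless-network>
<wireless-network type="probe"><SSID><encryption>None</encryption>
 <essid cloaked="false">coffee</essid></SSID>
 <manuf>Apple</manuf><channel>0</channel></wireless-network>
</detection-run>"""

DEFAULT_SSIDS = ("linksys", "belkin", "myqwest", "actiontec")  # the post's list

def classify_encryption(encs):
    """Collapse Kismet's per-cipher <encryption> tags into one bucket per AP."""
    joined = " ".join(encs)
    if "WPA" in joined:
        return "WPA"
    if "WEP" in joined:
        return "WEP"
    return "Open"

def summarize(netxml):
    """Tally APs only; type="probe" entries are client stations, not APs."""
    stats = {"aps": 0, "hidden": 0, "default_ssid": 0,
             "encryption": Counter(), "channels": Counter(), "manuf": Counter()}
    for net in ET.fromstring(netxml).iter("wireless-network"):
        if net.get("type") != "infrastructure":
            continue
        stats["aps"] += 1
        encs = [e.text or "" for e in net.iter("encryption")]
        stats["encryption"][classify_encryption(encs)] += 1
        essid = net.find("SSID/essid")
        name = (essid.text or "") if essid is not None else ""
        if essid is not None and essid.get("cloaked") == "true":
            stats["hidden"] += 1            # hidden SSID: beacon carries an empty name
        if name.lower().startswith(DEFAULT_SSIDS):
            stats["default_ssid"] += 1      # vendor default, likely default credentials too
        stats["channels"][net.findtext("channel")] += 1
        stats["manuf"][net.findtext("manuf")] += 1
    return stats

def pct(n, total):
    return round(100.0 * n / total, 2) if total else 0.0
```

On a real run, pass the contents of the `.netxml` file Kismet wrote to `summarize()` and feed the counters to `pct()` with `stats["aps"]` as the denominator to get percentages comparable to the ones above.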



Even though my data was limited, I am confident enough to say that I have a pretty good feel for how home users deploy their wifi. The amount of wireless data I was able to capture in just under an hour is ridiculous. I cannot imagine how many networks I could get in a whole day.

If you take anything from this, I hope it is that you see the need to secure your wireless network. It was very easy, affordable, and fast for me to gather this data. With more sophisticated equipment, an attacker could easily penetrate your wireless network from very far away. Kismet is even capable of matching discovered networks with a location if you have a GPS card.

Wireless is fun, but my advice is simply to avoid it. Use a wired network any time you can. If you need to go mobile, look into a 3G or 4G solution. The security is much better than wifi. And if you must use wifi, look into a VPN solution (especially if you are in a public hotspot), set up WPA2 Personal encryption at minimum with a COMPLICATED passphrase at home, and make sure you are using an AV and firewall on your PC.
