Presentation is loading. Please wait.

Presentation is loading. Please wait.

WarDriving: Drive, Detect and Defense for Wireless Networks

Published byTânia Antunes Casado Modified over 6 years ago

Similar presentations

Presentation on theme: "WarDriving: Drive, Detect and Defense for Wireless Networks"— Presentation transcript:

1 WarDriving: Drive, Detect and Defense for Wireless Networks
Alan M. Nutes

2 Goals and Objectives The Goals and Objectives of this session are to acquaint participants with: the motives technology and; methods used by individuals which could be considered a threat to the wireless networks of a corporation. In addition, safeguards against the threat will be provided.

3 HOW WILLING ARE YOU TO ROLL THE DICE ?

4 Definitions

5 What Are Wireless Networks (WiFi)
A wireless network allows users to connect to a wired network many times supplying an internet connection, through a wireless link. Most wireless LANs are based on the b/g standard – up to 54 Mbps bandwidth at 2.4 GHz

6 Wireless Equivalent Privacy (WEP)
Referred to as “W ow E asy P rey”. WEP is part of the standard which acts as a security protocol. However, older versions of the WEP encryption key are flawed Updated firmware have started to correct this error, but most hardware is still vulnerable.

7 Wi-Fi Protected Access
(WPA) Better designed than WEP Fixes problem in WEP by using: Temporal Key Integrity Protocol (TKIP) Pre Shared Key (PSK) Implemented into newer wireless hardware devices Compatible with all standards

8 The Origins of WarDriving

9 Movie “Wargames” 1983 Depicts young hacker programming a modem to dial every possible number to access to computers Technique became know as “wardialing” Not that productive since it was time consuming

10 What’s In A Name? WarDriving is the act of driving around areas and scanning for open WiFi hotspots and mapping the population . Sometimes referred to as “Geek’s catch and release fishing”. This can include such terms as: WarWalking for walking WarBiking for bicycling and so forth

11 History of WarDriving Terminology
WarDriving probably began day after the deployment of 1st wireless access point Conducted 18 month study Results was reported at annual DefCon hacker conference Became well known when process was automated by Peter Shipley This laid ground work of the “TRUE” WarDriver

12 Threat is present and increasing
The WarDriver Motives WarDriving is done for many reasons As a community service to increase awareness As a business model to secure for profit Cause the dreaded criminal acts of spreading viruses, hack or commit fraud. Threat is present and increasing

13 Wireless Incidents

14 Wireless Invasions Best Buy – May 2002
Customer credit card/transaction data at 1900 stores are left vulnerable CULPRIT: Portable Point-of-Sale (POS) terminals and wireless LAN Network detected from a car parked in store’s parking lot System was operated without even the basic WEP This was the result of a person purchasing a wireless card, plugging it into their laptop and found they were intercepting the transactions

15 US Airports Found to Have Unsecured Wireless LANs
Wireless Invasions US Airports Found to Have Unsecured Wireless LANs Wireless local area networks at San Fransico International, Chicago O’Hare, Atlanta and San Diego airports were found to be operating without basic security protections in place. The networks handled tasks including passenger check-in and baggage transfer. ComputerWorld, October 7, 2002

16 Wireless Invasions Michigan Men sentenced with Hacking Store System November 2003 Two Michigan men (age 21) for allegedly wardriving, finding a Lowes Home Improvement network and proceeded to steal company data and credit card information. Break-ins occurred between October 25th, 2003 and November 7th, 2003. One pled guilty and was sentenced to nine (9) years in a federal prison One pled guilty and was sentenced to 26 months in prison and 2 years of court supervised release Conducted “wardriving” techniques, penetrated network and modified proprietary software to trap credit card transactions

17 North Carolina Man First in Nation Convicted of Wireless Crime
Wireless Invasions North Carolina Man First in Nation Convicted of Wireless Crime November 2003 Perpetrator (age 29) hacked into more then 2000 patient records at Wake Internal Medicine Consultants. Used a laptop from his car and penetrated the wireless network of the facility Pled guilty and received 18 months probation and $10,000 fine.

18 DRIVE Let’s Go WarDriving

19 HARDWARE Laptop booting Win2K or WinXP
Wireless network card with external Antenna connection 7 dbi omni-directional antenna GPS unit with serial connection Power Inverter Smaller & Compact Option

20 Software Windows 2000/XP NetStumbler
Microsoft Streets and Trips or Microsoft MapPoint Orinoco Client Utility

21 WarDriving

22

23 Lawrence, Kansas

24 And the cost of these antennas are ???

25 Mobile Netstumbler Kit w/PC Card
Specs Plugs into laptop Type-11 slot Coverage range of up to 1750 feet Provides 5dB gain performance Easy Installation IEEE b/g certified

26 Parts Cost Total: All Threaded Rod 2 Nylon Lock Washers 5 Washers
Aluminum Tubing Connector Copper Wire Construction Time: 1 hour Copper Wire 12 gauge Scrap Plastic Disc

27 With increasing need to discover more Access Points,
WarDriving have been taken to a newer “art” level.

28 WarFlying WarFlying

29 WarFlying Advantages Covers more ground in less time
Can fly over areas of interest without being restrained by where the roads lead WarFlying

30 WarFlying How It Is Done Flew at an average speed 136 mph Equipment:
Laptop running Win2K/Win XP Omni-directional antenna GPS unit attached to the laptop to record location when signal is detected Flight covered from San Diego, Encinitas, Oceanside, Vista, Escondido, Mission Valley, Pacific Beach, Mission Beach, Ocean Beach, Pt Loma, Chula Vista and then head to the airport to land

31 Flights Have Been Conducted
WarFlying Flights Have Been Conducted 4 Times: August 2001 August 2002 December 2003 April 2004 Areas Flown Over Perth, Australia San Diego, CA San Jose, CA Los Angeles, CA Flight covered from San Diego, Encinitas, Oceanside, Vista, Escondido, Mission Valley, Pacific Beach, Mission Beach, Ocean Beach, Pt Loma, Chula Vista and then head to the airport to land

32 WarFlying What Was Accomplished Flight Was Over San Diego Area
Flight lasted about 1.5 hours Detected 437 access points Flight covered from San Diego, Encinitas, Oceanside, Vista, Escondido, Mission Valley, Pacific Beach, Mission Beach, Ocean Beach, Pt Loma, Chula Vista and then head to the airport to land

33 WarFlying Silicon Valley Flight went west from Montgomery Field
then north to Silicon Valley Picked up Access Points over ocean Determined Access Points were miles away

34 San Diego to LA to Bay Area revealed 592 APs
WarFlying Silicon Valley 430 Access Points were uncovered Flew over Oracle and even Oracle’s APs were setup with default Total trip: San Diego to LA to Bay Area revealed 592 APs

35 DETECT

36 NetStumbler Laptop Version PDA Version

37 270 AP’s in 2 Neighborhoods

38 Only 61 Had Encryption, 22.6%

39 Red Dots = Encrypted Green Flags = Wide Open

40 Take Another Look – All you need to use the internet AND gain access to the router is the SSID and Vendor

41 But what about router passwords?
A searchable listing of over 1300 default logins and passwords by vendor solves that!

42 Statistical Databases

43 (WorldWideWarDrive.org)
Effort by security professionals and hobbyists to generate awareness of the need by individual users and companies to secure their access points. The goal of the WorldWide WarDrive (or WWWD) is to provide a statistical analysis of the many access points that are currently deployed. Organizers of this event mounted an effort for participants to find the most wireless networks throughout the world. Based out of Alberta, Canada

44 Four (4) Worldwide WarDrives have taken place:
August 31 to September 7, 2002. October 26 to November 2, 2002. June 28 to July 5, 2003. June 12 to June 19, 2004

45 WWWD 1 WWWD 2 WWWD 3 WWWD 4 TOTAL APs FOUND 9,374 100% WEP Enabled
2,825 30.13% No WEP Enabled 6,549 69.86% Default SSID 2,768 29.53% Default SSID and No WEP 2,497 26.64% TOTAL APs FOUND 24,958 100% WEP Enabled 6,970 27.92% No WEP Enabled 17,988 72.07% Default SSID 8,802 35.27% Default SSID and No WEP 7,847 31.44% WWWD 3 WWWD 4 TOTAL APs FOUND 88,122 100% WEP Enabled 28,427 32.26% No WEP Enabled 59,695 67.74% Default SSID 24,525 27.83% Default SSID and No WEP 21,822 24.76% TOTAL APs FOUND 228,537 100% WEP Enabled 87,647 38.35% No WEP Enabled 140,890 61.65% Default SSID 71,805 31.42% Default SSID and No WEP 62,859 27.50%

46 The Combined Results from All Four WorldWide WarDrives
CATEGORY 1st WWWD 2nd WWWD 3rd WWWD 4th WWWD TOTAL TOTAL% TOTAL APs FOUND 9,374 24,958 88,122 228,537 350,991 100 WEP Enabled 2,825 6,970 28,427 87,647 125,869 35.86 No WEP Enabled 6,549 17,988 59,695 140,890 225,122 64.14 Default SSID 2,768 8,802 24,525 71,805 107,900 30.74 Default SSID and No WEP 2,497 7,847 21,822 62,859 95,025 27.07

47 WiGLE WIreless Geographic Logging Engine
WiGLE is a nationwide database and mapping website which to date has mapped wireless networks since September 2001. 6,936,919 WiGLE is a submission – based catalog of wireless networks. It’s basically a “Gee Isn’t This Neat” type of engine for learning the spread of WiFi.

48 Orlando, FL area

49 WarDriving Resources

50 WarDriving Resources Tool Web Site Description www.netstumbler.com
Freeware wireless access point identifier - listens for SSIDs & sends beacons as probes searching for access points. Kismet Freeware wireless sniffer and monitor - passively monitors wireless traffic & sorts data to identify SSIDs, MAC addresses, channels and connection speeds Ethereal Freeware WLAN analyzer - interactively browse the capture data, viewing summary and detail information for all observed wireless traffic. WEPCrack Sourceforge.net/projects/wepcrack Freeware encryption breaker - Cracks WEP encryption keys using the latest discovered weakness of RC4 key scheduling.

51 WarDriving Resources THC-RUT Wellenreiter thehackerschoice.com CIRT
Packetstormsecurity.nl Freeware WLAN discovery tool - Uses brute force to identify low traffic access points; hides your real MAC; integrates with GPS. THC-RUT thehackerschoice.com Freeware WLAN discovery tool - Uses brute force to identify low traffic access points; "your first knife on a foreign network." CIRT cirt.net Provides a listing of the default passwords, wireless SSIDs, default WEP numbers and the default port lists for all the major manufacturers of wireless routers, cards and switches. Mobile Airscanner Freeware wireless sniffer that can decode passwords and packets. Free download but no longer supported due to costs. AirSnort Airsnort.schmoo.com Freeware encryption breaker - passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

52 WarDriving Web Sites Wifimaps.com SeattleWireless.net
NetStumbler.com NYCWireless.net Wigle.net Michiganwireless.org nzwireless.org Wireless.net

53 The debate over the legality of WarDriving is still going on
Legalities The debate over the legality of WarDriving is still going on Currently it is not illegal for a person to use a corporations bandwidth to ride on the backbone and use it to strictly gain access for Internet surfing purposes. Once a person or persons begins to use it for data theft or other activities then and only then does it become illegal. FBI has only issued a warning to corporations to check the security of their networks

54 Security Issues

55 Wireless Security Issues
Without a proper setup, anyone can access your wireless network and anything attached Default security settings for wireless networks are not enabled on most devices Many of the optional security settings are not enough to protect a wireless network

56 Security Risks Hacker changes or steals corporate/personal information for their own use Data floods can be produced on the network to cause a denial of service attack Hacker uses your internet connection to hack another network Hacker uses the web on your bandwidth, or uses the bandwidth to distribute spam

57 SLIDE IS BLANK (state following) NOW AT THIS POINT, THE MAJORITY OF YOU ARE PROBABLY ASKING YOURSELVES Then Click

58 DEFEND

59 1. Discovery of Unsanctioned/Rogue Access Points
Securing Wireless 1. Discovery of Unsanctioned/Rogue Access Points Understand the Environment Discovery Can Be Accomplished with two Approaches Low cost of Wireless access points can result in rogue access points FOR EXAMPLE: $150 access point to wired network $70 wireless LAN card to Laptop A power surge or spike will reset all the access points to the default. Physically walking the network area with scanners 2. Monitor the wireless LAN with remote sensors.

60 2. Sanction Only Authorized Laptops
Securing Wireless 2. Sanction Only Authorized Laptops Use the Highest Level of WEP/WPA (WPA2/802.11i strongly preferred) 2. SANCTION ONLY AUTHORIZED LAPTOPS Unsanctioned wireless devices are making their way into enterprises from users who are quick to adopt this technology. Intel’s Centrino wireless chip is progressing to a point where all laptops will be wireless LAN ready. These new laptops will have to be configured to secure the user from connecting to unknown WLANs To protect one’s self from this, current policies have to be reevaluated as corporate executives are beginning to use the embedded wireless chips in their laptops DISCOURAGE AD HOC NETWORKS Similar top rogue access points, ad hoc networks represent another major concern. Wireless LAN cards enable peer to peer networking between laptops without an access point. Can allow a user to transfer corporate documents to unauthorized persons. Solution: monitor for ad hoc networks and policy enforcement.

61 Enable MAC based filtering
Securing Wireless Enable MAC based filtering Note: MAC Addresses can be changed easily by an attacker 5. Lock Down All Access Points Change Default Service Set Identifiers (SSID) Configure to disable broadcast mode Wireless points act as beacon Change Default Passwords SSIDs are essentially the public names of each access point CISCO default = tsunami Linksys default = linksys Intel & Symbol default = 101 Alerts hackers to vulnerable wireless LANs Change to something meaningless Broadcasts SSID as beacon for stations to connect to. Increase data Rates User stations should be set with a connection rate of 5.5Mbps or 11 Mbps Access points with connection speeds of 1 MBPS or 2Mbps indicates suspicious activity or degrade performance.

62 Check for updates and new releases.
Securing Wireless Update the firmware and drivers on your access points and wireless cards. Check for updates and new releases. 7. Use a virtual private network (VPN) 8. If possible, turn off your access points when you are not using them

63 Securing Wireless 9. Establish the Policies/standards and Procedures for Wireless Networks 10. KEY ELEMENT ENFORCEMENT

64 Securing Wireless 9. Establish the Policies/standards and Procedures for Wireless Networks 10. KEY ELEMENT ENFORCEMENT

65 Securing Wireless 9. Establish the Policies/standards and Procedures for Wireless Networks 10. Regularly TEST the security of your wireless network, using the latest Wardriving Tools

66 Securing Wireless 11. KEY ELEMENT ENFORCEMENT

67 THE FUTURE ??

68 Future Wireless Security Methods
WEP2 in development WPA still being updated Longer keys are being implemented which take longer to crack i with embedded encryption will replace b/g networks

69 The End For Now . . .

70 QUESTIONS

71 Thank You

Download ppt "WarDriving: Drive, Detect and Defense for Wireless Networks"

Similar presentations

Wireless LAN Security Understanding and Preventing Network Attacks.

Wireless LAN Security Understanding and Preventing Network Attacks.
SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.

SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.
Securing A Wireless Home Network. Wireless Facts Range about 50 - 200 feet from access point Security anyone can eavesdrop on an unsecured wireless network.

Securing A Wireless Home Network. Wireless Facts Range about feet from access point Security anyone can eavesdrop on an unsecured wireless network.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
How secure are 802.11b Wireless Networks? By Ilian Emmons University of San Diego.

How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Wardriving 7/29/2004 The “Bad Karma Gang”. Agenda Introduction to Wardriving The Tools of Wardriving Wardriving Green Lake.

Wardriving 7/29/2004 The “Bad Karma Gang”. Agenda Introduction to Wardriving The Tools of Wardriving Wardriving Green Lake.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
Chapter 7 Securing your Wireless Network (WIFI). Synopsis What is a wireless home network? What damage can a wireless network snoop do? Who are the snoopers?

Chapter 7 Securing your Wireless Network (WIFI). Synopsis What is a wireless home network? What damage can a wireless network snoop do? Who are the snoopers?
December 17, 2002 1 Wi-Fi Mark Faggiano GBA 576. December 17, 20022 Purpose of the Project  I hear Wi-Fi, WLAN, 802.11 everywhere  What does it all.

December 17, Wi-Fi Mark Faggiano GBA 576. December 17, Purpose of the Project  I hear Wi-Fi, WLAN, everywhere  What does it all.
Wireless Security Ysabel Bravo Fall 2004 Montclair State University - NJ.

Wireless Security Ysabel Bravo Fall 2004 Montclair State University - NJ.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security.
Improving Security. Networking Terms Node –Any device on a network Protocol –Communication standards Host –A node on a network Workstation 1.A PC 2.A.

Improving Security. Networking Terms Node –Any device on a network Protocol –Communication standards Host –A node on a network Workstation 1.A PC 2.A.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.
Wireless Security.

Wireless Security.

Similar presentations

Ads by Google