
Wireless Security

  • Sample Chapter is provided courtesy of Cisco Press.
  • Date: Jul 16, 2004.

Chapter Description

Tom M. Thomas explains the basics of setting up security for a wireless network. He warns technicians of the various ways in which a wireless network can be breached, and provides help in protecting against those attacks.

From the Book

Network Security First-Step


WarGames Wirelessly

Like many of the beneficial technologies discussed in this book, wireless networks are also susceptible to a variety of threats; however, wireless is still a growing technology, and today you have the opportunity to protect and secure your network. This section takes a high-level look at some of those threats and why you should secure your network.

You might be familiar with the 1983 movie WarGames, in which a young man (played by Matthew Broderick) finds a back door into a military computer and unknowingly starts the countdown to World War III. The movie's young hacker executes this mayhem entirely over a modem, which gave rise to the phrase WarDialing.

Fast-forward almost twenty years to when London-based author Ben Hammersley was writing and wanted a cup of coffee or even a bite to eat from the café across the street. Ben installed a WAP that gave him the wireless access he wanted; he was a giving man, however, and decided to let his neighbors know that they could have free wireless Internet access. Disappointingly, no one took him up on his generosity. Enter Ben's friend, Matt Jones, who posted a set of runes on a website (http://www.blackbeltjones.com) with the intention of creating a set of international symbols that would let people know that a wireless connection is available. Ben took a piece of chalk and drew these runes on the curb in front of the café and became the first WarChalker. (See Figure 8-3.)

Shortly after Matt (a.k.a. Black Belt Jones) posted these symbols on the Internet, word spread fast and these two individuals started an Internet phenomenon resulting in new words with such ominous names as WarChalking, WarSpying, WarSpamming, and WarDriving—all ultimately a part of the evolution of wireless access. To clarify, none of these new terms enhance the security of your network. They are simply terms that attackers use to describe their activities. The following sections review each of these threats.

Figure 8-3 WarChalking Symbols

WarChalking

If you have ever seen a pirate movie in which a fancifully drawn treasure map displayed a large red X depicting where the ill-gotten gains were buried, you have some basic idea of the role symbology has played in man's pursuit of riches. Much in the same way that the X marked the spot filled with gold, jewels, and silver, so did a series of runes depict areas of danger: which house a policeman might live in, or which houses were considered sympathetic to hobos during the Great Depression. For example, a rune in the shape of the pound sign "#" told fellow hobos that a crime had recently been committed and to avoid the area, or a casually drawn triangle might indicate that there were too many hobos working this area, so pickings were slim.

It was these "hobo hieroglyphics" from the Great Depression that inspired Ben and Matt to add a new dimension known as WarChalking. WarChalking is a practice that originated with the intention of telling fellow wireless warriors where they could get a free wireless connection on a corporate or private wireless network. The symbols utilized by these "WarChalkers" generally indicate whether the wireless access point is considered "open" or "closed," depicted either by two half-circles back to back or a single regular circle, respectively, and what sort of security is protecting this access point.

WarChalking in its original form turned out to be a momentary cult-like movement that was fascinating for everyone. However, in practice it has changed significantly to reflect the realities of what people are trying to accomplish. Very few people walk around drawing marks on buildings; however, people are "chalking" maps using GPSs to show exactly where wireless access can be gained. Searching the Internet reveals quite a few online maps marked for use (http://www.netstumbler.com/nation.php). One of the added benefits of putting the maps online is that they are not washed away when it rains.

From a security perspective, it is highly unlikely that you will ever see the side of your building or sidewalk marked with a WarChalk symbol; however, it is likely that if your wireless network is not protected properly, it will appear chalked on someone's map for anyone to use. You might be wondering how attackers are finding these access points. Consider the last time that you saw anyone walking around with a laptop and a GPS. It does happen, but it might not be obvious because WarWalkers typically use backpacks to conceal their activities. In addition to the limitations posed by equipment battery life, all this walking can become tiring. Enter the next wireless threat—WarDriving—where converters can power a laptop for as long as the car is running.

NOTE

WapChalking—A variant of WarChalking set up by the Wireless Access Point Sharing Community, an informal group with a code of conduct that forbids the use of wireless access points without permission. The group uses the WarChalking marks as an invitation to wireless users to join their community. In WapChalking terms, the two half-moon open node mark means that a wireless access device is currently indicating factory default settings and is thus easily detected.

WarDriving

WarDriving makes finding open wireless networks simple and dramatically increases the search area. The act of WarDriving is simple: you drive around looking for wireless networks. Part of the appeal is that you can now use GPS systems connected to your laptop, which is then powered by your car. This makes the act of WarDriving accurate and potentially rewarding for those looking for your wireless network because they can cover a much larger area with a vehicle.

CAUTION

Before delving too deeply into this subject, it is important to remember that WarDriving or "LAN jacking" an unwary subject's WAP is possibly illegal, depending on the part of the country in which you live. The reason you would even consider building an antenna is to remain as far away as possible from the WLANs that you are sniffing. To get the latest information on legalities and updates on this front, consult your local computer club or perform an Internet search on "war driving and legalities."

It is disturbing that almost anyone can find your wireless network so easily, isn't it? Vendors turn everything on by default, regardless of network security concerns; this makes it easy for WarDrivers. By default, wireless access points broadcast a beacon frame every 10 milliseconds that carries the SSID and so identifies the wireless network they are a part of.

The average antenna on a wireless PCI card NIC is not sensitive enough to do a good job of zeroing in on low to medium-powered WAP signals, so many WarDrivers have resorted to using a USB wireless NIC outfitted with a homemade "directional Yagi" design antenna hardwired into the USB NIC, as shown in Figure 8-4 (http://3nw.com/pda/wireless/wi_fi_pringles_can_yagi_antenna.htm). Various designs yield better or worse results depending on the signal type of the wireless traffic you are trying to snoop. The wireless network is identified by a 32-bit character known as a Service Set Identifier (SSID). For a WarDriver, the easiest networks to find are those that are broadcasting this SSID. Perhaps I do not have any special applications but only a laptop with Windows XP. From a security perspective, Windows XP is wireless-aware and perhaps too friendly because it easily picks up any SSID broadcasts and automatically tries to join any available wireless network. With such a friendly operating system, who needs all the special tools?

Figure 8-4 Pringles Can as a Yagi Antenna

By default, the SSID is included in the header of the wireless packets broadcast every 10 milliseconds from a WAP. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device is not permitted to join the wireless network unless it can provide the unique SSID. Because an SSID can be sniffed from a packet in plain text, it does not supply any security to the network, even though it does function as a wireless network password. It is strongly recommended that WAPs have the broadcasting of their SSID disabled.
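The point above, that the SSID travels in plain text and so provides no security, as an added example that is not from the book: a Python parser for 802.11 beacon and probe-response frames, used to audit your own access points for open configuration, factory-default names, and SSIDs that are hidden in beacons yet still sent in the clear. The frames are constructed sample bytes, and `DEFAULT_SSIDS` and all function names are assumptions made for illustration.

```python
"""Audit beacon / probe-response frames captured from your own access points."""
import struct

MGMT_HDR_LEN = 24            # frame control, duration, 3 addresses, sequence control
FIXED_LEN = 12               # timestamp (8) + beacon interval (2) + capability (2)
BEACON, PROBE_RESP = 8, 5    # management-frame subtypes
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010   # privacy bit is set when encryption is required
# Assumption: a short illustrative list of factory-default SSIDs, not an exhaustive one.
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear"}


def build_frame(subtype, bssid, ssid, privacy):
    """Construct a sample frame (test data only; no radiotap header, no FCS)."""
    fc = bytes([subtype << 4, 0])                  # version 0, type 0 (management)
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, CAP_ESS | (CAP_PRIVACY if privacy else 0))
    name = ssid.encode()
    return hdr + fixed + bytes([0, len(name)]) + name + bytes([3, 1, 6])  # SSID, channel


def parse_mgmt(frame):
    """Return subtype, BSSID, SSID and privacy flag; None if not a beacon/probe response."""
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (BEACON, PROBE_RESP):
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])      # address 3
    _ts, _interval, caps = struct.unpack_from("<QHH", frame, MGMT_HDR_LEN)
    ssid, pos = None, MGMT_HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):                   # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                  # truncated element: stop parsing
        if tag == 0:
            # A hidden network sends a zero-length or all-NUL SSID element.
            ssid = value.decode("utf-8", "replace") if value.strip(b"\x00") else ""
            break
        pos += 2 + length
    return {"subtype": subtype, "bssid": bssid, "ssid": ssid,
            "privacy": bool(caps & CAP_PRIVACY)}


def audit(frames):
    """Group frames by BSSID and list the findings a defender should act on."""
    seen = {}
    for raw in frames:
        info = parse_mgmt(raw)
        if info is None:
            continue
        ap = seen.setdefault(info["bssid"],
                             {"names": set(), "hidden_beacon": False, "privacy": True})
        if info["ssid"]:
            ap["names"].add(info["ssid"])
        elif info["subtype"] == BEACON:
            ap["hidden_beacon"] = True
        ap["privacy"] = ap["privacy"] and info["privacy"]
    report = {}
    for bssid, ap in seen.items():
        findings = []
        if not ap["privacy"]:
            findings.append("open: no encryption required")
        if any(n.lower() in DEFAULT_SSIDS for n in ap["names"]):
            findings.append("factory-default SSID")
        if ap["hidden_beacon"] and ap["names"]:
            findings.append("SSID hidden in beacons but sent in clear in probe responses")
        report[bssid] = {"ssids": sorted(ap["names"]), "findings": findings}
    return report


SAMPLE_FRAMES = [  # constructed frames, not captured traffic
    build_frame(BEACON, "02:00:00:00:00:01", "linksys", privacy=False),
    build_frame(BEACON, "02:00:00:00:00:02", "", privacy=True),
    build_frame(PROBE_RESP, "02:00:00:00:00:02", "corp-wlan", privacy=True),
]

if __name__ == "__main__":
    for bssid, result in audit(SAMPLE_FRAMES).items():
        print(bssid, result)
```

The second access point shows why disabling SSID broadcast is housekeeping rather than protection: its beacons carry an empty name, but the same BSSID still reveals the name in a probe response.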

The presence of an SSID in a wireless network means that those engaging in the search should have more powerful wireless antennas that allow them to pick up and detect wireless signals. For example, if you want to "LAN jack" 802.11b/2.4-GHz wireless network connections, you would most likely opt for a "helix" or "helical" design, which is basically tubular in design with a series of copper wire wrappings around a central core. This custom-made antenna style can be difficult to build because of its exacting standards and rather pricey parts list. On the other hand, a "wave guide" style can be made from rather inexpensive components such as a Pringles can (as shown in Figure 8-4), coffee can, or juice can.

The basic premise of building these specialty "signal stealers" is to mount them on the roof or hood of your car, connect the antenna to your wireless NIC, and drive around town looking for unsecured access points. Again, WarDriving for the purposes of stealing Internet access and snooping around a private network is illegal and earns you a visit from men in blue suits with no sense of humor. WarDriving was invented by a man named Peter Shipley, who had the vision to take WarChalking to the next level:

Most recently I invented Wardriving, while I am not the first person to go out and search for open wireless LANS (a few before me ventured around with in a with a laptop, pencil & paper manually scribbling notes). I was first to automate it all with dedicated software and a GPS. When I started this project the usage of WEP was around 15%, after going public with my findings, a year later WEP usage is now 33%. Thus it is good to know people are getting the message. Some maps I generated from these exercises can be found at http://www.dis.org/wl/maps/.

Depending on your frame of reference (and why you are reading this book), you might be wondering whether WarDriving is a crime. Of course, those doing the WarDriving do not view it as such; however, those of you who own the wireless networks might have a slightly different perception. While doing research, I stumbled across a quote—supposedly from the FBI—that states their position as follows:

Identifying the presence of a wireless network may not be a criminal violation, however, there may be criminal violations if the network is actually accessed including theft of services, interception of communications, misuse of computing resources, up to and including violations of the Federal Computer Fraud and Abuse Statute, Theft of Trade Secrets, and other federal violations.

Therefore, if you are deploying a wireless network, you are likely to have someone try and find it, so your security depends on that individual's understanding that it is his responsibility to ensure that he does not violate any local, state, or federal laws that might pertain to his area. To slightly rephrase: you have gone through all the trouble of purchasing equipment, learning the process, loading the tools, and setting everything up. Your wireless network is not secured, and law enforcement expects the WarDriver not to do anything illegal. Are you prepared to leave your network vulnerable to those who do not support this law-abiding scenario? If you are, go back to Chapter 1, "Here There Be Hackers!" and start reading again!

The FBI quote seems to be an accurate representation of law enforcement agency positions on WarDriving; contests are held to see who can find the most wireless networks. Individuals involved in the wireless industry and dedicated to a certain bias in this debate clearly maintain these websites, but check them out:

http://www.worldwidewardrive.org/

http://www.wardriving.com/

You will find links to various WarChalked maps that show the GPS locations and, in many cases, much more about open wireless networks worldwide. In doing my research for this chapter, I stumbled across a few people who have taken WarDriving to the next level, literally, in the form of WarFlying.

WarFlying

I have heard of only two cases of WarFlying, but it is such an interesting endeavor that I just had to include it. WarFlying (a.k.a. WarStorming) is simply searching for wireless networks while flying in an airplane. However, because not many people have access to a small plane and the tools necessary to pull off WarFlying, the occurrences of WarFlying will be fewer than those of WarDriving. Because of the limited range of wireless LANs, the plane must fly below 1500 meters. WarFlying was first recorded in Perth, Australia.

WarFlying has some clear limitations because you do not have the ability (at least today) to triangulate on the access point, which could be several miles from where it was detected. Regardless, however, it is interesting, and I suggest checking out the three-part article on how Silicon Valley was WarFlown. I am not sure if that statement is grammatically correct; however, you get the point. Check out the rest of the story at http://www.arstechnica.com/wankerdesk/3q02/warflying-1.html.

WarSpamming

Everyone has received spam or junk mail; it is a plague on the Internet and, frankly, in my mailbox at home. I believe in free speech; however, that freedom does not give you the right to be heard. Fortunately, lawmakers and politicians around the world are beginning to notice our feelings on this matter and are developing laws to penalize spammers. These laws might or might not be effective—time will tell. However, it is becoming more difficult for spammers to source their spam from countries that are beginning to develop these laws. There are also organizations that list IP addresses of places where spam has originated from, so what is a spammer to do? Many are now sourcing their spam from other countries; this presents all sorts of logistical problems and additional costs to our spammers. As a spammer, what if I could drive downtown or hire someone to find an open wireless network, join that network, and send my spam?

Remember the concept of downstream liability discussed in Chapter 3, "Overview of Security Technologies"? It would be simple to find an open wireless network and join it to send spam. The attacker (spammer) could be sitting in a café across the street, and you might never know. Now fast-forward a bit; the spam is sent to thousands of people who report that they received it, and yet another wrinkle: the spam was pornographic in nature. Yes, it can be even worse than that (remember, we are not talking about people who have morals—they are driven by other goals and needs). A quick check reveals your network's IP address, which is then blacklisted and reported to your ISP—and do not forget about the new antispamming laws. The result is that all outgoing e-mail from your company is blacklisted. How embarrassing when your customers get the bounce message saying that your company is spamming, the ISP shuts off your Internet connection, and law enforcement comes knocking. Also, if you have one of those Internet connections where you are billed by usage, expect a big bill this month.

The truth of the matter in WarSpamming is that your network did, in fact, spam others and, while it might have been as a result of an attacker, you are now liable because your wireless network was not secured properly. Who do you think is responsible for that and are they looking for a new job? Expect to see WarSpamming increase as it becomes more difficult for spammers to operate. Those who want to do questionable things will always find a way; some will stop as it becomes too difficult, and others will not.

WarSpying

A nice follow-up to WarSpamming is WarSpying, which is a relatively new phenomenon coming to a wireless video network near you. The most popular method of WarSpying is using those wireless X10 cameras. X10 is the camera featured in pop-up ads all over the Internet and they invariably have some gorgeous woman in them. X10 is also a means by which to automate your home, as in a smart house; however, that topic is beyond the scope of this book.

WarSpying was first documented in the magazine 2600, an interesting read if you can find the few nuggets of technical worth from the rants it prints. Regardless, it outlined how to make a wireless device that can pick up wireless surveillance systems transmissions. Since then, many people have explored and documented the topic online, and there are now reports of people tapping into all sorts of cameras that are transmitting over a wireless network. You can learn more about WarSpying at http://rhizome.org/RSG/RSG-X10-1/.

Notice I have completely avoided all discussions of the other nefarious uses into which this could develop. The key is awareness and an understanding of how to protect your network.

Many places sell kits to start someone WarDriving; plans, maps, and so on are also readily available. A simple Internet search shows the results:

http://www.kenneke.com/index.html

http://www.hotspotlist.com/

http://www.wi-fiplanet.com/

This section was rather revealing about how wireless networks are found and, to a lesser degree, what some of the threats are. In addition, a variety of more specific threats are possible. Plus, after an attacker joins a wireless network, you have a host of other problems. The following sections examine these topics in more detail.
