Defcon "Warballoon" Finds 1/3 of Wireless Networks Unsecured

avatar4d writes "Networkworld is reporting about a warballooning operation (similar to wardriving) that was disallowed by the management at the Riviera Hotel in Las Vegas, but was covertly launched anyway. The team found approximately 370 networks, and about a third of those were unsecured. In addition to that, the project managed to show how trusting the local law enforcement agencies really were: 'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'"

Networks on The Strip

[superj711]

I don't believe this a good test of "security" since the majority of the hotels on the Strip have multiple unsecure Wifi networks for their guests. You have to go to a launch page first before you're even allowed access, sometimes entering a code.

Only 1/3?

[superid]

Last weekend I made a quick 5 mile drive and found 105 systems in my average residential neighborhood. 46 were unsecured. About 25 were running WEP.

Re:Networks on The Strip

[Anonymous Coward]

Even if you don't "broadcast the SSID", that just means you're broadcasting an empty SSID: the beacons are still there and contain all information which is necessary to uniquely identify your access point and tell if it's encrypted and how. So yes, of course those networks are going to show up in their stats.

Re:Networks on The Strip

[espiesp]

As somebody that currently lives a block away from the Luxor and Mandalay Bay, I can accurately say that you don't have to drive far from the strip to find a very high density of wireless access points, with approximately this ratio of secured to unsecured points. Within reach of the confines of my condo I have a buffet of wide open AP.

Take the strip out of the equasion and I think it's still valid.

Re:Only 1/3?

[anagama]

I'm not sure if you are making a joke, so just in case you aren't, I'll point out that MAC address filtering is no security at all. Your laptop is transmitting it's MAC as part of the regular wifi transmissions so sniffing it out of the air is trivial with Kismet or Kismac. Spoofing a MAC address is trivial on Linux and Windows machines, a bit more involved to make your OS X Leaopard system able to spoof but not rocket science, and apparently trivial with "spoofmac" on Tiger.

Here's an overview:

http://www.irongeek.com/i.php?page=security/changemac [irongeek.com]

For Linux, if you just want a random MAC to make yourself even more anonymous:
http://www.alobbs.com/macchanger [alobbs.com]

Similar software exists for windows (google "windows macchanger")

Re:Networks on The Strip

[dfn_deux]

Thanks for this, I have repeated this comment hundreds of times to various people setting up their networks and yet they still seem to think that setting the essid as "hidden" is providing some small extra security, when in fact it only obscures your network for legitimate users, since anyone sniffing for a networks will see it regardless of whether you have it set to broadcast or not.

Re:Only 1/3?

[zn0k]

Spoofing a MAC address is trivial on Linux and Windows machines, a bit more involved to make your OS X Leaopard system able to spoof but not rocket science, and apparently trivial with "spoofmac" on Tiger.

bash-3.2$ uname -a
Darwin Laptop.local 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:36:17 PDT 2008; root:xnu-1228.5.20~1/RELEASE_PPC Power Macintosh
bash-3.2$ ifconfig en0|grep ether
        ether 00:11:24:d5:57:9e
bash-3.2$ sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff
Password:
bash-3.2$ ifconfig en0|grep ether
        ether aa:bb:cc:dd:ee:ff

It's trivial on OS X (Leopard and Tiger), too.

Re:Networks on The Strip

[geekymachoman]

Depends with what software they have been 'sniffing'.

SSID is broadcasted in 802.11 beacon frame, along with some other stuff.

So if you turn off the SSID broadcasting, you'r removing the SSID info from the body of beacon packet, so regardless you have traffic or no, your AP is gonna show up (without ssid so you will not know the name of ap) in something more advanced then netstubmler. Kismet for example.

This has nothing to do with traffic amount.

Re:i hate you all

[icebike]

It could just as well mean that the authors were delighted and found it commendable that the police did not make a fuss about an innocent site survey.

If you read it that way, English must be a second language for you. It was CLEARLY disparaging of the police, tauntingly so.

That you mistake it for gleeful respect suggests a very naive outlook.

Re:i hate you all

[icebike]

Easy. Don't allow traffic between any IPs behind the router, other than TO the router itself.

This is trivial with Iptables.

That would force users behind the router to connect via its external NIC to talk to each other, and that can be filtered easily as well.

You can't really spoof a machine on your own subnet.