[ISN] Beware The Wardriver at Your Next Conference

InfoSec News isn at c4i.org
Mon Mar 20 03:46:15 EST 2006


By Sean Michael Kerner 
March 17, 2006 

Every tech conference put on today is swimming in Wi-Fi signals. Some
are meant to provide public Internet access to attendees, and some are
meant to be private for exhibitors connecting to corporate networks.

According to research conducted by Russian security firm Kaspersky
Lab, most of those Wi-Fi signals are wide open.

Kaspersky conducted its "wardriving" research at the recent CeBIT show
in Hanover, Germany, that bills itself as the world's largest IT trade

Wardriving is the act of scanning Wi-Fi signals to access open
bandwidth that isn't necessarily supposed to be open.

Kaspersky Senior Virus Analyst Alexander Gostev and Senior Research
Engineer Roel Schouwenberg discovered nearly 300 access points at the
show and collected data on them.

According to Kaspersky, "the researchers did not attempt to intercept
or decrypt any traffic." They did, however, discover a number of
interesting things about the nature of Wi-Fi networks.

More than half (approximately 56 percent) of the detected access
points offered no WEP protection. Alex Gostev, senior virus
analyst at Kaspersky, wasn't surprised by the finding.

"We expected that access points without traffic encryption will be
less than in global statistics," Gostev told internetnews.com in a
translated e-mail. "And it was as expected, 56 percent against 70
percent in other countries. Although we expected less unprotected
networks, 20 to 30 percent."

CeBIT access points for the most part were apparently not left in
their default modes, either.

SSIDs, short for Service Set Identifiers, were in most
cases changed from their factory settings, which typically are a
combination of the manufacturer's name and/or device model number.

A factory default SSID is an indication that the administrator has not
changed the default setting and may well not have changed the default
username/password, either. The Kaspersky researchers detected only two
access points out of their scan of 300 that still had the factory
default SSID configuration.

"The fact that there were only two access points with default SSIDs
was very good to see," Schouwenberg told internetnews.com. "We
expected that number to be quite a bit higher."

SSIDs are also typically set to broadcast their availability, which
more easily enables users, both legitimate and malicious, to locate
the access point.

The idea behind disabling SSID broadcasting is that it is harder for
malicious users to discover an access point and attempt to infiltrate
it. Kaspersky's CeBIT research found that only 8 percent of access
points had disabled SSID broadcasting and, of those, 89 percent had
enabled WEP encryption.

Schouwenberg advised that for WLANs that need to be treated as
private, tradeshow participants should disable SSID and use the best

"If you want to be really secure, you should use authentication to
prevent unauthorized access to the access point," Schouwenberg said.  
"And use a tunnel (VPN for instance) to make sure others can't
intercept/decrypt traffic."

Gostev warns of another threat that could potentially affect
conference-goers: mobile viruses.

"Creation and implementation of automatic traps of the viruses
combined with Bluetooth scanners seems to me expedient," Gostev said.

He suggests that the mobile equivalent of airport metal detectors is
needed to help prevent mobile virus transmission. That way, he said,
it will be possible to discover infected phones the minute they enter
the building.
