Commentary Sophos Security Insights
'Warbiking' Experiment Exposes One In Four Hotspots Have Poor, Or No, Security
Excursion into central London streets finds obsolete WEP encryption standard still in use
Solutions to secure wireless networks, such as VPNs configured with and protected by WPA2, are readily available to wireless users. Still, as evidenced by the following “Warbiking” excursion, Project Warbike, 91 miles into central London proves, there are at least some users whose networks remain at modest to significant risk.
This recent practical experiment into WiFi security covering the city of London and conducted over two days by Sophos' director of technology strategy, James Lyne, found that 27 percent of nearly 107,000 hotspots were found to have poor, or no, security.
The project involved using a bike equipped with dynamos and solar panels to power a computer designed to scan for wireless networks -- a technique known as "wardriving," or, in this case, "warbiking." In addition, a GPS-enabled device allowed the creation of a "heat" map, depicting levels of security of wireless networks around central London.
Lyne passed more than 1,000 wireless hotspots for every mile he rode, and found that at least one in four had poor security. Analyzing the geographic mapping of the hotspots and the level of security they demonstrated revealed some interesting trends.
Residential areas largely had reasonable default configurations -- although many devices had default network names like SKY-XYZ123, they often had the strong WPA2 encryption standard enabled. At a micro level, the worst offending areas, consistently across London, were streets with collections of small businesses. Of the overall number of networks, 9 percent were using default network names with no random element, such as "default" or the vendor name. This makes password hacking even faster. This figure increased to 21 percent if networks that used the default name but had some random element per device, e.g., Default-165496, are included. These figures excluded default names of obviously identifiable, intentionally open hotspots such as those in hotels and cafes.
Some providers offering packaged solutions with a plug-and-play router generate truly random names by default, and supply these on a sticker on the bottom of the router. It's therefore reassuring to see some vendors following best practice here, helping consumers in particular to be more secure out of the box. Crucially, Sophos only collected high level data within the confines of the law, which revealed the general state of wireless security (and is therefore representative of awareness of steps taken to secure networks).
However, it should be noted that cybercriminals have significantly more offensive tools in their armories and could relatively easily take this exercise further. "With the tools available we could have gone much further but we carefully stayed in the confines of the law. This exercise doesn't paint the complete picture, but it shows enough to demonstrate that security best practice and education still need a lot of focus." said James Lyne, director of technology strategy at Sophos.
"Pretty much every wireless device can be configured to use secure wireless networking out of the box, so poorly configured devices show a lack of awareness rather than a lack of capability to be secure," added Lyne.
"It's easy to take simple steps to protect your wireless network, making it a far less attractive target for anyone trying to snoop on your internet activities or steal personal information. If an attacker gains access to a wireless network they can cause a lot of damage, such as intercepting usernames/passwords, taking control of computers on the network, changing browsing to websites (for example to deliver malware or capture credentials), or using the network to perform any manner of anonymous or illegal activities. Unfortunately many networks are still like a Rolo candy -- hard on the outside but soft and gooey on the inside. Without good security as per our top tips, an organization won't know they’ve been attacked until perhaps the police come knocking."
Top level findings of the project include: • 106, 874 individual hotspots detected across more than 91 miles of central London
• 8 percent of the hotspots used no encryption and appear to be both home and business networks (this figure excludes a large number of coffee shops and other open hotspots which were identified by name of hotspot)
• 19 percent of the hotspots used the obsolete 'WEP' encryption
• The remaining networks used WPA or WPA2 encryption, which represents acceptable security, providing they are not configured with default or easy to guess passwords
While the Sophos experiment has no way of testing the strength of the passwords used, as no attempt was made to access any of them, there are tools available which can attack WPA2 protected networks with massive wordlists at high speed. Businesses should also ensure they have appropriate configuration management, logging and anomaly detection capabilities so that their configuration remains standard across the office or geographic locations.
Other recommendations derived either directly or indirectly from this experiment:
1. Most wireless routers come with a default wireless network name. Known as the "service set identification" or SSID, it’s a name many users do not bother to change, which allows hackers to prepare default password look-up lists combined with common SSIDs that speed up the password cracking process dramatically and enabling them to test vast numbers of passwords for seconds. Having a custom SSID increases the time it takes for an attacker to break your passphrase.
2. Coffee shops and public hotspots will often intentionally be open so users of such services should ensure they are configured to use a VPN, which protects their traffic irrespective of the potential hazards of attackers listening in.
3. Configure your wireless network to use WPA2, which is the minimum level of protection on any wireless network.
4. Use a secure password, ideally a hard-to-hack, hard-to-guess alpha-numeric combination or passphrase.
Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.