Guest Blog // Selected Security Content Provided By Sophos
Dark Reading

'Warbiking' Experiment Exposes One In Four Hotspots Have Poor, Or No, Security

Excursion into central London streets finds obsolete WEP encryption standard still in use

Solutions to secure wireless networks, such as WPA2 encryption on the access point and a VPN for traffic sent over untrusted hotspots, are readily available to wireless users. Still, as the following "Warbiking" excursion, Project Warbike, a 91-mile ride through central London, shows, a substantial share of networks remain at modest to significant risk.

This recent practical experiment in WiFi security, covering the city of London and conducted over two days by Sophos' director of technology strategy, James Lyne, found that 27 percent of nearly 107,000 hotspots had poor, or no, security.

The project involved using a bike equipped with dynamos and solar panels to power a computer designed to scan for wireless networks -- a technique known as "wardriving," or, in this case, "warbiking." In addition, a GPS-enabled device allowed the creation of a "heat" map, depicting levels of security of wireless networks around central London.

Lyne passed more than 1,000 wireless hotspots for every mile he rode, and found that at least one in four had poor security. Analyzing the geographic mapping of the hotspots and the level of security they demonstrated revealed some interesting trends.

Residential areas largely had reasonable default configurations -- although many devices had default network names like SKY-XYZ123, they often had the strong WPA2 encryption standard enabled. At a micro level, the worst offending areas, consistently across London, were streets with collections of small businesses. Of the overall number of networks, 9 percent were using default network names with no random element, such as "default" or the vendor name. This makes password cracking even faster: WPA and WPA2 derive the network key from the passphrase using the SSID as the salt, so an attacker can precompute candidate keys for the handful of common default SSIDs once and reuse them against every network that still carries one of those names. This figure increased to 21 percent if networks that used the default name but had some random element per device, e.g., Default-165496, are included. These figures excluded default names of obviously identifiable, intentionally open hotspots such as those in hotels and cafes.

Some providers offering packaged solutions with a plug-and-play router generate truly random names by default, and supply these on a sticker on the bottom of the router. It is therefore reassuring to see some vendors following best practice here, helping consumers in particular to be more secure out of the box. Crucially, Sophos only collected high-level data, within the confines of the law: the network names and security settings that every access point advertises. That is enough to reveal the general state of wireless security, and is therefore representative of how aware users are of the steps needed to secure their networks.

However, it should be noted that cybercriminals have significantly more offensive tools in their armories and could relatively easily take this exercise further. "With the tools available we could have gone much further but we carefully stayed in the confines of the law. This exercise doesn't paint the complete picture, but it shows enough to demonstrate that security best practice and education still need a lot of focus," said James Lyne, director of technology strategy at Sophos.

"Pretty much every wireless device can be configured to use secure wireless networking out of the box, so poorly configured devices show a lack of awareness rather than a lack of capability to be secure," added Lyne.

"It's easy to take simple steps to protect your wireless network, making it a far less attractive target for anyone trying to snoop on your internet activities or steal personal information. If an attacker gains access to a wireless network they can cause a lot of damage, such as intercepting usernames/passwords, taking control of computers on the network, changing browsing to websites (for example to deliver malware or capture credentials), or using the network to perform any manner of anonymous or illegal activities. Unfortunately many networks are still like a Rolo candy -- hard on the outside but soft and gooey on the inside. Without good security as per our top tips, an organization won't know they’ve been attacked until perhaps the police come knocking."

Top level findings of the project include:

• 106,874 individual hotspots detected across more than 91 miles of central London

• 8 percent of the hotspots used no encryption and appear to be both home and business networks (this figure excludes a large number of coffee shops and other open hotspots which were identified by name of hotspot)

• 19 percent of the hotspots used the obsolete 'WEP' encryption

• The remaining networks used WPA or WPA2 encryption, which represents acceptable security, providing they are not configured with default or easy to guess passwords

While the Sophos experiment had no way of testing the strength of the passwords used, as no attempt was made to access any of the networks, there are freely available tools that attack WPA2-PSK networks offline: once a single handshake has been captured, candidate passphrases from massive wordlists can be tested at high speed without ever touching the network again. Businesses should also ensure they have appropriate configuration management, logging and anomaly detection capabilities, so that their wireless configuration stays standard across offices and geographic locations and deviations are noticed.

Other recommendations derived either directly or indirectly from this experiment:

1. Most wireless routers come with a default wireless network name, known as the "service set identifier" or SSID, and many users never bother to change it. Because WPA/WPA2 uses the SSID as the salt when deriving the network key from the passphrase, attackers can prepare look-up tables of candidate passwords precomputed against common default SSIDs. Against a network with one of those names, cracking becomes a table lookup rather than a computation, and vast numbers of passwords can be tested in seconds. A custom SSID makes those precomputed tables useless and forces the attacker to start from scratch, increasing the time it takes to break your passphrase.

2. Coffee shops and public hotspots are often intentionally open, so users of such services should ensure their devices are configured to use a VPN, which protects their traffic from anyone listening in on the open network.

3. Configure your wireless network to use WPA2. Treat it as the minimum acceptable level of protection: WEP is obsolete and should not be used, and an open network offers no protection at all.

4. Use a secure password, ideally a long, hard-to-guess passphrase that is not a dictionary word or a common pattern, since offline cracking is only as fast as the attacker's wordlist is good.
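Both the caution above about high-speed wordlist attacks on WPA2 and tip 1 rest on one detail of WPA/WPA2-Personal: the Pairwise Master Key (PMK) is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), with the SSID as the salt. The following Python is an added example, not code from the Sophos project or from this article, showing why a default SSID lets an attacker skip almost all of that work while a custom SSID does not. The wordlist, the list of default SSIDs and the network names are constructed for the demo. It compares PMKs directly to keep the code short; a real attack checks each candidate against the MIC of a captured four-way handshake instead, but the per-candidate PBKDF2 cost and the dependence on the SSID are exactly the same.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
# The SSID is the salt, which is the only reason per-SSID precomputation works at all.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal Pairwise Master Key from a passphrase and an SSID."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


# Constructed sample data: a five-word "wordlist" and three default SSIDs stand in for
# the multi-gigabyte lists and SSID catalogues that real cracking tools ship with.
WORDLIST: List[str] = ["password", "letmein", "12345678", "sunshine", "changeme"]
COMMON_SSIDS: List[str] = ["default", "linksys", "NETGEAR"]

# (ssid, pmk) -> passphrase. Built once, reused against every network with that SSID.
PmkTable = Dict[Tuple[str, bytes], str]


def build_pmk_table(ssids: List[str], wordlist: List[str]) -> PmkTable:
    """Precompute the PMK for every (default SSID, candidate passphrase) pair."""
    return {(ssid, wpa2_pmk(pw, ssid)): pw for ssid in ssids for pw in wordlist}


def table_lookup(table: PmkTable, ssid: str, pmk: bytes) -> Optional[str]:
    """O(1) lookup: zero PBKDF2 work at attack time if the SSID was precomputed."""
    return table.get((ssid, pmk))


def online_crack(ssid: str, target_pmk: bytes,
                 wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Fallback when the SSID is not in any table: one full PBKDF2 per candidate.

    Returns (recovered passphrase or None, number of PBKDF2 derivations spent).
    Each derivation is 4096 HMAC-SHA1 rounds, so this cost is what a custom SSID
    forces the attacker to pay again for every single network.
    """
    for spent, pw in enumerate(wordlist, start=1):
        if wpa2_pmk(pw, ssid) == target_pmk:
            return pw, spent
    return None, len(wordlist)


def demo() -> dict:
    """Same weak passphrase on two networks; only the SSID differs."""
    table = build_pmk_table(COMMON_SSIDS, WORDLIST)
    weak_pw = "sunshine"  # constructed: a passphrase that appears in the wordlist

    # Network A kept the vendor default SSID.
    pmk_a = wpa2_pmk(weak_pw, "default")
    # Network B uses a custom SSID (constructed name).
    custom_ssid = "Flat4-Upstairs"
    pmk_b = wpa2_pmk(weak_pw, custom_ssid)

    return {
        "table_entries": len(table),
        "hit_default_ssid": table_lookup(table, "default", pmk_a),
        "hit_custom_ssid": table_lookup(table, custom_ssid, pmk_b),
        "online_crack_custom": online_crack(custom_ssid, pmk_b, WORDLIST),
        "same_passphrase_different_pmk": pmk_a != pmk_b,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Network A is recovered by a dictionary lookup that costs nothing at attack time; network B, with the identical passphrase, misses the table and has to be cracked online, paying 4096 HMAC-SHA1 rounds per candidate. Real tools do precisely this at scale: aircrack-ng's airolib-ng and coWPAtty's genpmk build per-SSID PMK databases for the most common default network names. The custom SSID only buys time, though; a passphrase that is in the wordlist still falls once the attacker recomputes for that SSID, which is why tip 4 matters as much as tip 1.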

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.
