Information Security News mailing list archives

A walk on the wireless side


From: InfoSec News <isn () c4i org>
Date: Wed, 20 Feb 2002 02:15:53 -0600 (CST)

http://www.linuxworld.com/site-stories/2002/0218.wardriving.html

By Joe Barr
February 19, 2002

(LinuxWorld) -- The idea was innocent enough: Enable my girlfriend to
use a laptop computer to surf wirelessly from the sofa while watching
TV. That, however, is not quite how things worked out. As I put the
finishing touches on this story I am:

* Packing my gear.
* Making sure my laptop is fully charged.
* Checking to see if I have the latest versions of all the 
  prerequisite "tools."

Okay. All set. Me and the laptop are wardriving again.

A month or two back I wrote a column about an Austin, Texas firm named
RockSteady. As part of the research for that story, I installed a
"Rock Box," a dedicated firewall/network appliance. Included in it was
a wireless NIC. All I had to do to be able to check e-mail or do
research from the living room or the deck was to get a wireless PC
card for my laptop. Temptation proved too great. I recently sprang for
a D-Link DWL-650 802.11 wireless LAN card.

Beginning with a fresh installation of Red Hat 7.2 on my Sony Vaio
(PCG-XG700K), I added the latest releases of pcmcia-cs and wlan-ng to
get the most out of my Prism2-based D-Link card. Your own card might
require different tools, depending on what chipset it uses. At the
time, the latest releases were pcmcia-cs-3.1.31 and
linux-wlan-ng-0.1.12. You can find them at the sites noted in
Resources. I won't walk you through compiling and installing them, but
I will mention that many wireless tools require you to have the kernel
source code available for them to compile.

I found myself guessing at some of the options in the
/etc/wlan-ng.opts configuration file simply because I wasn't familiar
with wireless terminology. Adhoc or infrastructure? Naturally, I chose
the wrong one for the RockBox setup the first time. When I changed the
option setting to adhoc, it worked just fine. For the benefit of any
other late arrivals to the wireless party, I've included a brief
primer explaining some of the terms I ran across which were new to me. I
also recommend spending some time on IRC visiting with the folks on
the #wireless channel on openprojects.net.

With a little more fiddling, I had the configuration set for adhoc
mode and an SSID of RockNet. That's all it took. Since then, I've
learned that an SSID of "Any" works as well. There I was, surfing from
my armchair in the living room, feeling like this was the way Internet
access always should have been. Now, at last, if I feel like it, I can
respond to those annoying realtime polls all the networks are doing in
prime time TV. Susan can get on the 'net to exchange e-mail, shop, or
visit dating sites to find a less nerdy boyfriend. Ah, the high life
-- wireless Web surfing without leaving the flickering glow of the
monocular monster, our TV.

Trouble in paradise

Alas, the wireless lifestyle is not all joy and light. Yes, wireless
802.11 cards and access points are flying off the shelves. People want
and find easy connectivity with 802.11-standard products. Ah, there's
the rub, and a real dilemma it presents. Once again, we are caught
between ease of use and security. It's almost enough to make me feel
sympathy for Microsoft's chronic security problems, which are often
excused as being the result of those same two choices. There are two
major problems with wireless today. One is that all too often it is
implemented without any kind of security at all. The other is that the
out-of-the-box security options, if the consumer switches them on, are
completely ineffectual.

Wireless is so wide open, in fact, that it has given birth to a new
geek Olympic sport: wardriving. Wardriving is to wireless what
wardialing used to be to modems. The game is all about seeing how many
potential targets you can find. Wardriving is a lot easier than
wardialing, and a lot less intrusive. All you need to play is a
laptop, a wireless PC card, and some software. In my case, the
software I needed is called Prismstumbler, designed to play nicely
with the chipset my D-Link card is based on.

IANAL (I Am Not A Lawyer), but my understanding is that wardriving is
completely legal. (Ed. Even if he was a lawyer, the laws in your
jurisdiction might vary.) Prismstumbler, for example, is less
intrusive than Windows XP. According to what I've read on the 'net, a
wireless XP box tries to associate with every wireless beacon it
hears. Prismstumbler simply listens and tells you what it has heard.  
It is completely passive. Unless Microsoft is operating under a
completely separate legal system than the rest of us, scanning for
wireless beacons can't be illegal. On second thought, perhaps I should
come up with a different analogy.

Wardriving can get sophisticated. You can connect an external antenna
to your wireless card and put it on the roof of your car. You can
attach a GPS device to the laptop, and an external antenna to that.  
Then you can concentrate on driving and map the results later. I kept
it simple, no GPS, and no antenna. Nevertheless, I still had a lot of
fun and was surprised at how easy the game really is.

My first excursion was to a small town of about 50,000 souls. I
started up my Prismstumbler script and watched its findings appear by
pointing my browser at http://localhost:9000. Suddenly, there it was.  
My first "catch"! It was a used car dealership with not one, but two
access points. Then another access point appeared, and then another. I
drove only a couple of miles into the center of town and found more
than a dozen. Most appeared to be unprotected. Only one was using the
built-in encryption.

The encryption used for wireless LANs, however, is useless. It has
been cracked and the method to do so made public. One program
(Airsnort) claims to be able to crack WEP in about a second, given the
right number of packets to examine. The first line of defense for
wireless -- the built-in encryption -- is just about as useful as
ROT13.

Making matters worse is the ease of installing access points. I wonder
how many IS shops have them in place and aren't even aware of it. I
wonder how many are in place behind conventional lines of defense.

I have fun with my wardriving, and I've even alerted a few folks to
the problems they invite with unprotected wireless. But trust me. Not
everyone out there wardriving is satisfied to stop at a little
innocent fun.


