Wireless Hacking

A 6-page report by

Kjell Jørgen Hole, Professor, The Selmer Center, Department of Informatics, University of Bergen
Erlend Dyrnes, Senior Manager, Ernst & Young
Per Thorsheim, Security Coordinator, EDB IT Drift

Abstract
It is important to protect the data on Wi-Fi (IEEE 802.11b and g) networks since these networks transmit through walls, ceilings, floors, and other obstacles. The data can easily be picked up with powerful directional antennas, even from several kilometers away. Unfortunately, the built-in WEP encryption in Wi-Fi networks has been broken. Hackers may decrypt and read the data on a wireless link protected by WEP alone, and even worse, they may be able to access the data on a wired network through a Wi-Fi access point. This report assesses the level of security in Wi-Fi networks in the city of Bergen, Norway, and analyses some alternative security techniques. Suggestions on how to protect Wi-Fi networks are presented.

1. Introduction
Wi-Fi networks (based on the IEEE 802.11b and g standards) have become very popular. Many private citizens have installed Wi-Fi networks at home and numerous corporations have added Wi-Fi access points to their wired networks, giving the employees easier access to the corporate data and services. The scenario where an employee connects to the corporate network from a home network is of particular interest. While the corporate IT personnel control the Wi-Fi access points in the corporate network, they do not have the ability to control, or even be aware of, Wi-Fi access points in home networks.

All these wireless networks have given hackers new opportunities to gain unauthorized access to computer systems and their data. This report first describes the results of an investigation carried out to assess the level of security in Wi-Fi networks in the city of Bergen, Norway. It then analyzes some popular security techniques for Wi-Fi networks, and offers suggestions on how to protect Wi-Fi networks from hacking.

The rest of the report is organized as follows. Section 2 introduces several terms describing the activities of wireless hackers. Section 3 then outlines the potential threat from wireless hacking of Wi-Fi networks. Section 4 first gives a general overview of the security status of Wi-Fi networks in the city of Bergen. It then assesses the threat from wireless hacking. Section 5 analyzes three different security techniques, and Section 6 suggests how these techniques can be used to protect Wi-Fi networks from hacking.

It is assumed that the reader has a basic understanding of Wi-Fi networks. The reader may study the first two Wi-Fi lectures posted on KJhole.com to obtain the needed background information. The interested reader can find more information on 802.11 networks in the textbook by [Gast].

2. What is a wireless hacker?
A hacker is a software or hardware enthusiast who likes to explore the limits of programming code or computer hardware. The popular term also refers to a person who breaks into or disrupts computer systems or networks. The general public tends to prefer the second meaning of the term, i.e., a hacker is a bad person who uses his or her computing skills to create havoc.

The many Wi-Fi networks around the world have caused a new type of hacker to appear, the so-called wireless hacker. Wireless hackers, as well as other people interested in wireless networks, are into wardriving, a technique that involves driving through an inhabited area while mapping houses and businesses with Wi-Fi networks. Most often, a software program running on a wireless-enabled laptop is used to log these hotspots.

Warwalking, or walk-by hacking, is an alternative technique for finding hotspots by simply walking through a neighborhood. Owners of Personal Digital Assistants (PDAs) with Wi-Fi client cards may well become “unintentional warwalkers.” Often, the Operating System (OS) automatically connects a PDA to a Wi-Fi access point when the PDA owner walks by the access point. Once the connection is established, viruses, worms, Trojan horses, etc. may be uploaded from the PDA.

A warwalker may be warchalking, i.e., marking special symbols on sidewalks or walls to indicate nearby Wi-Fi access. The marks indicate the security status of the local hotspots. Warchalking does not seem to be a widespread phenomenon in Norway.

3. Do wireless hackers pose a security threat?
The wireless hackers often claim that they are good people and that they don’t exploit unauthorized Wi-Fi network access to perform criminal activities. One must be very naive to believe that this is always the case. To better understand the potential security threat posed by wireless hackers, it is advantageous to discuss the security mechanisms used most often in Wi-Fi networks.

The original WEP (Wired Equivalent Privacy) encryption in Wi-Fi networks has been broken. In fact, it is possible to download programs to crack the encryption key on any WEP-encrypted link, given that enough traffic is transmitted over the link. These programs are available on different platforms (see Appendix A). The fifth Wi-Fi lecture at KJhole.com describes the problems with WEP in more detail.

Textbooks such as [McClure, Ch. 10], [Edney, Ch. 16], and [Barken, Ch. 4] describe how to attack Wi-Fi networks. The books outline how different software tools can be used to map wireless networks, analyze the traffic on wireless links, crack WEP keys, and determine whether security techniques other than WEP are implemented.

Wi-Fi access points and Wi-Fi client cards that implement the interim security standard, called WPA (Wi-Fi Protected Access), are available [Edney]. Other alternative security solutions are captive portals, such as NoCat, and Virtual Private Networks (VPNs) as defined by the VPN Consortium. Many captive portals offer only user authentication and no data encryption. While it is not known how to break the encryption provided by WPA or VPNs, many Wi-Fi networks do not implement these security techniques.

If only WEP is used, one of the available cracker programs can be used to decrypt the information. A wireless hacker may also obtain an IP address from the Wi-Fi network and gain Internet access. This access may be used to upload spam or download illegal material. Once the wireless hacker has an IP address, he or she may also try to access the data on the wired network attached to the Wi-Fi access point. Many freely available hacker tools exist to make this possible. Clearly, wireless hackers pose a security threat if WEP is the only form of security on the Wi-Fi network. The additional levels of security provided by WPA, VPN, and captive portals will be analyzed in Section 5.
