Security News > 2006 > March > Beware The Wardriver at Your Next Conference
http://www.internetnews.com/wireless/article.php/3592361 By Sean Michael Kerner March 17, 2006 Every tech conference put on today is swimming in Wi-Fi signals. Some are meant to provide public Internet access to attendees, and some are meant to be private for exhibitors connecting to corporate networks. According to research conducted by Russian security firm Kaspersky Lab, most of those Wi-Fi signals are wide open. Kaspersky conducted its "wardriving" research at the recent CeBIT show in Hanover, Germany, that bills itself as the world's largest IT trade fair. Wardriving is the act of scanning Wi-Fi signals to access open bandwidth that isn't necessarily supposed to be open. Kaspersky Senior Virus Analyst Alexander Gostev and Senior Research Engineer Roel Schouwenberg discovered at the show nearly 300 access points, which they collected data on. According to Kaspersky, "the researchers did not attempt to intercept or decrypt any traffic." They did, however, discover a number of interesting things about the nature of Wi-Fi networks. More than half (approximately 56 percent) of the detected access points offered no WEP (define) protection. Alex Gostev, senior virus analyst at Kaspersky wasn't surprised by the finding. "We expected that access points without traffic encryption will be less than in global statistics," Gostev told internetnews.com in a translated e-mail. "And it was as expected, 56 percent against 70 percent in other countries. Although we expected less unprotected networks, 20 to 30 percent." CeBIT access points for the most part were apparently not left in their default modes, either. SSIDs (define), which stands for Service Set Identifier, were in most cases changed from their factory settings, which typically are a combination of the manufacturer's name and/or device model number. A factory default SSID is an indication that the administrator has not changed the default setting and may well not have changed the default username/password, either. The Kaspersky researchers detected only two access points out of their scan of 300 that still had the factory default SSID configuration. "The fact that there were only two access points with default SSIDs was very good to see," Schouwenberg told internetnews.com. "We expected that number to be quite a bit higher." SSIDs are also typically set to broadcast their availability, which more easily enables users, both legitimate and malicious, to locate the access point. By disabling SSID broadcasting, the idea is that it is harder for malicious users to discover an access point and attempt to infiltrate it. Kasperksy's CeBIT research found that only 8 percent had disabled SSIDs and of those, 89 percent had enabled WEP encryption. Schouwenberg advised that for WLANs that need to be treated as private, tradeshow participants should disable SSID and use the best encryption. "If you want to be really secure, you should use authentication to prevent unauthorized access to the access point," Schouwenberg said. "And use a tunnel (VPN for instance) to make sure others can't intercept/decrypt traffic." Gostev warns of another threat that could potentially affect conference Goers: mobile viruses. "Creation and implementation of automatic traps of the viruses combined with Bluetooth scanners seems to me expedient," Gostev said. He suggests that the mobile equivalent of airport metal detectors is needed to help prevent mobile virus transmission. That way, he said, it will be possible to discover infected phones the minute they enter the building. _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org