Sunday, 2 December 2012

Wireless in London

Typical WiFi environment in London, everything in the 2.4GHz band, nothing in the 5GHz band

Saturday, 29 September 2012

Wigle Wifi Wardriving

Wigle Wifi Wardriving is slightly different to the other tools I have reviewed: it is an open-source wardriving app to netstumble, display and map found wireless networks and cell towers anywhere in the world, easily uploading to the WiGLE.net database. According to the website, WiGLE was started in 2001 and now has over 59 million WiFi networks worldwide.

The list screen shows the detected WiFi networks, giving details of the MAC address and encryption if any.


The map screen plots the found WiFi networks on a map


The run screen gives details of the current war drive

The Data screen allows the conversion and export of data, including the uploading to the Wigle net database


The setting screen allows configuration of the Wigle account and the wardrive


From within the list screen if you click on a network it is displayed on the map along with details of the network and when first seen.

There are a number of options available for most of the screens.


Wednesday, 19 September 2012

Wireless Attack Tree

As part of my research project I'm trying to develop an attack tree for domestic WiFi; the latest version is displayed here.



Tuesday, 18 September 2012

Wi-Fi Analytics Tool

The Wi-Fi Analytics Tool by Amped Wireless is another of the tools I have used for investigating WiFi networking; it is currently at version 3.2.1.

WiFi Scanner shows the currently available networks, touching a channel allows you to connect to it.

Channel interference screen shows how congested the available channels are, the longer the bar the more congested the channel is, it also recommends a list of channels.

Channel Graph shows the signal strength on each of the channels

Signal Graph screen shows the signal strength over a period of time.

Signal Strength signal meter shows the strength of the currently selected channel

Signal Strength Widget allows you to configure a widget for use on the android display.




Monday, 17 September 2012

WiFi sniffing & Patents

As a research student looking at Wireless networking I am always keen to follow up stories about the legality of war driving and other activities.

Today I came across this article on the Scientific American site, http://www.scientificamerican.com/podcast/episode.cfm?id=is-wi-fi-sniffing-a-crime-12-09-13, about the legality of actually sniffing data, as opposed to my definition of war driving, which involves locating wireless access points and the parameters of the 802.11 network traffic, i.e. encrypted or not.

The article says a judge (in Illinois) ruled that Innovatio IP Ventures capturing wireless traffic in order to ascertain whether their patents had been infringed was legal.

This is certainly an interesting decision and I do wonder if Google might not try claiming they were trying to protect patents in future cases. Digs at Google aside, the concerns about individuals' rights to privacy and about what will happen to the collected data do appear to have been taken into account by the judge, as the company has to issue protocols about the collection of the data.

"Innovatio sought permission to obtain a preliminary ruling on the admissibility of the information that it gains in the sniffing process. (Dkt. No. 290.) The court granted permission to Innovatio to seek an admissibility ruling (Dkt. No. 323), but expressed some concern that Innovatio's sniffing may implicate the privacy interests of the customers using the Wi-Fi networks under the federal Wiretap Act. 18 U.S.C. §§ 2510-2522. Accordingly, the court ordered Innovatio's motion to describe its proposed sniffing protocol in detail and to address the applicability of the Wiretap Act. Innovatio has submitted a proposed protocol under seal (Dkt. No. 329, Ex. A), and now requests that the court approve that protocol and issue a preliminary ruling on the admissibility of any evidence Innovatio may gather through the use of that protocol."

The conclusion of the judgement says that "the evidence Innovatio collects through the use of that protocol will not be inadmissible because of a violation of those Acts. Accordingly, if Innovatio lays a proper foundation under the Federal Rules of Evidence at trial for the information it collects through the sniffing protocol, that evidence will be admissible." This I understand to mean that at the moment it is not legal to sniff wireless data to gather evidence of patent infringement, as it is not currently admissible.

Sunday, 16 September 2012

French prosecution over insecure WiFi?

I have been following the conviction of a Frenchman over downloading two Rihanna music tracks, http://www.bbc.co.uk/news/technology-19597429, and I came across this article from PC World, http://www.pcworld.com/article/262313/french_piracy_law_claims_first_innocent_victim.html, which claimed he was convicted over an insecure WiFi network.

In the article it states "Though his wife admitted, in court, to illegally downloading two Rihanna songs, Alain Prevost was still fined for failing to secure his Wi-Fi network." however it does not follow up on what this meant.

The article goes on to say he was convicted under a French anti-piracy law known as HADOPI (Haute Autorité pour la diffusion des œuvres et la protection des droits sur internet), not a law dealing with WiFi networks.

It would have been interesting to know whether the WiFi was insecure. Did his wife/ex-wife connect to his WiFi illegally? Did he not change the encryption key after separating?

This does lead to the thought of what happens when partners separate and they have been sharing WiFi: the encryption key should be changed to prevent the ex-partner from reconnecting and downloading illegal material as revenge.

Sunday, 2 September 2012

WiFi Analyser

The WiFi Analyser app is another of my favourites for investigating WiFi networking; it is currently at version 3.2.1 and is by Kevin Yuan.

The first screen is the channel graph, which is switchable between the 2.4GHz and 5GHz channels; it shows the signal strength and the overlap with adjacent channels.


Example of 5GHz channels; toggling between the frequency bands is done by selecting the band in the top left-hand corner of the plot. The frequency band is shown for a short period before disappearing.


The signal meter shows the strength of the currently selected channel, touching the network name allows the selection of the network.


The AP List (Networks) screen shows the currently available networks; if the network is part of an extended network (ESS) sharing an SSID, it is possible to expand it and see all the access points that are visible in the ESS.



The Channel rating (Congestion) screen shows how congested the available channels are, the more stars the less congested the channel frequency is.


The Time graph shows the signal strength over a period of time, selecting the channel in the list at the top of the screen highlights the area under the signal.


At the moment only the channel graph provides an easy method of switching between bands, there are options in the settings to select channels for the channel rating screen.

Saturday, 1 September 2012

inSSIDer review

The inSSIDer app is one of my favourite wireless research tools from MetaGeek whose range of products I use often in my Wireless research.
The entry splash screen gives details of the MetaGeek product range and news.

The channels screen gives details of both the 2.4 and 5GHz channel congestion: a green bar shows that there are no, or only a few, networks on the same frequency, while a short red bar indicates a very congested frequency.

The network screen gives details of each network: this covers the channel, encryption details and signal strength. Touching a network causes more details to be displayed, including the MAC address. A long touch causes the network to be selected for optimisation; this can be cancelled from the additional info screen.

The 2.4GHz display shows the networks operating in this frequency range and the overlap with adjacent channels; the height of the graph shows the strength of the signal.

The 5GHz display shows the networks in the higher frequency band in the same manner as the 2.4GHz screen.

The product gives good information about the WiFi usage of the RF environment and clearly shows congestion and channel overlap, which is important when looking at network problems in the crowded 2.4GHz band.

Friday, 31 August 2012

Android Apps

For some of the research into wireless networks I use a range of wireless apps on Android tablets and smartphones; here is a round-up of some of the apps that I have found useful.

inSSIDer
MetaGeek LLC
MetaGeek has re-imagined inSSIDer to help you choose the best channel for your Wi-Fi network, giving every user on the wireless network better performance. inSSIDer for Android logs channel data for every room in a building in order to statistically determine the best channel for wireless network performance.

Wifi Analyzer
farproc
Turns your android phone into a Wi-Fi analyzer!!
Shows the Wi-Fi channels around you. Helps you to find a less crowded channel for your wireless router.

Wi-Fi Analytics Tool
Amped Wireless
The Amped Wireless Wi-Fi Analytics Tool analyzes your Wi-Fi networks. It provides advanced signal strength graphs and analyzes Wi-Fi channels to help you optimize your Wi-Fi network setup. Features include: Wi-Fi Scanner, Channel Interference Analyzer, Wi-Fi Channel Graph, Wi-Fi Signal Strength Graph, and a Signal Strength Meter.

Wigle Wifi Wardriving
WiGLE.net
Wardriving: netstumble, display wireless networks, upload to wigle.net database.
A wardriving app to netstumble, display and map found wireless networks and cell towers anywhere in the world, easily uploading to the http://wigle.net database

OpenSignalMaps
Staircase 3, Inc.
The ultimate wifi and signal finding tool. Supports GSM, CDMA, 4G, 3G, 2G.
Now you can refresh network! Boost your bars at the touch of a button.

WiEye - WiFi Scanner
smuwireless
WiEye is a FREE 802.11 WiFi Analyzer for Android. WiEye can be used for wireless site surveys, wifi scanning, and wireless discovery. It reports the Name, BSSID, Signal Strength (dBm), Channel, and Frequency of all access points within range. It also graphs this data so you can see WiFi congestion for each available channel.

From a more professional point of view there are tools like the AirMapper App from Fluke Networks, which they claim, unlike existing solutions, can map speed and signal strength or perform throughput spot checks; the AirMapper App is the first to provide a visual throughput map, which is key to optimising Wi-Fi networks by taking the actual user experience of mobile devices into account.

Thursday, 21 June 2012

Hiding SSID

Read an article, "Is Hiding the Wireless SSID All the Network Security You Need?" by Dale Rapp, which, as the title suggests, is about the security benefits of hiding the SSID. Whilst I take the point that hiding the SSID may slightly improve the security of the wireless network, in my opinion it has a more dramatic effect on the performance of wireless networks than the security benefits the hiding of the SSID brings.
The main effect of hiding the SSID is that wireless clients will not see the wireless network, as the broadcast function is turned off; other mechanisms that give out the SSID are still in play and are used by those interested in breaking into a wireless network.
However, for many domestic users of wireless networks the problem comes from not being able to see how many networks are on a channel if some of the networks are suppressing the broadcast of the SSID. The upshot is that often, when the RF environment is examined, there are many networks in close proximity using the same channel. This affects the performance of these networks, and as an increasing number of domestic networks are being used to stream video, the effect of the congestion of a channel becomes a problem for the users of the network.
This relationship between security and performance is the main focus of the research I am carrying out for my MSc.

Tuesday, 12 June 2012

Pineapple & DNS Spoof

Just configured DNS spoof on the Pineapple Mk IV; a very simple set-up, but for those like me who have mainly used Windows in the past, here are a couple of notes on the set-up that may prove useful to others.

I have my Pineapple tethered to a Windows 7 laptop; to communicate with the Pineapple I use the following programs.
Logging on to the Pineapple using Firefox (I find IE does not display all the screens properly; I had trouble seeing the Karma log on the status page), I followed the edit link for DNS Spoof from the status page.

DNS Spoof Config

I added another line to the config file and saved the config:

172.16.42.1 www.<domain>.co.uk

This will cause any device connected to the Pineapple to go to the Pineapple web server (172.16.42.1 is the IP address of the Pineapple WiFi interface) if www.<domain>.co.uk is in the URL request. There is also the possibility of redirecting the browser to a server on another machine.

The www folder on the pineapple has the following pages in it.
  • error.php
  • index.php
  • redirect.php
The index.php is a simple html file that uses the META refresh to direct the browser to the redirect.php page.

The redirect.php is a php script that searches the HTTP_REFERER for a keyword (the domain to be redirected) if it exists it redirects the browser to a target page.

The error.php file handles errors in redirect.php, i.e. the target domain does not have a specified page to be redirected to.

Using WinSCP I connected to the Pineapple and browsed to the /www folder. The redirect.php can be edited to add additional domain redirects in the form:

// strpos() returns 0 (which is falsy) when the keyword is at the very start of the referer, so compare against false
if (strpos($ref, "<domain>") !== false) { header('Location: <targetpage>.html'); }
I then uploaded a <targetpage>.html file to the www directory for the redirect.

Enabling DNS Spoofing then causes any device connecting to the Pineapple and looking for a domain to be directed to the specified page.

HoneySpot

Preparing the equipment for a WiFi HoneySpot to analyse wardriving and connection attempts to unsecured access points as part of my research.


Using a battery-powered Pineapple tethered to a laptop, with Karma running to record connection attempts and CommView for WiFi to record probe request/response frames.

Karma running on the pineapple


CommView running on the laptop, filtering out all but probe request/response frames, to and from the Pineapple

Google & Wardriving

Google have hit the headlines again, as various regulatory bodies reopen investigations into their "wardriving" and illegal collection of WiFi data while they were using the Street View cars: http://www.bbc.co.uk/news/technology-18415856. It is now coming out that the engineer who wrote the code told others (http://www.bbc.co.uk/news/technology-17892288); some reports have named Marius Milner, author of NetStumbler (http://www.crn.com.au/News/299072,netstumbler-creator-behind-google-wi-fi-snoop.aspx), as being the engineer involved. The NetStumbler site is not making comments on the allegation: http://www.netstumbler.com/2012/05/07/is-marius-milner-the-unnamed-google-engineer/

The Street View project was an ambitious plan to photograph and map the world’s streets that also involved gathering information about local wireless networks to improve location-based searches. A Google engineer went a step further, and included code to collect unencrypted data sent from homes by computers as specially equipped cars drove by. Google has long maintained that the engineer was solely responsible for this aspect of the project. But a complete version of the F.C.C.’s report, released by Google on Saturday, has cast doubt on that explanation, saying that the engineer informed at least one superior and that seven engineers who worked on the code were all in a position to know what was going on. The F.C.C. report also had Engineer Doe spelling out his intentions quite clearly in his initial proposal. Managers of the Street View project said they never read it. Mr. Milner created a program called “NetStumbler,” the page also says, and describes the early version of NetStumbler as “the world’s first usable ‘Wardriving’ application for Windows.” The F.C.C. report notes that wardriving is “the practice of driving streets and using equipment to locate wireless local-area networks using Wi-Fi, such as wireless hot spots at coffee shops and home wireless networks.” To design Street View’s code for locating wireless hot spots, the F.C.C. report states, “Google tapped Engineer Doe.”

Engineer Doe wrote the code during the 20 percent of work time that the company gives employees to pursue ideas on their own according to Google. In 2010, after it became clear that Google’s Street View project was collecting e-mail and other personal data, Google hired a computer investigations firm, Stroz Friedberg, to examine how the software program worked. The outside investigator’s report was named, “Source code analysis of gstumbler,” http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en//googleblogs/pdfs/friedberg_sourcecode_analysis_060910.pdf  the name for the Street View application initially used inside Google. The Stroz Friedberg report does not name the developer of the gstumbler program, or other engineers who worked on Street View.

Locating and communicating effectively with Wi-Fi networks is an essential capability for mobile computing. It is an important tool in smartphone software like Google’s Android, Apple’s iOS and Microsoft’s Windows Phone, both for communicating and often for location-based services like shopping guides and Foursquare.  Data beamed from wireless networks guide those location services. But, according to industry executives and analysts, there are different approaches to using Wi-Fi transmissions. The minimal approach, they say, is to collect data on the access point and strength of the signal. A Google rival in location software, Skyhook Wireless, takes the minimal approach, said Ted Morgan, chief executive, while Google does not.

This is going to go for a bit longer in the press.

Wednesday, 30 May 2012

Why Wireless Security

The article “Why we lie” in the Wall Street Journal has a great statement about why locks are fitted to our doors, and this statement fits well with wireless security.

“Another 1% will always be dishonest and always try to pick your lock and steal your television; locks won't do much to protect you from the hardened thieves, who can get into your house if they really want to. The purpose of locks, the locksmith said, is to protect you from the 98% of mostly honest people who might be tempted to try your door if it had no lock.”

The advice above is similar to some advice I was given by the local crime prevention offices, who said “Make you house look more secure than your neighbours” which whilst good for me may not of been good for my neighbours.

With wireless security we have a range of encryption controls, ranging from the weak to the strong, with all but the strongest susceptible to breaking by techniques that can be implemented by most IT-literate people; however, with the vast number of access points available, there is often an unencrypted or weakly protected wireless network nearby.

We encrypt our wireless networks to protect our data and bandwidth; if everyone were honest we would not need to be worried, however there are dishonest people and those who, for whatever reason, decide to borrow wireless bandwidth, which results in the need to ensure we adequately protect our wireless networks.

The level of protection needs to be appropriate and implementable: configuring RADIUS servers and implementing enterprise WPA2 is in the realm of the geek and of businesses, while for the home user even configuring WEP can be problematic. The use of WPS has made it easier to implement security; however, even this has security weaknesses.

However, for the domestic user deciding about the level of encryption, they need to look at what they are protecting, whether it's their network, the connection to the internet, or the data being transmitted, and look at the threats: is it the next-door neighbour, or someone walking past? They should also consider the risks, whether it is reduced bandwidth if limits are exceeded, loss of personally identifiable information, compromise of machines on the network, or misuse of the network by downloading illegal or undesirable material, and there are impact considerations such as additional costs for excessive data, loss of identity, possible interaction with law enforcement and subsequent reputational loss.

There is also the question of how competent they are, or whether they could employ or get another person to configure the network for them, and whether they can maintain the network by adding new machines to it or changing the password.

A factor to consider is if there are weakly protected networks around them then all they need to do is to make their network more inaccessible and the risk will move to the less well protected network.

Sunday, 27 May 2012

Detecting Wardriving (Probe request frames)

Continuing the theme of the last couple of entries on this blog, I am looking at detecting war driving using a wireless packet sniffer to capture probe request frames being sent by a client under the control of a war driving tool. In this case I used CommView for WiFi and viStumbler as the sniffing tool and war driving tool respectively.

I was aiming to see what the effect would be of running viStumbler for a period whilst recording probe request frames. Using a laptop running CommView for WiFi, I captured the probe request packets for a period of approximately 55 minutes, during which I ran viStumbler for 14 minutes; the resulting plot of probe request frames per minute clearly identifies an increase in the number of probe request frames being broadcast.


The average number of probe request frames recorded was around 8 per minute; there were 5 access points visible on the same channel from the location I was running the tests from.

This shows the technique will work; however, I need to set up some experiments to confirm the baseline of requests and whether a detectable number of requests can be recorded from a car driving past.
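To make the per-minute analysis above concrete, here is an added example (my own illustration for this page, not code from the post or from CommView or viStumbler). It takes a list of probe-request records, counts them per minute, estimates the baseline as the median rate, and flags runs of minutes that exceed a multiple of that baseline. The capture is constructed inline to resemble the experiment described: about 8 background probes a minute over 55 minutes, one station probing continuously for 14 minutes, and a one-off scan for networks that should not be reported as a wardriving pass. The MAC addresses, the `factor` and `min_run` thresholds are assumptions.

```python
from collections import Counter
from statistics import median
from typing import Dict, List, Tuple

# One record per captured probe request: (capture time in seconds, source MAC).
ProbeRecord = Tuple[float, str]

def make_sample_capture() -> List[ProbeRecord]:
    """Constructed capture (not real data) shaped like the experiment in the post:
    55 minutes at about 8 background probes/min, one station probing continuously
    for 14 minutes, and a one-off scan that should not count as wardriving."""
    records: List[ProbeRecord] = []
    background = ["AA:00:00:00:00:%02X" % i for i in range(5)]   # made-up client MACs
    for minute in range(55):
        for k in range(8):
            records.append((minute * 60 + k * 7.5, background[(minute + k) % 5]))
    for minute in range(20, 34):                                 # 14-minute wardriving run
        for k in range(30):                                      # one wildcard probe every 2 s
            records.append((minute * 60 + k * 2.0, "BB:00:00:00:00:01"))
    for k in range(20):                                          # quick scan for networks
        records.append((45 * 60 + k * 0.5, "CC:00:00:00:00:01"))
    return sorted(records)

def probes_per_minute(records: List[ProbeRecord]) -> Dict[int, int]:
    """Probe requests per whole minute, with quiet minutes present as 0."""
    if not records:
        return {}
    counts = Counter(int(t // 60) for t, _ in records)
    last = int(max(t for t, _ in records) // 60)
    return {m: counts.get(m, 0) for m in range(last + 1)}

def baseline_rate(per_minute: Dict[int, int]) -> float:
    """Median per-minute count: unlike the mean it is barely moved by the burst we want to find."""
    return float(median(per_minute.values())) if per_minute else 0.0

def flag_bursts(per_minute: Dict[int, int], factor: float = 3.0, min_run: int = 2) -> List[Tuple[int, int]]:
    """(first_minute, last_minute) runs where the rate exceeds factor x baseline.
    min_run separates a sustained pass (wardriving) from a one-off scan for networks."""
    threshold = factor * baseline_rate(per_minute)
    runs: List[Tuple[int, int]] = []
    start = None
    for minute in sorted(per_minute):
        hot = per_minute[minute] > threshold
        if hot and start is None:
            start = minute
        elif not hot and start is not None:
            if minute - start >= min_run:
                runs.append((start, minute - 1))
            start = None
    if start is not None and max(per_minute) - start + 1 >= min_run:
        runs.append((start, max(per_minute)))
    return runs

def top_sources(records: List[ProbeRecord], first: int, last: int, n: int = 1) -> List[Tuple[str, int]]:
    """Stations that sent the most probe requests during a flagged run."""
    window = Counter(mac for t, mac in records if first <= int(t // 60) <= last)
    return window.most_common(n)

if __name__ == "__main__":
    capture = make_sample_capture()
    per_minute = probes_per_minute(capture)
    print("baseline probes/min:", baseline_rate(per_minute))
    for first, last in flag_bursts(per_minute):
        print(f"sustained burst from minute {first} to {last}: top source {top_sources(capture, first, last)}")
```

The median is used for the baseline because a 14-minute burst inside a 55-minute capture would drag a mean upwards and hide itself; with the constructed data the baseline stays at 8 per minute, the 14-minute run is reported, and the single-minute scan is suppressed unless `min_run` is lowered to 1. On a real capture the records would come from exporting the filtered probe-request frames with their timestamps and source addresses.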

Friday, 25 May 2012

Probe request contents

A typical probe response will contain the following information, indicating the capabilities of the responding access point device: the SSID, MAC address and encryption supported.

802.11
 Frame Control: 0x0050 (80)
  Protocol version: 0
  To DS: 0
  From DS: 0
  More Fragments: 0
  Retry: 0
  Power Management: 0
  More Data: 0
  Protected Frame: 0
  Order: 0
  Type: 0 - Management
  Subtype: 5 - Probe response
 Duration: 0x013A (314)
 Destination Address: ##:##:##:08:E0:20
 Source Address: ##:##:##:44:CA:FD
 BSS ID: ##:##:##:44:CA:FD
 Fragment Number: 0x0000 (0)
 Sequence Number: 0x09BF (2495)
Probe response
 Timestamp: 77924.059876 sec
 Beacon Interval: 0x0064 (100) - 102.400 msec
 Capability Information: 0x0411 (1041)
  ESS: 1
  IBSS: 0
  CF-Pollable: 0
  CF-Poll Request: 0
  Privacy: 1
  Short Preamble: 0
  PBCC: 0
  Channel Agility: 0
  Spectrum management: 0
  QoS: 0
  Short slot: 1
  APSD: 0
  Radio Measurement: 0
  DSSS-OFDM: 0
  Block Ack: 0
  Immediate Block Ack: 0
 SSID: <########>
 Supported rates
  1 Mbps
  2 Mbps
  5.5 Mbps
  11 Mbps
  18 Mbps
  24 Mbps
  36 Mbps
  54 Mbps
 Current Channel: 11 - 2462 MHz
 ERP Information: 0x00 (0)
  Non ERP present: 0
  Use Protection: 0
  Barker Preamble mode: 0
 Reserved 2f: 0x00 (0)
 RSN Information Element (802.11i)
  Version: 0x0001 (1)
  Group Key Cipher Suite: 00 0F AC 04 - CCMP
  Pairwise Key Cipher Suite Count: 0x0001 (1)
  Pairwise Key Cipher Suite List
   Cipher: 00 0F AC 04 - CCMP
  Authenticated Key Management Suite Count: 0x0001 (1)
  Authenticated Key Management Suite List
   Key Management: 00 0F AC 02 - IEEE 802.1X Key Management, preshared key
  RSN Capabilities: 0x000C (12)
 Extended Supported Rates
  6 Mbps
  9 Mbps
  12 Mbps
  48 Mbps
 Vendor specific
 Vendor specific
 Vendor specific

Detecting Wardriving

For my research one of the questions I would like to answer is how prevalent wardriving is, or whether it is only researchers that are doing this type of activity. According to Wikipedia, "Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA)." This is a definition I would agree with; when it moves from locating Wi-Fi access points to connecting to them, to me that has moved away from wardriving and, if you are within the UK, started to become an illegal act. Legislation varies around the world, so I will refer to UK laws.

Although I started with a question about wardriving, the real question is how many people are scanning for Wi-Fi networks they can connect to when they don't have authorisation to do so.

Detecting Wi-Fi networks can be done in a number of ways.

1) Listening for broadcast beacons (Passive)


Access points broadcast their SSID and capabilities using a beacon frame at a regular interval. If you turn off "Broadcast SSID" it is this frame that is no longer broadcast.

2) Probe request & response frames (Active)


A client can issue a probe request with or without an SSID; an access point with an SSID matching the one in the probe will send a probe response with the access point's capabilities included. If the probe request has a blank SSID then most access points will respond to it with a probe response with the access point's capabilities included.

3) Sniffing frames (passive)

This last method involves the client "sniffing", i.e. capturing frames and then decoding them to identify the SSID of the Wi-Fi network.

It is impossible to detect someone using passive methods to locate a Wi-Fi network until they connect to an access point; however, that is beyond the scope of this blog entry, as I'm concentrating on detecting probe requests and probe responses.

Wi-Fi frames

A bit of background to the frames used by Wi-Fi networks: the 802.11 standard defines various frame types that stations (NICs and access points) use for communications, as well as for managing and controlling the wireless link.
  • Data frames
  • Management frames
  • Control frames
The first two bytes of the MAC header form a frame control field specifying the form and function of the frame. The frame control field is further subdivided into sub-fields; the two fields I am interested in are:
  • Type: two bits identifying the type of WLAN frame. Control, Data and Management are the frame types defined in IEEE 802.11.
  • Sub Type: four bits providing additional discrimination between frames. Type and Sub Type together identify the exact frame.
Management frames are type 0
Control frames are type 1
Data frames are type 2

Management Frames (type 0)
  • Authentication frame: subtype 11
  • Deauthentication frame: subtype 12
  • Association request frame:  subtype 0
  • Association response frame: subtype 1
  • Reassociation request frame:  subtype 2
  • Reassociation response frame: subtype 3
  • Disassociation frame:  subtype 10
  • Beacon frame:  subtype 8
  • Probe request frame: subtype 4
  • Probe response frame:  subtype 5

Identification of frames

Using a packet sniffer capable of analysing Wi-Fi packets, such as CommView for WiFi or Wireshark, with a suitable wireless NIC, we can sniff the frames being broadcast; in order to keep the exercise ethical we use a filter to ensure we only examine the probe request and probe response frames.

With Wireshark we can use the following display filter expressions:

  • Management frames: wlan.fc.type eq 0
  • Probe request: wlan.fc.type_subtype eq 4
  • Probe response: wlan.fc.type_subtype eq 5

What we are looking for is a pattern of probe requests and probe responses: a person wardriving will be continually sending out probe requests with a blank SSID, which we can detect while they are in range, whereas a person just doing a quick scan for available networks will send a short burst of probe requests with a blank SSID.
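The frame-level detail in this entry (the frame control type/subtype bits, the `wlan.fc.type_subtype` values used in the filter, and the probe response fields listed in the 25 May entry), together with the point in the 21 June "Hiding SSID" entry that other mechanisms still give out a hidden SSID, can be brought together in one small parser. The following is an added example written for this page, not code from the post or from Wireshark or CommView. It decodes the 24-byte management frame header, the fixed fields of beacons and probe responses, and the tagged parameters for the SSID, the channel (DS Parameter Set) and the RSN element, and then reports which BSSIDs beacon with an empty SSID but reveal the real one in a probe response. The three sample frames are constructed inline (not from a real capture); the MAC addresses and the SSID "HomeNet" are made up, the frames carry no trailing FCS, and the example assumes the common "hidden SSID" behaviour of still beaconing but with a zero-length SSID element.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Frame-control type/subtype values from IEEE 802.11 (type 0 = management)
TYPE_MGMT = 0
PROBE_REQUEST, PROBE_RESPONSE, BEACON = 4, 5, 8
# Information element ids used below
ELEM_SSID, ELEM_DS_PARAMS, ELEM_RSN = 0, 3, 48
CAP_PRIVACY = 0x0010   # capability-information bit 4 ("Privacy: 1" in the capture)

@dataclass
class MgmtFrame:
    subtype: int
    dst: str
    src: str
    bssid: str
    ssid: Optional[str] = None      # None = no SSID element, "" = hidden / wildcard
    channel: Optional[int] = None
    privacy: Optional[bool] = None  # only meaningful for beacons / probe responses
    rsn: bool = False               # RSN (802.11i) element present

def type_subtype(frame: bytes) -> int:
    """Same value as Wireshark's wlan.fc.type_subtype (type in the high nibble, subtype in the low)."""
    fc = frame[0]
    return (((fc >> 2) & 0x3) << 4) | ((fc >> 4) & 0xF)

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def parse_elements(body: bytes) -> Dict[int, bytes]:
    """Walk the tagged parameters (id, length, data); keep the first copy of each id."""
    elems: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if len(data) < elen:
            break  # truncated element: stop rather than read past the end
        elems.setdefault(eid, data)
        i += 2 + elen
    return elems

def parse_mgmt_frame(frame: bytes) -> Optional[MgmtFrame]:
    """Parse a management frame (no FCS). Returns None for control/data frames."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    if type_subtype(frame) >> 4 != TYPE_MGMT:
        return None
    f = MgmtFrame(type_subtype(frame) & 0xF, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]))
    body = frame[24:]
    if f.subtype in (BEACON, PROBE_RESPONSE):
        # fixed fields: timestamp (8), beacon interval (2), capability info (2)
        if len(body) < 12:
            raise ValueError("truncated beacon/probe response")
        f.privacy = bool(struct.unpack_from("<H", body, 10)[0] & CAP_PRIVACY)
        body = body[12:]
    elif f.subtype != PROBE_REQUEST:
        return f  # other management subtypes: the header is all we need here
    elems = parse_elements(body)
    if ELEM_SSID in elems:
        f.ssid = elems[ELEM_SSID].decode("utf-8", "replace")
    if len(elems.get(ELEM_DS_PARAMS, b"")) == 1:
        f.channel = elems[ELEM_DS_PARAMS][0]
    f.rsn = ELEM_RSN in elems
    return f

def hidden_ssid_leaks(frames: List[bytes]) -> Dict[str, str]:
    """BSSIDs whose beacons carry an empty SSID but whose probe responses reveal it."""
    hidden, revealed = set(), {}
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None:
            continue
        if f.subtype == BEACON and f.ssid == "":
            hidden.add(f.bssid)
        elif f.subtype == PROBE_RESPONSE and f.ssid:
            revealed[f.bssid] = f.ssid
    return {b: s for b, s in revealed.items() if b in hidden}

# --- constructed sample frames (made up for this example, not a real capture) ---
def elem(eid: int, data: bytes) -> bytes:
    return bytes([eid, len(data)]) + data

def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes) -> bytes:
    fc = bytes([subtype << 4, 0])          # protocol version 0, type 0 (management)
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

AP = bytes.fromhex("02 00 00 44 CA FD")       # locally administered, made-up
CLIENT = bytes.fromhex("02 00 00 08 E0 20")
BCAST = b"\xff" * 6
# RSN element body as in the capture: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0x000C
RSN_PSK_CCMP = bytes.fromhex("01 00 00 0F AC 04 01 00 00 0F AC 04 01 00 00 0F AC 02 0C 00")
FIXED = struct.pack("<QHH", 77924059876, 100, 0x0411)  # timestamp, beacon interval, capabilities

SAMPLE_FRAMES = [
    # beacon with "Broadcast SSID" off: SSID element present but zero length
    build_mgmt(BEACON, BCAST, AP, AP, FIXED + elem(ELEM_SSID, b"") + elem(ELEM_DS_PARAMS, b"\x0b") + elem(ELEM_RSN, RSN_PSK_CCMP)),
    # wildcard probe request from a scanning client (empty SSID)
    build_mgmt(PROBE_REQUEST, BCAST, CLIENT, BCAST, elem(ELEM_SSID, b"") + elem(ELEM_DS_PARAMS, b"\x0b")),
    # probe response: the same AP answers with its real SSID
    build_mgmt(PROBE_RESPONSE, CLIENT, AP, AP, FIXED + elem(ELEM_SSID, b"HomeNet") + elem(ELEM_DS_PARAMS, b"\x0b") + elem(ELEM_RSN, RSN_PSK_CCMP)),
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(type_subtype(raw), parse_mgmt_frame(raw))
    print("hidden SSIDs revealed by probe responses:", hidden_ssid_leaks(SAMPLE_FRAMES))
```

`type_subtype()` returns 8, 4 and 5 for the three sample frames, matching the filter values above, and the parser reads the same privacy bit, channel and RSN suites as the probe response listed in the 25 May entry. On real captures (for example frames exported from Wireshark without the FCS) the element walk stops cleanly on a truncated element instead of reading past the end of the buffer.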

This will be continued with some examples of the findings.




Wednesday, 16 May 2012

Build your own

Found an excellent article that describes how to build the MiniPwner, which has similar capabilities to the Pineapple from Hak5.

build your own article http://www.minipwner.com/index.php/minipwner-build

Devices such as the minipwner and the pineapple should not be used for illegal activities, but can provide some useful wireless testing tools and help in some pen testing scenarios

What will make these devices more useful is the use of a battery pack, and there is an increasing number of battery packs designed to recharge or power smartphones and tablets; these often have multiple USB sockets on them to connect USB charging cables.

The minipwner requires a Micro USB (B) connector whilst the Pineapple uses a 5.5mm barrel connector, on ebay and amazon there are a number of USB to power adaptors including 5.5mm barrel ones.

Monday, 23 April 2012

Follow Up

Read a Computerworld article, "Why Google should be allowed to 'harvest' your Wi-Fi data" by Mike Elgan on April 21, 2012, which reflects my view that actually wardriving (http://bit.ly/I66ibO), as opposed to piggybacking, is legal.

The computerworld article "Why Google should be allowed to 'harvest' your Wi-Fi data" can be found at http://bit.ly/HXe4QA

I have looked at this debate a number of times as a researcher looking at the problems of securing wireless in the urban environment. In the UK, which is where I have a better legal understanding, the use of radio is licensed. That means a radio station such as one run by the BBC buys a licence to broadcast content on a frequency; the licensing terms allow the general public, on a suitable approved receiver, to pick up the radio signals and listen providing they have a TV (and radio) licence, and the copyright in the content, where it does not belong to the owner of the content (i.e. music), will belong to the radio station. The general public should not rebroadcast or record the content without the permission of the radio station.

This is not the case with WiFi and CB radio; these have a different licensing arrangement and this is where confusion and debate take place. WiFi in the UK uses the ISM band, which is licence exempt: you don't need a licence to listen to it, although the equipment must be approved within a certain specification, which means that anybody using the approved equipment can broadcast and receive the signals. This means listening to WiFi signals is not illegal; WiFi NICs do this all the time.

Where the legal issues come in is listening to a communication and whether you are infringing privacy. If you connect to an access point your connection goes beyond the wireless transmission and starts to affect the network. APs don't give out IP addresses, the DHCP server in the router does; this is different from listening to a WiFi signal, or broadcasting beacons and management frames and getting a response from the AP, which is all controlled by the IEEE specification and is part of the mechanism of the transmission. Connecting to a wireless network in the UK is illegal under the Communications Act 2003 as a specific offence. An unencrypted network is not authorisation, just as an open door to a domestic property is not an invitation to enter.

When it comes to Google, what it was doing and what its intended aim was were different things: it aimed to collect data for wireless location services, and a lot of companies such as Skyhook collect data for this. What it did was capture and record conversations. Doing that collection and recording was infringing privacy, and Google should be taken to task for it.

What I ask is whether Google could have collected data for wireless location services without collecting and recording data packets. The answer is YES, so I feel Google needs to answer the question of why it happened.

Conclusion

My view is that Google did not need to record the personal data, even though it was effectively being publicly transmitted, to complete the WiFi location data.

Collecting the details of the Access Points and their geolocation is a legal activity, and this could have been completed without infringing the privacy of communications.

However, broadcasting on a 'public' transmission system is a security risk: all data transmission should be encrypted to make illegal capture and recording pointless.

Saturday, 21 April 2012

Wireless & Overcrowding

I gave a talk to the Hertfordshire section of the Institute of Measurement & Control on the 18th April about wireless networks and their configuration in the urban environment. It concentrated on some of the security risks, why these should be taken seriously in the urban environment, and how performance can be affected by the RF environment. The talk was low on the technical side as it was aimed at the interested general public. It was well received with some good questions; an interesting point was that a number of people mentioned the article in the Telegraph newspaper "How do I stop wireless hackers?" http://tgr.ph/HVieXS on the 15th April, in which a person had written in with the following question.

"I live in a block of flats and connect to the web using a wireless connection. My router is security enabled but can someone in another flat utilise my signal via their laptop? If so, is this legal? The reason for asking is that for some time now when I am on the web, I get a mystery pop-up message that states ‘I am now connected’."

The Telegraph writer did a good job in answering the question. The pop-up being mentioned was very likely the result of a poor connection or a possible DoS (accidental or deliberate) rather than hackers who had broken into his system. It is likely that the pop-up was caused by his device reconnecting to the wireless router after some interference on the channel he was using.

Possible sources of interference are:
  • Microwave oven, which operates at 2.45GHz but leaks a wider bandwidth of energy than the WiFi usage of the 2.4GHz band
  • Phone on the 2.4GHz band
  • AV sender using the 2.4GHz band
  • Wireless baby alarm
  • Wireless CCTV camera
  • Access point closer to him than his own, on the same or a neighbouring channel.
WiFi works on a number of channels; in the 2.4GHz band in the UK there are 13 allowed channels, however most of them overlap, and there are other sources of interference that can affect the channels, as shown in the two diagrams below.




The current urban environment is saturated with wireless networks, the vast majority in the 2.4GHz band. Surveys I have done in some urban areas show multiple Access Points (APs) in close proximity in the 2.4GHz band with none in the 5GHz band. In a block of flats there is a 3D distribution of APs, as opposed to the more 2D distribution in a terraced housing estate.

Most people, when they set up a new wireless access point, will either use the default channel or select one of the three recommended in the manuals, which are 1, 6 and 11. Very few will change to the 5GHz band, and most will not do a survey of the channel usage to select the channel with least interference, i.e. the fewest strong neighbouring wireless networks.


Screen shot of the beta version of my tool
As part of my research I am working on a tool that would sit in the notification area of the Windows taskbar and indicate the number of access points per channel in the selected frequency band; a screenshot of the beta tool is included above. The tool should give a simple site survey ability that is easy for all users to understand. There are a number of other features I will be building into the tool over the next few months.
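As an added illustration of the site-survey logic described above (example code, not the author's taskbar tool), the following Python counts APs per channel from constructed scan records and scores every 2.4GHz channel by the strong neighbours that overlap it. The linear overlap model and the RSSI thresholds are assumptions, not measurements.

```python
"""Per-channel AP counts and a least-congested channel recommendation.
Added example; the scan records below are constructed, not a real survey."""
from collections import Counter

CHANNELS_24GHZ = range(1, 14)  # UK (ETSI) allows channels 1-13

# Constructed scan records: (SSID, channel, RSSI in dBm).
SCAN = [
    ("flat12-hub", 1, -45),
    ("BTHub-7F21", 1, -70),
    ("SKY-3C9A", 6, -52),
    ("virginmedia1234", 6, -61),
    ("TALKTALK-9AD2", 6, -80),
    ("PlusnetWireless", 11, -58),
    ("guest", 13, -66),
]


def overlap_weight(distance):
    """Fraction by which two 2.4GHz channels overlap.
    Channels are 5 MHz apart and an 802.11b/g channel is about 22 MHz wide,
    so channels more than 4 apart do not overlap (1, 6 and 11 are clear of
    each other). The linear fall-off is a simple model (assumption)."""
    return max(0.0, 1.0 - abs(distance) / 5.0)


def signal_weight(rssi_dbm):
    """Strong neighbours matter more than faint ones: full weight at or
    above -65 dBm, fading to zero at -90 dBm (thresholds are assumptions)."""
    return min(1.0, max(0.0, (rssi_dbm + 90) / 25.0))


def aps_per_channel(scan):
    """What a notification-area tool would display: APs seen per channel."""
    counts = Counter(ch for _, ch, _ in scan)
    return {ch: counts.get(ch, 0) for ch in CHANNELS_24GHZ}


def congestion(scan, channel):
    """Weighted count of APs whose signal overlaps `channel`."""
    return sum(overlap_weight(ch - channel) * signal_weight(rssi)
               for _, ch, rssi in scan)


def recommend_channel(scan, candidates=CHANNELS_24GHZ):
    """Least-congested channel among `candidates` (ties go to the lowest)."""
    return min(candidates, key=lambda c: (round(congestion(scan, c), 6), c))


if __name__ == "__main__":
    for ch, n in aps_per_channel(SCAN).items():
        print(f"channel {ch:2d}: {n} AP(s), congestion {congestion(SCAN, ch):.2f}")
    print("manual's choice (1/6/11):", recommend_channel(SCAN, (1, 6, 11)))
    print("survey's choice (1-13):  ", recommend_channel(SCAN))
```

With these records the manual's 1/6/11 rule picks channel 11, while the full survey shows channel 13 has fewer overlapping strong neighbours.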

During the talk I showed, using a spectrum analyser, examples of the interference that a Bluetooth phone, microwave ovens and AV senders can have on the 2.4GHz environment.

The high point for me was that one of the audience emailed me the next day to say they had looked at the number of APs on the same channel, moved their channel selection and were getting better performance.



Tuesday, 17 April 2012

Wireless & the Law

Whilst doing research on wireless networks and the state of the law on piggybacking etc., I came across some interesting judgements and commentary from around the world in the last two years. The question in some countries is whether an insecure wireless network makes it a public network.

May 2010: In Germany, the country's top criminal court ruled that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party. The ruling came after a musician sued an Internet user whose wireless connection was used to download a song, which was then offered on an online file-sharing network. The user was on vacation when the song was downloaded. Should have turned the AP off when not in use.

March 2011: A Dutch court has ruled that hacking into Wi-Fi connections is not a crime providing any connected computers remain untouched. However, Wi-Fi freeloaders would still lay themselves open to civil proceedings. The unusual ruling came in the case of a student who threatened a shooting rampage against staff and students at Maerlant College in The Hague. The threat was posted on 4chan, the notoriously anarchic Internet image board, after the student broke into a secure Wi-Fi connection. The unnamed student was caught and convicted of posting the message but acquitted on the hacking charge.

Feb 2011: A senior court judge has pointed to severe problems with the way the Digital Economy Act enables copyright owners to accuse people of illegal filesharing. Judge Birss QC said on Tuesday that the process of connecting copyright infringement to a named individual based on their use of an Internet address is fraught with difficulties because Internet connections, or IP addresses, are often used by more than one person. The use of "unsecured" Internet connections which allow others to "piggyback" on their network leads to more complications, Birss said, adding that these issues are "key" in proving copyright infringement before a court of law. That could create serious problems for copyright owners seeking to enforce their rights under the Digital Economy Act. Although the law allows for a "three strikes" provision in which Internet service providers (ISPs) would be required to write to the people who are using an IP address at a time that it is found to be infringing, it has not yet been implemented.

Apr 2011: Orin Kerr, a professor at George Washington University Law School, when discussing the raid on a Buffalo homeowner for downloading child porn, which was done by his neighbour: "The question," said Kerr, "is whether it's unauthorised access and so you have to say, 'Is an open wireless point implicitly authorising users or not?' We don't know," Kerr said. "The law prohibits unauthorised access and it's just not clear what's authorised with an open unsecured wireless."

The law may not be too clear in some countries, but in the UK piggybacking is illegal; how harmonisation of laws across Europe will affect this in the future is hard to predict. From a homeowner's point of view I would say encrypt or risk legal problems.

Microsoft Forgetful USB Patent

Reading an article about the ultimate USB stick on the BBC reminded me about a patent that was awarded to Microsoft for a forgetful USB. A Google search later I found an article, "Microsoft patents self-destructing USB key for forgetful types" http://www.engadget.com/2006/11/20/microsoft-patents-self-destructing-usb-key-for-forgetful-types/, about self-destructing USB memory keys with enough battery life in them to power the key for one hour, after which the data disappears completely.

This was Microsoft's solution to copying secure configs between devices on a wireless network, although it could be used for any secure config transfer. If it got lost, the data would be automatically deleted when the device lost power. All well and good if it took less than an hour to get between locations.

Monday, 16 April 2012

Honeyspot

One of the aims of my research is to investigate whether people are connecting to access points they are not supposed to use. To find out if this is happening I will be deploying a Honeyspot to see if anyone connects to it.

A HoneySpot is a portmanteau of Honeypot and Hotspot.

The Honeynet Project's definition (http://www.honeynet.org/misc/faq.html) of a honeypot is, "a system whose value is being probed, attacked, or compromised, you want the bad guys to interact with it".

The Wikipedia definition of a hotspot (http://en.wikipedia.org/wiki/Hotspot_%28Wi-Fi%29) is, "A hotspot is a venue that offers Wi-Fi access. The public can use a laptop, WiFi phone, or other suitable portable device to access the Internet".

A HoneySpot has been defined by the Spanish Honeynet Project (SHP) in their document "HoneySpot: The Wireless Honeypot" as a "venue that offers Wi-Fi access whose value is being probed, attacked, or compromised, you want the bad guys to interact with it".

Two types of HoneySpots have been defined:

  • A Public HoneySpot simulates a public wireless data network, that is, a pure hotspot. Hotspots are commonly available at hotels, airports, coffee shops, libraries, as well as other public places where there is a high interest in offering Internet connectivity to visitors and customers.
  • A Private HoneySpot simulates a private wireless data network, such as those available in corporations or at home. Typically, a private network offers access to a wired network (corporate or home network) to legitimate wireless clients without the physical barriers associated with wired connections.

For my experiment I will be using a WiFi Pineapple Mk4 to create the Honeyspot; this is a wireless router combined with a custom version of OpenWRT that allows it to be used for wireless security research and auditing. It has utilities installed such as Karma, DNSspoof and URLSnarf, with which I can detect unauthorised connections.

I will be continuing this with more details of the configuration and the results as the experiment progresses.


Monday, 9 April 2012

Wardriving

Wardriving is defined by Wikipedia as the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA); however there is a series of related terms relating to the mode of transport, from warwalking to warflying. The term wardriving itself is generally considered to be derived from the term wardialing, where a modem was used to dial through a list of telephone numbers searching for computers, bulletin board systems and fax machines. A modern call centre uses a similar technique to dial numbers: calls answered by a human are put through to call centre staff, and if an answerphone or other device is detected the call is dropped and the next number dialled.

Wardialing was popularised by a character played by Matthew Broderick in the film WarGames, and it is thought that the term originated from the film and the computer programs that followed it, emulating the program used by Broderick's character to dial numbers. 'WarGames Dialer' programs were found on bulletin boards and, due to the 8.3 DOS filename restriction, these files were called wardial.exe.

The activity of wardriving is controversial, and this is not helped by its being used in conjunction with, or confused with, piggybacking and warchalking. Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network, similar to hobo markings in the USA and Gypsy markings used in Europe; the different marks left where a wireless network was detected indicate the encryption and SSID of the network. Piggybacking is where an unauthorised user connects to and makes use of a wireless network; in the UK this is an offence under the Communications Act 2003.

Warchalking symbols, image from the Wikimedia Commons

Wardriving and legality

Is wardriving illegal in the UK? This is a question to which Google does not seem to give a good answer, and there is a variety of views on the subject. My own view is that wardriving itself is not illegal, and I will explain why I think this.

Before I go into my reasons I would say that unauthorised use of someone's network, whether it is protected or not, is illegal. I would say that unless it is very clear that public access has been granted, i.e. a public hotspot, then access to a wireless network is illegal. Whether warchalking is legal or not I don't know; it would depend on the laws on graffiti etc., or whether it would be covered under conspiracy, solicitation or incitement to commit an offence.

I don't think wardriving is illegal, as:

  1. WiFi operates in a licence exempt band which anyone with appropriate equipment (i.e. within the specified parameters) can use to broadcast and listen; in effect it is a public radio network.
  2. Wardriving only uses the specific mechanism defined in the IEEE 802.11 specification to identify the wireless network, i.e. the management and broadcast frames of the access point.
  3. It uses techniques that are built into all wireless devices to detect wireless networks, i.e. it listens for an SSID or broadcasts an SSID to get a response.
So wardriving is legal providing the following statements are true:-

  • Only equipment is used that meets the requirements for use on the licence exempt wireless band and has not been modified to increase performance beyond those requirements. The equipment does not need to meet WiFi or IEEE specifications, only the requirements of the licensing authority in a particular country, which in the UK is Ofcom.
  • The hardware and software used operates within the IEEE specifications to access the management and broadcast frames, as per the IEEE requirements.
  • No data packets are recorded, as that could be regarded as infringing a person's privacy.
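The passive identification described in points 2 and 3 above comes down to decoding the beacon frames an access point already broadcasts. The following Python is an added example (not the author's code): it decodes only the fields a wardriving tool records (BSSID, SSID, channel, security type) and nothing from data frames. The beacon bytes are constructed by the helper in the block, not captured; the minimal WPA and RSN elements it builds carry only the OUI/version header.

```python
"""Decode an 802.11 beacon frame: BSSID, SSID, DS channel and security type.
Added example; beacons are constructed by build_beacon(), not captured."""
import struct

PRIVACY_BIT = 0x0010                  # capability field: WEP/WPA/WPA2 privacy flag
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = WPA (pre-RSN)


def build_beacon(bssid, ssid, channel, security="Open"):
    """Construct a minimal beacon (MAC header, fixed fields, a few IEs) so the
    parser below has realistic input. Real beacons carry many more IEs."""
    header = (b"\x80\x00"            # frame control: type 0 (mgmt), subtype 8 (beacon)
              + b"\x00\x00"          # duration
              + b"\xff" * 6          # addr1: broadcast
              + bssid + bssid        # addr2 (source) and addr3 (BSSID)
              + b"\x00\x00")         # sequence control
    capability = 0x0001              # ESS bit: an infrastructure network
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode() \
        + bytes([IE_DS_PARAM, 1, channel])
    if security in ("WEP", "WPA", "WPA2"):
        capability |= PRIVACY_BIT
    if security == "WPA":
        ies += bytes([IE_VENDOR, 6]) + WPA_OUI_TYPE + b"\x01\x00"
    if security == "WPA2":
        ies += bytes([IE_RSN, 2]) + b"\x01\x00"   # RSN IE, version 1 header only
    fixed = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval, capability
    return header + fixed + ies


def parse_ies(data):
    """Walk the tagged parameters; stop cleanly at a truncated element."""
    ies = {}
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        body = data[pos + 2:pos + 2 + length]
        if len(body) < length:      # element runs past the end of the frame
            break
        ies.setdefault(eid, []).append(body)
        pos += 2 + length
    return ies


def classify_security(capability, ies):
    """RSN IE => WPA2; WPA vendor IE => WPA; privacy bit alone => WEP."""
    if IE_RSN in ies:
        return "WPA2"
    if any(v.startswith(WPA_OUI_TYPE) for v in ies.get(IE_VENDOR, [])):
        return "WPA"
    return "WEP" if capability & PRIVACY_BIT else "Open"


def parse_beacon(frame):
    """Return the fields a wardriving tool records from one beacon."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    if frame[0] & 0xFC != 0x80:     # keep type+subtype bits, ignore protocol version
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]
    capability = struct.unpack_from("<H", frame, 34)[0]
    ies = parse_ies(frame[36:])
    ssid_raw = ies.get(IE_SSID, [b""])[0]
    channel = ies[IE_DS_PARAM][0][0] if ies.get(IE_DS_PARAM) else None
    return {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "ssid": ssid_raw.decode("utf-8", "replace") if ssid_raw else "<hidden>",
        "channel": channel,
        "security": classify_security(capability, ies),
    }


if __name__ == "__main__":
    demo = build_beacon(b"\x00\x11\x22\x33\x44\x55", "BTHub-7F21", 6, "WPA2")
    print(parse_beacon(demo))
```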

Summary
  • Wardriving is the location of wireless networks, often with the GPS location.
  • Piggybacking is where an unauthorised user accesses a wireless network to gain access to the Internet.
  • Warchalking is where chalk marks are used to indicate the type of wireless network.
Follow up

I will be doing some posts on active and passive identification of wireless networks and a discussion on whether wireless packet sniffing is illegal.


Interesting Wireless tools

Looking at some ideas to monitor wireless wardriving, I found a range of wireless tools and articles that interested me.

I will start with an article I found on using Mallory MiTM Proxy as a wireless access point. Mallory is a transparent TCP and UDP proxy; it can be used to get at those hard-to-intercept network streams and to assess those tricky mobile web applications. Part 1 of the article can be found at http://pentesterconfessions.blogspot.co.uk/2012/04/mallory-mitm-proxy-as-wireless-access.html and I am now waiting for part 2.

Whilst doing some background reading I came across this article http://www.teoti.co.uk/hardware/113811-the-little-white-box-that-can-hack-your-network.html about using the Pwnie Express box http://www.pwnieexpress.com/eliteplug.html, which was developed from the SheevaPlug http://www.globalscaletechnologies.com/p-46-sheevaplug-dev-kit.aspx. Both the Pwnie Express and the SheevaPlug are interesting devices, especially the Pwnie Express.

In terms of wireless devices the Pineapple http://hakshop.myshopify.com/collections/frontpage/products/markiv-first-dibs is one of the most notable, along with the WiFi Robin http://www.wifirobin.com/, which can be used to attack WiFi networks. Along these lines is the MiniPwner http://www.minipwner.com/index.php/what-is-the-minipwner

There are various articles on using Android devices for pentesting; Zimperium is offering an easy-to-use pentesting toolkit, Anti http://zimperium.com/index.html

Tuesday, 27 March 2012

Is wireless insecure? Yes it is!

One of the factors I will need to cover is the question "Is wireless insecure?" We know the answer is yes: we know about vulnerabilities and exploits that affect wireless LANs, we see papers published about them, etc. So what I need to show is not only that there is insecurity in wireless networks, but that there are incidents of people using these exploits in the real world.

Here are examples I have come across which I think prove the point that wireless exploits are being used, but also that people are not doing enough to protect their networks and that there can be serious consequences to having a WiFi network hacked.

We have the granddaddy of the privacy concerns, when Google was found to be not only locating wireless access points to speed up location fixing, but also capturing wireless packets containing data.

This was reported in the Register in June 2010 in the UK: http://www.theregister.co.uk/2010/06/09/google_wi_fi_sniffing/

There is also the recently reported case where burglars were caught using WiFi, as reported on the Infosec Island blog. http://www.infosecisland.com/blogview/20757-Wireless-Security-Wi-Fi-Hacking-Burglars-Get-Busted.html

This is similar to the TK Maxx security breach in 2005 & 2006, when hackers broke in via a WiFi network and stole records which included millions of credit card numbers. http://www.sec.gov/Archives/edgar/data/109198/000095013507001906/b64407tje10vk.htm

Other examples I have found are listed below; if you know of other cases with reference links, please send them to me by tweeting @GeraintW

November 2003 in Toronto, Canada, a man was arrested with a WiFi-enabled laptop in his car - and his pants down. He was wardriving and tapping into unprotected wireless networks. Ultimately, however, he was charged not for that, but for the illegal paedophile pornography he was in the process of downloading. http://www.theregister.co.uk/2003/11/26/wifi_hacker_caught_downloading_child/

July 2005, a UK man was fined £500 after a British jury found him guilty of using a neighbourhood wireless broadband connection without permission. Gregory Straszkiewicz, 24, was also sentenced to a 12 months conditional discharge after he was convicted of dishonestly obtaining a communications service and related offences at London's Isleworth Crown Court. http://www.theregister.co.uk/2005/07/25/uk_war_driver_fined/

March 2006, an Illinois man was fined for piggybacking on a Wi-Fi System. David M. Kauchak, 32, pleaded guilty in Winnebago County to remotely accessing someone else's computer system without permission. http://www.governmentsecurity.org/forum/topic/20063-illinois-man-fined-for-piggybacking-on-wi-fi-service/

April 2007, two people have been cautioned for using people's wi-fi broadband Internet connections without permission. Neighbours in Redditch, Worcestershire, contacted police on Saturday after seeing a man inside a car using a laptop while parked outside a house. He was arrested and cautioned. A woman was arrested in similar circumstances in the town earlier this month. http://news.bbc.co.uk/1/hi/england/hereford/worcs/6565079.stm

Oct 2008, Lincolnshire police have arrested a 16-year-old suspected of hacking into next door's Wi-Fi after his neighbour complained the connection was running a bit slow. Police arrived at the lad's house after nine o'clock on Sunday October 5, and arrested him under the Computer Misuse Act 1990. http://www.theregister.co.uk/2008/10/30/wi_fi_arrest/

A pub owner has been fined £8,000 because someone unlawfully downloaded copyrighted material over their open Wi-Fi hotspot, according to the managing director of hotspot provider The Cloud. http://www.zdnet.co.uk/news/networking/2009/11/27/pub-fined-8k-for-wi-fi-copyright-infringement-39909136/

April 2011. A man recently found a swarm of armed federal agents descending on his Buffalo, New York, home after a neighbour accessed his open Wi-Fi network and used it to download child pornography. http://www.theregister.co.uk/2011/04/26/open_wifi_networks/

July 2011 Barry Ardolf, 46, repeatedly hacked into his next-door neighbour's WiFi network in 2009, and used it to try and frame them for child pornography, sexual harassment, various kinds of professional misconduct and to send threatening e-mail to politicians, including Vice President Joe Biden. http://arstechnica.com/tech-policy/news/2011/07/wifi-hacking-neighbor-from-hell-gets-18-years-in-prison.ars

Thursday, 22 March 2012

InfoSec Island: Wireless Security: Wi-Fi Hacking Burglars Get Busted

This is a copy of a blog from Infosec Island http://www.infosecisland.com/ that I have been given permission to reprint here. All rights to the content of the blog belong to Infosec Island and Robert Siciliano. I would like to thank Infosec Island and the author for the permission to reprint the blog.

I was looking to blog on some incidents involving Wireless Security when I found this entry, and I think it adequately shows why wireless security is important to implement correctly.

Wireless Security: Wi-Fi Hacking Burglars Get Busted
Thursday, March 22, 2012
Contributed By:  Robert Siciliano

http://www.infosecisland.com/blogview/20757-Wireless-Security-Wi-Fi-Hacking-Burglars-Get-Busted.html

In Seattle 3 men have been arrested for hacking the wireless networks of over a dozen businesses along with 41 burglaries.

They are alleged to have stolen at least $750,000 in funds, computer equipment and other items.

SeattlePI reported their Wi-Fi hacking techniques included “wardriving,” in which hackers mount a high-strength Wi-Fi receiver inside a car and search for networks that can be penetrated.

Once a Wi-Fi network is located through wardriving, hackers can remotely watch for information that may reveal the network’s security setup and vulnerabilities.

Police said they used sophisticated electronic equipment to break through networks using a 12-year-old security algorithm — Wired Equivalent Privacy, or WEP protection.

Right out of a Mission Impossible movie, these burglars hacked wireless networks and stole employee and client data. Their burglaries involved stealing laptops, and they used those laptops to crack payroll accounts and steal banking information.

Once they turned the data into cash they turned the cash into prepaid debit cards.

Wired Equivalent Privacy was introduced in 1997 and is the original version of wireless network security. But WEP has been cracked, hacked, and decimated.

Home or office Wi-Fi with a WPA encryption is better. Wi-Fi Protected Access is a certification program that was created in response to several serious security vulnerabilities researchers found in WEP, the previous system. WPA and WPA2 are tougher to crack, but not impossible.

Small businesses would fare much better if they also installed a monitored security alarm system with cameras. It's not enough to lock doors, especially if there are thousands of dollars in technology waiting for a burglar to take it.

Robert Siciliano is a personal and small business security specialist to ADT Small Business Security. Disclosures

Tuesday, 20 March 2012

Projects

As part of the wireless research I am doing towards my MSc by Research, I am working on the following projects:

Wardrive comparison of Luton, UK. I did a survey of Luton in 2005 and I am now in the process of completing another wardrive of Luton. The aim is to identify changes over the 6 years between the wardrives, in particular the number of access points with no security, to see if home users have become more security aware. As part of this I have developed a series of Python scripts that take the results of scans by Vistumbler and put them into a PostgreSQL database, then retrieve data according to criteria and plot the results in Google Earth as a KML file, using a custom set of icons to identify channel, frequency band, security etc.
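The last step of that pipeline, plotting a survey with one icon per security type, looks like this in Python; this is an added example, not the author's Vistumbler/PostgreSQL scripts. The survey rows, the coordinates and the icon paths are constructed placeholders, and the security labels are assumed to have already been normalised to Open/WEP/WPA/WPA2.

```python
"""Survey rows -> KML with a style per security class, plus the open-AP share
that the 2005 vs 2011 comparison is about. Added example with constructed data."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed survey rows: SSID, BSSID, latitude, longitude, channel, security.
SURVEY = [
    ("BTHub-7F21", "00:11:22:33:44:55", 51.8787, -0.4200, 6, "WPA2"),
    ("SKY-3C9A", "00:11:22:33:44:66", 51.8791, -0.4212, 1, "WPA"),
    ("linksys", "00:11:22:33:44:77", 51.8795, -0.4180, 6, "Open"),
    ("default", "00:11:22:33:44:88", 51.8799, -0.4175, 11, "WEP"),
    ("CafeFree", "00:11:22:33:44:99", 51.8802, -0.4190, 13, "Open"),
]

# One KML style per security class; the icon paths are placeholders standing
# in for the author's custom icon set.
STYLES = {
    "Open": "icons/open.png",
    "WEP": "icons/wep.png",
    "WPA": "icons/wpa.png",
    "WPA2": "icons/wpa2.png",
}

KML_NS = "http://www.opengis.net/kml/2.2"


def band(channel):
    """2.4GHz channels are 1-14; any higher channel number is in the 5GHz band."""
    return "2.4GHz" if channel <= 14 else "5GHz"


def security_counts(rows):
    """How many APs were seen per security class."""
    return Counter(sec for *_, sec in rows)


def open_fraction(rows):
    """Share of APs with no encryption, the survey's research question."""
    return security_counts(rows)["Open"] / len(rows) if rows else 0.0


def survey_to_kml(rows):
    """Emit a KML document: shared styles first, then one placemark per AP.
    KML coordinates are longitude,latitude,altitude in that order."""
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    for sec, icon in STYLES.items():
        style = ET.SubElement(doc, "Style", id=f"sec-{sec}")
        icon_el = ET.SubElement(ET.SubElement(style, "IconStyle"), "Icon")
        ET.SubElement(icon_el, "href").text = icon
    for ssid, bssid, lat, lon, ch, sec in rows:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = ssid or "<hidden>"
        ET.SubElement(pm, "styleUrl").text = f"#sec-{sec}"
        ET.SubElement(pm, "description").text = f"{bssid} ch{ch} {band(ch)} {sec}"
        point = ET.SubElement(pm, "Point")
        ET.SubElement(point, "coordinates").text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    print(f"open APs: {open_fraction(SURVEY):.0%}", dict(security_counts(SURVEY)))
    print(survey_to_kml(SURVEY))
```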

Development of a utility that sits in the notification area and monitors the number of wireless networks on each channel, to aid in the selection of a channel that reduces collisions due to nearby networks on the same channel.

A series of wardrives to monitor whether access points are being left on or turned off when not in use. As part of this I am looking at developing a sensor that can be left running to monitor wireless network up/down time, using a micro PC with a wireless card.

I will also be doing some work on security testing of wireless networks and access points, testing the encryption and features such as WPS, to evaluate the tools and whether the videos on YouTube are acting as a good source of material for those wishing to abuse wireless networks.

Some of the software I am working on may be made into open source tools, hence my interest in Bitbucket and git.

There are a couple of ideas that I want to develop involving mobile WiFi hotspots on tablets and smartphones, the use of 3G dongles, and security configuration, especially since BYOD is becoming more popular. Although this won't be part of my MSc by Research, I will be covering all my activities in wireless networking in this blog.

Sunday, 18 March 2012

Wireless tools - Part 1

Here are just some of the tools that I am using for research and consultancy work in wireless networks; in particular I specialise in 802.11 WiFi networks.

Linux Equipment
  • Acer Laptop
  • Backtrack 5r1
  • Alfa AWUS036H
Android
  • Motorola Xoom
  • Wolf wifi pro
  • wi-fi analytics
  • wifi analyzer
  • wardrive
  • etc

Windows
  • HP Laptop
  • Wi-Spy DBX
  • Chanalyser
  • InSSIDer
  • vistumbler
  • commview for wifi
  • Airpcap TX
I have a range of directional and high-gain antennas to use with various wireless network devices, along with several access points.

Monday, 5 March 2012

BitBucket

Just signed up for a Bitbucket repository to do the development of the software artefact for my MSc by Research. This will be a private repository until after I have completed the MSc, when I will probably make the tool open source.

Friday, 2 March 2012

Resurrection

Met with my supervisor to resurrect my MSc by Research into wireless security, particularly around home-based wireless networks. My studying has been in a hiatus due to leaving the University where I was a staff member and starting work in the commercial world, and confusion over status and fees; I hope to get it resolved shortly.

I will be transferring my blog of the research activities from the PebblePad blog to this blog.