Monday, 23 April 2012

Follow Up

Read an Computerworld article - Why Google should be allowed to 'harvest' your Wi-Fi data By Mike Elgan on April 21, 2012 which reflects my view that actual doing wardrive http://bit.ly/I66ibO as opposed to piggybacking is legal.

The computerworld article "Why Google should be allowed to 'harvest' your Wi-Fi data" can be found at http://bit.ly/HXe4QA

I have looked at this debate a number of times as a researcher looking at the problems of securing wireless in the urban environment. In the UK which is where I have a better legal understanding, the use of radio is licensed. That means a radio station such as run by the BBC buy a licence to broadcast content on a frequency, the licensing terms allow the general public on a suitable approved receiver to pick up the radio signals and listen providing the have a TV (and radio) licence, the content copyright where it does not belong to the owner of the content ie music will belong with the radio station. The general public should not rebroadcast, record the content without permission of the radio station. This is not the case with WiFi and CB radio this have a different licencing arrangement and this is where confusion and debate takes place. WiFi in the UK uses the ISM band which is licence exempt, you don't need a licence to listen to it although the equipment must be approved within a certain specification, this means that anybody using the approved equipment can broadcast and receive the signals. This means listening to WiFi signals is not illegal; WiFI NICS do this all the time. Where the legal issues come in is listening to a communication and whether you are infringing privacy, if you connect to an Access Point you connection goes beyond the wireless transmission and starts to affect the network. AP don't give out IP addresses the DHCP server in the router does, this is different from listening to a WiFi signal or broadcasting beacons and management frames and getting a response from the AP, that is all controlled by the IEEE specification and is part of the mechanism of the transmission. Connecting to a wireless network in the UK is illegal under the Communications Act 2003 as specific offence. An unencrypted network is not authorisation just like an open door to a domestic property is not an invitation to enter.

When it comes to Google, what it was doing and what it intended aim was where different things, it aimed to collect data from Wireless location services, a lot companies such as skyhook collect data for this. What it did was to capture and record conversations. Now doing the collection and recording was infringing privacy and Google should be taken to task for it.

What I ask is could Google of collected data for Wireless Location Services without collecting and recording data packets, the answer is YES, so why I feel Google need to answer the question why did it happen.

Conclusion

My view is that Google did not need to record the personal data; either through it was effectively being publically transmitted; to complete the WiFi location data.

Collecting the details of the Access Points and their geolocation is a legal activity, and this could of be completed without infringing privacy of communication.

However broadcasting on a 'public' transmission system is a security risk, all data transmission should be encrypted to make illegal capture and recording pointless.

Saturday, 21 April 2012

Wireless & Overcrowding

I gave a talk to the Hertfordshire section Institute of Measurement & Control on the 18th April about Wireless Network and the configuration in the Urban Environment, it concentrated on some of the security risks, why these should be taken serious in the Urban environment and on how performance can be affected by the RF environment. The talk was low on the technical side as it was aimed at the interested general public. The talk was well received with some good questions, however an interesting point was that a number of people mentioned the article in the telegraph paper "How do I stop wireless hackers?" http://tgr.ph/HVieXS on the 15th April. In which a person had written in with the following question.

"I live in a block of flats and connect to the web using a wireless connection. My router is security enabled but can someone in another flat utilise my signal via their laptop? If so, is this legal? The reason for asking is that for some time now when I am on the web, I get a mystery pop-up message that states ‘I am now connected’."

The Telegraph writer did a good job in answering the question. The pop being mentioned was very likely the result of a poor connection or a possible DoS (accidental or deliberate) rather than hackers who have broken into his system. It is likely that the pop-up was caused by his device reconnecting to the wireless router after some interference on the channel he is using.

Possible sources of interference are
  • Microwave Oven which operates at 2.45GHz but leaks a wider bandwidth of energy than the WiFi usage of the 2.4GHz band
  • Phone on the 2.4GHz band
  • AV sender using the 2.4GHz
  • Wireless Baby alarm
  • Wireless CCTV camera
  • Access point closer to him than his on the same or neighbouring channel.
WiFi works on a number of channels and in the 2.4GHz band in the UK there are 13 allow channels, however most overlap and there are other sources of interference that can affect the channels as shown in the two diagrams below below.




The current urban environment is saturated with wireless networks the vast majority in the 2.4GHz band. Surveys I have done on some Urban areas show multiple Access Points (AP) in close proximity in the 2.4GHz with none in the 5GHz band. In a block of flats there is a 3D distribution of AP as opposed to the more 2D in terraced housing estate.

Most people when there set-up a new wireless access point will either use the default channel or select one of the three recommend in the manuals which are 1,6 & 11. Very few will change to the 5GHz band and most will not do a survey of the channel usage to select a channel with least interference ie the least number of strong other wireless networks.


Screen shot of the beta version of my tool
As part of my research I am working on a tool that would sit in the notification area of the windows taskbar and could indicate the number of access points per channel in the selected frequency band, a screenshot of beta tool is included above. The tool should be able to give a simple site survey ability that is easy to understand to all users. There are a number of other features I will be building into the tool over the next few months.

During the talk I showed examples of the interference from a bluetooth phone, microwave ovens, AV senders can have on the 2,4GHz environment using a spectrum analyser.

The high point for me was that one of the audience emailed me the next day to say there had looked at the number of AP's on the same channel and moved their channel selection and where getting better performance.



Tuesday, 17 April 2012

Wireless & the Law

Whilst doing research on wireless network and the state of the law about piggybacking etc, came across some interesting judgements and commentary from around the world in the last two years. The question in some countries is does an insecure wireless network make it a public network.

May 2010: In Germany, the country's top criminal court ruled that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party. The ruling came after a musician sued an Internet user whose wireless connection was used to download a song, which was then offered on an online file-sharing network. The user was on vacation when the song was downloaded. Should of turned the AP off when not in use.

March 2011: A Dutch court has ruled that hacking into Wi-Fi connections is not a crime providing any connected computers remain untouched. However Wi-Fi freeloaders would still lay themselves open to civil proceedings. The unusual ruling came in the case of a student who threatened a shooting rampage against staff at students at Maerlant College in The Hague. The threat was posted on 4chan, the notoriously anarchic Internet image board, after the student broke into a secure Wi-Fi connection. The unnamed student was caught and convicted of posting the message but acquitted on the hacking charge.

Feb 2011: A senior court judge has pointed to severe problems with the way the Digital Economy Act enables copyright owners to accuse people of illegal filesharing. Judge Birss QC said on Tuesday that the process of connecting copyright infringement to a named individual based on their use of an Internet address is fraught with difficulties because Internet connections, or IP addresses, are often used by more than one person. The use of "unsecured" Internet connections which allow others to "piggyback" on their network leads to more complications, Birss said, adding that these issues are "key" in proving copyright infringement before a court of law. That could create serious problems for copyright owners seeking to enforce their rights under the Digital Economy Act. Although the law allows for a "three strikes" provision in which Internet service providers (ISPs) would be required to write to the people who are using an IP address at a time that it is found to be infringing, it has not yet been implemented.

Apr 2011: Orin Kerr, a professor at George Washington University Law School when discussing the raid on a Buffalo homeowner for downloading child porn which was done buy his neighbour, "The question," said Kerr, "is whether it's unauthorised access and so you have to say, 'Is an open wireless point implicitly authorising users or not?' "We don't know," Kerr said. "The law prohibits unauthorised access and it's just not clear what's authorised with an open unsecured wireless."

The law may not be too clear in some countries but in the UK piggybacking is illegal, how harmonisation of laws across Europe will affect this in the future is hard to predict. From a homeowner's point of view I would say encrypt or risk legal problems.

Microsoft Forgetful USB Patent

Reading an article about the ultimate USB stick on the BBC reminded my about a patent that was awarded to Microsoft for a forgetful USB. A google search later I found a article Microsoft patents self-destructing USB key for forgetful types http://www.engadget.com/2006/11/20/microsoft-patents-self-destructing-usb-key-for-forgetful-types/ the self-destructing USB memory keys, with enough battery life in them to power the key for one hour, after which the data disappears completely.

This was Microsoft's solution to copying secure configs between devices on a wireless network, although it could be used for any secure config transfer. In case it got lost then the data would be automatically deleted when the device lost power. All well and good if it took less than an hour to get between locations.

Monday, 16 April 2012

Honeyspot

 
For my research one of the aims is to investigate are people connecting to access points they are not supposed to use, in order to find out if this is happen and will be deploying a Honeyspot to see if anyone connects to it.

A HoneySpot is portmanteau of Honeypot and Hotspot.

Honeynet Project definition (http://www.honeynet.org/misc/faq.html) of a Honeypot is, “a system whose value is being probed, attacked, or compromised, you want the bad guys to interact with it”.

TheWikipedia definition for a hotspot is (http://en.wikipedia.org/wiki/Hotspot_%28Wi-Fi%29), “A hotspot is a venue that offers Wi-Fi access. The public can use a laptop, WiFi phone, or other suitable portable device to access the Internet”.

A HoneySpot has been defined by the The Spanish Honeynet Project (SHP) in their document "HoneySpot: The Wireless Honeypot" as a "venue that offers Wi-Fi access whose value is being probed, attacked, or compromised, you want the bad guys to interact with it”

Two types of HoneySpots have been defined:

· A Public HoneySpot simulates a public wireless data network, that is, a pure hotspot. Hotspots are commonly available at hotels, airports, coffee shops, libraries, as well as other public places where there is a high interest in offering Internet connectivity to visitors and customers.

· A Private HoneySpot simulates a private wireless data network, such as those available in corporations or at home. Typically, a private network offers access to a wired network (corporate or home network) to legitimate wireless clients without the physical barriers associated to wired connections.
For my experiment I will be using a WiFi Pineapple Mk4 to create the Honeyspot, which is a wireless router combined with a custom version of OpenWRT that allows it to be used for Wireless security research and auditing. It has installed utilities such as Karma and DNSspoof and or URLSnarf with which I can detect unauthorised connections.

I will be continuing this with more details of the configuration and the results as the experiment progresses.


Monday, 9 April 2012

Wardriving

Wardriving is defined by Wikipedia as is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA), however they are series of related terms relating to the mode of transport from warwalking to warflying. The term wardriving itself is generally considered to be derived from the term Wardialing which is where a modem was used to dial through a list of telephones numbers searching for computers, bulletin board systems and fax machines. A modern call centre uses a similar technique to dial numbers which if are answered by a human are put through to call centre staff, if an answer phone or other device is detected the call is dropped and the next number dialed.

Wardialing was popularised by a character played by Matthew Broderick in the film WarGames and it is thought that the term orginated from the film and the computer programs that followed the film emulating the programs used by Matthew Broderick in the film to dial numbers, 'WarGames Dialer' programs where found on bulleting boards and due to the restriction of the 8.3 dos names these files where called wardial.exe.

The activity of Wardriving is controversial and not helped as it is used in conjunction with or confused with piggybacking and warchalking. Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network, similar to hobo markings in the USA and Gypsy marking used in Europe, the different marks left where a wireless network was detected  indicate how the encryption and SSID of the network. Piggybacking is where an unauthorised user connects to and makes use of a wireless network, in the UK this is an offence under the Communications Act 2003

Warchalking cymbols, image from the Wikimedia Commons

Wardriving and legality

Is Wardriving illegal in the UK, this is a question that Google does not seem to give a good answer to, and there is a variety of views on the subject. My own view is that wardriving itself is not illegal and I will explain why I think this.

Before I go into my reasons I would say that unauthorised use of someones network, whether it is protected or not is illegal. I would say unless it was very clear that public access had been granted ie. a public hotspot than access to a wireless network is illegal. Whether warchalking is legal or not I don't know the laws on Graffiti etc or whether it would be covered under a conspiracy to commit, or solicitation or incitement to commit.

I don't think wardriving is illegal as

  1. WiFi operates in a licence exempt band to which anyone with appropriate equipment ie within specified parameters, can use to broadcast and listen, it in effect it is a public radio network.
  2. Wardriving only uses the specific mechanism as defined in the IEEE 802.11 specification to identify the wireless network, ie. the management and broadcast frames of the access point.
  3. It is using techniques that are built into all wireless devices to detect wireless networks, ie it listens for an SSID or broadcasts an SSID to get a response.
So wardriving is legal providing the following statements are true:-

Only equipment is used that meets the requirements for use on the wireless licence exempt band and has not been modified to increase performance beyond the requirements it is legal. The equipment does not need to meet WiFi or IEEE specifications, only the requirements of the licensing authority in a particular country and in the UK that is Ofcom.
The hardware and software used is operating within the IEEE specifications to access the management and broadcast frames as per the IEEE requirements.
The recording of data packets does not occur as that could be regarded as infringing a person's privacy.

Summary
  • Wardriving is the location of wireless networks, often with the GPS location.
  • Piggybacking is where an unauthorised user access a wireless network to gain access to the Internet.
  • Warchalking is where chalk mark are used to indicate the type of wireless network
Follow up

I will be doing some posts on active and passive identifaction of wireless networks and a discussion on whether wireless packet sniffing is illegal.


Interesting Wireless tools

Looking at some ideas to monitor wireless wardriving and found a range of wireless tools and articles that interested me.

I will start with an article I found on using Mallory MiTM Proxy as a Wireless Access Point, Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications. Part 1 of the article can be found at http://pentesterconfessions.blogspot.co.uk/2012/04/mallory-mitm-proxy-as-wireless-access.html Now waiting for part 2 of the article.

Whilst do some background reading came across this article http://www.teoti.co.uk/hardware/113811-the-little-white-box-that-can-hack-your-network.html about using the Pwnie Express box
http://www.pwnieexpress.com/eliteplug.html, which was developed from the SheevaPlug http://www.globalscaletechnologies.com/p-46-sheevaplug-dev-kit.aspx both the  Pwnie Express and the SheevaPlug are interesting devices especially the Pwnie Express

In terms of wireless devices the Pineapple http://hakshop.myshopify.com/collections/frontpage/products/markiv-first-dibs is one of the most notable devices along with the wifi Robin http://www.wifirobin.com/ which can be used to attack wifi networks. Along these lines are the minipwner  http://www.minipwner.com/index.php/what-is-the-minipwner

There are various articles on using android devices for pentesting, ZImperium is offering easy-to-use and friendly pentesting toolkit Anti http://zimperium.com/index.html