Queensland: sun, sand, surf – and security

You’re probably expecting me to comment on the iPhone virus sneaking through Australia at the moment, but not everyone is head-over-heels in love with reading about iPhones, so that can wait.

Right now I want to report on my latest outing to a Sophos Signature Series Luncheon, this time in Brisbane, Queensland.

My fellow presenter was Steve Bignell of the Queensland Police Service (QPS), which is planning to take community policing into the wireless age by going on wardrives around towns and cities in Queensland. Those with insecure networks can then be advised of the risks they face.

Wardriving involves driving around, scanning for wireless networks, and recording any publicly-visible aspects of their configuration. Almost any device with a WiFi chip, such as a PSP, DS Lite, mobile phone, PDA, netbook or laptop, can be used. Numerous free software packages exist to perform the WiFi scanning and recording.

Note that wardriving isn’t immoral or illegal (though I am not a lawyer), at least if you are only listening in. The WiFi spectrum is unregulated, so those who exercise their freedom to transmit within the WiFi wavelengths implicitly authorise anyone who is in range to listen to what they have sent out. WiFi transmissions really are public, and that is by design.

When QPS first announced their wardriving ideas, back in July 2009, reactions were mixed. In particular, some observers imagined that their goal was to wipe out free internet access, assuming that the police would be unashamedly opposed to free WiFi since open access points can provide anonymity for carrying out or co-ordinating criminal activity, from spamming, through credit card fraud, all the way to terrorism.

But the Queensland coppers are not trying to be wowsers or kill-joys. Most of the insecure networks they find are not open by design, but by accident, and represent data leakage problems just waiting to happen. As more and more users rely on connecting work laptops to their home networks, WiFi insecurity poses an ever-increasing risk.

If you want to ensure security and confidentiality when using a public transmission medium such as WiFi, you must take positive steps. QPS wants the public to become aware of the steps they should be taking.

Unfortunately, there are still a few old-school myths out there about what represents a satisfactory minimum for WiFi security, so let’s bust the three most common myths very briefly.

Firstly, hiding your network name (known as the SSID, or more properly the ESSID, for Extended Service Set Identifier) does not increase security. It can increase safety, by preventing passing visitors from latching onto your network by mistake. But the ESSID is passed unencrypted to the access point whenever a legitimate user connects to your network.

So – as the Kismet screenshots on the right reveal – your ESSID is both exposed and confirmed whenever anyone connects successfully.

Secondly, Media Access Control (MAC) address filtering, which restricts access to users with specifically-numbered network cards, doesn’t increase security, either, though it helps to prevent inadvertent connections. Currently-active clients can be enumerated with a WiFi sniffer, thus exposing the list of MAC addresses which are allowed to connect to your access point. Since you can adjust the MAC address of most WiFi cards with software, an attacker can easily spoof an authorised network card and connect to your access point.

Thirdly, WEP (Wired Equivalent Privacy) encryption simply isn’t good enough. Due to a cryptographic weakness in the underlying protocol, WEP passwords can be recovered using statistical techniques from an astonishingly small amount of network traffic. In a recent experiment, I sniffed the WiFi traffic generated by downloading the latest Firefox security update (about 9MB). From this captured data alone — about 2 minutes’ worth on a 1.5Mbit/sec ADSL line — I was able to recover the WEP key in under 20 seconds.

Use WPA (WiFi Protected Access) as a minimum. Two encryption systems are supported: TKIP and CCMP. Since TKIP is based on the RC4 encryption algorithm, which contains the flaws through which WEP can easily be broken, I recommend that you choose CCMP, which is based on the as-yet-untarnished AES encryption algorithm.
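As an added example (not from the original post), here is a small Python parser for 802.11 beacon frame bodies, which access points broadcast in the clear by design. It reports whether each network's name is hidden and whether it advertises Open, WEP, WPA/TKIP or WPA2/CCMP, so you can confirm that your own access point is offering CCMP rather than WEP or TKIP. The sample frames are constructed inline; the cipher-suite numbers follow IEEE 802.11 (1 = WEP-40, 2 = TKIP, 4 = CCMP, 5 = WEP-104), and the `beacon` helper and SAMPLES names are my own.

```python
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}  # suite types for WPA and RSN IEs
PRIVACY_BIT = 0x0010  # capability-info bit 4; set with no RSN/WPA IE means WEP

def parse_ies(body):
    """Yield (tag, value) for the tagged parameters after the 12 fixed bytes."""
    pos = 12  # timestamp(8) + beacon interval(2) + capability info(2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        yield tag, body[pos + 2:pos + 2 + length]
        pos += 2 + length

def pairwise_suites(ie, oui):
    """Cipher names from an RSN/WPA IE payload laid out as version(2) group(4) count(2) suites(4*n)."""
    count = struct.unpack_from("<H", ie, 6)[0]
    sels = [ie[8 + 4 * i:12 + 4 * i] for i in range(count)]
    return [CIPHERS.get(s[3], "unknown") for s in sels if s[:3] == oui]

def classify_beacon(body):
    """Report SSID, hidden flag and security mode for one beacon frame body."""
    cap = struct.unpack_from("<H", body, 10)[0]
    ssid, ciphers, proto = "", [], None
    for tag, val in parse_ies(body):
        if tag == 0:  # SSID element; empty or all-NUL means the name is "hidden"
            ssid = val.decode("utf-8", "replace")
        elif tag == 48:  # RSN information element (WPA2), OUI 00:0F:AC
            proto, ciphers = "WPA2", ciphers + pairwise_suites(val, b"\x00\x0f\xac")
        elif tag == 221 and val[:4] == b"\x00\x50\xf2\x01":  # vendor-specific WPA IE
            proto, ciphers = proto or "WPA", ciphers + pairwise_suites(val[4:], b"\x00\x50\xf2")
    hidden = ssid == "" or set(ssid) == {"\x00"}
    if proto:  # WPA/WPA2: flag as weak only if RC4-based TKIP is offered
        security, weak = proto + "/" + "+".join(ciphers), "TKIP" in ciphers
    elif cap & PRIVACY_BIT:
        security, weak = "WEP", True
    else:
        security, weak = "Open", True
    return {"ssid": ssid, "hidden": hidden, "security": security, "weak": weak}

def beacon(ssid, cap, *ies):
    """Build a constructed beacon body (not captured traffic) for testing."""
    head = bytes(8) + struct.pack("<HH", 100, cap) + bytes([0, len(ssid)]) + ssid
    return head + b"".join(bytes([t, len(v)]) + v for t, v in ies)
# Constructed IEs: RSN advertising CCMP pairwise, vendor WPA IE advertising TKIP.
RSN_CCMP = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
WPA_TKIP = bytes.fromhex("0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
SAMPLES = {"open": beacon(b"FreeWiFi", 0x0001), "wep": beacon(b"HomeNet", 0x0011),
           "hidden": beacon(b"", 0x0011, (48, RSN_CCMP)),
           "wpa_tkip": beacon(b"CafeWiFi", 0x0011, (221, WPA_TKIP))}
RESULTS = {name: classify_beacon(body) for name, body in SAMPLES.items()}
```

Feeding real beacon bodies (for example from a pcap of your own network) in place of SAMPLES gives the same report; a result with `weak` set means the access point is still relying on one of the myths above.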

Act today. Don’t wait for The Man to warn you that your WiFi is insecure!

802.11 number plate is a “share and remix” image from Woody1778a’s Flickr stream