For 3 hours last month, a Siamese cat named Coco stalked a suburban neighborhood.
The mighty Coco’s hunting was fruitful that day. The inventory of what he dragged home:
- 1 mouse carcass. Status: gifted to owner, Nancy
- 23 unique Wi-Fi hotspots
- 4 routers using WEP. Status: easily cracked, given how creaky the antiquated form of encryption is
- 4 routers completely unprotected, no password required
Just like Sophos’s James Lyne did on his warbiking escapade earlier this year, Coco was able to map data about unsecure Wi-Fi as he prowled the neighbors’ back yards because he’d been strapped with a special collar. The analog technology of claws was employed for the mouse capture.
Coco’s collar housed an open-source Spark Core chip loaded with a security researcher’s custom-coded firmware, a Wi-Fi card, a tiny GPS module and a battery – in other words, everything a wardriving cat needs to map all the networks in a neighborhood, including those with easily broken, or nonexistent, protection.
The collar was created by Nancy’s granddaughter’s husband, Gene Bransfield, a security researcher for Tenacity Solutions.
It was one of two pet projects Bransfield showcased at the DefCon hacking convention in Las Vegas: the wardriving “War Kitteh”, and his “Denial of Service Dog”.
The DoS Dog was outfitted with a saddlebag that contained the WiFi Pineapple Mark V wireless network hacker tool and the TV-B-Gone kit.
DoS Dog was taken for a walk around town during World Cup matches earlier this summer.
Bransfield used a remote attached to the dog’s lead to scan TVs being used in bars along the route and then switch them off.
DoS Dog was just for laughs – a stunt that could have gotten Bransfield in a spot of trouble if he’d been walking down the street in Buenos Aires and dared to turn off World Cup games, he told The Guardian.
If you turn an Argentina World Cup game off you are going to get in trouble...
There's no socially redeeming thing about the dog... that was just trolling. I thought it would be funny so I did it.
He said that people noticing the “Denial of Service Dog” wording on the bag simply assumed it was a police dog.
The War Kitteh project, on the other hand, was meant as a public service: a way to engage the attention of the woefully numerous people who don’t give a rat’s rump about securing their Wi-Fi networks.
After all, Bransfield told The Guardian, mixing cats into a technical discussion will likely lure less tech-savvy people into paying attention.
An increasingly popular cat-tactic – consider Owen Mundy’s recent cat-stalking geolocation privacy project, which shows how easy it is to geolocate cats with the data leaked out from sites like Flickr, Twitpic, and Instagram.
Bransfield gave his DefCon talk a threatening title – “How To Weaponize Your Pets” – but he admits that War Kitteh doesn’t illustrate a substantial security threat.
Rather, he told Wired, it was a goofy hack designed to entertain the audience.
But one thing surprised him: the number of WEP-encrypted networks the rigged cat discovered.
WEP is a form of wireless encryption that’s considered mere child’s play to break.
In the wake of the epic 2008 TJ Maxx breach which involved millions of stolen credit card details, the Payment Card Industry (PCI) Security Standards Council instituted new rules prohibiting the use of WEP in any part of credit-card processing.
The new rules deemed it verboten to use WEP in any part of credit-card processing – for example, sending card data from a store terminal to a server – after 30 June 2010, and they prohibited installation of any new WEP-enabled system after 31 March 2009.
Yet here we are in 2014, and Coco the War Kitteh found WEP-encrypted hot spots speckling the neighborhood like a bunch of fleas, said Bransfield:
My intent was not to show people where to get free Wi-Fi. I put some technology on a cat and let it roam around because the idea amused me. But the result of this cat research was that there were a lot more open and WEP-encrypted hot spots out there than there should be in 2014.
I appreciate the input from Slashdot commenter penguinoid, who noted that there’s no pussyfooting around the security implications of WarKitteh:
This, more than ever, proves that security is a cat-and-mouse game. The script kitties will be all over this - they'll milk it for all it's worth.
Seriously, though, War Kitteh should serve as a friendly, furry reminder to lock down our homes’ Wi-Fi access points.
Maybe Coco the War Kitteh wouldn’t mooch off of somebody’s open Wi-Fi or spy on the unsecure connections’ users, but other people with less scruples and opposable thumbs have no compunctions about doing so.
Coco, I’m sure, would join Naked Security in inviting you to revisit Wi-Fi network security, whether it’s in your own home or at your friend’s, or family’s, place.
Watch our video, “Busting Wireless Security Myths“.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)Follow @NakedSecurity