I was gonna take a little drive last saturday around my neighborhood with my notebook to look for open APs just for fun. I've got the fastest downlink my DSL providor has so I'm not really in need of more bandwidth so I was never really intrested but I figured I'd might as well introduce myself to the world of wardriving.

After hooking up my notebook I tested it with my own AP and it was ok. After that pointed my handy dandy antena (a tin can) at the office building a little distance aways just for shiats-and-giggles and viola, 5 SSIDs 3 transmitting their SSIDs without any security and those same with DHCPd up and running. I patched myself into their networks and was happy to find an open printer share on one of the machines in one of the offices and a nice fat downlink in the other, probably a webdevelopment company.

Damn, that took all the fun out of wardriving so I just stayed home and printed out a few tips on wireless security on the printer I found. Today, I checked again and everything was as it was last week.

Oh well, if my DSL ever goes down again, I'll use the fat downlink I found.

Jesus folks, it's called WEP - it might not be very good but it's more than enought to dissuade a casual snooper.

Hmmm....

I wonder how good security is up at the capital building these days...?

I think I found myself a project.

Shut Up, if you need security over wifi, VPN is the way to go - it's a lot of overhead but you'll have point to point secure traffic.

If you don't really care but don't want snoopers or freeloaders, WEP above 128bits is Good Enough(tm). At 64 bits it's a very weak defence but if you have low traffic, it's enough as WEP key snooping depends on high traffic. You can also turn off SSID transmissions from your AP, it avoids passive listening if your traffic is very low.

However, addressing your concerns, yes. Someone can freeload without knowing what you're doing. If that same somebody wants to know what you're doing online they'll have access to it (hence VPN but SSL might be enough).

I consider it two seperate things, most users just want a free ride being that most of them are script-kiddies and/or illiterates. The few that are smart and know how to sniff traffic to obtain useful information are a hell of a lot harder to detect and block. Remember that if someone really wants to steal your information, he will.

darkhorse23, sniff the other folks traffic - find out who their SMTP server is. :)

Knoppix and tcpdump are your friends.

WEP/128 is not much better than WEP/64. Either is protection against casual eavesdropping. Neither is protection against a determined attacker.

I worked with Paul Boutin, the author of the article, at MIT. I sometimes wondered what happened to him. He left for Silicon Valley 13 years ago and that's the last I heard of him.

for those on comcast/roadrunnner or any other cable based broadband, you should check the acceptable use policy prior to putting up an AP and thinking your being nice by leaving it open for anyone. comcast AUP states that you cannot share your connection outside of your residence to other, and they WILL hold YOU responsible for anything that happens on YOUR broadband connection. DSL may or may not have the same sort of thing.

I'm surprised that nobody has said this yet:

USE WPA

WPA encryption is nearly impossible for anyone outside of intelligence services to defeat. WPA is just as easy to set up as WEP, except it actually works. You'll need to find a router and a client card that supports it, but they're not too hard to find.

Is it ethical to steal others' service? I'm thinking that if they are that stupid (ie not setting up encryption), they deserve it.

Turning off SID broadcast doesn't really do anything for security. Locking the MAC down helps, but it's not that hard to spoof a MAC. With an air sniffer, it would take less than an hour to sniff out your WEP key and your MAC address and be using your router (and probably into your computer system).

Locking it down to MAC address and using WEP helps in that it deters all but those who really want in (and most people are "casual" users who just log in because it's there), but don't fool yourself into thinking you've really protected yourself from nerds who desire to get into your internet connection.

fezziwig: Well, obviously short passwords are subject to dictionary attacks. WPA is an encryption system, and so picking a weak password will leave it vulnerable. That applies to even the strongest crypto engines out there -- you can crack 3DES in thirty seconds if someone uses a three letter dictionary word passphrase.

But the encryption system itself, like WPA, IS secure, unlike WEP, which can be brute forced in a very short time. Brute focing goes around trying to figure out the passphrase altogether and just plows at the key solutions.

A couple weeks ago, I found over 400 wireless networks in just a quick circle around my little college town.

Then well over 1000 in the "big city" near by. A frightening majority of them were residential-type networks (i.e., not easily identifiable as being public hotspots (Starbucks, community networks, etc) or corporate networks (with business names in the SSID, etc). I'd give some stats but I'm too lazy to go back and look at my results.

My two wireless networks, however, have WEP turned on (one is for me and my equipment, the other is for the roommates to hook their computers into the router without having to drill holes in the wall to run Cat-5e cable all over the place). And there are several nearby that are open, so I doubt I have anyone even trying to mooch of my DSL connection (even though it probably wouldn't hurt to rotate WEP keys every now and then). Maybe I should change one of them to serve out IP addresses on an open network, but not actually connect it to anything. Let the losers think the thing is working and waste their time and energy. :)

CyberDave

(I just realized that I was being confusing above. Brute forcing does utilize trying to find the "password" in order to retreive the key. The problem is that with WEP, no matter how strong your password is, the cryto is trivially weak and can be broken quite easily. With WPA, on the other hand, the crytpo is strong. A very short passphrase will still make it easy to dictionary attack WPA, but a decent passphrase will make WPA rather impossible to brute force, especially when you use WPA hardware capable of utilizing the AES encrytion engine. IIRC, it would take a supercomputer more than the length of the universe to brute force AES-128.)

for those who are conserned, WPA is an extention to WEP

On a Mac everything is the same except you might have to download a "traceroute" program.

Dunno what Mac experience you've had, but 'traceroute' is there on my Mac OS X box. It's in /usr/sbin/traceroute.

And as far as WEP goes, it's pretty safe if it's used for an intermittent connection. The amount of time, effort, and number of captured encrypted packets needed far outweigh the benefit you get from cracking someone's WEP encryption key. If there are other people around with open networks, your neighbors will use them and not bother with your network.

If you use your wireless connection to replace a wired connection, then your packet generation rate goes way up. Increases the potential for your WEP key getting crack.

Then again, I've heard of tools recently that can crack WEP with under a million encrypted packets--they don't have to be the "weak" kind that traditional cracking tools like AirSnort required (most, if not all, wireless hardware can now avoid creating packets that have weak encryption). Haven't had a chance to look into those new tools, though, so I can't personally vouch for their effectiveness. I can say, however, that I set up a test wireless network last spring, generated something on the order of 12 million encrypted packets (many many gigabytes of data), and was unable to crack the WEP key using the popular AirSnort tool.

/CS Grad student specializing in network security.
//This post has been brought to you by myself and several bottles of Mike's Hard Lemonade