We first set out to find out exactly how many wireless networks there were in our local area. To do this we employed the practice of wardriving. For many people this can be as simple as a Windows laptop with a WiFi card and a program called NetStumbler that detects WiFi networks, possibly with a GPS receiver to map where they are located. For our discovery phase, however, we chose to use a Linux laptop running the detection tool Kismet (more robust than NetStumbler), a handheld GPS (Garmin Venture), and a homemade directional Yagi antenna. Kismet was set to channel hop, switching the channel our card was listening on roughly three times a second (there are 12 channels in 802.11b). This setup has many advantages over the Windows approach just described.
- The wireless card runs in "promiscuous mode", so you don't actually transmit any packets and are thus undetectable.
- Kismet presents a wealth of information compared to NetStumbler (AP manufacturer, whether the network is in factory default settings, client list, etc.), since it not only detects the network but can also sniff the packets on that network.
- There is also more flexibility in what we can do with the data we collect, since Kismet gives us XML output of the networks found. From this information we can create a variety of maps: power levels, range radii, etc.
- The directional Yagi gives us an extra 15 dB of SNR (signal-to-noise ratio) and allows us to pick up any network that is in line of sight (45 degrees to each side).
We focused on two main areas for our field research (wardriving).
- Neighborhoods in and around N.C. State University
- Downtown Raleigh area
[Map: WEP Enabled Color Plot]
[Map: Packet Plot based on Power]
This allowed us to break up our study between the findings for predominantly residential users and those for government (being the state capital, downtown Raleigh is home to nearly all state agencies) and business users.
Overall we found 505 wireless networks: 442 in what we would classify as our residential area and 63 downtown. It is important to note that the residential area covered a much larger land area, so although there were fewer networks downtown overall, the density there was higher (see maps above). Looking at the range and power maps you can see that the area is quite saturated with wireless networks; just about anywhere you go you are within range of someone's wireless access point. It is also important to note that there are lots of WiFi "hotspots" where many networks overlap each other; these areas are mostly high-density housing such as large apartment complexes, townhouses, and so on. In addition, it was interesting to note that the vast majority of WiFi networks operate on channel 6. This is due in large part to the fact that the most popular APs (Linksys, Netgear, Lucent) all default to channel 6.
We also kept track of how many of the networks had WEP (Wired Equivalency Protocol; see page 3) enabled. Overall, 35.5% of networks had WEP enabled: 74.6% downtown and 29.4% in residential areas. Many of the networks downtown belong to state government agencies and are required to use encryption; furthermore, they appeared to be using Cisco's LEAP protocol (see page 3). Another item of note is that a large percentage (~24%) of the WEP-enabled residential nodes were Lucent access points that come out of the box with WEP turned on, so it is not that people actually took the time to secure those networks; they were already secured for them (granted, they still had to enter the key into their client PCs). Each Lucent AP has a factory default SSID of 2wireXXX (X: 0-9). One possible vulnerability that may show up down the road is that each 3-digit code has a predetermined factory key. With lots of websites collecting and analyzing this sniffing data, it is not inconceivable that each of the 1000 default passphrases could be discovered and posted somewhere online.
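As an added example (not code from the original study), the following Python computes the kind of figures reported above from a survey export: WEP percentage overall and per area, the per-channel count that shows the crowding on channel 6, and APs still broadcasting the factory 2wireXXX SSID pattern so their owners can be pointed at reconfiguration. The XML layout is a simplified Kismet-style format constructed here for illustration, not Kismet's real schema.

```python
import re
from collections import Counter
from xml.etree import ElementTree as ET

# Constructed sample in a simplified Kismet-style layout (not Kismet's real
# schema): one <wireless-network> per AP, tagged with the survey area it was seen in.
SAMPLE_XML = """<detection-run>
<wireless-network wep="true" area="downtown"><SSID>agency-net</SSID><BSSID>00:00:00:00:00:01</BSSID><channel>6</channel></wireless-network>
<wireless-network wep="false" area="downtown"><SSID>coffee</SSID><BSSID>00:00:00:00:00:02</BSSID><channel>11</channel></wireless-network>
<wireless-network wep="true" area="residential"><SSID>2wire123</SSID><BSSID>00:00:00:00:00:03</BSSID><channel>6</channel></wireless-network>
<wireless-network wep="false" area="residential"><SSID>linksys</SSID><BSSID>00:00:00:00:00:04</BSSID><channel>6</channel></wireless-network>
<wireless-network wep="false" area="residential"><SSID>default</SSID><BSSID>00:00:00:00:00:05</BSSID><channel>1</channel></wireless-network>
</detection-run>"""

# Factory SSID pattern noted in the survey: "2wire" followed by three digits.
DEFAULT_SSID = re.compile(r"^2wire\d{3}$")

def parse_networks(xml_text):
    """Return one dict per AP: ssid, bssid, channel, WEP flag and survey area."""
    root = ET.fromstring(xml_text)
    nets = []
    for n in root.iter("wireless-network"):
        nets.append({
            "ssid": n.findtext("SSID", "").strip(),
            "bssid": n.findtext("BSSID", "").strip(),
            "channel": int(n.findtext("channel", "0")),
            "wep": n.get("wep", "false").lower() == "true",
            "area": n.get("area", "unknown"),
        })
    return nets

def wep_percentage(nets, area=None):
    """Share of APs with WEP enabled, overall or for one survey area (0.0 if none seen)."""
    subset = [n for n in nets if area is None or n["area"] == area]
    if not subset:
        return 0.0
    return round(100.0 * sum(n["wep"] for n in subset) / len(subset), 1)

def channel_histogram(nets):
    """Map channel -> number of APs, to see how crowded each channel is."""
    return Counter(n["channel"] for n in nets)

def factory_default_ssids(nets):
    """BSSIDs still broadcasting the factory SSID pattern: candidates for a reconfiguration notice."""
    return [n["bssid"] for n in nets if DEFAULT_SSID.match(n["ssid"])]

if __name__ == "__main__":
    nets = parse_networks(SAMPLE_XML)
    print("WEP overall:", wep_percentage(nets), "downtown:", wep_percentage(nets, "downtown"))
    print("channels:", dict(channel_histogram(nets)), "factory SSIDs:", factory_default_ssids(nets))
```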
Next we moved on to an analysis of the unencrypted traffic on the wireless network.