Welcome to the era of drive-by hacking

The slower the traffic the easier to spot wireless
networks

By BBC News Online technology
correspondent Mark Ward

BBC News Online has been shown just how lax security is on wireless networks used in London’s financial centre.

On one short trip, two-thirds of the networks we discovered using a laptop and free software tools were found to be wide open.

Any maliciously minded hacker could easily join these networks and piggy back on their fast net links, steal documents or subvert other machines on the systems to do their bidding.

None of the wireless networks we found used anything but their flawed, in-built security systems to protect against hack attacks.

On the warpath

Many people think of hacking as a sedentary pursuit, carried out in bedrooms and back rooms all over the world.

Often it is, but the growing popularity of wireless networks is making some curious folk leave their bedrooms and venture out into the fresh air.

Armed with a laptop, a wireless network adapter card, as well as some widely available software tools, you can travel the streets logging the location of these networks and picking up information that could let you attack them.

The pursuit has come to be called “war driving” if it is done in a car, “war pedalling” if done on a bike and “war walking” if on foot.

The phrase derives from the practice of “war dialling” in which phone phreaks and hackers map telephone systems by dialling a range of numbers to see which respond with tones used by data networks.

Tuning in

But, in contrast to the hacking practices carried out over telephone lines and the net, spotting and using wireless, or wifi, networks is very straightforward.

It is as easy as listening to the radio. What makes it easier is that everyone is broadcasting on the same frequency.

BBC News Online was shown just how easy it was by two ethical hackers who prefer to be known as Codex and Kuji. We drove with the pair around London’s financial district.

As we drove, we watched the screen of a notebook computer sitting on Codex’s lap. The machine was fitted with a wireless network card and a program that noted important information about any wifi nets we stumbled across.

Also attached to the laptop was a GPS handset that gave a more precise fix on where each network was detected from.

Wide open

Our journey began at the eastern end of The Strand and continued along towards Cannon Street. Within the space of one kilometre we logged the existence of 12 networks.

Only four of these had turned on the encryption system built into the wifi protocol. The other eight were wide open.

Codex said that using back and side streets to criss-cross an area would reveal even more networks.

“From an attackers point of view you want back roads because there is less road traffic,” said Codex, “and you might be able to park when you find a network.”

The pair’s past expeditions carried out on foot have spotted a lot more networks; Soho in particular.

Already websites exist which list the wireless networks in major cities. Many of those listed are doing nothing to stop people using them.

The names identifying the base stations controlling these wireless networks showed that little had been done to change the configuration of the system from the moment it was first switched on.

Good targets

Every time a new wifi network popped up on screen we eagerly looked out of the car windows to see if we could spot the building from which the signal was emanating.

Usually we couldn’t, but during our trip we passed investment banks, financial advisors and regional offices of large corporations – any one of which would be a prize target for a malicious hacker.

Codex said that many of the networks we found were likely to use a software package that automatically handed out internet identifiers to any devices joining those networks.

By using this identifier it would be possible to join the network and get access to all the services it provides just as if we were sat at a desk in the building.

Kuji said getting access via a wireless network puts you behind a firewall that usually stymies attempts to abuse a network.

Usually, wire-based hacking requires a formidable amount of knowledge, so you know which tools to use, what to look for and, more importantly, how to cover your tracks.

With wifi networks all this changes. The scary part is how easy they are to find, and how poorly protected they are.

Codex said that if companies took security seriously they would corral wireless networks behind a firewall and only allow trusted, encrypted and authenticated traffic to pass from that to the wider network.

“This mitigates against the risk of an attack against the corporate network,” said Codex, “it also limits the chance of an attacker using it to attack others, or distribute illegal material which may compromise the legal status of the company.”

Sadly, on the evidence gathered during one short trip across London, most have not done it properly, and have unwittingly created a hackers’ playground.