Wardriving: Hackers on Wheels
"We just got one," says Xam. "It's a Linksys system, probably from that building." He points to an office building. "Xam," the nickname used by a hacker and student, is showcasing the weakness of business computing's hottest new tool: wireless networks. "This one's wide open," he says. "Let's go find some more."
Wireless networks are now cheap enough that businesses and organizations of all sizes are installing them. These networks allow employees to easily access databases, e-mail and the Internet from remote locations. But, as Xam is pointing out, they create a massive potential security risk.
Most wireless networks, says Xam, are "about as secure as a screen door." Finding them is as easy as taking a ride through town with the right equipment.
The practice of roaming around looking for open networks is called "wardriving," an homage to the classic hacker movie WarGames. All it takes is a laptop computer and a card that Best Buy and Circuit City sell for about $100.
As Xam navigates the streets, his laptop's screen periodically explodes with bursts of data. Wireless systems, he explains, "run what's called access point code. It recognizes that your computer is in range and broadcasts its identifier ten times a second." He chuckles. "It makes it really easy to find the networks and if you respond to their broadcast, you can associate to their network and they don't really have any way to keep you from doing it."
And while Xam's interest is benign, this capability opens the door to all manner of mischief. "You can sniff communications on their network," he says. "You use their network to send lots of virus-laden spam on their tab. Or if there was someone you wanted to whack on the Internet, you could use their network to do it." By "whack," he means actions that range from crashing servers to altering the content of public Web sites.
Wireless network weaknesses popped up in the news recently as the airline industry hustled to meet a Jan. 18 deadline to screen all checked bags for explosives. American Airlines and Southwest Airlines are both using this technology for bag matching and check-in services at selected airports. Alleged infiltration by private security firms led FAA Information Security Director Mike Brown to announce that airline wireless systems would be subject to "increased scrutiny."
Christopher Gerg, network security engineer at Berbee, a consulting firm and Web-hosting services provider, says most people don't realize the risks associated with wireless networks and, for the most part, that's okay.
"For a home user, it's not that big a deal. Chances are you don't have the formula for a cancer cure on your computer, so likely you don't have to worry too much about people messing with your data," he says. "But people with nefarious intentions can still associate to your network and use it to launch attacks on another network."
The real kicker: "It's an almost untraceable attack." If someone infiltrates a wireless network for the purpose of waging an attack on someone else, efforts to trace the source of this attack will lead back to the wireless network, and end there. Says Gerg, "It's almost the perfect crime because the hacker has an anonymous access point."
And wireless systems provide a point of entry for outsiders with a desire to snoop. "The big risk is to business," reflects Gerg. "It used to be that e-mail and databases were a convenience, but now they are the oil that keeps the business machine running, so to speak, and there's a lot of sensitive proprietary information rolling around in there."
To a large degree, the problem is with the wireless systems that are on the market. FBI Special Agent Mark Bowling, computer intrusion program coordinator, says the security precautions built into most off-the-shelf wireless systems "are based on rudimentary encryption schemes which provide minimal security" and "virtually no privacy." And "while I can't say that all corporations are implementing these systems foolishly, I can say that many are introducing a degree of risk that may be unacceptable in the long term."
This point is not lost on the local hacker community. "Yagibare," the handle of a hacker-cum-information-technology professional who, like Xam, wardrives, sees the problem as a matter of resources.
"You see a small business with say, 50 employees," says Yagibare. "They hire a consultant, or get the secretary's husband to set up their wireless because he knows a little about computers. They likely don't have a clue as to how to set up a wireless network so that it is both robust and secure. And the biggest thing they miss is the mental picture of the wireless signal."
Yagibare sweeps his arms through the air. "It goes through walls. You can see where a cable ends, and people just figure it's the same with wireless." He shakes his head. "It's not."
Even large institutions are not immune. In the course of their wardriving, both Xam and Yagibare have found numerous open networks on university campuses. Brian Rust, communications manager for DoIT, a University of Wisconsin campus information technology service, isn't shocked. While he can speak at length about security measures in place for his campus' Wireless WiscWorld network, he says "there are other wireless networks on campus that schools, colleges and departments have set up on their own" that are less secure. Admits Rust, "The networks are open in some places and not open in others."
Indeed. Gary Smulka, assistant director of information services for UW Hospital, says wireless networks are only used for patient data "in the emergency room, and that system is complete with current encryption technology." But he confirms that, last November, the hospital discovered "a vulnerability in a pilot program we had running" in the pharmacy. "We have since sealed that hole and have encryption in place."
Xam knows about that hole; he found it while wardriving. "I'm not a doctor, but I saw what looked like patient data." Names? "Yeah." UW Hospital spokesperson Linda Brei says that because of security concerns "we are implementing wireless systems very, very slowly, in spite of demands from doctors for the technology."
Despite popular characterizations, not all hackers are nefarious. Some see themselves as good guys who want to alert unsuspecting businesses that their fly is down, rather than run roughshod over their ignorance. But these "white-hat hackers" are often loath to break the news.
Law enforcement takes a dim view of their actions. "I don't buy into the white-hat, gray-hat hacker routine," says Bowling of the FBI. "I think that people have a right to privacy under the Fourth Amendment and nowhere in the Fourth Amendment does it give anybody else the ability to intrude in that privacy for the sake of curiosity. What you see are people who would be outraged if the government violated their right to privacy, and they are out flagrantly violating somebody else's right to privacy because they are curious. That's hypocrisy at its core."
Okay, but what should hackers do if they want to report something? Replies Bowling, "I would prepare a letter to the chief information officer of the company with a copy to the CEO of the company and the board of directors, advising them that this vulnerability exists and that it creates a number of possible risks that could result in loss of data, network reliability, customer confidentiality, etc., etc."
But hackers are wary. "If you call up a company and say, 'Hey, I was in your parking lot and I found this vulnerability in your wireless,' they may say 'thanks' and they may call the cops and prosecute you for breaching their security," says Yagibare. "They could try to associate any damage that's ever happened to you, or drag you into court, just as a deterrent. They can say, 'You forced an upgrade of our systems and it cost 200 man hours.' The court doesn't know how long it really took."
Sitting cross-legged on the tailgate of a truck in the parking lot of a business park, Xam discovers yet another open network. "Whoa," he says, "these people aren't just open, they're wide open. I don't even have to try and I'm in. Look."
He turns around his laptop, which is showing the raw HTML code for yahoo.com. He's on the Internet, through someone else's network. "Usually it takes at least a few minutes, like trying a locked door with all the keys on your key ring when you know one will work," he says. "But these people don't have any security measures enabled. I could basically do whatever I want right now and there's nothing they could do about it."
Matt Olson is a freelance writer in Madison, Wisconsin.