Summary of the results and highlights of the 2007 WLAN Security Audit performed in Saint Lambert

by Marc André Léger, DESS, MASc (MIS), PhD (Candidate)
    Professor, Champlain College (Saint Lambert)
    Lecturer, University of Sherbrooke - Longueuil

The French version is available here

The results from the October scan are here.

Summary

On Saturday, May 19th, 2007, from 10:00 a.m. to 4:00 p.m., students from the Wireless Networking program at Champlain College Saint-Lambert, under the supervision of their professor, Marc-André Léger, performed a wireless network security audit in the streets of the city of Saint-Lambert (Quebec) as an educational activity. This document presents an overview of what was done and a summary of the results.

Introduction

The city of Saint Lambert is an affluent suburb located on the south shore of Montreal. It can be easily found on a map as it is located between the Jacques-Cartier and Champlain bridges, with the old Victoria Bridge right at its middle. Statistics Canada data for the city, presented in the table below, indicates that the median family revenue is higher (68.7%) than the provincial median and higher than that of its neighbour Longueuil, with which it was amalgamated for a brief period.

| Variable | Saint-Lambert | Longueuil | Québec (Province) |
|---|---|---|---|
| Population in 2001 | 21,051 | 128,016 | 7,546,131 |
| Total private dwellings | 10,513 | 59,445 | 3,452,300 |
| Population density per square kilometre | 2,584 | 2,909.2 | 5.3 |
| Land area (square km) | 8.15 | 44 | 1,357,743 |
| Estimated household internet availability (2001) | 48% | | 44.5% |
| Median revenue by family | 84,753$ | 48,557$ | 50,242$ |

Table 1: Statistics Canada data for Saint-Lambert

The objectives

This was primarily intended as an educational activity inspired by numerous recent media reports and documentaries on the vulnerabilities of home wireless networks. The most significant objective from an educational point of view was to provide the students with hands-on experience in performing a wireless network security audit (WNSA). The general objective was to perform a city-wide wireless security audit and map the wireless networks (either home or business) that were found.

At the same time, the exercise served as a community service: the professor believed that it was his duty to share any vulnerability found with the residents so that they could be made aware and, thereafter, make informed decisions regarding their own situation and maximize the return on their technology investments with acceptable exposure to the inherent risks of wireless networks. For this purpose, the students left a prepared notice in the mailbox of residences that appeared to them to be at risk.

To respect the residents' right to privacy, students were instructed to observe only IEEE 802.11x data packets and signals present outside the limits of private property, never trespassing. The students were not to look or attempt to look at the data inside the packets, or attempt to gain access to data, information or computer services in any way. Students had been strictly advised that all activities were being performed on public property as a community service activity. No attempt to access computer facilities, files or resources was to be undertaken by students. This was also done to respect Art. 342.1 of the Criminal Code of Canada. Any student who did not respect these rules would be excluded from the activity and would be subject to sanctions.

The note left to residents indicated that students performing an exercise had detected signals, likely coming from a wireless network router, a laptop computer, or a game console with an active wireless adapter. Residents were informed that there was no reason to be alarmed: if they had not had any problems in the past, there was no reason to believe that they were suddenly at risk. However, it would be prudent to take a few minutes to ensure that adequate protections were in place considering their particular situation and tolerance to risk. The note suggested that they start by looking at the manuals that came with their devices and the websites of the wireless equipment manufacturers for advice on the information security risks associated with WLAN use and how to mitigate those risks to an acceptable level. We included a link for any resident who needed additional information: http://www.leger.ca/CHAMPLAIN/. In the following days (from Saturday to Wednesday), the English web page was visited 29 times and the French page 5 times.

Activity logistics

Twenty (20) students participated from the WLAN Fundamentals course and two (2) additional students from another course (Intrusion Detection Systems) given by the same professor, for a total of twenty-two (22) students. The students were divided into 8 teams of 2 or 3 students. The students are all adults, many having graduate diplomas from foreign universities not currently recognised in the province of Québec. The professor qualifies this class as above average, based on his previous college and university teaching experience.

Each team was assigned an area in the city. Seven areas were determined, as described in the table below:

| Area | Description |
|---|---|
| 1a | Préville sector, north of Queen |
| 1b | Préville sector south of Queen |
| 2 | Delimited by Queen, Victoria, the Montreal Country Club and Alexandria |
| 3 | Delimited by Queen, Riverside, the Montreal Country Club and Alexandria |
| 4 | From Alexandria to the CN rail tracks and from Victoria to Riverside |
| 5 | A triangle formed from Notre-Dame to CN rail tracks to Riverside |
| 6 | Tiffin to Notre-Dame and Desaulniers to the CN Rail tracks |
| 7 | Tiffin to Notre-Dame and south of Desaulniers |

Table 2: areas delimited for the exercise.

Students who participated in the exercise were required to have:

Champlain College (Saint Lambert) provided:

The city of Saint Lambert, through the city's Director General, Mrs Michele V. Lortie, and the Permits division, approved the exercise and supplied a solicitation permit at no cost. We received assistance from Selwyn House, a very reputable private school located in Westmount (Quebec). Two students in the course who are employees of that institution offered to loan laptop computers to students who did not have one, from a pool of computers they have available for their students. The activity web site was prepared by a small group of students who, judging by the results (http://www.leger.ca/CHAMPLAIN/), had abilities and talent in this area. The students arrived at the College at 10h00 and were out performing the audit at around 10h45. They returned for a pizza lunch offered by the teacher from 12h30 until 13h13. From 13h30 until 15h00 they continued the audit.

War driving or WLAN Security audit?

War driving is the act of driving around an area searching for networks with a laptop computer or a portable device (PDA, scanner). It originated around San Francisco (California, USA) with the Bay Area Wireless Users Group (BAWUG). The name War driving comes from war dialling, which was popularized in the 1983 movie WarGames, featuring Matthew Broderick.

At the suggestion of the Director of Continuing Education, Mr Mark Wallace, it was decided to call the exercise a WLAN Security Audit as the name War Drive seemed to have negative connotations.

War driving is possible because users of wireless networks, due to lack of knowledge, lack of adequate information, ignorance or laziness, leave their wireless access points unsecured. In many cases the devices are unsecured because the default configuration that was in place when the device was purchased is still being used. For example, in the data presented from the exercise, 3% of the wireless devices have default as their network identifier (SSID) and 53.9% used channel 6, often set as the default channel at the factory. (More information about doing your own War driving)

Initial findings

Using the results of two (2) teams that were available after the exercise, an opportunistic sample of 335 was created and used to present some of the results. The area covered by the two teams, areas 5 and 6, represents roughly 10% of the total land area of the city and included the main commercial sector. In this area it would be reasonable to expect around 500 residences with internet access, based on the data available from Statistics Canada.

10% x Total private dwellings (10,513) x Estimated household internet availability (48%)

Therefore a number of 335 identified wireless devices seems possible with 33% of all networks using wireless devices. However, no specific data was found that would permit validation of these numbers.

In that sample, 5 devices were eliminated as they had been identified as being onboard a VIA passenger train that was observed during the audit. VIA Rail Canada offers free wireless access to certain customers, which provided a reasonable justification for an unsecured network. So the sample used for the rest of this article is of 330 (n=330).

| Item | Results (numerical) | Results (% of sample) |
|---|---|---|
| Sample | 330 | 100% |
| Encryption OFF | 103 | 31.2% |
| Encryption ON | 227 | 68.8% |
| Configured as Access Points | 328 | 99.4% |
| Peer-to-peer | 2 | 0.6% |
| Using default as SSID | 10 | 3% |
| Channel 1 | 33 | 10% |
| Channel 2 | 8 | 2.4% |
| Channel 3 | 2 | 0.6% |
| Channel 4 | 3 | 0.9% |
| Channel 5 | 4 | 1.2% |
| Channel 6 | 178 | 53.9% |
| Channel 7 | 4 | 1.2% |
| Channel 8 | 3 | 0.9% |
| Channel 9 | 5 | 1.5% |
| Channel 10 | 5 | 1.5% |
| Channel 11 | 85 | 25.8% |

Table 3: summary of results

Of the 330 devices that are included in the sample, 108 were completely unsecured, with no encryption activated. This is one third of the total number. Such a high number was not expected. To give the reader an idea of the problem, if this were the case at the provincial level, it would represent over 167,000 completely unsecured wireless networks in Québec.

Total private dwellings (3,452,300) x Estimated household internet availability (44.5%) x 33% using wireless devices x 33% unsecured

While others did use encryption, all seemed to use the Wired Equivalent Privacy mode, or WEP, an encryption technology that has many flaws and vulnerabilities. A knowledgeable individual can obtain the WEP cipher key by various methods documented on the internet in a few minutes to a few hours.

Two (2) of the devices were configured in Peer-to-peer mode. While this type of use is highly problematic from a security point of view, it is difficult to estimate a specific problem in these cases. Further investigation would be necessary.

A potential problem that would require further investigation is the close proximity of multiple wireless devices using the same frequency and the same channel. There must be performance problems experienced by the users of the devices; however, this was outside the scope of the project, as the students did not have access to the tools required to evaluate this. One team of students did bring a software tool called AirMagnet (http://www.airmagnet.com/), which indicated the potential for significant problems in one city block in the area they covered.
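An added example, not part of the original report or of the students' tooling: one way to reduce raw survey observations to the counts and percentages reported in Table 3, including the exclusion of transient devices such as those aboard the train. The CSV column names, the `transient` flag, the deduplication by BSSID and the sample rows are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample rows (not audit data); column names are assumptions.
# BSSIDs use the 00:00:5E:00:53:xx range reserved for documentation.
SAMPLE_CSV = """ssid,bssid,channel,encryption,mode,transient
default,00:00:5E:00:53:01,6,none,ap,no
HomeNet,00:00:5E:00:53:02,6,wep,ap,no
Office,00:00:5E:00:53:03,11,wep,ap,no
Laptop,00:00:5E:00:53:04,1,none,adhoc,no
TrainWiFi,00:00:5E:00:53:05,6,none,ap,yes
HomeNet,00:00:5E:00:53:02,6,wep,ap,no
"""
FACTORY_SSIDS = {"default"}  # the report counts "default"; extend as needed

def summarize(csv_text):
    """Tally a survey in the style of Table 3, one row per distinct BSSID."""
    seen, rows = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].strip().upper()
        if bssid in seen:          # same device logged on a second pass
            continue
        seen.add(bssid)
        if row["transient"].strip().lower() == "yes":
            continue               # e.g. devices aboard a passing train
        rows.append(row)
    n = len(rows)
    counts, channels = Counter(), Counter()
    for row in rows:
        enc = row["encryption"].strip().lower()
        counts["encryption_off" if enc == "none" else "encryption_on"] += 1
        if enc == "wep":           # encrypted, but with a flawed scheme
            counts["wep"] += 1
        adhoc = row["mode"].strip().lower() == "adhoc"
        counts["peer_to_peer" if adhoc else "access_point"] += 1
        if row["ssid"].strip().lower() in FACTORY_SSIDS:
            counts["default_ssid"] += 1
        channels[int(row["channel"])] += 1
    pct = lambda k: round(100.0 * k / n, 1) if n else 0.0
    return {
        "sample": n,
        "items": {k: (v, pct(v)) for k, v in counts.items()},
        "channels": {c: (v, pct(v)) for c, v in sorted(channels.items())},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
```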

Conclusion

Overall, the students seemed quite pleased by the experience. They indicated that they were able to visualise some of the theoretical concepts seen in class, as expected in this type of exercise. There were no problems with residents and, to our knowledge, no complaints have been filed with the city. Since no student was arrested the experience was very positive. On the other hand, the data is not such good news. (see a Powerpoint presentation by a student)

Looking at the results, it seems that wireless security in residential networks is catastrophic. This would support past beliefs that a province-wide IT security awareness campaign is needed, as only through education can durable social change be enacted… and the situation calls for action if Quebec is to claim any kind of leadership in Information Technology.

Bibliography

Léger, Marc-André (2007) Class presentation for the course WLAN Fundamentals, available on www.leger.ca

Statistics Canada (2007) Community highlights for Saint-Lambert (Québec), accessed online May 23rd, 2007