by Marc-André Léger, DESS, MASc (MIS), PhD (Candidate)
Professor, Champlain College (Saint Lambert)
Lecturer, University of Sherbrooke - Longueuil
Summary
On Saturday, October 27th, 2007 from 9:00a.m. to 4:00p.m., students from the Wireless Networking program at Champlain College Saint-Lambert under the supervision of their professor, Marc-André Léger, performed a wireless network security audit in the streets of Montreal, Quebec, Canada as an educational activity. This document presents an overview of what was done and a summary of the results.
Introduction
The city of Montreal is the metropolis of the Province of Quebec, in Canada. It is the principal economic and business center east of Toronto, metropolis of Canada.
The objectives
This was primarily intended as an educational activity inspired by media reports and documentaries on the vulnerabilities of home wireless networks. A similar activity had taken place in the city of Saint Lambert a few months earlier with a previous cohort; it is documented here. As before, the principal objective from an educational point of view was to provide the students with hands-on experience in performing a wireless network security audit (WNSA). The general objective was to perform a partial city wireless security audit and map the wireless networks (either home or business) that were found. This would give the students an idea of the current situation of wireless networks in Montreal.
In the previous exercise, in a limited area, the students left a prepared notice in the mailbox of residences that appeared at risk. However, this was not practical for this new attempt due to the multiplex nature of residential buildings in Montreal and the presence of high rise buildings in commercial areas.
As in the previous exercise, to respect the right to privacy of residents, students were instructed to observe only IEEE 802.11x data packets and signals present outside the limits of private property, never trespassing. The students were not to look or attempt to look at the data inside the packets or attempt to gain access to data, information or computer services in any way. Students had been strictly advised that all activities were being performed on public property as a community service activity. No attempt to access computer facilities, files or resources was to be undertaken by students. This was also done to respect Art. 342.1 of the Criminal Code of Canada. Any student who did not respect these rules would be excluded from the activity and would be subject to sanctions.
Activity logistics
Twenty-two (22) students from the WLAN Fundamentals course participated. The students were divided into 7 teams of 3 or 4 students. The students are all adults, some having graduate diplomas from foreign universities not currently recognised in the province of Québec.
Each team was assigned an area in a limited sector of the city, known as Hochelaga-Maisonneuve. This area was selected as it is located near the residence of the professor. This residence was used as an operational command center and for lunch. Seven areas were determined, all near public transport subway terminals (called Metro), at the stations listed below:
Papineau
Frontenac
Préfontaine
Joliette
Pie-IX (2 teams)
Viau
Students who participated in the exercise were required to have:
a laptop per team
a wireless (802.11b, g or n) network adapter
installed open source software (netstumbler)
a cell phone per team for security
Champlain College (Saint Lambert) provided:
a badge to identify the students
detailed instructions
a map
water bottles (2 per student)
a briefing and documents on the limits to respect
instruction on what to do
an assigned grid to canvass (where their team would scan)
The students arrived at their assigned starting point, their assigned Metro station, for 9h00am and called in to indicate they were ready to start; most started performing the audit at around 9h30. They returned for a pizza lunch offered by the teacher at 13h00, which was followed by a debriefing. Following the exercise, a few students performed additional scans as partial credits for the final assignment in the course.
War driving is the act of driving around an area using a laptop computer or a portable device (PDA, scanner) to detect networks. It originated around San Francisco (California, USA) with the Bay Area Wireless Users Group (BAWUG). The name War driving comes from war dialling, which was popularized in the 1983 movie WarGames, featuring Matthew Broderick. As for the previous exercise, it was decided to call the exercise a WLAN Security Audit as the name War Drive seemed to have negative connotations.
War driving is possible because users of wireless networks, due to lack of knowledge, lack of adequate information, ignorance or laziness leave their wireless access points unsecured. In many cases the devices are unsecured because the default configuration that was in place when the device was purchased is being used. For example, in the data presented from the exercise 3% of the wireless devices have default as their network identifier (SSID) and 53.9% used channel 6, often set as the default channel at the factory. (More information about doing your own War driving)
With the initial war drive and the additional scans done by students, a total of 14906 devices were found, which is the sample used for the rest of this article (n=14906).
| Item | A08 results (numerical) | A08 results | H07 results (numerical) | H07 results |
|---|---|---|---|---|
| Sample | 14906 | 100% | 330 | 100% |
| Encryption OFF | 3618 | 24.3% | 103 | 31.2% |
| Encryption ON | 11288 | 75.7% | 227 | 68.8% |
| Configured as Access Points | 14702 | 98.6% | 328 | 99.4% |
| Peer-to-peer | 198 | 1.3% | 2 | 0.6% |
| Using default SSID | 283 | 1.9% | 10 | 3% |
| Channel 1 | 1716 | 11.5% | 33 | 10% |
| Channel 2 | 180 | 1.2% | 8 | 2.4% |
| Channel 3 | 257 | 1.7% | 2 | 0.6% |
| Channel 4 | 369 | 2.5% | 3 | 0.9% |
| Channel 5 | 147 | 1% | 4 | 1.2% |
| Channel 6 | 7406 | 49.7% | 178 | 53.9% |
| Channel 7 | 172 | 1.2% | 4 | 1.2% |
| Channel 8 | 272 | 1.8% | 3 | 0.9% |
| Channel 9 | 295 | 2% | 5 | 1.5% |
| Channel 10 | 332 | 2.2% | 5 | 1.5% |
| Channel 11 | 3852 | 25.8% | 85 | 25.8% |
Table 1: summary of results
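How counts and percentages like those in Table 1 can be tallied from beacon metadata alone, as an added example that is not part of the original article or the students' tooling. The CSV record layout, the list of default SSIDs and the sample rows are assumptions constructed for illustration; only the 802.11 capability bits are standard.

```python
import csv
import io
from collections import Counter

# 802.11 Capability Information bits (IEEE 802.11 standard).
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010

# Assumed factory-default SSIDs; extend for the hardware seen locally.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "belkin54g"}

# Constructed sample records (not audit data): ssid, capability flags (hex), channel.
SAMPLE = """ssid,flags,channel
linksys,0001,6
HomeNet,0011,6
default,0001,6
Cafe-Guest,0001,11
Office-5,0011,1
laptop-adhoc,0002,11
,0011,6
Bureau,0411,11
"""

def load(text):
    """Parse records; skip rows with malformed flags or channel instead of crashing."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        try:
            rows.append((r["ssid"].strip(), int(r["flags"], 16), int(r["channel"])))
        except (ValueError, TypeError, AttributeError):
            continue
    return rows

def summarize(rows):
    """Return {item: (count, percent)} using the row labels of Table 1."""
    n = len(rows)
    c = Counter()
    for ssid, flags, channel in rows:
        c["Encryption ON" if flags & CAP_PRIVACY else "Encryption OFF"] += 1
        if flags & CAP_IBSS:
            c["Peer-to-peer"] += 1
        elif flags & CAP_ESS:
            c["Configured as Access Points"] += 1
        if ssid.lower() in DEFAULT_SSIDS:
            c["Using default SSID"] += 1
        c[f"Channel {channel}"] += 1
    return {k: (v, round(100 * v / n, 1)) for k, v in sorted(c.items())} if n else {}

if __name__ == "__main__":
    for item, (count, pct) in summarize(load(SAMPLE)).items():
        print(f"{item:30} {count:6} {pct:5}%")
```

The Privacy bit only shows that some encryption is advertised; it does not distinguish WEP from WPA, so an "Encryption ON" count is an upper bound on adequately protected networks.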
There are many apparent similarities in both measures. Of the devices included in the sample, 24% were unencrypted. This is moderately better than the 31% identified in the previous exercise. However, this may have a simple explanation: the area covered included many commercial dwellings, which are more likely to implement basic security measures, compared to the previous area, which is predominantly residential. The full Netstumbler NS1 file can be found here: CHAMPLAIN/NS1/Large-20071116.ns1.
One hundred ninety-eight (198) of the devices were configured as peer-to-peer. While this type of use is highly problematic from a security point of view, it is difficult to estimate a specific problem in these cases. Further investigation would be necessary.
As in the previous exercise, the potential problem of the close proximity of multiple wireless devices using the same frequency and the same channel (6 and 11) was found. There must be performance problems experienced by the users of the devices; however, this was outside the scope of the project, as the students did not have access to the tools required to evaluate this. Other channels used are 40, 52, 56, 60, 64, 149, 153 and 157. This is possibly in an ill-advised attempt to implement some security.
Conclusion
Overall the students seemed quite pleased by the experience. They have indicated that they were able to visualise some of the theoretical concepts seen in class, as expected in this type of exercise. There were no problems with residents and, to our knowledge, no complaints have been received. Since no student was arrested, the experience was very positive. On the other hand, the data is not such good news.
Looking at the results, it seems that wireless security in networks is not too good. While the results may not be as catastrophic as the previous exercise indicated, it is still far from being an ideal situation in the current economic and geopolitical context. This would again support beliefs that a province-wide IT security awareness campaign is needed, as only through education can durable social change be enacted.
Léger, Marc-André (2007) Class presentation for the course WLAN Fundamentals, available on www.leger.ca