by Marc André Léger, DESS, MASc (MIS), PhD (Candidate)
Professor, Champlain College (Saint Lambert)
Lecturer, University of Sherbrooke - Longueuil
Summary
On Saturday, March 29th, 2008, from 9:00 a.m. to 12:00 noon, students from the Wireless Networking program at Champlain College Saint-Lambert, under the supervision of their professor, Marc-André Léger, performed a wireless network security audit in the streets of the South Shore of Montreal, Quebec, Canada, as an educational activity. This document presents an overview of what was done and a summary of the results.
Audit objectives
This was primarily intended as an educational activity inspired by media reports and documentaries on the vulnerabilities of home wireless networks. Similar activities had taken place in the city of Saint Lambert in the spring of 2007 and in the city of Montreal in the fall of 2007 with previous cohorts. As before, the principal objective from an educational point of view was to provide the students with hands-on experience in performing a wireless network security audit (WNSA). The general objective was to perform a partial-area wireless security audit and map the wireless networks (either home or business) that were found. This would give the students an idea of the current situation of wireless networks in the Montreal South Shore region.
In the previous exercises, in a limited area, the students left a prepared notice in the mailbox of residences that appeared at risk. However, this was not done this time, as there had been very little traffic on the prepared informational website. Residents and users had shown little interest in following up on the results.
As in the previous exercises, to respect the right to privacy of residents, students were instructed to only observe IEEE 802.11x data packets and signals present outside the limits of private property, never trespassing. The students were not to look or attempt to look at the data inside the packets or attempt to gain access to data, information or computer services in any way. Students had been strictly advised that all activities were being performed on public property as a community service activity. No attempt to access computer facilities, files or resources was to be undertaken by students. This was also done to respect Art. 342.1 of the Criminal Code of Canada. Any student who did not respect these rules would be excluded from the activity and would be subject to sanctions.
Activity logistics
Eighteen (18) students from the WLAN Fundamentals course participated. The students were divided into 7 teams of 2, 3 or 4 students. Each team was assigned an area of the South Shore. These were located in the cities and neighborhoods known as Longueuil, Greenfield Park, Saint-Hubert and Brossard. These areas were selected as they had not been covered in previous war drives. The College was used as an operational command center and for lunch.
Students who participated in the exercise were required to have:
a laptop per team
a wireless (802.11b, g or n) network adapter
installed open source software (NetStumbler)
a cell phone per team for security
Champlain College (Saint Lambert) provided:
a laptop for students who did not have their own
a badge to identify the students
detailed instructions
a map
water bottles (2 per student)
a briefing and a document on the limits to respect
instruction on what to do
an assigned grid to canvas (where their team would scan)
The students arrived at the college at 9h00 and picked up their material; most started performing the audit at around 9h30. They returned for a pizza lunch offered by the teacher at 12h00, which was followed by a debriefing. Following the exercise, a few students performed additional scans as partial credits for the final assignment in the course; these additional scans were not included in this report.
War driving is the act of driving around an area with a laptop computer or a portable device (PDA, scanner) to detect wireless networks. It originated around San Francisco (California, USA) with the Bay Area Wireless Users Group (BAWUG). The name war driving comes from war dialling, which was popularized in the 1983 movie WarGames, featuring Matthew Broderick. As for the previous exercise, it was decided to call the exercise a WLAN Security Audit, as the name War Drive seemed to have negative connotations.
War driving is possible because users of wireless networks, due to lack of knowledge, lack of adequate information, ignorance or laziness, leave their wireless access points unsecured. In many cases the devices are unsecured because the default configuration that was in place when the device was purchased is still being used. For example, in the data presented from the exercise, 5.4% of the wireless devices had default as their network identifier (SSID), 3.3% had default and were unencrypted, and 51.3% used channel 6, often set as the default channel at the factory.
During the war drive a total of 8488 devices were found, which is the sample used for the rest of this article (n=8488).
| Item | Winter 08 numeric | Winter 08 % | Fall 07 numeric | Fall 07 % | Winter 07 numeric | Winter 07 % |
|---|---|---|---|---|---|---|
| Sample | 8488 | 100 | 14906 | 100 | 330 | 100 |
| Encryption OFF | 1925 | 22.7 | 3618 | 24.3 | 103 | 31.2 |
| Encryption ON | 6563 | 77.3 | 11288 | 75.7 | 227 | 68.8 |
| Configured as Access Points | 8424 | 99.3 | 14702 | 98.6 | 328 | 99.4 |
| Peer-to-peer | 64 | 0.7 | 198 | 1.3 | 2 | 0.6 |
| Using default SSID | 461 | 5.4 | 283 | 1.9 | 10 | 3.0 |
| Default + unencrypted | 283 | 3.3 | | | | |
| Channel 1 | 941 | 11.1 | 1716 | 11.5 | 33 | 10.0 |
| Channel 2 | 101 | 1.2 | 180 | 1.2 | 8 | 2.4 |
| Channel 3 | 134 | 1.6 | 257 | 1.7 | 2 | 0.6 |
| Channel 4 | 323 | 3.8 | 369 | 2.5 | 3 | 0.9 |
| Channel 5 | 85 | 1.0 | 147 | 1.0 | 4 | 1.2 |
| Channel 6 | 4353 | 51.3 | 7406 | 49.7 | 178 | 53.9 |
| Channel 7 | 84 | 1.0 | 172 | 1.2 | 4 | 1.2 |
| Channel 8 | 163 | 1.9 | 272 | 1.8 | 3 | 0.9 |
| Channel 9 | 183 | 2.2 | 295 | 2.0 | 5 | 1.5 |
| Channel 10 | 176 | 2.1 | 332 | 2.2 | 5 | 1.5 |
| Channel 11 | 1948 | 23.0 | 3852 | 25.8 | 85 | 25.8 |
Table 1: summary of results
There are many apparent similarities in all measures. Of the devices included in the sample, 22.7% were unencrypted. This is moderately better than the 24% identified in the previous exercise and much better than the 31% from the previous year. This shows an improvement from the previous year.
Sixty-four (64) of the devices were configured in peer-to-peer mode. While this type of use is highly problematic from a security point of view, it is difficult to estimate a specific problem in these cases. Further investigation would be necessary to determine the security risk, but this is a definite improvement from previous results.
As in the previous exercise, the potential problem of the close proximity of multiple wireless devices using the same frequency and the same channel (6 and 11) was found. Users of these devices must be experiencing performance problems; however, this was outside the scope of the project, as the students did not have access to the tools required to evaluate this. Other channels used are 36 (1 AP), 52 (4 APs) and 64 (1 AP). This is possibly an ill-advised attempt to implement some security.
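As an added example (not part of the original report), the following Python checks whether the differences in the unencrypted share between the surveys in Table 1 exceed sampling noise, using 95% Wilson intervals and a pooled two-proportion z-test. It assumes each detected device is an independent observation; the three surveys covered different areas, so the test says nothing about why the rates differ.

```python
import math

# (unencrypted devices, sample size) per survey, copied from Table 1.
SURVEYS = {
    "Winter 07": (103, 330),
    "Fall 07": (3618, 14906),
    "Winter 08": (1925, 8488),
}

def wilson_interval(k, n, z=1.96):
    """Wilson score interval (95% by default) for the proportion k/n."""
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half

def two_proportion_z(k1, n1, k2, n2):
    """Pooled z statistic for k1/n1 minus k2/n2, with two-sided p-value."""
    pooled = (k1 + k2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (k1 / n1 - k2 / n2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # P(|Z| > |z|), Z standard normal
    return z, p_value

def compare(earlier, later):
    """Negative z means the later survey has a lower unencrypted share."""
    k1, n1 = SURVEYS[earlier]
    k2, n2 = SURVEYS[later]
    return two_proportion_z(k2, n2, k1, n1)

if __name__ == "__main__":
    for name, (k, n) in SURVEYS.items():
        lo, hi = wilson_interval(k, n)
        print(f"{name}: {100 * k / n:.1f}% unencrypted "
              f"(95% CI {100 * lo:.1f}% to {100 * hi:.1f}%)")
    for earlier in ("Fall 07", "Winter 07"):
        z, p = compare(earlier, "Winter 08")
        print(f"Winter 08 vs {earlier}: z = {z:.2f}, p = {p:.4f}")
```

The Winter 07 interval is wide because that sample holds only 330 devices, which matters when reading its 31.2% against the later, much larger surveys.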
Additional findings
A group of students performed an additional scan of the Montreal Downtown area for additional course credits and in replacement of a class assignment. Only the core business sector was scanned, which also includes three university campuses. A total of 8837 Access Points were identified in about 2 hours (n=8837). This sample is not included in the sample presented previously and has been kept separate. The following table presents the results of this additional scan:
| Item | Winter 08 Downtown numeric | Winter 08 Downtown % | Fall 07 numeric | Fall 07 % |
|---|---|---|---|---|
| Sample | 8837 | 100 | 14906 | 100 |
| Encryption OFF | 1870 | 21.2 | 3618 | 24.3 |
| Configured as Access Points | 8708 | 98.5 | 14702 | 98.6 |
| Channel 1 | 1222 | 13.8 | 1716 | 11.5 |
| Channel 6 | 3205 | 36.3 | 7406 | 49.7 |
| Channel 11 | 2192 | 24.8 | 3852 | 25.8 |
Table 2: Downtown area
Other WLAN channels used include: 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161.
Another student performed a wardrive in sections of Westmount, Nouveau-Rosemont, Côte-des-Neiges and Plateau Mont-Royal (n=6156). These results are presented in the following table. Only channels 1 to 11 were found.
| Item | Winter 08 Other sectors numeric | Winter 08 Other sectors % |
|---|---|---|
| Sample | 6156 | 100 |
| Encryption OFF | 1080 | 17.5 |
| Configured as Access Points | 6086 | 98.9 |
| Channel 1 | 777 | 12.6 |
| Channel 6 | 2544 | 41.3 |
| Channel 11 | 1515 | 24.6 |

Table 3: sections of Westmount, Nouveau-Rosemont, Côte-des-Neiges and Plateau Mont-Royal.
Conclusion
Overall the students seemed quite pleased by the experience, as in previous years, as it allowed them to visualise some of the theoretical concepts seen in class. There were no problems with residents and, to our knowledge, no complaints have been received. Since no student was arrested again this time, the experience was very positive. Compared to previous years the data is good news, as it shows some improvement in the level of risk and in wireless network security.
Looking at the results, it seems that wireless security in networks is still not too good, but it is marginally improving. While the results may not be as catastrophic as the previous exercise indicated, it is still far from being an ideal situation in the current economic and geopolitical context. This would again support beliefs that an on-going and continuous IT security awareness campaign is needed, as only through education can durable social change be enacted.
Léger, Marc-André (2008) Class presentation for the course WLAN Fundamentals, available on www.leger.ca