War Walking …A student experiment

Agenda

• Project Goal

• WiFi Basics

• War Walk

• Conclusion & Lessons Learned

Our Goal

• Walk around downtown Seattle

• Locate private wireless networks on a PDA

• Record network names and addresses

• Attempt to gain access to these networks

• Determine wireless network security levels

• Stay only in public areas to ensure no trespassing laws were violated

Wireless Network Basics

• Wireless networks operate on two different frequency bands (2.4 & 5.4 GHz)

• Wi-Fi, also known as 802.11b, is the most popular broadband wireless networking. • There is also 802.11a and 802.11g

• Wi-Fi shares the same broadcast spectrum as some cordless phones, microwave ovens, and Bluetooth short-range wireless

• Network density is becoming an issue and will force private Wi-Fi networks to be secure

The World of Wi-Fi

• Wi-Fi is relatively easy to install• Provides broadband Internet access to specially outfitted

wireless devices within a few hundred feet of a Wi-Fi base station

• Avoids the time and cost of hard-wiring• Found in homes, hotels, airports, restaurants, coffee shops,

corporations, and shopping malls• North American business users account for 90% of Wi-Fi

users worldwide• By 2005 95% of new laptops will come WiFi enabled

War Walk - Location

• Downtown Seattle business district

• Between 6th and 4th Avenues

• Between Union and Madison Streets

• Hotels, retail stores, and business offices

• 9:15 to 10:15 pm

War Walk - Equipment

• Compaq iPAQ Pocket PC 2003

• Cisco 802.11b Wi-Fi Card

• HudsonMobile IPDashboard

• Our feet

War Walk - Results

War Walk - Results

1. ENET2. CNXT-FRLAN013. CD-WIRELESS4. ENET5. DEFAULT6. TAAIRPORT7. WMAOFFICE

NETWORK8. WIRELESS9. LYNKSYS10. MKA 32SW

11. CD-WIRELESS12. MKA 33SW13. NOSID14. MKA 33SE15. MKA 32SE16. LYNKSYS17. PANAMBIC18. DEFAULT19. WIRELESS20. JDDS

War Walk - Results (continued)

21. MYNEWWIRELESS-NETWORK

22. SEATAL23. MC24. VPK25. ALX26. DADCO27. DSOFFICE28. WLANNAI29. LYNKSYS30. CNET

31. WIRELESS.COM32. RNI33. RAINIER34. DEFAULT35. ACCESSTOGO36. BARTLETT37. MKA 33SE38. ELECTRICARROW39. MUSACORPHIN40. ROUTER41. NAKAMURA

War Walk – Results (continued)

• In addition to 41 network names• We were issued IP addresses and were able to get IP

addresses of the infrastructure of several companies • Gateway, DHCP server, WINS server, DNS naming, etc

• We were able to access and “surf” on several networks

• The majority of the networks were secure and required authentication

• We did not record all of the Starbucks T-Mobile Hot Spots that we encountered

Conclusions

• Downtown Seattle has high density of wireless networks

• There was high concentration of networks near large high rises

• The wireless networks located downtown may be secured to reduce “tripping into” other neighbor networks

• We did not attempt to enter any networks that required authentication. Passwords could potentially still be set at default

Lessons Learned

• WAP in highly congested areas more likely to be secured• Commercial networks in rural areas less likely to be secured• Home networks are less likely to be secured

• WAP signals bleed a great distance from high-rise buildings• Companies should turnoff SSID broadcasts to make their networks

more stealthy• There are websites like www.seattlewireless.net/index.cgi/

WarDrivingResults that have a lot of the networks already sniffed out• Companies need to be concerned about unauthorized WiFi Networks

in their buildings• Employee built• Industrial espionage• Privacy Invasion (802.11 cameras)

Questions?