'War Biking' San Francisco Reveals Lousy Wi-Fi Security
Sophos' James Lyne bikes through San Francisco. Credit: Sophos
SAN FRANCISCO — A tour of San Francisco on a specially equipped bicycle revealed that many Wi-Fi networks in this high-tech city used outdated security — and that more than a thousand people were happy to connect to a random open Wi-Fi network without using any protection.
James Lyne, a security researcher at the British anti-virus firm Sophos, spent four days biking around the city last week, riding a rig that had several Wi-Fi and Bluetooth wireless adapters connected to a Raspberry Pi minicomputer and two battery packs.
Lyne's travels were a variant on "war driving," an old method of driving around a city looking for open Wi-Fi networks. He and fellow Sophos security researcher Chet Wisniewski, who jointly gave a presentation Tuesday (Feb. 25) at the RSA security conference here, referred to the method as "war biking."
"War driving is still relevant," Lyne said, adding that some security researchers would disdain study of such an old issue. "As security professionals, we should not ignore painfully old hacks and problems such as these. It's still a real issue in the real world."
Bay to Breakers breakdown
In all, more than 70,000 different Wi-Fi networks were detected, and more than 190,000 individual Wi-Fi clients: smartphones, tablets, laptops and, surprisingly, a lot of Wi-Fi enabled office printers.
About 20 percent of the networks were open, which sounds like a security nightmare until you remember how many cafes, parks and other public places use deliberately open networks.
The bad news came when Lyne and Wisniewski analyzed the password-protected Wi-Fi networks, whose users imagine they're shielded by some level of security.
Ten percent of the protected networks used the long-outmoded Wired Equivalent Privacy (WEP) standard, which was declared unsafe 10 years ago. Hackers won't take long to crack through the encryption on a WEP network.
"Using WEP is like having the condom open on both ends," Wisniewski joked.
Fifty-seven percent of the networks were using the first generation of the Wi-Fi Protected Access (WPA) protocol, which has various security problems of its own.
"Not so great," Lyne said.
Only 13 percent of detected Wi-Fi networks were using the current-generation Wi-Fi Protected Access II (WPA2) protocol, which has the fewest security issues.
However, nearly half of the Wi-Fi networks that used WPA/WPA2 were endangering themselves by having Wi-Fi Protected Setup (WPS) turned on. WPS is an optional method of simplifying the login process on home and small-office wireless routers, and it is vulnerable to hacker attacks.
Opening the honeypots
Lyne and Wisniewski also wanted to test how many people they could lure to their own open Wi-Fi hotspots. They rigged the bike's electronics with three open "honeypot" networks: "FreeInternet," "FreePublicWifi" and "DO NOT CONNECT."
"We had 27 people connect to that last one," Wisniewski observed.
In all, 1,512 Wi-Fi users connected to Sophos' networks — random networks that, for all the users knew, could have tried to install malware on their devices — over the course of the four days.
Of those users, 1,397 connected to the Web using the standard unprotected HTTP protocol all or part of the time, meaning anyone on the same Wi-Fi network could have eavesdropped on their communications. Only 672 people ever used the secure HTTPS standard.
Of the people who accessed their email accounts, 242 used the insecure POP or IMAP protocols, which would have let attackers read their emails. (Many smartphones primarily use secure email delivery.)
Six percent of the opportunistic Wi-Fi users on Sophos' networks used virtual private network (VPN) software that encrypted all their Internet activity. The rest were wide open.
Of the 1,512 devices that connected to the honeypots, there were 484 iOS devices, 358 Android ones, 295 Windows computers, 181 Mac OS X ones and 194 that couldn't easily be classified.
Wi-Fi wasn't the only wireless protocol the Sophos team scanned for. On the bike were three receivers fine-tuned to pick up different Bluetooth protocols.
A total of 3,412 Bluetooth devices were detected, mostly smartphones, satellite-navigation devices and cars themselves.
"People's names were very common" in the logs, Lyne explained, "because iOS devices just call their output 'John Smith's iPhone' or whatever."
A surprising number of the relatively new Bluetooth Low Energy (BTLE) devices were spotted.
"We saw them everywhere," Lyne said, adding that the iBeacon feature on the latest iPhones, as well as FitBit fitness bands and Pebble smartwatches, all use BTLE.
Security experts recommend that users of Bluetooth devices turn off Bluetooth unless they need it — most Bluetooth connections are "paired" by a four-digit PIN, which is often factory-set to something like "1234" or "0000."
How to not become a war-driving victim
The results of Lyne's four days on the bike showed that in this tech-centric city, thousands of people had no idea how to safely use short-range wireless networks.
"What's the answer?" Lyne asked. "Public awareness, maybe."
To that end, Lyne's war-biking tests will continue in other cities and countries in the coming months, and videos of his rides can be seen on YouTube.
In order to make sure you're connecting as safely as possible, take these steps:
— If you have an old router that supports only WEP, replace it. If you can choose between WEP and WPA, choose WPA or, even better, WPA2.
— If your WPA/WPA2 router has the option of using the WPS easy login protocol, disable it.
— Install a VPN client such as AnchorFree so that you can use open Wi-Fi networks without fear.
— Turn off Bluetooth when you're not using it, and change the default pairing PIN if you can.