It has been public knowledge for quite a few years that many WIFI networks are poorly protected. Although open, unprotected WIFI networks are slowly starting to vanish, how well do the protected ones hold up anyway? Here's a real example of challenging the security of an average residential WIFI network. The question came from a friend: is my WIFI access point secure? Well, let's see.
WIFI in a residential area
Take an average street in a middle-class residential area of an average West-European city - a typical setting where many WIFI networks can be found. The WIFI network scanning tool Network Stumbler is almost tripping over the density of WIFI networks found in my friend's neighborhood. An average WIFI access point can bridge 350 feet (106 meters) and easily comes within reach of anyone passing by or, more obviously, the neighbors.
WIFI AP's across the bay in Turkey near Adana - this is how far an average WIFI access point can reach.
In this real example, the setting is someone passing by in a car, or more specifically the machine, a 22,000 lbs (10,000 kg) truck. Not quite stealthy and therefore noticed by everyone living in the street. So, as a benchmark and as an answer to my friend's question: how long would it take to get access to the average WIFI access point?
WIFI area survey
The Network Stumbler area survey in this residential area shows that many of the WIFI networks are locked down with either WEP, WPA or WPA2 encryption. About half of the 26 networks counted have WPA2. That's pretty good, because this kind of encryption is the hardest to break. The other half has WEP-based encryption, and only a few had none.
My friend had managed to protect their WIFI network with a 128-bit WEP encryption key. And it wasn't easy for him to do so; it took him several hours to get it working for 3 Windows-based computers. The problem emerged at one of the 3 computers, which somehow didn't want to switch to WEP encryption.
And this with only average computer skills and little to no knowledge of WIFI network protection.
The WIFI lock picker
Now, let's do a little profiling. Who would try to break the 128-bit WEP encryption on my friend's network? For starters, it would be someone with a bit of UNIX/LINUX knowledge and skills, because most of the lock picking tools are LINUX based. Secondly, it must be someone who's determined enough to go through the process of learning about WIFI lock picking tools and try them on others. Thirdly, and most important, what would be the motive?
Roughly speaking, it would probably be a young guy either living in the area or driving around fiddling with WIFI locks just for the fun of it. Next to that, parking a car or van in the street and staying in there for several hours would be suspicious enough already. Not to mention with the machine...
The Machine - WIFI connected in Dubai at the Meydan horse race track.
Now, the reason why my friend's WIFI access point used WIFI network protection was to prevent the neighbors from using their Internet connection, and vice versa. Not to keep random strangers out, because a parked car with someone inside is so easily noticed in the street. For most people in the neighborhood who have WPA2 encryption, the Internet provider installed the WIFI access point along with a DSL modem for the Internet connection.
In terms of equipment, the list is pretty basic:
1) A laptop with WIFI, in this case a DELL Latitude D610
2) A laptop battery (or several) that lasts for several hours
3) UBUNTU 9.05 desktop installation
4) Aircrack-ng installed on the off-the-shelf UBUNTU desktop installation
And in terms of location:
5) Within 350 feet (100 meters) of the WIFI access point
6) A place to sit for several hours
That's about it.
Finding the WEP code
So what did it take to find the 128-bit WEP key?
1) The WIFI signal was monitored for 65 minutes.
2) 76436 IV's (Initialization Vectors) were captured. (This is crypto talk - don't bother.)
3) The resulting data capture file was about 115 Mb.
4) It took about 36 minutes of CPU processing to decide when to stop capturing.
5) It took about 2-3 minutes to extract the WEP code from 115 Mb of data.
The WIFI access point was used continuously during the test. In fact, Windows Update was running on one of the 3 PCs connected to the WIFI access point. This generated a capture file of 115 Mb over 65 minutes; that's about 30 Kb/sec of data coming in.
The WIFI access point is a simple Belkin F5D7231-4 802.11a/b/g WIFI Router with the latest firmware version. The WIFI card in the DELL Latitude D610 is an average DELL 1370 internal miniPCI card with a Broadcom BCM43xx chipset.
The test results are not very surprising - a 128-bit WEP key can be found in about an hour or less, given the right tools, skills and knowledge, and a place to sit within approximately 350 feet (100 meters) of the access point. A smaller 64-bit WEP access key would go down even quicker.
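The reason key length barely matters here is that WEP prepends a 24-bit initialization vector to the RC4 key on every frame, so the IV space is the same 16,777,216 values for a 64-bit and a 128-bit key, and a busy access point like the one above (76436 IVs in 65 minutes) runs through a meaningful fraction of it quickly. The following is an added example, not code from the original post: it puts the birthday-bound numbers on the IV reuse problem and triages a survey like the Network Stumbler one above into networks that still need attention. The survey rows are constructed; the frame counts come from the post.

```python
"""WEP's weak spot is the 24-bit IV, not the key length.

Added example (not from the original post). It quantifies the IV reuse
problem behind the capture figures in the post (76436 IVs in 65 minutes)
and triages a Network Stumbler style survey. The survey rows are constructed.
"""
import math
from collections import Counter

IV_BITS = 24                 # WEP prepends a 24-bit IV to the RC4 key for every frame
IV_SPACE = 1 << IV_BITS      # 16,777,216 IV values, the same for 64- and 128-bit WEP

# Risk class per encryption label as a scanner would report it.
ENCRYPTION_RISK = {
    "NONE": "open",          # no encryption at all
    "WEP": "broken",         # recoverable from captured traffic, as the post shows
    "WPA": "legacy",         # TKIP: better than WEP but superseded by WPA2
    "WPA2": "acceptable",
}


def iv_collision_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least one IV repeats among `frames` frames when IVs
    are drawn uniformly at random (birthday bound, exponential approximation)."""
    if frames <= 1:
        return 0.0
    if frames > iv_space:
        return 1.0            # pigeonhole: more frames than IVs guarantees a repeat
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * iv_space))


def frames_for_collision_probability(p: float, iv_space: int = IV_SPACE) -> int:
    """Smallest frame count at which a random-IV scheme reaches repeat probability p."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    # Inverse of the approximation above: n ~ sqrt(2 N ln(1 / (1 - p)))
    return math.ceil(math.sqrt(2.0 * iv_space * math.log(1.0 / (1.0 - p))))


def seconds_until_iv_wrap(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """Time until a sequential-IV implementation wraps around and reuses IVs."""
    if frames_per_second <= 0:
        raise ValueError("frame rate must be positive")
    return iv_space / frames_per_second


def summarize_survey(rows):
    """Count networks per risk class and return the SSIDs that need attention.

    `rows` is an iterable of (ssid, encryption) pairs as a scanner would list
    them. Unknown labels are reported as 'unknown' rather than silently dropped.
    """
    counts = Counter()
    needs_attention = []
    for ssid, enc in rows:
        risk = ENCRYPTION_RISK.get(enc.upper(), "unknown")
        counts[risk] += 1
        if risk in ("open", "broken"):
            needs_attention.append(ssid)
    return counts, needs_attention


# Constructed sample survey (not the author's 26 networks), one row per AP.
CONSTRUCTED_SURVEY = [
    ("isp-home-01", "WPA2"),
    ("isp-home-02", "WPA2"),
    ("belkin54g", "WEP"),
    ("linksys", "NONE"),
    ("office-guest", "WPA"),
    ("myfriend", "WEP"),
]

if __name__ == "__main__":
    # The post's figures: 76436 IVs captured over 65 minutes.
    observed_frames = 76436
    observed_rate = observed_frames / (65 * 60)
    print(f"frames/s during capture: {observed_rate:.1f}")
    print(f"P(IV repeat) after {observed_frames} frames: "
          f"{iv_collision_probability(observed_frames):.6f}")
    print(f"frames for a 50% repeat chance: {frames_for_collision_probability(0.5)}")
    print(f"sequential IVs wrap after: {seconds_until_iv_wrap(observed_rate) / 86400:.1f} days")
    counts, flagged = summarize_survey(CONSTRUCTED_SURVEY)
    print(dict(counts), "needs attention:", flagged)
```

With 76436 frames the repeat probability is indistinguishable from 1, and a 50% chance of a repeated IV is already reached after roughly 4800 frames, a few minutes of traffic at the rate observed in the post. Nothing in these numbers depends on whether the key is 64 or 128 bits, which is the practical argument for moving to WPA2: it derives fresh per-packet keys instead of reusing one RC4 key behind a 24-bit IV.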
It took my friend several hours to set up basic WIFI access point protection. Although it's pretty simple for those who are Internet savvy, it is not for those who are uncomfortable with managing WIFI access points.
For most it's a frustrating experience; even the task of getting into the administration dashboard of a WIFI access point is a considerable technological barrier. In most cases it requires the help of those who can.
The technological barrier was one of the reasons why WPA2 isn't adopted more quickly. Also, the risk of having someone tampering with the WIFI locks is considered low in this residential area. One sticks out in the street big time when WIFI lock picking from a car for about an hour. In more densely populated areas - like an apartment block - the WIFI lock picking risk increases dramatically. The motive could be quite simple: a free Internet connection.
In the meanwhile, my friend's access point got upgraded to WPA2 and MAC address filtering, with a little bit of help from the outside. The problems discovered earlier were due to signal reflections.