0

Weak Wi-Fi Security Across London

A recent research project undertaken by Sophos has identified an alarming number of homes and businesses have little to no Wi-Fi security controls. The research project, undertaken by James Lyne of Sophos, featured the use of a bike patrolling the streets of London scanning wireless networks within range. The bike was fitted with a Raspberry Pi utilising an open source Linux operating system mounted to the handlebars, this was connected to a powerful industry sized battery to allow extensive scanning to take place for a long period of time. A scanner aerial was also provided to enhance the scanning range.

The Sophos researcher used the bike to travel around London while scanning all wireless networks within range. The results were analysed to determine the security utilised and the results were staggering. The wireless scanner was able to pick up over 81,000 networks within range and determine that up to 30 percent of the networks either had a lack of encryption employed or the well publicised weak Wired Equivalent Privacy (WEP) encryption protocol. WEP has been identified as easy to crack in today’s environment, with published vulnerabilities and tools capable of cracking the algorithm in next to no time. This means that over 30 percent of networks surveyed are extremely vulnerable to traffic sniffing by even the most unsophisticated of attackers.

wifi security warbiking

Sophos researchers utilised a Linux based box to capture wireless access point information. This was achieved while cycling round London on a bike, otherwise known as warbiking after the infamous wardialling type attacks.

The researcher went on to discover that over 50 percent of other Wi-Fi networks were secured with Wi-Fi Protected Access (WPA), an algorithm that is dated and no longer provides secure communications for wireless signals. WPA-2, the successor to WPA, should have been implemented by these business and home networks many years ago, however, the research has suggested that this has only happened in a small number of cases – raising alarm bells for many security professionals.

Sophos continued their security research by creating a honey pot wireless network to monitor usage. The wireless access point was established with a lack of authentication to allow users to utilise it freely. The study found that a large number of users would willingly connect to the untrusted wireless access point with little knowledge of what they were connecting to. While the study was not able to monitor the traffic in detail on the network due to ethical reasons, users that were to do this in a live environment could expect to have all their credentials captured – including sensitive data such as bank details and passwords.

The test revealed that those connecting to the insecure wireless access point were doing so with no form of encryption, other than a select few that had utilised virtual private network (VPN) technology to secure their communications.

The results of this study are extremely concerning and this is something that occurs regularly out in the field. An attacker is able to set up a rogue wireless access point to encourage users in the nearby area to connect willingly to their network. The attacker is then able to sniff all traffic coming through the fake WAP to harvest credentials and sensitive data.

Users need to be more aware of the type of networks they are connecting to. An unsecured wireless network may seem legitimate to provide Internet access, however, these could be set up in an effort to sniff sensitive customer data and harvest bank account details. More alarmingly, however, is the lack of security many home and business networks are implementing. WEP and WPA are outdated and easily cracked and users should be aware of the risks they are running using these algorithms. WPA-2 should be utilised as soon as possible to secure networks and prevent attackers accessing, and sniffing, traffic.

Filed in: Articles, News Tags: , , , , , , ,

Get Updates

Share This Post

Recent Posts

Leave a Reply

Submit Comment

© 2017 Cyber Security News. All rights reserved.