
Wireless Security - Swindon Survey

On 12 December 2008, CBR Networks carried out a survey of wireless (802.11b/g) access points in and around Swindon in Wiltshire. Of the 1137 that were discovered, 51% were insecure; 12% had no security whatsoever and 39% were using Wired Equivalent Privacy (WEP), which has widely been considered insecure since 2001 [1].

A press release with further images of the survey is available here:


Swindon Wireless Security Survey (PDF) [4.4 MB]

Route

The route taken can be seen in the following map.  Beginning in Lyneham where we are based, we included Wootton Bassett, Swindon Old Town, Swindon Town Centre and finished at the Mannington Roundabout; a total of 15.4 miles:

[Map: Swindon Wireless Survey Route. Map courtesy of Google Maps.]

What Tools Did We Use?

The survey was carried out using only a standard laptop and wireless card (a Ubiquiti SRC 300). To ensure we stayed legal, the laptop was running Slax Linux and using Airodump to passively capture the beacons that are constantly transmitted by all APs that have not had their SSID broadcast turned off. (There are tools available for Windows but they are generally active and need to transmit data to interrogate the APs.)

[Photo: Swindon wireless security survey in progress]

What Vulnerabilities Were Assessed?

Given that we were carrying out a totally passive survey to stay within the bounds of the law, the number of vulnerabilities we could assess was limited. The two factors we were able to assess were:

a.    Method of Encryption (None / WEP / WPA / WPA2)

b.    SSID (the name of the network).

The encryption tells us most of what we need to know. If the network was using none (i.e. Open) or WEP then the network was considered insecure.

The SSID was assessed for two reasons. Firstly, many of the APs seen were using default SSIDs, which suggests that the AP is unlikely to have been changed from its defaults and is therefore likely to have further vulnerabilities such as a default admin password, MAC filtering turned off and DHCP enabled. Secondly, the SSID often gives us more information on the manufacturer (e.g. BT Home Hub) or address (e.g. 10StreetName or MyBusinessName) of the AP.

It should be remembered that, with permission from the owner, there are many more tests we could have carried out, but these require active techniques. This was clearly not practical for a survey of this scale.

Results

The results from Airodump were exported into a spreadsheet format:

Airodump results

After analysis, the following statistics emerged:

A total of 1137 APs were discovered.

Encryption Used

| Encryption | Number of APs | % of total APs discovered | Comments |
|---|---|---|---|
| Open | 134 | 12 % | Extremely Insecure. No security at all. Anyone with a wireless card can connect. |
| WEP | 444 | 39 % | Very Insecure [1]. Requires pass key to connect which discourages casual users but key can be recovered automatically in minutes by anyone using freely available software. |
| WPA | 400 | 35 % | Generally Considered Secure [2] (if configured correctly). Has some limited vulnerabilities but they do not allow the key to be recovered and automatic tools are not freely available. |
| WPA2 | 159 | 14 % | Generally Considered Secure [2] (if configured correctly). Has some limited vulnerabilities but they do not allow the key to be recovered and automatic tools are not freely available. |

Insecure - Top 10 AP SSIDs Ordered by Manufacturer [3]

| Manufacturer / SSID | Number of APs | % of total APs discovered | Comments |
|---|---|---|---|
| BT Home Hub | 133 | 23.0 % | |
| BT Business Hub | 34 | 5.8 % | |
| Belkin | 30 | 5.2 % | |
| BT Openzone | 25 | 4.3 % | Hotspot Service. Relies on SSL to secure data. |
| Netgear | 24 | 4.2 % | |
| O2 | 18 | 3.1 % | |
| Linksys | 17 | 2.9 % | |
| TalkTalk | 14 | 2.4 % | |
| BT Voyager | 13 | 2.2 % | |
| 2Wire | 11 | 1.9 % | |
| Totals: | 319 | 55.2 % | |

Additionally, it was noted that a significant proportion were using SSIDs that unnecessarily gave away more information to a potential attacker.  This included what appeared to be surnames, addresses and obvious company names.
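The classification described above (Open or WEP counts as insecure, then insecure APs are checked for default SSIDs) can be reproduced from a passive capture export. The following is an added example, not the survey's own tooling: it assumes the column layout of an airodump-ng CSV export, the SSID patterns are illustrative assumptions, and mixed-mode APs are counted under the weakest protocol they offer.

```python
import csv, io, re
from collections import Counter

# Constructed sample in the column layout of an airodump-ng CSV export (AP
# section, blank line, client section). Every BSSID and ESSID is invented.
SAMPLE = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2008-12-12 10:00:01, 2008-12-12 10:00:09, 6, 54, OPN, , , -70, 12, 0, 0.0.0.0, 7, linksys,
00:11:22:33:44:02, 2008-12-12 10:00:02, 2008-12-12 10:00:09, 1, 54, WEP, WEP, , -65, 9, 0, 0.0.0.0, 14, BTHomeHub-1A2B,
00:11:22:33:44:03, 2008-12-12 10:00:03, 2008-12-12 10:00:09, 11, 54, WEP, WEP, , -80, 7, 0, 0.0.0.0, 14, BTHomeHub-9F0C,
00:11:22:33:44:04, 2008-12-12 10:00:04, 2008-12-12 10:00:09, 6, 54, WEP, WEP, , -75, 5, 0, 0.0.0.0, 13, Smith, Family,
00:11:22:33:44:05, 2008-12-12 10:00:05, 2008-12-12 10:00:09, 1, 54, WPA, TKIP, PSK, -60, 8, 0, 0.0.0.0, 7, NETGEAR,
00:11:22:33:44:06, 2008-12-12 10:00:06, 2008-12-12 10:00:09, 6, 54, WPA2 WPA, CCMP TKIP, PSK, -55, 6, 0, 0.0.0.0, 15, ExampleCoOffice,
00:11:22:33:44:07, 2008-12-12 10:00:07, 2008-12-12 10:00:09, 11, 54, WPA2, CCMP, PSK, -72, 4, 0, 0.0.0.0, 9, belkin54g,
00:11:22:33:44:08, 2008-12-12 10:00:08, 2008-12-12 10:00:09, 1, 54, OPN, , , -68, 3, 0, 0.0.0.0, 7, NETGEAR,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""
INSECURE = ("Open", "WEP")  # the page's definition of an insecure network
DEFAULT_SSIDS = {  # illustrative patterns assumed for this example
    "BT Home Hub": re.compile(r"^BTHomeHub", re.I),
    "Netgear": re.compile(r"^NETGEAR$", re.I),
    "Linksys": re.compile(r"^linksys$", re.I),
    "Belkin": re.compile(r"^belkin", re.I),
}

def classify(privacy):
    """Map the Privacy column to the survey's categories, weakest offered first."""
    tokens = privacy.upper().split()
    order = (("Open", "OPN"), ("WEP", "WEP"), ("WPA", "WPA"), ("WPA2", "WPA2"))
    return next((label for label, tok in order if tok in tokens), "Unknown")

def survey(text):
    enc, vendors, hdr = Counter(), Counter(), None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if row and row[0] == "Station MAC":
            break  # client section follows; only APs are counted
        if row and row[0] == "BSSID":
            hdr = [h.strip() for h in row]
            i_priv, i_essid = hdr.index("Privacy"), hdr.index("ESSID")
        elif hdr and len(row) >= len(hdr):
            label = classify(row[i_priv])
            enc[label] += 1
            essid = ",".join(row[i_essid:-1]).strip()  # ESSID may hold commas; Key is last
            if label in INSECURE:
                vendors.update(v for v, p in DEFAULT_SSIDS.items() if p.search(essid))
    total, insecure = sum(enc.values()), sum(enc[k] for k in INSECURE)
    return {"total": total, "encryption": dict(enc), "default_ssid_insecure": dict(vendors),
            "insecure_pct": round(100 * insecure / total, 1) if total else 0.0}
```

Running `survey(SAMPLE)` yields per-category counts, the insecure percentage and the default-SSID tally among insecure APs, the same three figures the tables above report for the real capture.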

Summary

a.    A significant number of APs (12% in our survey) are still using no security at all and are vulnerable to attack even from the casual user.

b.    Despite WEP being proven as vulnerable in 2001, a significant number (39% in our survey) are still reliant on this method to 'secure' their network.  These networks are vulnerable to attack using freely available software that carries out the attacks with very little knowledge required.

c.    Over 55% were using what appeared to be a default network name or 'SSID'.  This is indicative of the network having more vulnerabilities.

d.    The most common access point with default SSID was the BT Home Hub (23%) which was closely followed by the BT Business Hub (5.8 %).

e.  In addition to default SSIDs, there were a significant number that unnecessarily gave the attacker more information such as surname, address or company name.

Conclusions 

It is obvious from the results that there are still significant risks being taken when it comes to wireless security. This is not necessarily bad, as an individual or company may have taken an informed decision, be aware of the risks involved and still not wish to employ better security for any number of reasons. For the majority though, I do not believe this is the case. I can only surmise why this is, but I think it is likely to be for the following reasons:

a.    Difficulty in Configuration.  Wireless security can be difficult to configure, especially when AP and client devices are built by different manufacturers.  Although the majority of APs currently being used can be configured securely without any extra hardware, some users are reluctant to change anything once the network is initially 'in and working' with the default settings.

b.    Default Settings.  Although manufacturers are slowly changing (e.g. introduction of WPS), for a long time APs have been shipped with standard settings that have the security switched off.  It is generally believed this is to reduce the number of devices falsely returned as faulty due to configuration difficulties.

c.    False Sense of Security.  Although WEP has been publicly known to be insecure since 2001, the casual user is unlikely to know this.  By entering a passkey the user may falsely believe the network is secure.

d.    Wireless Installations by Non-Specialist Companies.  Out of courtesy, we spoke to most of the companies that had insecure networks and that were easily identifiable by their SSID.  Most were outsourcing their IT support to companies that did not specialise in wireless installations and security.  Therefore, the company was not even aware of the risks they were taking.

References / Footnotes:

1.   http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
2.   http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
3.   It is possible that the SSID has been renamed, therefore this is not foolproof, but it is considered far more likely that these SSIDs have been left as default rather than being renamed to imitate another manufacturer.
