Mapping all the Wi-Fi networks in a small town in Norway

In February and March of 2012, a fellow student and I performed some Wi-Fi data gathering as part of our Bachelor’s thesis. This activity, known as wardriving, consisted of driving in as many streets as possible in the city of Narvik, Norway, equipped with a laptop (running inSSIDer), a 25 dBi omni-directional antenna and a GPS receiver.
The purpose of the experiment was to determine the current distribution of security algorithms, in particular to see how many still use WEP almost ten years after its deprecation. Since the initial practical attack was published by Fluhrer, Mantin and Shamir (the “FMS attack”) in 2001 [1], many improved attacks have been published, making it possible to retrieve a key of arbitrary complexity from 64-bit and 128-bit WEP secured networks in a matter of minutes. While the FMS attack required approximately 1,000,000 to 4,000,000 collected packets to achieve a success probability of 50%, the KoreK attack published in 2004 reduced the required number of collected packets to approximately 700,000 [2, p. 54].

Currently, the most efficient attack is the Pyshkin, Tews and Weinmann (the “PTW attack”) published in 2007, requiring only 40,000 collected packets to achieve a success probability of 50% or 85,000 to achieve 95%. The active version of this attack works by reinjecting a collected ARP packet to quickly collect a sufficient number of packets, which can be performed in less than a minute [3, p. 1, 7, 14]. The PTW attack is currently the default attack in aircrack-ng, the state of the art software collection of Wi-Fi cracking tools.

Attackers may have several motivations for gaining access to Wi-Fi networks. In its simplest form, the motivation may be just to have free Internet access. More malicious attackers may seek to sniff the network packets in order to collected sensitive information, such as login credentials, payment card numbers, sensitive conversations, business documents etc. Furthermore, they may seek to connect to the network to exploit computers within the same subnet of the access point. One real life example of such was uncovered in 2007, when adversaries compromised a computer through an insecure Wi-Fi network and extracted 100 million payment card numbers and other personal information belonging to customers of the company TJX [4].

The result of our mapping experiment is presented in the following table:

Security mode    Number of broadcasting devices    Percentage
Open             577                               ~ 9.92 %
WEP              1158                              ~ 19.9 %
WPA/WPA2         4082                              ~ 70.18 %
Total            5817                              100 %

As the table shows, we collected information about 5817 access points, among these 1158 (~19.9%) using WEP. Furthermore, we found 704 (12.1%) networks with SSIDs (the broadcast name of the network) indicating that they were vulnerable to the default key generation algorithm published in [5]. This flaw gained some media attention in Norway in 2010, after a user published a list of 10,000 networks including their SSID, GPS coordinates and WPA key on an online forum [6].

In practice, this means that ~32% of the collected networks seem to be vulnerable to attacks although they use protection mechanisms. This percentage does not include WPA/WPA2-secured networks that may use very weak keys, as verifying this would obviously require performing illegal cracking. It neither includes the 9.92% of networks that do not use encryption, nor those vulnerable to the Wi-Fi Protected Setup (WPS) attack as described in [7].
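To make the tallying step of the survey concrete, here is an added example (not code from the original thesis or post) that reads a scanner export, maps each access point's free-form security string onto the three classes used in the table above, and computes the counts and percentages. The CSV layout and the sample rows are constructed for the example; inSSIDer's real export format is not assumed. The coordinate coarsening at the end is one possible way of "slightly adjusting" positions before publishing a map, chosen here as an assumption, since the post does not say how the adjustment was done.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a simple scanner export
# (SSID, BSSID, security string, latitude, longitude).
# These rows are made up for the example and are not from the Narvik data set.
SAMPLE_CSV = """ssid,bssid,security,lat,lon
HomeNet,00:11:22:33:44:01,WPA2-PSK (AES),68.4385,17.4272
CafeFree,00:11:22:33:44:02,Open,68.4391,17.4280
OldRouter,00:11:22:33:44:03,WEP,68.4377,17.4301
Office,00:11:22:33:44:04,WPA-PSK (TKIP),68.4402,17.4255
Guest,00:11:22:33:44:05,None,68.4396,17.4266
Mixed,00:11:22:33:44:06,WPA2/WPA (TKIP+AES),68.4410,17.4290
"""


def classify(security: str) -> str:
    """Map a scanner's free-form security string onto the survey classes.

    Mixed-mode networks (WPA and WPA2 both offered) count as WPA/WPA2,
    matching the single combined row used in the survey table.
    """
    s = security.strip().upper()
    if s in ("", "NONE", "OPEN"):
        return "Open"
    if "WPA" in s:
        return "WPA/WPA2"
    if "WEP" in s:
        return "WEP"
    return "Unknown"


def tally(csv_text: str) -> dict:
    """Return {mode: (count, percentage)} plus a 'Total' row, like the post's table."""
    rows = csv.DictReader(io.StringIO(csv_text))
    counts = Counter(classify(row["security"]) for row in rows)
    total = sum(counts.values())
    summary = {mode: (n, round(100.0 * n / total, 2)) for mode, n in counts.items()}
    summary["Total"] = (total, 100.0)
    return summary


def weak_by_design_share(csv_text: str) -> float:
    """Percentage of networks that are open or WEP, i.e. offer no effective
    confidentiality regardless of key strength (computed from counts, not
    by summing rounded percentages)."""
    summary = tally(csv_text)
    total = summary["Total"][0]
    weak = summary.get("Open", (0, 0))[0] + summary.get("WEP", (0, 0))[0]
    return round(100.0 * weak / total, 2)


def coarsen(lat: float, lon: float, decimals: int = 3) -> tuple:
    """Assumed privacy adjustment: round coordinates to ~100 m so individual
    homes cannot be picked out on a published map."""
    return (round(lat, decimals), round(lon, decimals))


if __name__ == "__main__":
    for mode, (n, pct) in tally(SAMPLE_CSV).items():
        print(f"{mode:<10} {n:>5} {pct:>7.2f} %")
    print("Open + WEP share:", weak_by_design_share(SAMPLE_CSV), "%")
    print("Coarsened:", coarsen(68.43851, 17.42724))
```

The `classify` step is where most survey error creeps in: scanners label the same mode in many spellings, so it is worth checking the "Unknown" bucket is empty before trusting the percentages.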

All the networks in Narvik

An experiment similar to ours was performed in an area of Germany in 2006, where the result was approx. 61% WEP and 22% no security [8, p. 10]. Comparing the results of these two experiments, we can conclude that WEP usage seems to be declining but is still popular. The images to the right and below show the collected networks plotted on a map. For privacy reasons, the coordinates have been slightly adjusted.

[1] Adi Shamir, Scott Fluhrer and Itsik Mantin, Weaknesses in the Key Scheduling Algorithm of RC4, Selected Areas in Cryptography, Lecture Notes in Computer Science Volume 2259, pp 1-24, 2001.

[2] Erik Tews, Attacks on the WEP protocol, IACR Cryptology ePrint Archive, 2007.

[3] Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin, Breaking 104 bit WEP in less than 60 seconds, Information Security Applications, Springer Berlin Heidelberg, 2007.

[4] CBSNews, How Hi-Tech Thieves Stole Millions Of Customer Financial Records, 2007, [Online; accessed 30. December-2013].

[5] pagvac, Default key algorithm in Thomson and BT home hub routers, 2008 [Online; accessed 30. December-2013].

[6] Gilbrant, J M., 10 000 Telenor-kunder kan nå nettovervåkes av hackere, 2010 [Online; accessed 30. December-2013].

[7] Sean Gallagher, Hands-on: hacking WiFi Protected Setup with Reaver, 2012 [Online; accessed 30. December-2013].

[8] Stefan Dörhöfer, Empirische Untersuchungen zur WLAN-Sicherheit mittels Wardriving. Diplomarbeit in Informatik, 2006, [Online; accessed 30. December-2013].
