There's a dodgy-looking car cruising slowly by your office, with an antenna taped to the roof, or a man pointing his laptop out the window. Curious to know what he's doing? He's reading your e-mail and your financial details from inside his car. Welcome to the brave new world of drive-by hacking.
Dozens of wireless computer networks around London are sitting ducks for illegal hacking attacks in a new type of threat to data security – ether-cracking.
Hal2001, Europe's largest open-air hacking festival, was held last week in the Netherlands; more than 3,000 people attended. Two wireless security experts, Peter Shipley and Frank Rieger, described there how they had cruised around London, Berlin and San Francisco in a set of experiments to show just how easy it is to get into other people's wireless networks.
Having tapped into such networks in hospitals, companies and homes, Shipley and Rieger explained how, once inside, they could easily have opened data files or e-mails or intercepted traffic. Rieger said the effect was the same as "having an ethernet plug outside your building [that] would let everybody plug inside your network".
Armed with a laptop, some customised software, a wireless card slotted into his machine and a $60 omni-directional antenna hooked up to the top of his car, Shipley said he drove around London slipping into all sorts of wireless networks. He found more than 200 networks, of which more than 60 per cent were "wide open", meaning that a cracker could easily break into them and extract data.
"Just driving down the street is sufficient exposure to detect the LAN [local area network]," he told his Hal2001 audience of several hundred hackers, crackers and assorted uber-geeks in a giant tent at the centre of the gathering's camp in the University of Twente. The majority of "script kiddies" – inexperienced teenage crackers who rely on automatic programs – could break into these networks "in about five to 10 minutes".
The San Francisco area turned up even more exposed networks. In less than one week's worth of total cruising time, he'd counted 2,500 APs, or "access points" [base stations] into people's individual wireless networks. Surprisingly, most of these were in low-rent areas. He joked to the blue-jeans-clad Hal2001 crowd that this was because wireless network users spent all their money on computer gear and didn't have anything left over for rent.
However, you don't even need a car to ether-hack: you can just do it from your window. In London, Shipley said he simply pointed his antenna out the window of his friend's apartment and suddenly he was tuned into the computer network of a large security company. The window had direct line-of-sight to the company's offices about a kilometre away. Shipley said: "[I had] full access to their network, their MIS [management information systems] department, accounting systems – I could see all the pending documents in the financial department."
In Berlin, Rieger abandoned the antenna and still found he could drift silently into and out of other people's computer networks while driving through neighbourhoods. "We just opened the window and waved the laptop around," he said.
"You see the networks popping up on screen. Hospitals, companies, homes – in Berlin, you find one to two each hour of driving around." After a short hunt, Rieger had found five hospitals with easily cracked wireless networks.
The focus of Hal2001 – Hal stands for "hackers at large" – was on hacking, or experimenting with cutting-edge technology, rather than cracking, or illegal intrusions into other people's systems. Cracking is, in essence, hacking for malicious purposes. Rieger reflected this in how he handled his probing of the hospitals' networks.
"We didn't intrude into the network. We just monitored the traffic," he said. But when Rieger found one hospital's prescription database and the computers "associated with individual beds in the hospital" completely exposed, he felt compelled to act. "We told the local IT guy, 'You have a problem. We can show you'. We found an Airport hub [a wireless base station]. It was simply forgotten. The professor who had installed it was long gone," he said. "The IT staff simply hadn't known it was there. The IT guy was quite glad that he could finally prove that IT security isn't something to take lightly in a hospital environment." Rieger said it was vital that people secured their own computers.
Like Rieger, Shipley also used the hacker technique of playing with technology on the edge rather than cracking systems illegally or maliciously. "The system that I have is non-interactive."
While Shipley didn't access private data, his program scooped up all sorts of information that could be used to build a profile – or to crack systems. "I get the name of the network, the channel they're on, and if they are using encryption or not. I also get the hardware address, [which gives] the make and model of the machine," he said. Data leaking from poorly secured wireless networks was a privacy problem on "a massive scale", Rieger said.
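The fields Shipley lists are the ones every access point broadcasts unencrypted in its 802.11 beacon frames. The sketch below is an added example, not code from the talk or the article: it parses those fields and flags base stations that advertise no encryption or are missing from an IT inventory, as the forgotten hospital hub was. The beacon frames, addresses, network names and inventory are constructed sample data.

```python
import struct

def build_beacon(bssid, ssid, channel, privacy):
    """Build a minimal 802.11 beacon frame (constructed sample input)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    capab = 0x0001 | (0x0010 if privacy else 0)  # ESS bit, optional Privacy bit
    fixed = struct.pack("<QHH", 0, 100, capab)   # timestamp, interval, capability
    tags = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    return header + fixed + tags

def parse_beacon(frame):
    """Return the cleartext fields of a beacon, or None if it is not one."""
    if len(frame) < 36 or frame[0] != 0x80:      # 24-byte header + 12 fixed bytes
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    (capab,) = struct.unpack_from("<H", frame, 34)
    # Privacy bit: link encryption is required; it says nothing about strength.
    ap = {"bssid": bssid, "oui": bssid[:8], "ssid": "", "channel": None,
          "encrypted": bool(capab & 0x0010)}
    pos = 36
    while pos + 2 <= len(frame):                 # walk tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                # truncated element, stop parsing
        if tag == 0:
            ap["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            ap["channel"] = value[0]
        pos += 2 + length
    return ap

def audit(frames, inventory):
    """Flag access points that are unknown to IT or advertise no encryption."""
    findings = []
    for ap in filter(None, map(parse_beacon, frames)):
        if ap["bssid"] not in inventory:
            findings.append((ap["bssid"], ap["ssid"], "not in inventory"))
        if not ap["encrypted"]:
            findings.append((ap["bssid"], ap["ssid"], "no encryption advertised"))
    return findings

# Constructed sample data: one managed AP and one forgotten, open base station.
INVENTORY = {"02:00:00:00:00:01"}
SAMPLE = [build_beacon("02:00:00:00:00:01", "corp-lan", 6, True),
          build_beacon("02:00:00:00:00:02", "forgotten-hub", 1, False)]
```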
Wireless communications privacy was a hot topic at Hal2001 – but not all the concern was about crackers. Maurice Wessling, the director of the Dutch privacy and civil liberties group, Bits of Freedom, presented statistics revealing the worrying trend of governments increasing access to mobile-phone data, including private conversations, without a proper public debate on whether this was appropriate.
In the Netherlands in the early Nineties, Dutch law enforcement tapped 3,000 phone numbers per year, he said. By 1998, it was tapping 10,000 phones per year. The dramatic increase was all owing to the spread of mobile phones.
"I am worried about these high figures, and I know they will rise even higher," he said. Worse, law enforcement agencies appeared to be trying to hide the extent of their phone tapping because it was very difficult to get annual statistics on wiretaps, he said.
But it wasn't all doom and gloom. The frenetic pace of geeking going on at Hal2001 amid loud techno music and pizza-flavoured Pringles seemed to inspire creativity. Londoner "Muttley", who didn't want to give his real name, said he came to Hal2001 for the sense of community – and the buzz. "I've written more code in the last few days [here] than I have in the last few weeks."
The Dutch authorities tried to stop the festival, held once every four years, from going ahead. Significant pressure was brought to bear on the University of Twente to drop the event, despite the festival's long-standing sponsorship by respected companies such as the Dutch internet service provider XS4ALL. One senior police officer reportedly told the university that it shouldn't co-operate with "enemy-of-the-state anarchists". The officer later denied making the statement.
However, in the best tradition of hacker irreverence, every member of the volunteer team managing the Hal2001 campsite's temporary one-gigabit network donned a specially printed black T-shirt labelling them as "enemy-of-the-state anarchists". It was the inside joke of the festival, since even the police later acknowledged that the festival's technical support team contained a number of Europe's most talented network professionals.
The organisers of Hal2001 said this had been the most successful festival yet – and there had been no major security problems.