24% of wireless networks in Montreal are unsecured
The city of Montreal is the metropolis of the Province of Quebec, in Canada. It is the principal economic and business center east of Toronto, metropolis of Canada. On Saturday, October 27th, 2007, from 9:00 a.m. to 4:00 p.m., students from the Wireless Networking program at Champlain College Saint-Lambert, under the supervision of their professor, performed a wireless network security audit in the streets of Montreal, Quebec, Canada, as an educational activity. This article presents an overview of what was done and a summary of the results.
War driving
War driving is the act of driving around an area, using a laptop computer or a portable device (PDA, scanner) to detect networks. It originated around San Francisco (California, USA) with the Bay Area Wireless Users Group (BAWUG). The name war driving comes from war dialling, which was popularized by the 1983 movie WarGames, featuring Matthew Broderick. As with the previous exercise, it was decided to call the exercise a WLAN Security Audit, as the name War Drive has negative connotations.
War driving is possible because users of wireless networks, due to lack of knowledge, lack of adequate information, ignorance or laziness, leave their wireless access points unsecured. In many cases the devices are unsecured because the default configuration that was in place when the device was purchased is still being used. For example, in the data presented from the exercise, 1.9% of the wireless devices had "default" as their network identifier (SSID) and 49.7% used channel 6, often set as the default channel at the factory.
This exercise was intended as an educational activity inspired by media reports and documentaries on the vulnerabilities of home wireless networks. A similar activity had taken place in the city of Saint Lambert a few months earlier with a previous cohort. The objective from an educational point of view was to provide the students with hands-on experience in performing a wireless network security audit. A general objective was to perform a partial city wireless security audit and map the wireless networks (either home or business) that were found. This would give the students an idea of the current situation of wireless networks in Montreal.
To respect the right to privacy of residents, students were instructed to observe only IEEE 802.11b and IEEE 802.11g data packets and signals present outside the limits of private property, never trespassing. The students were not to look or attempt to look at the data inside the packets, or attempt to connect or gain access to data, information or computer services in any way. Students had been strictly advised that all activities were being performed on public property as a community service activity. No attempt to access computer facilities, files or resources was to be undertaken by students.
Twenty-two (22) students from the WLAN Fundamentals course participated. The students were divided into 7 teams of 3 or 4 students. The students are all adults, some having graduate diplomas from foreign universities not recognised in the province of Québec.
Each team was assigned an area in a sector of the city known as Hochelaga-Maisonneuve, between Sherbrooke and Ste-Catherine. This area was selected as it is located near the residence of the professor, which was used as an operational command center and for lunch. Seven areas were determined, all near public transport subway terminals (called Metro), at the stations between Papineau and Viau on the green line. Some teams used private vehicles. These teams were able to cover a larger area, which extended the exercise into the downtown business sector from Berri, west up to Atwater. Students who participated in the exercise were required to have, per team, a laptop with a wireless (802.11b-g) network adapter, Open Source software NetStumbler, and a cell phone for security.
The students arrived at their assigned Metro station at 9:00 a.m. and called in to indicate they were ready to start. Most started performing the audit at around 9:30. They called in to the operational center every hour to indicate progress. Teams returned for a pizza lunch at 13:00. Lunch was followed by a debriefing. Following the exercise, a few students performed additional scans as partial credit for their final assignment in the course, in lieu of another assignment. All the results were integrated into a single NetStumbler file and converted to Google Earth using KNSGEN for an in-class presentation and discussion.
Findings
With the exercise data and the additional scans done by students, a total of 14906 devices were found and used to create a sample (n=14906). The table below shows a summary of the results alongside the results from the spring War drive.
Measure           October    %       Spring    %
Sample            14906      100     330       100
Encryption OFF    3618       24.3    103       31.2
Encryption ON     11288      75.7    227       68.8
APs               14702      98.6    328       99.4
Peer-to-peer      198        1.3     2         0.6
Default SSID      283        1.9     10        3
Ch 1              1716       11.5    33        10
Ch 2              180        1.2     8         2.4
Ch 3              257        1.7     2         0.6
Ch 4              369        2.5     3         0.9
Ch 5              147        1       4         1.2
Ch 6              7406       49.7    178       53.9
Ch 7              172        1.2     4         1.2
Ch 8              272        1.8     3         0.9
Ch 9              295        2       5         1.5
Ch 10             332        2.2     5         1.5
Ch 11             3852       25.8    85        25.8
Table 1: summary of results
There are many apparent similarities in measures from the spring exercise and the October exercise. Of the devices included in the sample, 24% were unencrypted. This is moderately better than the 31% identified in the previous exercise. However, this may have a simple explanation: the area covered in October included many commercial dwellings, which are more likely to implement basic security measures, compared to the previous area, which is predominantly residential. 198 of the devices were in Peer-to-peer mode. While this type of use is often problematic from a security point of view, it is difficult to estimate potential risks, as they may be devices such as WiFi telephones or game consoles. Further investigation would be necessary.
As in the previous exercise, the potential problem of the close proximity of multiple wireless devices using default settings (channels 6 and 11) was found. There must be performance problems experienced by the users of the devices; however, this was outside the scope of the project, as the students did not have the tools to evaluate this in the field. Non-typical channels were found to be used (40, 52, 56, 60, 64, 149, 153 and 157). This is possibly to create an illusion of security.
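The measures in Table 1 can be tallied from merged team scans as follows. This is an added example, not code from the original exercise: the record format (BSSID, SSID, 802.11 capability field in hex, channel), the sample records and the list of factory SSIDs are all constructed assumptions, and it is not NetStumbler's export format.

```python
from collections import Counter

# IEEE 802.11 Capability Information bits.
CAP_IBSS = 0x0002      # set by ad-hoc (peer-to-peer) stations
CAP_PRIVACY = 0x0010   # encryption required; does not say WEP or WPA

# Assumption: SSIDs counted as "default"; extend for a real audit.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}

# Constructed sample: two team scans whose areas overlap on one device.
TEAM_A = """00:11:22:33:44:01,default,0001,6
00:11:22:33:44:02,Home,Net,0011,6
00:11:22:33:44:03,CafeWifi,0011,11"""
TEAM_B = """00:11:22:33:44:03,CafeWifi,0011,11
00:11:22:33:44:04,console,0002,1
00:11:22:33:44:05,linksys,0001,6"""

def parse(text):
    """Yield (bssid, ssid, capability, channel) for each record."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, rest = line.split(",", 1)
        ssid, cap, chan = rest.rsplit(",", 2)  # SSIDs may contain commas
        yield bssid.lower(), ssid, int(cap, 16), int(chan)

def summarize(*scans):
    """Merge scans, count each BSSID once, and tally Table 1's measures."""
    devices = {}
    for scan in scans:
        for bssid, ssid, cap, chan in parse(scan):
            devices.setdefault(bssid, (ssid, cap, chan))  # first sighting wins
    counts, channels = Counter(), Counter()
    for ssid, cap, chan in devices.values():
        counts["encryption_on" if cap & CAP_PRIVACY else "encryption_off"] += 1
        counts["peer_to_peer" if cap & CAP_IBSS else "ap"] += 1
        if ssid.lower() in DEFAULT_SSIDS:
            counts["default_ssid"] += 1
        channels[chan] += 1
    n = len(devices)
    percent = {k: round(100.0 * v / n, 1) for k, v in counts.items()}
    return {"sample": n, "counts": dict(counts),
            "percent": percent, "channels": dict(channels)}

if __name__ == "__main__":
    print(summarize(TEAM_A, TEAM_B))
```

Without the deduplication step, a device seen by two teams would be counted twice and skew every percentage.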
Conclusion
Overall the students seemed pleased by the experience. They indicated that they were able to visualise some of the theoretical concepts seen in class, as expected in this type of exercise. There were no problems and, to our knowledge, no complaints have been received. On the other hand, the data is not such good news.
Looking at the results, it seems that wireless security in networks is not too good in Montreal. While the results may not be as catastrophic as the previous exercise indicated (31% unsecured), it is still far from being an ideal situation in the current economic and geopolitical context. These results would support this author's belief that IT security awareness is needed, as only through education can durable social change be enacted.
by Marc André Léger,
Professor, Champlain College (Saint Lambert, Quebec, Canada)
Lecturer, University of Sherbrooke (Longueuil, Quebec, Canada)



Comments (4)
at 15:22 on November 16th, 2007
Very interesting report. Wireless internet security is an area I've always been curious about. Perhaps, maleger, if it's not too much trouble you could comment with some basic security tips for users without IT expertise. Thanks for the post.
at 15:34 on November 16th, 2007
We prepared something with the students last time: http://www.leger.ca/pages/WLAN-H07/index.html (in English) and http://www.leger.ca/pages/WLAN-H07/francais.html in French
Rob Peters at 16:12 on November 16th, 2007
Perfect, thanks a lot. I think a lot of people will find those links useful.
at 13:35 on April 11th, 2008
A recent wardrive is also described here:
http://www.nowpublic.com/tech-biz/montreal-region-war-drive-march-2008
or in more detailed version here:
http://www.leger.ca/pages/CHAMPLAIN/w08_audit_results.htm