Many wireless networks open to attack

Wireless networks are growing but security in most is woeful at best. Two teens are listening in on transmissions to expose the weakest links.

It is a Friday afternoon, and Peter Shipley and Matt Peterson are sitting in a late-model Saturn in a Silicon Valley parking lot, balancing notebook computers on their laps, checking out e-mail and looking after files.

Not their own e-mail and files, but those of Sun Microsystems Inc., in whose lot the two are sitting and on whose corporate network they are, in effect, spying.

"Look, there's someone transferring a file," says Peterson, looking down at his computer. Shipley sees even more: "There -- someone just turned on an NT machine and is getting mail."

Despite outward appearances, Shipley and Peterson aren't malevolent hackers. To the contrary, their aim is utterly benign: to expose one of the newest and potentially most dangerous security holes in U.S. business, in the form of wireless computer networks.

These are the increasingly popular systems that connect computers in offices or homes to other computers, or to printers, by using radio signals, much as cellphones do. These networks are remarkably convenient; they not only dispense with cables but also allow someone to roam around an office with a laptop computer while staying connected to the Internet.

More affordable
While wireless technology isn't new, prices have dropped dramatically in the last year or so; a small network can be set up for a few hundred dollars. And so usage has taken off: About 6.2 million wireless devices will be shipped world-wide this year, according to market researcher Cahners In-Stat, and double that in two years.

The problem is that many companies appear to be setting up these networks forgetting about the fact that -- unless special steps are taken -- anyone can detect what is being said on them, even strangers just sitting out in the parking lot.

Which is precisely the point of the demonstration by Shipley and Peterson. In the course of a recent 90-minute drive around a small stretch of Silicon Valley, using mostly standard personal-computer equipment, the two men found more than 40 corporate networks where basic security steps did not appear to have been taken. The men say they have spotted hundreds more on other trips and can find 10 or more on a single block in downtown San Francisco.

Security specialists aren't surprised. One estimates that a majority of the wireless networks in operation today have no security whatsoever. That means anyone in the neighborhood can likely read the network's e-mail and files, says Shipley, and, worse yet, probably be able to gain access to corporate passwords, log on to servers, take over a Web site -- or shut the network down entirely.

"Wireless security today is worse than cellular security was years ago," says Alan Paller, of the System Administration, Networking and Security Institute, a computer-security outfit that has just scheduled its first seminar on security issues posed by corporate wireless networks.

It is easy to make a wireless network secure; the "virtual private network" software, or VPN, commonly used over the Internet will keep a wireless network hidden from prying eyes. But the software is often never turned on. John Drewry, a senior director of business development at 3Com Corp., says many wireless users are so enamored of the convenience of their devices that "security is often an afterthought. A lot of education needs to happen."

White hat hacker
And education is something Shipley and Peterson believe in. Shipley, 35 years old, is a security consultant who is well known in "white hat" hacker circles; Peterson, 19, is a wireless buff who wants the technology to be used with appropriate security. The men have been driving around the San Francisco Bay Area logging the networks they find as part of a research undertaking. "People don't believe they have a problem until you prove it to them," Shipley says.

When they find an unprotected network, the men only look at the technical data the network is passing around, and not the actual contents of the files or the e-mails being transmitted. While any number of computer programs that circulate widely in the hacker community could actually read the messages and files, doing so is a felony. Already, there are reports of sealed court suits in Silicon Valley involving wireless theft of trade secrets.

One of the men's research outings begins in a Sunnyvale parking lot, where they set up their gear. While Peterson favors a big plastic "boom" antenna, Shipley relies on a much smaller one, the sort used in everyday offices.

Two seconds after driving off, they get their first hit. A network called "tutsys" appears on the men's computer screen; a building belonging to computer-network supplier Tut Systems Inc. is located across the street. "Wow, we are already seeing stuff," says Peterson. (A Tut spokeswoman said later that network was used by engineers, and that it would quickly be making it more secure.)

Every block or so, another network name pops up on the two men's computers, which are running special monitoring software. But because all wireless networks operate on the same frequency and with the same equipment, anyone with a Windows notebook and a $100 wireless networking card could do much the same thing. The two men see more than 40 networks in all, usually without stopping the car. One network is spotted while the men are taking a freeway off ramp. Most of the networks appear to be completely insecure.

On one network, Peterson notices that a printer is broadcasting its availability, something network printers do whenever they are turned on. He notes that had he wanted to, he could have sent the printer something to print out from his laptop computer, even while driving by.

Shipley says that when he misses a network on a quick drive-by of a company, he often finds one later prowling around the back sides of its parking lot. He says these "rogue networks," are often set up by a few employees without the knowledge of a company's computer department, typically to connect a few computers to a printer. But even the smallest network can be deadly, he says, since they give a hacker a way to bypass the sturdiest corporate firewall.

At Sun Microsystems, a network is detected right in front of the building. There is a lot of traffic, most of it coming from PCs running Microsoft Corp.'s Windows. "Wow, we're really drinking from the fire hose," Shipley says.

(A Sun spokeswoman said later that any network heard that day was part of a Sun test, though she didn't know what was being tested, and added that the network was no longer operational. Shipley was skeptical, saying that if the network was a test, it was an extremely insecure one, since it appeared to have made much of Sun's larger corporate network vulnerable in the process.)

A mile or so away from Sun, the men find a small network at a building belonging to Nortel Networks Corp., which, among other things, sells VPN software. They can spot the network from the street; when they pull into the Nortel parking lot, Peterson was able to sit in the car and surf the Web, courtesy of Nortel's network. (Nortel wouldn't comment.)

Shipley and Peterson say it isn't necessary to be close to a network to listen in. For a coming project, they plan to head for the hills above San Francisco, where they will use a special amplifier to pick up networks in downtown office buildings, many miles away. Says Peterson: "That ought to really scare people."