Almost one-third of 34,476 wireless networks in central Sydney had no security encryption or were using easily broken WEP security, according to a novel study by security vendor Sophos.
This finding was part of Sophos’ global ‘warbiking’ project, which involved James Lyne, the company’s global head of security research, riding a computer-equipped bike through major cities to detect wireless networks.
Sydney is the latest stop on this journey, a different take on ‘wardriving’ – the act of searching for wireless networks from a moving vehicle. Lyne’s bike is equipped with the Raspberry Pi credit-card-sized computer, a network card, battery, and GPS device.
Lyne tracked unsecure wireless networks and examined user behaviours that could be exploited by hackers, during rides over two days through the Sydney CBD and across the Harbour Bridge to Milsons Point.
Sydney stacked up well compared to other cities when it came to the use of WEP but 3.98 per cent of networks were still using the algorithm, Lyne said. This compared to 9.4 per cent in San Francisco and 6.34 per cent in London.
During the Sydney rides, Lyne discovered that 23.85 per cent of the networks were open; 28.15 per cent used the depreciated WPA security algorithm; and 44.02 per cent used WPA2.
A further 35 per cent used WPS, which enables users to unlock the password for a network using a PIN or time-based connection, removing the need to type a long password.
Lyne said this is equivalent to printing a long password, putting it in a paper bag labelled ‘please don’t look in me’ and putting it in the middle of the street.Read more: NSW Privacy Commissioner investigates USB key auction
“This feature has a number of astonishingly dumb problems. For example, you can actually across the majority of these devices … brute force all of the PINs in about 11 to 12 hours.
“The majority of WPS implementations using the ‘Reava attack’ could enable you to break into one of these networks in less than a couple of hours.
"A very high percentage of [these networks] could be broken into using that Reava attack by an attacker that’s a little more patient compared to the average cybercriminal.”
Lyne said that some manufacturers still have built-in WEP as an option in their devices, which he regarded as "outright negligence" given how broken it is.
"You will still find providers that use WEP by default. Only a couple of weeks ago, we found a payment card merchant system that only supported WEP. We told them they were in violation of PCI and they said ‘what’s PCI?’”
“As a society we are failing measurably to do the basics in network and wireless security,” he said.
Throughout his ride, Lyne also created honeypot SSIDs – ‘free public Wi-Fi’, ‘free Internet’, and ‘Do not connect’, with 994 people in Sydney connecting to the networks.Read more: iPad sings a sad tune for security vendors
“We gave them a captive portal page to tell them we would be logging high level information about their browsing and the protocols that they used,” he said.
The most popular websites visited at all locations included Facebook, Twitter, Internet banking portals, Google Maps, webmail, Snapchat, and believe it or not adult websites such as Ashley Madison.
Follow Byron Connolly on Twitter:@ByronConnolly