New risk for wireless access points

U.S. federal law enforcement officials are warning companies of a systematic effort by computer enthusiasts and possibly hackers to mark and map nonsecured Wi-Fi 802.11b wireless access points in many major metropolitan areas.

Bill Shore, a special agent with the U.S. Federal Bureau of Investigation (FBI)'s Pittsburgh field office, recently contacted private-sector members of the local FBI InfraGard chapter to warn them of a process known as "warchalking" -- the physical marking of a building to denote an open wireless access point.

InfraGard chapters are local partnerships between the FBI and businesses in particular geographic areas, established with the aim of sharing cybersecurity information. There are 56 such chapters in the U.S.

Shore likened warchalking to hobos marking public places that are willing to provide a hot meal, or the way spies mark drop locations for exchanging packages. Although the markings can be used for legitimate purposes, such as denoting a free public-access point, officials fear that the markings being made on corporate buildings will enable hackers, and possibly even terrorists, to more easily locate vulnerable wireless LANs.

The threat posed by warchalking, however, goes far beyond what might be considered isolated incidents of scanning for the presence of wireless networks.

"In Pittsburgh, the individuals are essentially attempting to map the entire city to identify the wireless access points," Shore said in an interview last week. He said there have been no reports of buildings in Pittsburgh being physically marked like some in other parts of the country. However, Web sites have popped up that provide interactive digital maps denoting the precise locations of dozens of Wi-Fi access points in cities such as Pittsburgh, Philadelphia, Boston and Berkeley, Calif., as well as regions of northeast Texas and on various college campuses.

For example, a Web site called Zhrodague Wireless Maps allows war drivers -- those who search for wireless networks -- to submit output from their war-driving escapades and then create digital street-level maps that show the location and signal strength of 802.11b access points. In some cases, satellite photos are used.

The site, which advertises itself as a service that puts "Wi-Fi on the map," includes more than 28,000 entries from war-driving results in Boston alone.

Terrorist Aid?

Shore acknowledged the threat such markings and Web sites pose to ongoing criminal and counterintelligence investigations, especially antiterrorism investigations.

The ability of criminals and terrorists to spot the markings and then use vulnerable corporate wireless networks for anonymous Internet access "poses a real problem" for law enforcement, he said.

But William Harrod, director of the investigative response division at TruSecure Corp. in Herndon, Va., and a 14-year veteran of the FBI, downplayed the security significance of warchalking. He said that terrorists or serious criminals are unlikely to rely on it for identifying access points.

Harrod also downplayed the utility of having online interactive maps for terrorist activities. "It's not terribly hard to find access and gain that access," he said.

Other security experts take the matter more seriously.

Steve Ocepek, chief technology officer at San Francisco-based wireless security consulting firm Wholepoint Corp., said warchalking is a growing phenomenon that definitely poses a security risk.

"It makes it that much easier for a hacker to launch an attack," said Ocepek, adding that online mapping can also be another important planning tool in a potential terrorist's toolbox. "Wireless is a perfect way to make yourself anonymous."

Thubten Comerford, CEO of White Hat Technologies Inc., a Westminster, Colo.-based security firm, agreed that warchalking and online warchalk maps make an already dangerous problem worse. "The risks to companies and organizations is enormous," Comerford said. "Anyone could launch an attack . . . without much fear of being traced."
