Peter "Evil Pete" Shipley is a well-known security expert. His exploits -- in both senses of the word -- are legendary. He's a reliable presence at Defcon and other security-oriented hacker events and he prefers to demonstrate the security flaws he's discovered as they exist "in the wild" -- which is to say, in the real world. Lately, he's been concentrating on the security -- or, more properly, on the lack thereof -- of 802.11b wireless networks.
On July 31st, 2001, I interviewed Shipley by telephone. I accidentally erased the first five minutes or so of our interview, so the following transcript doesn't include me asking permission to tape our conversation or my opening questions about Shipley's early days as a Unix hacker. I've also edited down some of my more rambling questions to make them more concise.
Any errors in the transcription are my fault.
Thom Stark: So what prompted you to begin playing with wireless networking?
Peter Shipley: I've always been analyzing networks that are insecure and I think some of my peers were talking about what the next big problem is in security and what to look out for and wireless came up quite a few times.
Thom Stark: And this would have taken place whenabouts?
Peter Shipley: About a year-and-a-half ago..two years ago. I did a bit of work with modems, actually, analyzing security of dial-up systems. And I basically was very surprised -- actually shocked quite a few people at the success rate I had at penetrating systems via wireless.
Thom Stark: So when did you start looking at security in wireless networks?
Peter Shipley: Oh, I began learning a lot about security about a year ago. About wireless security, that is. And I actually started my war-driving effort I think seven or eight months ago.
Thom Stark: So that would have been approximately the turn of the year or a little before?
Peter Shipley: No. Several months before I was actually finally able to roll the system out. The difficulty was there were actually some minor things to figure out. Conceptually it was somewhat easy, but the actual hardware -- something that can find networks for you, associate for them -- integrating the entire GPS assembly was a problem.
Thom Stark: So, what does your current setup consist of?
Peter Shipley: I've currenlly got two of them. The first one I used was based on the Lucent card. And what I do is, I have a Lucent card set up in "ANY" mode, which means "just associate with the nearest AP." And, by doing that, it goes out and I log onto a machine. The whole thing runs on FreeBSD. I effectively have a script that resets the card, associates with an AP, and then pulls the GPS of my current location and logs it to a file.
Thom Stark: So you're basically logging your location when you intercepted the AP. Do you have any kind of indicator of signal strength or anything?
Peter Shipley: I do indicate signal strength. And one thing I do in the post-processing is we quantize the samples into a grid pattern and then we do some general averaging on signal strength to figure out the location by longitude and latitude. We actually do do some triangulation based on signal strength.
Thom Stark: And you get that from multiple fixes on the same net?
Peter Shipley: Correct.
Thom Stark: Can you paint me a word picture of a typical war-driving session?
Peter Shipley: Well, the early sessions, I'd have a couple of friends with me. We'd take turns driving because we were basically more interested in the interactivity of the system and literally debugging things on the road. In that case, we'd pretty much have one or two laptops in the car. We'd have an external antenna -- we used to use one of the Lucent range extenders, but recently we've found sources for better, stronger mobile antennas. The whole thing is wired into a Lucent card. We have a Garmek Emap GPS, which is plugged into the cigarette lighter, with a data cable going into the laptop and we have a Perl script that effectively does most of the work for us.
Thom Stark: And it queries the GPS unit and incorporates the longitude and latitude results into the log?
Peter Shipley: Yes.
Thom Stark: Is that script available for download?
Peter Shipley: There'll be a link to it off the files page on dis.org.
Currently, we're tryiing to clean up the post-processing. The script itself for doing scanning works only under FreeBSD with the Lucent card. And I want to expand it to actually work with the Aironet card. I need to get the post-processing stuff working better. The post-processing actually does all the work for you.
Quite literally, when you finish the night you'll have ten thousand data points -- which will distill down to three to four hundred APs. Sometimes only eighty APs. So the first pass of the script generates a list only of the highest signal strength. That does not do any triangulation. And after that, we have a Perlgram that using Mapquest or the Tiger census mecca, we generate a map of the Bay Area with these points on it. I believe those maps are actually included in my slides.
Thom Stark: The slides are a couple of months old. At that point, you were saying you'd mapped the location of around 1500 APs around the Bay.
Peter Shipley: Yeah, we're currently about 1500 to 2000 or so APs.
Thom Stark: And how much of the Bay have you covered?
Peter Shipley: I've covered the majority of San Francisco. I've not really done that much in the East Bay. And I think I' ve done half of the South Bay and half of Sunnyvale. It's very hard to cover every road. We're pretty much just sticking to the mostly-business areas and also sticking closely toward major routes.
What I want eventually to get out of this process is a good demographic sampling. And that's going to be a couple of months in the process.
Thom Stark: What trends have you noted?
Peter Shipley: A majority of people are running their APs in effectively open mode -- basically wide open, no encryption. A majority are also running in default SSID and IP ranges, which strongly implies that they've used little or no configuration when they set up their wireless LAN.
Thom Stark: What should they be doing, instead?
Peter Shipley: The only true solution I find at this point -- and probably in the future -- is to set up an IPsec. You wish to place your WAPs or APs -- your wireless access points -- on a DMZ zone. This DMZ zone should be restricted from the Internet and from your internal network. And the only thing you should allow out of this DMZ zone are connections or computers that have authenticated themselves with IPsec.
The general scenario is: you bring up the laptop, the laptop associates with the local wireless LAN. And then you set up an IP tunnel -- there are several free versions available -- and you just use that as an IPsec tunnel into your firewall.
This is very similar to the way people handle dial-up. When a company contracts out to, for instance, Uunet or other providers for worldwide dial-up access, you end up using a Uunet or Earthlink dial-up. But then you have an IPsec connection that links that laptop in the hotel room, or wherever it may be, to the corporate LAN through a secure IPsec channel. The same thing needs to be done at the local level of the wireless LAN.
Thom Stark: In your slide presentation, you state that as many as 80-85% of all the WLANs you've scanned have no encryption enabled at all.
Peter Shipley: Enabling encryption is not going to protect you, it simply stops the drive-by surveyors at a certain level. Your network will still be detected, but at least it will stop people who will pull over and end up using your system.. You can also benefit from using a decent WEP key -- not a passphrase, but actually your own WEP key.
Thom Stark: What ends up happening, though, is that they unbox the AP and, the minute they get a client to see it, it's off to the races and they never give it another thought.
Peter Shipley: That was happening six years ago -- companies were getting on the Internet. They'd install Windows 4, they'd install a Web server and then off they went, hopefully making their millions on the Internet.
We've seen very little control on wireless systems. You can quite literally walk around San Francisco and without difficulty have free wireless access.
Dan Farmer did a survey that showed that 60% of machines showed some basic vulnerabilities. Of that, approximately 30% or so showed major vulnerabilities. My war-dialing effort, where I war-dialed over 5.7 million phone numbers in the Bay Area showed similar numbers. Now this wireless survey I'm doing is, again, beginning to show the same numbers.
Now, I don't nearly have a large enough survery to definitively say this -- and hopefully in the next two or three months I'll have actually a large enough sampling to have a reasonable demographic statement.
One of my distant goals, actually, is to prove that these numbers correlate -- and I'm getting close to it now.
There are four different ways of getting on to a corporate LAN: there's over the Internet, dial-up, there's wireless and physical. I'm actually working with a group that does quite a few physical security audits -- and definitely my review of their audits are showing agreeable numbers. So hopefully toward the end of this year -- right after I publish the wireless observations -- I plan to publish a followup article which will show the correlation between these: Shipley's Constant here.
Thom Stark: (laughs) Will you self-publish or are you looking for a journal publication?
Peter Shipley: I usually look for a journal publication, but.. It's actually somewhat humorous. My war-dialing effort, for example: most journals and most conferences weren't interested in the dialing effort. When I submitted the abstract, all the replies were, "Oh, this is old news. Everybody knows this stuff." And then, once I released the actual numbers, every major security auditing company all of a sudden added war-dialing as a part of their audit business -- which it wasn't before -- three companies have released war dialers and two companies have released phone firewalls. After I published the numbers for a paper that was rejected because it was considered "old news" and "there's nothing new there."
Thom Stark: (laughs) Who cares about dial-up security, anyway?
Peter Shipley: It's actually more than that. I had full access to (a local) fire company. I could dispatch trucks. I had full dispatch capability.
Thom Stark: That's kind of a hole.
Peter Shipley: In that case, what I did was..y'know anyone who's into security is pretty much on a first-name basis with the local FBI. I simply gave one of their local agents who knows me this information, because I felt that if I contacted (the local) fire department (the FBI) might actually contact me. So I contacted an agent, he contacted the fire department and they fixed it with six to eight hours.
I contacted the agent, told him the problem, described the problem -- and also informed him I was going to re-verify the problem in 24 hours. And I gave him a call up 24 hours after that saying "It's been fixed."
Thom Stark: So you have a pal in the Bureau?
Peter Shipley: I wouldn't say a "pal" in the Bureau, but, everybody knows their local agents, because, when you're working security, you eventually have to deal with them on one basis or another.
Thom Stark: That brings up the issue of the legality and/or morality of war-driving.
Peter Shipley: While I'm not an attorney, I can say that they openly transmit the beacon and they're willingly transmitting a beacon designed to advertise the presence of their AP. So the monitoring of the beacon itself, there should be no violation. Again, of course an overzealous prosecutor will find some reason to complain.
But this is an open beacon. Now, actually listening to the data that's being transmitted's a different story. Looking at the actual data falls into two categories: one, it's illegal to intercept other people's packets,. But the FBI and other agencies are pushing a concept through, based on the Carnivore, saying that "Well, we're not looking at the data, we only look at headers." And they're stating that it's okay to only look at headers, as long as you don't look at data, and they're like, bending the law a little bit in their own favor.
But this law can also be bent in our favor. This interpretation of the law can be bent in our favor, also.
Thom Stark: The "sauce for the goose" concept?
Peter Shipley: That way I could analyze those IP headers, as long as I don't look at the data..
I found that a majority of large companies, including several firewall companies, in Sunnyvale, not only have wireless access, but I was seeing BGP and IGRP broadcast -- relayed wireless. Which indicates that the AP they're using is not on a DMZ, and, not only is it on one of their networks, but on one of their primary, backbone networks. Now, if I want to be mean, if I get onto one of their routers -- very trivially -- I can even do my own broadcasts. I can insert ficticious routing information and they'll never figure out what happened.
The system's really not performing any more. There are various denial of service attacks. If you can do man-in-the-middle between two large routing broadcasts, you can basically shut down connections. And the way BGP typically works is: if it sees you lose your TCP connections, assume that most routers have gone down and drop all the routes. Just transmitting bogus default routes up until I drop out can keep a whole company offline for the better part of a day. Because, once I stop transmitting these routes, it can take the better part of a day for the corrected routes to correctly proliferate through the corporate network.
Thom Stark: That would be strictly illegal, of course.
Peter Shipley: When you describe security problems, you have to describe the dark side.
Thom Stark: What about the ethics of war-driving?
Peter Shipley: The thing is, I came forward and went public with this effort because I wanted companies to know this is out there. Since then, there are literally hundreds and hundreds of people -- copycats -- out there who have copied my hardware and are doing this. Now one thing I truly disagree with, there are actually several groups out there maintaining these database Web pages which contain lists of open APs. I strongly discourage that. One group, for example, Bay Area Wireless Users Group, bawug.org, you might want to actually list them in your site. One nice thing about them is that do have a site of open APs that you can only submit your own AP which the site will actually verify.
Thom Stark: Let's talk about the ethics of war-driving. There are inevitably going to be people who will say, "You shouldn't be doing that."
Peter Shipley: I've been hearing that for over a decade. Actually, when CERT first came out, I gave them their database. About a week after I gave them the database I said, "If you have any chance to verify some of the data -- or to extend some of it -- I'd be very interested in that update." And their answer was, "No." They would not return information to me. In fact, they didn't give me proper credit for it, even though I gave them their original database.
When I began posting parts of my information to alt.security and those other Usenet groups -- back when Usenet was actually usable -- they actually made an official request to U.C. Berkeley that my account be disabled, because they didn't want this information getting out.
There's a huge debate that's been going on for a long time about whether security information should be shared or not. I'm a strong believer that it should be. After a decade or so of a very close-mouthed policy, things didn't get better. Now that we have an open policy -- with Bugtraq and other groups -- things are actually getting better. Microsoft is actually pretending to care about security.
Thom Stark: (laughs)
Peter Shipley: Sun Microsystems pretends to care about security. Sun as bad as or worse than Microsoft, you realize that?
Thom Stark: Are you interested in other aspects of wireless technology? Bluetooth, Home RF and so forth?
Peter Shipley: Home RF is pretty much dead at this point. Literally, I don't really see Home RF lasting. It's going to be a legacy network. I pretty much ignore that at this point.
Thom Stark: What about Bluetooth?
Peter Shipley: Once there's actually usable implementations of Bluetooth, I plan to start doing some research into that. There's some interesting areas to look into. For example, now that I have 2.4 gigaHertz amplifiers, parabolic dishes and such, a lot of interesting data can be accomplished, if you get on top of (San Francisco's) Market Street or a large business district and beam down at people.
What are you going to use Bluetooth for? You're going to be receiving a Bluetooth query from a business client. You send it. The majority of Bluetooth security so far has been that it's a small network.
Thom Stark: A "piconet."
Peter Shipley: Well, it's not a "pico" net, if I have a decent amplifier. I can literally be 10 stories up on a business building.
Thom Stark: With a good-sized parabolic to pick up your weak Bluetooth radiation and a strong enough transmit amp to punch a signal to you.
Peter Shipley: You can buy satellite dishes cheap. This is very feasible. I could say, like, "This is the demographic data and email addresses of people who walk down Market Street at 3:00."
Thom Stark: Do that enough and you can build up quite a database.
Peter Shipley: Let's just say that one out of every 30 people or one out of every 50 people walking by have a Bluetooth-compatible device in 5 years. Given the number of people walking by, I can still walk away with thousands of people's data in an afternoon.
Thom Stark: The thing is, given the expense of Bluetooth-enabled personal electronics -- and the existing IR standard for PDAs and such -- I have trouble imagining all that big a market for it. At least, anytime in the next ten years, that is.
Peter Shipley: Well, Bluetooth has some interesting things for your domicile, along the lines of, for example, getting my coffee maker to agree with my VCR on what time it is. But that's about it.
Thom Stark: As far as I can see, Bluetooth is a marketing-based solution in search of a problem.
Peter Shipley: Have you looked at the Bluetooth protocol? The Bluetooth protocol says, "if there's interference on the channel, just re-transmit." Whereas most other protocols, for example, even cordless telephones, if a certain frequencies are in use or unusable? Stop using it.
How they're handling it, basically, is like ham radio: if someone else is using it, back away. The wireless phones are a lot like that with the headset. That does the same thing: looks for an open channel and, if it starts getting interference, backs away. It doesn't start pushing harder. Bluetooth starts pushing harder. Bluetooth literally believes it has this band and nobody else does -- which is going to make Bluetooth incompatible with the majority of cordless phones. And 802.11.
Thom Stark: And, if it does achieve ubiquity, you're going to have a whole lot of Bluetooth piconets contending with one another for the same bandwidth.
Peter Shipley: Yeah, but they're designed to work, because they actually anticipate each other -- not anticipating constant usage. Bluetooth is bursty. But for somebody who's doing a continuous transmission over a certain frequency, like I am right now -- that could be a problem.
Thom Stark: Data streams as opposed to data bursts.
Peter Shipley: Every person I know who's into Bluetooth and I've brought this up, they go, "Oh, Bluetooth handles that problem by making sure its data gets through, by re-transmitting." "But you understand, they interfere with one another." They go, "But Bluetooth will be resistant to their interference."
Thom Stark: Yeah. And what does that do for your telephone?
Peter Shipley: Exactly.
Thom Stark: Well, it's good that Bluetooth will be resistant. If only we all were!
Peter Shipley: Back to wireless technology, as I pointed out, I find a lot of people wide open. The majority of people literally don't care. Certain people leave their networks open, like I do. I've got a low-speed connection, which is on the outside of my firewall, and there's various firewall filters so it can't really be abused. I've got PICS between you and the world, so you really can't abuse it too much.
There's a lot of companies that don't realize this. Driving through certain areas of San Francisco, you're very shocked at the number of open networks that are out there. Even in London, for example, the Soho area was full of open networks. There was actually two or three networks per block in downtown Soho, in London.
Thom Stark: I haven't been to the Soho district of London in a long, long time. What's the business mix there these days?
Peter Shipley: There's a lot of multimedia companies in the Soho area.
Thom Stark: I immediately think, "Well, there's Soho (in London) and SoMa (South of Market, in San Francisco).
Peter Shipley: SoMa, actually, in San Francisco, there's very little. I didn't really scan that area 'til after dotcoms were beginning to melt down. So that could explain a little bit of the lack of wireless. But there really wasn't that much wireless in the SoMa area. Now, in the Mission District and the Army Street, there was actually quite a bit, in addition to the Haight-Ashbury area. That's because all these Gen-X guys with little Goth girlfriends were basically living up there and have all their tech equipment with them.
Thom Stark: Including their little two-node network -- them on one node and their girlfriend on the other.
Peter Shipley: Like I said, the majority of the companies are not realizing the openness of the thing. The purpose of my war-driving and various other information -- I've actually put together a "LAN-jacking kit" -- is basically to show people that this is a problem.
Here's another scenario for you which I find very interesting: you say you have a lot of lawyer friends who said they warned you to tell me I'm being recorded right now. Several times. Okay, you understand that in certain cases, actually, it's been recommended that lawyers do not use cell phones, especially when talking to their clients. And you understand the whole game of client-attorney privilege? If I was being deposed I reveal a little bit, I basically have waived my attorney-client privilege. So, if it can be shown that the lawyer is not performing due diligence, it is possible that the attorney-client privilege can be broken.
Now, there's a lot of legal firms that I know about that are using wireless networks. A large legal firm -- we're not talking about a one- or two-lawyer company, but a large firm -- you might have a different intern or a different partner going to each different movement of the proceedings. Which means there's very precise notes being written between conversations; there're various competing or agreeing strategies being drawn up to go against the opposition. All these are kept on a centrallized data server or information server -- document server, perhaps -- of what the plans are to do: who to serve next, what questions to ask at tomorrow's deposition, what questions not to ask at tomorrow's deposition. All of these available on the file server on a attorney's office.
Now, being if I can stand on Fremont and Market Street and have free access to that attorney -- mind you, this is not legal for me to do this, but it's extremely feasible and it's actually being done -- I can stand there and I can download these briefs, because, generally, these Microsoft office servers have no security. I've done quite a bit of work with legal offices -- helped them clean things -- and the majority of times their shares are wide open. And, if they do have any security, this is Microsoft security we're talking about.
Thom Stark: (laughs)
Peter Shipley: Thus it can be argued..I mean, this is, like, a huge thing. I don't want to be the person that takes this to court, but.. Okay, Attorney A vs. Attorney B: Attorney A cannot hire me to breach Attorney B's security, but, if I happen to get it, nothing stops Attorney B from using it, if I just offer it.
But, look, I'm not a lawyer. But, again, I don't want to debate scenarios. Your attorneys will disagree with me; your attorneys may agree with me. Who knows? But, what they will agree with is that using wireless networks without encryption or any other security is clearly a breach of the attorney-client privilege.
Thom Stark: Well, a breach of due diligence, certainly.
Peter Shipley: Right, it's just like using an analogue cell phone.
Thom Stark: I'm not a lawyer, either. I don't even play one on TV..
Peter Shipley: I've just dated a few.
Thom Stark: (laughs) Sorry. As I understand it, the issue turns on the concept of duty -- and that, in turn, comes down to knowledge. If you don't know your network is exposed, no breach of duty exists. At least, that's the way the lawyers explain it to me.
Peter Shipley: Yeah, but there's also the argument, "Is ignorance truly an excuse?" Can a lawyer today literally say, "I've no idea that cell phones can be intercepted?"
I'm actually working with somebody who's writing up something for the legal journals describing this problem. So it will be published in, hopefully, one of the bar associations' or one of the other legal journals. They can't write the article, because they don't have the technology -- and I don't have the law reference. In addition, a legal journal like that is only going to publish something with legal references and they're not going to take legal references that come from anyone but a lawyer.
Thom Stark: Sounds like you have the makings of a beautiful partnership: a lawyer to take care of the legal references and a technologist to handle the technology.
Peter Shipley: Yup. It's possible I'll be an expert witness, also.
Thom Stark: If that were to happen any time soon, I'd appreciate seeing a copy -- or getting a pointer to an online version.
Peter Shipley: We've got, basically, a set of abstracts printed now and we're going to write it anyway. And publish it somewhere.
Thom Stark: Do you have anything you'd like to communicate to the audience about wireless that I haven't covered in my questions thus far?
Peter Shipley: Well, there's a few things, I guess, that I haven't mentioned yet, but you saw some of it in my slides. One of which was my ability to quite literally log onto a network from over twenty miles an hour..twenty miles away, that is. I got on to the Berekely Hills -- I don't know how familiar you are with the Bay Area topology?
Thom Stark: Pretty familiar.
Peter Shipley: Okay. I went up to the Lawrence Hall of Science (in the hills above the U.C. Berkeley campus) with my parabolic dish and I logged on to a site which is near the Exploratorium (in western San Francisco, near the Golden Gate Bridge anchorage.) That's fifteen miles, not counting the height difference.
What I did was, I scanned for the farthest networks I could reach. So I didn't know exactly where I was receiving, I just logged MAC addresses of the APs, which is part of the beacon. And, when I compared my database -- and my database, of course, had that longitude and latitude of these sites, based on my driving -- and I was able to produce X,Y distance. And did the same thing from the Hayward Hills.
And I think we'll show that, with a parabolic dish, with or without an amplifier -- it really depends on the weather, I guess -- I can link onto a remote network. And the remote site is not using a A-type, amplified antenna. I was able to get Cliff's network (Clifford Skolnick's steam.org, in San Jose) with no problem -- I wasn't looking looking for his network, I was looking for other people's -- I was able to associate with various other corporate networks without any difficulty and, quite literally, over the horizon. The horizon's three-and-a-half miles at sea level.
Thom Stark: I think the Lawrence Hall is at 1200 feet or thereabouts.
Peter Shipley: Actually, if you actually stand there, you can actually look out and you actually have the horizon of the Earth and the Lawrence Hall is coming from over the horizon.
I've actually heard various people make these statements of, "Well, we just have a strong security and, if any kids park in our parking lot, we'll find them." They're not going to find them.
Being that we've also broken the twenty-mile limit, this makes some very interesting things in the way of let's talk about jurisdiction here. This is actually, probably a state or federal mandate, I really can't escape jurisdiction too much, but you have to go outside the city, which makes it a little more difficult to get the proper arresting officers in place. Secondly, in Washington, DC, Virginia or even the New York City area, I can cross several city and state lines in a twenty-mile range.
Thom Stark: And in the Washington area -- and in New York, for that matter -- you have any number of embassies that are legally foreign soil.
Peter Shipley: And what's our current international border line?
Thom Stark: I could swear we claim a twenty-mile ocean boundary.
Peter Shipley: Well, it may be pushing that, but how far is it from London to Paris? Just under water. Sealand, for instance, is only seven miles out. So, it is theoretically possible with this technology to actually intercept several..there's several places where you can actually intercept border lines in international waters and have access to this type of data, or, you know, wireless networks. So the fact is the risk isn't just me or somebody with the proper equipment in a car, driving at 80 miles an hour.
I have done strong link coordinations at eighty miles an hour, by the way.
I can do these things, quite literally, from the next city.
Thom Stark: So, if you're counting on distance to keep you safe, you're living in a fool's paradise.
Peter Shipley: Distance is not a solution. I can see several military solutions. For example, you might have the five-mile no-man's-land around an Army base. Let's just say we're in a Gulf War situation. Don't think you can use wireless LANs on your base, even though nobody's allowed within five miles of your base. That's not going to fly.
Thom Stark: All they have to do is get a little altitude and use a parabolic on you. A helicopter being an excellent platform for that.
Peter Shipley: They might quite literally have a..actually my friends while in the Service include quite a few people with various expertise. And Wyatt actually has three machines and owns a machine shop. I quite literally dropped a couple of my favorite antennas into FedEx, had them shipped out to his machine shop in Modesto. Within several days, I got sent back the literally prototypes for mounting brackets for both my parabolic dish and my Yagis that go onto my camera tripod. The dish is, I think, about three pounds or so, the tripod I believe is three pounds, so, literally, in about eleven or twelve pounds, I have something that fits in my backpack, only weighs twelve pounds, allows me to sit up on a hill and basically pick up any connection that I can see.
Thom Stark: Over a space of miles.
Peter Shipley: Over twenty miles.
Thom Stark: I hope that's going to open some eyes among the folks who read this stuff.
Peter Shipley: Again, when people hear about "war-driving", they're going to say, "Well, we'll just keep an eye out for long-haired guys in cars." No. That's not going to work. WEP encryption simply stops people pulling over and attacking your network instantaneously. With the way (inaudible) is using password WEP encryption, it can be broken in literally seconds. It turns out to be only about 21 bits of actual encryption, net. If you're using a 128 WEP server -- rolling random dice or something like that for each variable key -- Ian Goldberg's software can do it within 5 and 8 hours.
Thom Stark: That's an exploit I missed. Ian Goldberg?
Peter Shipley: Yes. Ian Goldberg has..there's actually two papers I can forward you, if you'd like. One is Ian Goldberg's stuff. One is actually theoretical stuff from the woman at AT&T. You know how WEP actually works? MD5 (sic) actually works on the data stream, so it's just a matter of time. You just have to wait 'til the MD5 cycles. Which turns out to be, I think, about a gigabyte or so of data. But either way, that breaks it down to only a few hours.
Thom Stark: Well the IV keyspace that everything is drawn from is only 24 bits wide. Bernard Aboba of Microsoft gave a presentation at the IEEE meeting in Orlando, in May, where he talked about how, even if you're only getting 5 megabits of transmission, incrementing the key value by 1 for every packet you transmit, you'll run through 24 bits in, like, half a day.
Peter Shipley: Yeah. And even with the 40-bit attack, just parking and doing a passive attack on your site -- which literally can be done from my dish -- I'll eventually acquire enough data that I simply have to do..you quite literally start XORing your packets together and -- well, you know how XOR works -- and XOR your packets and eventually you'll extrapolate a key.
Thom Stark: And if you're in a position to exploit known plaintext, it goes a lot faster.
Peter Shipley: Well, the majority of your packets are ARP packets. There's your first plaintext attack. Now, of course, if your AP has security as an optional feature -- in other words, it will use WEP if you have a key, if not, you don't need it -- this allows me to do a passive attack on your site. Whereas, basically, I do a broadcast. I can ARP a random number. And what happens is the AP will retransmit that ARP over the encrypted cloud. And that's basically, obviously a cleartext attack. So all I've got to do is start doing creative ARPs and gives you direct plaintext attacks directed that direction.
Thom Stark: I'm starting to run out of tape.
Peter Shipley: Well my general recommendation is using IPsec. And the least you can do is monitor your network. Are you familiar with the program ARPwatch? I recommend running ARPwatch on your wireless network. ARPwatch, in short, looks for new ARPs on your network, which imply new hardware appearing on your network. They'll also appear, basically, if your MAC address or IP address changed. You can make that note, also. So, by running ARPwatch on your network, you can at least detect if you've been scanned or also if you've become a victim of drive-by IP service.
END OF TAPE SIDE ONE
Thom Stark: Okay, the tape is running again.
Peter Shipley: Okay, here's the scenario: you and I are using a legal wireless service -- Starbuck's, for example, because I love to pick on Starbuck's -- in addition, across the street, there's a bank, or let's just say a very paranoid institution. But unfortunately their network isn't as it should be. As soon as I set down my notebook -- of course I'm going to see my notebook's Lucent card is set to "ANY" -- means I'm going to associate with the nearest AP. There's a chance that a badly-faced AP or just luck, I'm going to reassociate with the corporate LAN across the street or perhaps right upstairs.
Now you and I might not know this, since we're simple businessmen talking about car parts or lightbulbs we're about to sell. And we start using their network. If they notice this, they might be able to track us down and we would get arrested, because we have violated the law; we have done computer trespassing. You know..God forbid we decided to check out some porn.
Thom Stark: And we've done it entirely innocently.
Peter Shipley: We've done it in a way that we could not have even known. Unless you have your AP monitor window on your screen, displaying current information, it's possible in some cases that your card could reassociate with somebody else's AP and you not even know it. It's a feature of 802.11 called "roaming".
That's something you might want to add to your article. That makes every person who has a wireless card a potential felon. This quite literally makes every one of your readers a potential felon. They might already be a felon without their knowledge. And it's just a matter of time before they get caught.
Thom Stark: And, if they turn you over to the FBI..
Peter Shipley: Even if it doesn't get turned over to the FBI, by the time I get to arraignment, I'm already ten thousand dollars, twenty thousand dollars in debt to my attorney. It's going to cost me at least ten grand for a half-decent attorney.
Thom Stark: Well, the point I was trying to make is that, as the Skylarov case points out, even if the nominally injured party has second thoughts about prosecuting you, that's not binding on the Feds. Under the DMCA, the FBI can go ahead and prosecute you as a criminal case, rather than a civil one.
Peter Shipley: I find a lot of Federal police are very much like..I call them Boy Scouts. You know, you have a Boy Scout -- in order to keep your kid out of trouble, you get him involved in this whole badge system, where you concentrate him on getting his next badge, as opposed to getting in trouble. Cops are very similar. They build these huge resumes, where they want to have a successful prosecution of a cybercrime case; a successful whatever -- child porn case. And a lot of them are just out there to do this. And they see you as their next potential case. They're going to lock you up and you're gong to have a hard time getting free.
If you have time, there's a conference I'd recommend for you, actually. Well, a few conferences. Have you heard of HTCIA? High-tech computer crime? This is quite a number of prosecutors and sargeants from local police departments. I believe the next one's going to be in New Jersey. Basically it's pretty interesting because it's like going into a talk from the perspective of "This is how you entrap the victim. This is the information they have and this is the information that you want. This is how you get that information. This is how you confiscate hardware." And it's very educational at several levels.
I'm actually heading off to HAL next week. That's the hacker one in Amsterdam? And it's free for me. I'm a speaker and they're actually paying $500 of my expenses. Frequent flyer miles that fly me out first class to Amsterdam -- actually I'm coach out there, but first class on the way back.
Thom Stark: If you can only fly first class one direction, for me it's out there, 'cause that's the direction the jet lag really gets you.
Peter Shipley: I usually don't suffer jet lag very much. Being nocturnal, I usually have no problems going to London. Last time, actually, going to London was a bit much. That's only because I touched down and those bastards literally met me at the airport with a gin-and-tonic.
Thom Stark: (laughs) Damned friends..
Peter Shipley: It was pretty bad. There's a couple of times where I had something to do in the morning, I quite literally was walking to my friend's house, where I was staying, you know, getting out of the taxicab from the nightclub at eight in the morning. My flight's at five in the morning, so it doesn't make a damned bit of difference.
RECORDING ENDS AS THE TELEPHONE CONNECTION IS ABRUPTLY BROKEN
(Copyright© 2001 by Thom Stark--all rights reserved)