At the end of 2017, my colleague John Shier and I had the opportunity to measure Wi-Fi security in Perth, Western Australia – on bicycles, in the summer sunshine!
TL;DR, we observed some of the best security we have seen in any city we’ve surveyed.
But even though Wi-Fi security has improved dramatically over the years, that doesn’t mean we can rest on our laurels.
The results
In Perth, just under 6% of access points (APs) were left unencrypted.
This could look bad if you forget that nearly every access point that is intended as a public service – for example, those provided by municipalities, hotels, cafes and public transit – is by nature an unprotected Wi-Fi network.
This is down from between 14% and 28% in other cities we’ve measured in the past, suggesting that we have largely eliminated networks that are open by mistake, and that openness is due to generosity and purposeful sharing.
Approximately one third of one percent of APs surveyed (3 in 1000) utilized WEP.
This is very bad news for those 25 access points: using WEP is about the same as running an unprotected AP, because WEP can be cracked automatically in seconds, but it implies that the person running the AP actually wanted their communications to be private.
Just over two thirds of the APs were offering the latest and greatest protection, WPA2/CCMP, also known as WPA2/AES, because it’s based around the AES encryption algorithm.
Excellent news indeed, but 25% of the APs also supported older cryptographic standards such as WPA/TKIP, also known as WPA/RC4, after the outdated RC4 algorithm it uses for encryption.
Whether you’re an ISP, a business or a home user, don’t forget to disable old protocols that are no longer considered secure, including anything with WEP, TKIP or RC4 in its name.
Even if you also support the newer, more secure protocol versions, you need to protect against downgrade attacks, where someone in range of your network could trick one of your users into asking for a less secure connection – why allow insecure connections at all if you think they are insecure?
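If you want to run the same kind of tally over your own site survey, here is one way to do it. This is an added example, not the tooling used for the Perth survey; the CSV column names and the sample rows are constructed, so map them to whatever your Wi-Fi logger exports.

```python
import csv
import io
from collections import Counter

# Constructed sample rows, not data from the Perth survey. The column names
# are assumptions; map them to whatever your Wi-Fi logger exports.
SAMPLE_SURVEY = """\
bssid,ssid,privacy,cipher
02:00:00:00:00:01,CafeGuest,OPN,
02:00:00:00:00:02,OldRouter,WEP,WEP
02:00:00:00:00:03,HomeNet,WPA2,CCMP
02:00:00:00:00:04,MixedMode,WPA2 WPA,CCMP TKIP
02:00:00:00:00:05,LegacyOnly,WPA,TKIP
02:00:00:00:00:06,Office,WPA2,CCMP
"""

# Categories whose owner wanted privacy but is still offering a broken protocol.
NEEDS_FIX = {"wep", "ccmp+tkip", "tkip-only"}


def classify(privacy: str, cipher: str) -> str:
    """Map one AP's advertised security onto the categories used in the article."""
    modes = set(privacy.upper().split())
    ciphers = set(cipher.upper().split())
    if not modes or modes == {"OPN"}:
        return "open"
    if "WEP" in modes or "WEP" in ciphers:
        return "wep"
    if {"CCMP", "TKIP"} <= ciphers:
        return "ccmp+tkip"  # strong cipher offered, but the old one is still accepted
    if "CCMP" in ciphers:
        return "ccmp"
    return "tkip-only"  # encrypted, but with no CCMP on offer at all


def summarise(csv_text: str):
    """Return (count per category, SSIDs that should disable WEP/TKIP)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    labelled = [(r["ssid"], classify(r["privacy"], r["cipher"])) for r in rows]
    counts = Counter(label for _, label in labelled)
    to_fix = [ssid for ssid, label in labelled if label in NEEDS_FIX]
    return counts, to_fix


if __name__ == "__main__":
    counts, to_fix = summarise(SAMPLE_SURVEY)
    total = sum(counts.values())
    for label, n in counts.most_common():
        print(f"{label:10s} {n:3d}  {100 * n / total:5.1f}%")
    print("Disable legacy protocols on:", ", ".join(to_fix))
```

The `ccmp+tkip` bucket is the one to watch on your own equipment: those APs look fine at a glance because they offer WPA2/CCMP, but they still accept the older protocol.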
The manufacturers
We also looked at the manufacturers of the Wi-Fi chipsets in the APs we scanned. We found a mixed bag.
The good news?
We observed more than 125 different manufacturers, which means a lot of diversity; this makes it unlikely that a single flaw would make every device vulnerable to the same attack.
The bad news?
We observed more than 125 different manufacturers, which means a lot of diversity; this makes it difficult to study, research and disclose flaws to improve the security of Wi-Fi devices in general. (We didn’t try to uncover the current state of the device firmware, because that could have put us on the wrong side of the law.)
We observed that most home access points were provided by Western Australia’s major internet providers and that they appear to ship their devices so that they are largely secure by default.
Devices provided by Telstra, iiNet, Optus, Belong and others all had encryption enabled out of the box.
Unlike previous surveys, we also saw a lot more devices just randomly listening for Wi-Fi connections.
This included cars from Audi and Ford, printers from HP and Canon, PlayStation 3 and 4 game consoles, Roku and Chromecast TV devices, Sonos speakers, and GoPro cameras.
One manufacturer, HP, seems to enable an ad-hoc Wi-Fi connection by default, a questionable policy that saw 262 HP devices just randomly listening for connections, nearly 4% of the APs we discovered.
What next?
The most important thing to remember is that Wi-Fi encryption is only one part of online safety.
A wireless password protects you against eavesdroppers within radio range of your home and devices, but it does not protect you on public Wi-Fi, or when your information is traversing the greater internet.
In particular, even with WPA2/CCMP Personal (that’s where you have a network password, known as the PSK or pre-shared key, shared by all users), anyone who is already connected to a Wi-Fi network when you join it can sniff out your session setup data and then decrypt all your future traffic.
Make sure you stick to websites that use HTTPS (the padlock in your browser) while you’re on Wi-Fi, adding another level of security against having your communications stolen, surveilled, or sneakily modified.
As we recently saw with the KRACK vulnerability, we cannot rely on any given layer in our security to be 100% flawless.
Defence-in-depth still wins the day.
Watch the video
Here’s a video we made of our outing:
Jim
Wow! That’s really good news.
It must be that your own good security practices are being learned by osmosis by the people who live in your area.
Do you have some kind of security-projector built into your brain or something?
Seriously, this is outstanding news. It’s probably not possible to pin down why, but it is still very good news.
Laurence Marks
I remember the contests for socks and T-shirts with the Sophos logo. When are you going to have contests for the cycling shorts and jerseys and mountain bike tires with the Sophos logo? I want some!
Paul Ducklin
The Sophos logo isn’t on the tyres – they’re deep-rim roadie wheels so the logo is on the rim. If you need to ask the price, you can’t afford them (and neither can Naked Security :-) There’s a lot of carbon fibre in that bike.
PS. You can buy all that stuff on the Sophos Store. (Including the bike, but hold your breath, the retail price requires, ahem, 5 digits.)
https://shop.sophos.com/
Lee
Any link to how the Pi was set up etc.? I feel like a bike ride :)
Paul Ducklin
See my comment below – a great way to get started is to download an Android-based Wi-Fi logger that simply lists the access points it finds and saves them along with their GPS location. I did close to 40km of warwalking once through the Sydney CBD (Lang Park to Lang Park, top to bottom, left to right, and back to the start, a pepper steak pie down the bottom end of George Street, blisters by Pitt Street Mall, a supergiant smoothie just near St Mary’s Cathedral) with a Nexus 7 2012 and an app whose name I forget. I easily made it on one battery charge. You don’t need a fancy antenna (but if you have one, why not?).
Tom
Is the hardware/software setup you used proprietary? If not, could you list specifics?
I do understand that providing this information may lead to inappropriate use.
Paul Ducklin
Not sure what software Chet and John used, but you may get a couple of ideas here:
https://nakedsecurity.sophos.com/2013/05/22/busting-wireless-security-myths-video/
Kismet and Aircrack-ng are popular free tools to start out with.
There’s a bunch of easy-to-use Android apps out there, too, that will take the public broadcasts from wireless APs, mobile phone towers and so on, and log them together with your current GPS location. Many people run tools like this all the time, and upload the results to community projects that aim to produce free, public Wi-Fi maps to rival the proprietary geolocation database that Google has built up using its Street View cars and bikes.
Your legal mileage may vary, so take advice before you start. If all you’re doing is listing the APs you can see around you, I’d guess you’re fine – after all, that’s what your laptop does every time you go into the wireless network configuration screen – but, for the record, I am not a lawyer…
PS. Be careful not to sniff-and-store the actual user traffic parts of network packets you observe in public Wi-Fi transmissions – Google got into serious trouble for doing that, even though it was a coding mistake that led to its “overcollection” of Wi-Fi data. Search Naked Security for “Wi-Spy” for this long and juicy saga, e.g.
https://nakedsecurity.sophos.com/2013/11/11/google-in-trouble-for-streetview-all-over-again-this-time-in-brazil/
Tom
Thanks Paul. My intention is to see my own router to see how secure it is. I live in an area where few of my neighbors have Wi-Fi. I know my signal is not good beyond my home. I know this may sound odd, but I do not use public Wi-Fi, perhaps I’ve read too many Naked Security articles. I only access personal accounts from my wired desktop. I use Sophos Home and it is excellent. I’m always shocked to see co-workers log into all kinds of personal accounts on their work computers which are often used by multiple users.
Paul Ducklin
If you are probing your router from outside (e.g. from a friend’s house), you might also want to have a go at it with Nmap. You can bet your boots (literal or figurative) that the crooks already have :-(