SQL, WiFi, Security: Dangerous Open Networks


I love to experiment with freely available data, including data just fluttering in the air, being created by our own movement in life.

For a week, I ran an app called WiGLE to scan every WiFi/Bluetooth device my mobile phone could pick up. This app adds all 'seen' systems and devices to a SQLite database.

This is the first article about this little data adventure. There are some core findings, but also some rather interesting facts to consider.

Personal Goals and Rules

I dislike how corporations mislead us by not sharing the whole truth transparently. I set some rules for this exercise.

  1. Cause no harm, and don't invade anyone's privacy.
    I will anonymize or aggregate the data that I show in this article.
  2. I will not upload to WiGLE's central database. I will not share this data.
  3. Don't share things that might equip a stalker.
  4. Use all free/open source software for processing.
    I utilized Linux, PostgreSQL/PostGIS, and SQLite Client. All freely available.
  5. Identify bias or uncertainty.
    Sample size/collection rate and time: A finger in the wind.
    Collected over a week of driving, walking, and living life.
    Only covered a fraction of square miles in linear paths, in towns, cities, offices, and in the general public. We traveled to another state, to popular tourist destinations. This is not data from a central database with multiple collection points.
  6. Share ways to address potential issues/security gaps.

Core Findings

Core Finding 1: Consumer devices - A misplaced trust.

Hardware is generally trusted by consumers. We might purchase a router at Best Buy, on Amazon, or rely on something our internet provider provides.

Why is that a problem?
Consumer-grade devices do not always receive updates to address CVEs (Common Vulnerabilities and Exposures). Obsolete/end-of-service-life devices show up at thrift stores all the time, to be reused by an unsuspecting deal-seeker.

When there is a security update, most consumers simply don't know it is available, or how to apply an update.

Consumers just want something to "make it go."
Enterprise hardware, such as MikroTik or even OPNsense/pfSense routers, is better about security updates (some for a fee), but ultimately these are not typical for consumer use. Only nerds like Casey enjoy those things.

ISP provided and managed devices are slightly better, however...
ISP devices generally receive updates to ensure the security of the ISP's network. However, there was an incident years ago with AT&T Pace branded fiber gateways having an easily guessed default password to control the device (and your network). I hear this was fixed.

If it is ISP managed, they can communicate with your internal network as well, which might be a deal-breaker for a business. It's their device, after all.

Core Finding 2: Consumer device vendors provide little education about wireless security standards.

Do you know how to: choose a good wifi channel, encryption protocol, strong password, and set key rotation?

If not, your home network may be at best sub-optimally configured, and at worst using a default or possibly insecure password and security mode.

At the time of this writing, WPA3 is the new standard for encryption/wireless security for the home. It's best to have a relatively complex, non-default password, other than the one on the bottom of your device. WiFi channels are another topic, but the short version is that channels can overlap each other, and overlap means you're competing with other WiFi systems.

Interesting Data Aspects

Out of 96252 observations of WiFi Hotspots...
(Primary Key: BSSID + SSID [Network Name])

9.8% - 9519 records were open hotspots, no password.
  • Many of these were protected by captive portals, but traffic on these networks was unencrypted, unless your browser used HTTPS (Secure/SSL) for the website you were on.
  • 1/4 of these open hotspots were Comcast xfinity subscriber hotspots, or hotel lodging hotspots. We were in a tourist area, so this is a source of bias in the data.
    These will be removed for the next 3 bullet points.
  • ✅ 130 had OWE encryption, which allows an open hotspot to encrypt the connection between itself and the client PC/device. This is a good thing for an open hotspot.
  • RESOLVED: In my previous scan a year ago, Hoover Police had a Vizio TV in dispatch with open direct cast access. It was a situational awareness display. I did not publicize this fact until now, due to safety ramifications.
    I know this is resolved/no longer broadcasting an open connection.
  • ⚠️ 92 were default settings from consumer or ISP router hardware.
    That means, these networks were open enough for a casual passerby to log in, and potentially capture network traffic, get access to home network resources, systems, files, etc. Ouch!
  • 🕵️ Spying/Privacy Vulnerabilities
    30 Ring Doorbell/Cameras in open pairing mode. We couldn't tell if these were exterior or interior cams, but the devices were accessible. We didn't attempt entry, for ethical reasons.
  • 🖨️ 46 HP Inkjet printers, open, and you can print to them.
  • 👀 Misc Chaos Goblin Vulnerabilities
    2 unpaired digital projectors, which can be used to show inappropriate things.
    10 WiFi home theater soundbars in pairing mode, which could be used to play inappropriate sounds, such as Rick Rolls.
    21 Ezlynk Smart Home Controllers.
    21 thermostats. A bad actor might play freeze-out, or attack the local power grid using thermostat control to trigger inrush current.
    1 smart bulb, 6 smart plugs, 3 power strips, unpaired.

45 WiFi Access Points using WEP

WEP is quite obsolete, and only exists for compatibility in many cases. It's ancient, insecure, and takes a few seconds to brute force/compromise.

  • 2 businesses used WEP
  • An assortment of direct connect devices, printers mostly. The issue here is that it was an unsecured Honeywell smart thermostat that led to the Target debit card terminal/network compromise a while back. Simple but ancient devices can be a gateway into your network.
  • Some weren't real hotspots - funny or troll access points. Probably security researchers.

7210 WiFi Access Points using WPA

Once again, not super secure. Better though. WPA2 is better.

  • 🚌 306 Vehicles
  • 518 ISP Default Settings
  • 17 Cast Devices which were HP Sprout Interactive Displays
  • 3 Rokus
  • 5 churches
  • 22 Security Systems
  • 3324 mobile phone hotspots
  • 14 funny/memes
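
The open / OWE / WEP / WPA breakdown above can be produced with a single aggregate query over the scan database. This is an added example, not the author's own query: the `network` table, its column names and the bracketed capability strings are assumptions modelled on Android-style scan results, and the sample rows are constructed. It counts each BSSID + SSID pair once and reports only aggregates.

```python
import sqlite3

# Constructed sample rows. The table/column names and the capability strings
# are assumptions modelled on Android-style scan results, not the author's data.
SAMPLE = [
    ("02:00:00:00:00:01", "CafeGuest", "[ESS]"),
    ("02:00:00:00:00:01", "CafeGuest", "[ESS]"),  # same AP seen twice
    ("02:00:00:00:00:02", "CafeGuest", "[RSN-OWE-CCMP][ESS]"),
    ("02:00:00:00:00:03", "OldPrinter", "[WEP][ESS]"),
    ("02:00:00:00:00:04", "HomeNet", "[WPA-PSK-TKIP][ESS]"),
    ("02:00:00:00:00:05", "MixedNet", "[WPA-PSK-TKIP][WPA2-PSK-CCMP][ESS]"),
    ("02:00:00:00:00:06", "Office", "[WPA2-PSK-CCMP][RSN-SAE-CCMP][ESS]"),
    ("02:00:00:00:00:07", "Lobby", "[ESS][WPS]"),
    ("02:00:00:00:00:08", "NewRouter", "[RSN-SAE-CCMP][ESS]"),
]

# Arms run weakest-first, so a mixed-mode AP is counted under the weakest
# mode it still accepts. Rows with no security token fall through to OPEN.
CLASSIFY_SQL = """
SELECT CASE
         WHEN capabilities LIKE '%[WEP%'  THEN 'WEP'
         WHEN capabilities LIKE '%[WPA-%' THEN 'WPA'
         WHEN capabilities LIKE '%[WPA2-%'
           OR capabilities LIKE '%[RSN-PSK%' THEN 'WPA2'
         WHEN capabilities LIKE '%OWE%'   THEN 'OWE'
         WHEN capabilities LIKE '%SAE%'   THEN 'WPA3'
         ELSE 'OPEN'
       END AS mode,
       COUNT(*) AS n
FROM (SELECT DISTINCT bssid, ssid, capabilities FROM network)  -- BSSID+SSID key
GROUP BY mode
"""

def mode_counts(rows):
    """Load rows into an in-memory database and return {mode: count}."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE network (bssid TEXT, ssid TEXT, capabilities TEXT)")
    db.executemany("INSERT INTO network VALUES (?, ?, ?)", rows)
    counts = dict(db.execute(CLASSIFY_SQL).fetchall())
    db.close()
    return counts

def open_share(counts):
    """Percentage of observed networks with no encryption at all."""
    total = sum(counts.values())
    return round(100.0 * counts.get("OPEN", 0) / total, 1) if total else 0.0

if __name__ == "__main__":
    result = mode_counts(SAMPLE)
    print(result, f"open: {open_share(result)}%")
```

Counting by weakest accepted mode is a deliberate choice here: an access point that advertises both WPA and WPA2 lands in the WPA bucket, because a client can still be negotiated down to it.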

Stay tuned... there will be more fun facts.