Think your network is secure? Think again. Unless you have put the time, thought and money into securing your wireless network, a key entry point for security breaches, you may find your wireless network credentials literally cat-burgled, as residents of a suburban DC neighborhood found out recently according to a Wired article by Andy Greenberg.
The Siamese feline named ‘Coco’ was outfitted with a ‘WarKitteh’ collar, which contained the following:
a Spark Core chip loaded with his custom-coded firmware, a Wi-Fi card, a tiny GPS module and a battery—everything necessary to map all the networks in the neighborhood that would be vulnerable to any intruder or Wi-Fi mooch with, at most, some simple crypto-cracking tools.
Coco apparently had a very productive outing that day:
He spent three hours exploring nearby backyards. He killed a mouse, whose carcass he thoughtfully brought home to his octogenarian owner, Nancy. And while he was out, Coco mapped dozens of his neighbors’ Wi-Fi networks, identifying four routers that used an old, easily-broken form of encryption and another four that were left entirely unprotected.
Of course, it was not the kitteh who actually built the collar. Coco’s owner’s grandaughter’s husband, Security Researcher Gene Bransfield is the one who did. Bransfield used Coco’s misadventure as the topic of a talk he gave at DefCon, the hacker conference in Las Vegas this last weekend. Bransfield explained to his audience how to construct their own WarKitteh collars, a task which has become even easier of late according to Wired “the collar’s Spark Core chip has become easier to program.” Bransfield did downplay the threat his WarKitteh collar poses, saying that “it’s the sort of goofy hack designed to entertain the con’s hacker audience.”
He was surprised by just how many networks tracked by his data-collecting cat used WEP, a form of wireless encryption known for more than ten years to be easily broken. “My intent was not to show people where to get free Wi-Fi. I put some technology on a cat and let it roam around because the idea amused me,” says Bransfield, who works for the security consultancy Tenacity. “But the result of this cat research was that there were a lot more open and WEP-encrypted hot spots out there than there should be in 2014.”
Here’s a little more detail on how Bransfield and Coco pulled this stunt off:
Over three hours, he revealed 23 Wi-Fi hotspots, more than a third of which were open to snoops or used crackable WEP instead of the more modern WPA encryption. Bransfield mapped those networks in a program created by an Internet collaborator that uses Google Earth’s API, shown in a video below. The number of vulnerable access points surprised Bransfield; He says that several of the WEP connections were Verizon FiOS routers left with their default settings unchanged.
There are some obvious pointers here for improving your own network security environment. Despite their obviousness, I’ll point them out anyways: Don’t use WEP for encryption, and don’t broadcast unprotected Wi-Fi signals! Given that it is 2014 and people are still using these outdated and naive practices, sometimes the services of Captain Obvious are required.
For Andy Greenberg’s article at Wired, click here.
- Yahoo Goes Passwordless to Access Account Services - April 6, 2015
- The Identity of Things Could Streamline Government Services - March 30, 2015
- The Third-Party Threat: Are You Safe? - March 18, 2015