SOURCE: Sophos


September 06, 2012 08:30 ET

Sophos Reveals London's WiFi Security Issues With 'Warbiking' Experiment

27 Percent of Nearly 107,000 Wireless Hotspots Found to Have Poor, or No, Security

LONDON--(Marketwire - Sep 6, 2012) - Sophos today announced the findings from a recent practical experiment into WiFi security covering the city of London. The experiment was conducted over two days by Sophos' director of technology strategy, James Lyne. The project involved using a bike equipped with dynamos and solar panels to power a computer designed to scan for wireless networks -- a technique known as 'wardriving,' or in this case 'warbiking.' In addition, a GPS-enabled device allowed the creation of a 'heat' map, depicting levels of security of wireless networks around central London.

Lyne passed more than 1,000 wireless hotspots for every mile he rode, and found that at least one in four had poor security. Analyzing the geographic mapping of the hotspots and the level of security they demonstrated revealed some interesting trends. Residential areas largely had reasonable default configurations -- although many devices had default network names like 'SKY-XYZ123,' they often had the strong 'WPA2' encryption standard enabled. At a micro level, the worst offending areas, consistently across London, were streets with collections of small businesses. 

Of the overall number of networks, 9 percent were using default network names with no random element, such as 'default' or the vendor name. This makes password hacking even faster. This figure increased to 21 percent if networks that used the default name, but which had some random element per device, e.g. 'Default-165496,' are included. These figures excluded default names of obviously identifiable, intentionally open hotspots such as those in hotels and cafes. Some providers offering packaged solutions with a plug and play router generate truly random names by default, and supply these on a sticker on the bottom of the router. It's therefore reassuring to see some vendors following best practice here, helping consumers in particular to be more secure out of the box.

More detail and a video showing the warbiking experiment can be found on the Sophos website here:

Crucially, Sophos only collected high level data within the confines of the law, which revealed the general state of wireless security (and is therefore representative of awareness of steps taken to secure networks). However, it should be noted that cybercriminals have significantly more offensive tools in their armouries and could relatively easily take this exercise further.

"With the tools available, we could have gone much further, but we carefully stayed in the confines of the law. This exercise doesn't paint the complete picture, but it shows enough to demonstrate that security best practice and education still need a lot of focus," said James Lyne, director of technology strategy at Sophos.

"Pretty much every wireless device can be configured to use secure wireless networking out of the box, so poorly configured devices show a lack of awareness rather than a lack of capability to be secure," added Lyne. "It's easy to take simple steps to protect your wireless network, making it a far less attractive target for anyone trying to snoop on your internet activities or steal personal information. If an attacker gains access to a wireless network they can cause a lot of damage, such as intercepting usernames/passwords, taking control of computers on the network, changing browsing to websites (for example to deliver malware or capture credentials), or using the network to perform any manner of anonymous or illegal activities. Unfortunately many networks are still like a Rolo -- hard on the outside but soft and gooey on the inside. Without good security as per our top tips, an organization won't know they've been attacked until perhaps the police come knocking."

Top level findings of the project include:

  • 106,874 individual hotspots detected across more than 91 miles of central London
  • 8 percent of the hotspots used no encryption and appear to be both home and business networks (this figure excludes a large number of coffee shops and other open hotspots which were identified by name of hotspot)
  • 19 percent of the hotspots used the obsolete 'WEP' encryption 
  • The remaining networks used WPA or WPA2 encryption, which represents acceptable security, providing they are not configured with default or easy to guess passwords

Sophos was concerned that so many of the hotspots detected rely on the outdated WEP encryption standard. Using readily available tools, WEP passwords can typically be cracked in just a couple of minutes. This could enable attackers to join networks and directly attack computers or devices, as well as 'sniff' network traffic, for example viewing which websites are being visited, reading emails and capturing information such as passwords. It is likely these hotspots are older and haven't been reconfigured or changed for quite some time. Modern devices tend to come with a more secure configuration out of the box.

"Enabling an attacker access to your network like this also makes it possible for them to launch other nasty attacks like 'man in the middle.' This enables attackers to sniff your usernames, passwords or other sensitive data while you think you are using a secure and private connection," said Lyne. "The minimum level of protection on any wireless network is the implementation of WPA2 encryption and, even then, this can be redundant if a strong passphrase is not also used."

The Sophos experiment has no way of testing the strength of the passwords used, as no attempt was made to access any of them. However, there are tools available that can attack WPA2 protected networks with massive wordlists at high speed. Attackers would have no qualms about using such tools, so it is critical that organizations and individuals adhere to best practice when configuring their wireless networks. Businesses should also ensure they have appropriate configuration management, logging and anomaly detection capabilities so that their configuration remains standard across the office or geographic locations." 

Moreover, most wireless routers will come with a default wireless network name (this is the name of the router as it appears on your computer when you try to connect to it. It's also known as the 'service set identification' or 'SSID,' which many users do not bother to change). Not changing this allows hackers to prepare default password look-up lists combined with common SSIDs, which speed up the password cracking process drastically, enabling them to test vast numbers of passwords per second. Having a custom SSID increases the time it takes for an attacker to break your passphrase, but when changing it, organizations should also give thought to their selected name. Calling your wireless network 'Company X' may make you more of a target as you are so easily identifiable.

Coffee shops and public hotspots will often intentionally be open so users of such services should ensure they are configured to use a VPN, which protects their traffic irrespective of the potential hazards of attackers listening in.

There are some simple steps you can take to secure your wireless network:

1) Configure it to use WPA2
2) Change your default SSID
3) Use a secure password

You'll find more detailed tips on keeping your wireless network safe on the Sophos website here.

Notes to editors

Even the latest encryption standard, WPA2, can be compromised using attacks, which employ automated processes to try billions of possible password combinations until the correct one is eventually identified. Computing power to test and break longer passwords is far greater, so using a phrase like "makemywirelessnetworksecure" instead of a shorter, more complex password like "w1f1p4ss!" offers far more security. In addition, adding numbers, special characters, and upper and lower case characters makes passwords harder to crack. For example, if your password consists of 4 digits and you only use numbers, there will be 10 times 4 (10,000) possibilities. Additionally, if you use the alphabet in only small cases, you will get 36 times 4 possibilities (1.6 million). By using numbers, special characters and upper and lower case characters, you will effectively force any cracking program used to choose from 104 characters multiplied by 11 digits, resulting in 15,394,540,563,150,776,827,904 possibilities. This increases the time needed to crack a password from seconds to millions of years. It's important to note that these techniques are being improved and enhanced all of the time. As computing power increases, so do attack methods.

About Sophos 
More than 100 million users in 150 countries rely on Sophos' complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos' award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs -- a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at

Contact Information