Wardrivers are local attackers who drive down business or residential neighborhoods looking for open-access Wi-Fi connections. With access to your local network, an attacker could extract data from your devices or eavesdrop on traffic, which gives an attacker access to any insecure data including account usernames and passwords, social security numbers, and credit card numbers.
Finding Open Wi-Fi Connections
The term “wardriving” comes from the term “wardialing,” which is an older way to find open, insecure networks. Wardialers would use auto-calling software to dial every local number in a given area to find modems, fax machines and other computers that will accept an analog message across telecom equipment. It’s an older way for attackers to find networks with poor security that can be exploited and data exfiltrated.
With dial-up network a thing of the past, attackers have moved to finding open Wi-Fi connections. Almost every household has a Wi-Fi hotspot to support the numerous devices that most families use. Smartphones, tables, reading devices, computers and even IoT components need Wi-Fi to connect to the internet. Attackers can find numerous potential vulnerabilities using the right equipment that probes signals as they drive down a busy commercial or residential street.
Attackers have several options for software, but some applications can be hosted on specific operating systems or protocols. For instance, iStumbler targets Bluetooth-enabled Mac OSes while inSSIDer targets Windows and OS X operating systems. Other applications include Kismet, NetSpot and WiFi-Where. Note that many of these applications are used for whitehat penetration testing to help organizations find weaknesses in their corporate wireless network.
Using an attacker’s application of choice, probing open Wi-Fi can reveal information about the hotspot. An attacker can obtain the following information about your network:
• Security protocol applied to access
• Protocol (e.g. b, g, n)
• The network SSID, which is the configured name that displays when users search for an open network
• Signal strength
• Channel
• Frequency
• Band
The information obtained by an attacker can then be used to map out open local Wi-Fi networks. These maps can be useful to understand Wi-Fi locations in a commercial area, but they can also be used for malicious purposes. Simple mapping of available Wi-Fi is useful when the owner wants to make the hotspot available to the public, but private networks that don’t intend to be public can be used by malicious attackers to obtain private data.
With open-access Wi-Fi, an attacker can connect to the network and perform every function that one of your internal computers can use to find printers, open directories, backups, storage devices, and the router admin panel. With the right techniques, an attacker can place malware on the network that eavesdrops on traffic. Any traffic sent over cleartext channels could be exfiltrated and sent to an attacker-controlled machine.
Home users who want to protect their network from wardialing can use the following steps to make it more secure.
Use the WPA3 Security Protocol
When you set up a home Wi-Fi router, you’re asked to create an SSID and choose a security protocol. The SSID is the name given to the network. It’s this name that users see when searching for a Wi-Fi hotspot network. Most routers support several security protocols including older, vulnerable ones that should no longer be used. The reason insecure protocols are still supported is because older wireless devices cannot use newer protocols. Backwards compatibility is typically integrated into technology to account for older devices still in use.
Unless you have a very old device (e.g. a decade or older), you should implement WPA3. Keep in mind that older routers that support WPA3 might need to be patched with the latest firmware. WPA3 was hacked in early 2019 where security researchers were able to bypass passwords required to connect to a network (reference 1).
Older protocols are vulnerable to brute-force attacks where an attacker can obtain the cleartext password. With the cleartext password, an attacker can then connect to your network without tripping any security notifications.
The password you choose to protect your Wi-Fi network should be unique and nothing similar to other personal passwords. You should also avoid using the same password as the router admin panel password. Once an attacker gains access to your network, the admin panel on the router is often the next target.
Consider Disabling Broadcasting
By default, Wi-Fi routers broadcast their SSID for anyone searching for a hotspot. Most wardialers are looking for easy targets, and many of the applications that detect broadcasted SSIDs do not detect access points that do not broadcast a network name. By disabling broadcasting of your SSID, you add an extra layer of security to your network.
Note that hiding your SSID is not a foolproof method of protecting your network. Even modern operating systems such as Windows 10 detect hidden access point signals, but they require the user to know the SSID to connect to it. Applications such as CommView will give an attacker a list of hidden Wi-Fi networks. When a user connects to the network, this SSID will be sent to the router during the initial handshake. CommView eavesdrops on Wi-Fi data and will detect the sent SSID to obtain it from the access point. If you do not have a password set on the router, the attacker would then have access to your Wi-Fi network. Therefore, always use a password on a Wi-Fi network even if you hide the SSID from broadcasting.
Implement MAC Filtering
Every device is given a MAC address, which is an alphanumeric value that identifies it. MAC addresses are often called hardware addresses, because they are pre-programmed on a network card as the physical identification number. The MAC is exchanged when your DHCP server (usually, the Wi-Fi router on a home network), so it is a critical part of a device’s access and communication on a network.
While MAC filtering can be tedious, it is the safest defense against a rogue device connecting to your home Wi-Fi. Most modern Wi-Fi routers allow you to enable MAC filtering that blocks unwanted devices from connecting to your network. The advantage is that attackers who even obtain your Wi-Fi password would still be unable to connect. The disadvantage is that for every device that needs access, you must add it to your whitelist configured on the router.
Conclusion
Most home networks contain numerous data points that can be used in identity theft. Not every attacker is located thousands of miles away. Some attackers are right next door. It’s important to ensure that your home WI-Fi network is secure from wardialing, and these three tips can harden security that makes it much more difficult for an attacker to silently connect to your network.
References:
arstechnica.com/information-technology/2019/04/serious-flaws-leave-wpa3-vulnerable-to-hacks-that-steal-wi-fi-passwords/
