With all the media attention given to identity theft and wireless security, it came as a shock when, during a vacation trip in January, we discovered one of the most serious security exposures we have ever witnessed first-hand. Here's the story; then we'll talk about how to identify this type of exposure and how a wireless network should be configured to protect its users against it ever happening to them.
Testing the Wi-Fi Network's Configuration Using PING
When you attach to a public access Wi-Fi network you are assigned an IP address by a DHCP server. A correctly configured, commercial-grade access point at a well-designed HotSpot or HotZone should not allow wireless clients to see one another at all. This feature is sometimes called "Disable peer-to-peer networking" (today more often "client isolation" or "AP isolation"), or some similar checkbox in the access point configuration. You can test whether the access points are properly configured by running a simple PING scan of your subnet: the gateway should answer, and nothing else should. If you don't have a ping-sweep utility, pinging the addresses one or two below (and above) the one you've been assigned is a quick manual check, since DHCP servers usually hand out addresses in sequence. Bear in mind that a machine whose personal firewall drops ICMP won't answer even though it is reachable, so a clean scan is reassuring rather than conclusive.
You can run a PING scan on any public access HotSpot or HotZone that you're using, just to verify that client isolation is in place. On some corporate visitor-access networks a PING scan may be detected as an intrusion attempt and your machine may be locked out of the network, so be careful.
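The sweep described above, written out as an added example (this is not code from the original article). It assumes the usual hotspot layout: you hold a DHCP-assigned address, the default gateway is the one host that should answer, and any other responder is a fellow client the access point should have hidden from you. The `ping_once` helper shells out to the operating system's own ping binary; everything else is pure Python.

```python
"""Ping-sweep test for wireless client isolation.

Added example (not code from the original article). It assumes the usual
hotspot layout: you hold a DHCP-assigned address, the default gateway is
the one host that should answer, and any other responder is a fellow
client that the access point should have kept hidden from you.
"""
import ipaddress
import platform
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor


def candidate_hosts(my_ip: str, prefix_len: int, limit: int = 254) -> list[str]:
    """Other host addresses in my subnet, nearest to my own address first.

    DHCP pools are usually handed out sequentially, so the neighbours
    closest to your own address are the most likely to be other guests.
    """
    net = ipaddress.ip_network(f"{my_ip}/{prefix_len}", strict=False)
    me = ipaddress.ip_address(my_ip)
    hosts = [h for h in net.hosts() if h != me]
    hosts.sort(key=lambda h: abs(int(h) - int(me)))  # stable sort: lower address wins ties
    return [str(h) for h in hosts[:limit]]


def ping_once(host: str, timeout_s: int = 1) -> bool:
    """Send one ICMP echo request with the OS ping binary; True on a reply."""
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    elif system == "Darwin":
        cmd = ["ping", "-c", "1", "-W", str(timeout_s * 1000), host]  # macOS: milliseconds
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]  # Linux: seconds
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s + 2)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    if result.returncode != 0:
        return False
    # Windows ping exits 0 even for "Destination host unreachable"; a real
    # echo reply always carries a TTL field, so require that on Windows.
    return "TTL=" in result.stdout if system == "Windows" else True


def sweep(hosts: list[str], pinger=ping_once, workers: int = 32) -> list[str]:
    """Ping every candidate in parallel and return the ones that answered."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answered = list(pool.map(pinger, hosts))
    return [h for h, ok in zip(hosts, answered) if ok]


def assess_isolation(responders: list[str], gateway: str) -> tuple[bool, list[str]]:
    """Isolation looks intact only if nothing but the gateway replied.

    A silent host may still be reachable (its firewall may simply drop
    ICMP), so a clean result is evidence, not proof, of isolation.
    """
    peers = sorted(h for h in responders if h != gateway)
    return (len(peers) == 0, peers)


if __name__ == "__main__":
    # Usage: python ping_sweep.py <my_ip> <prefix_len> <gateway>
    my_ip, prefix, gateway = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    peers_ok, peers = assess_isolation(sweep(candidate_hosts(my_ip, prefix)), gateway)
    print("client isolation looks intact" if peers_ok else f"peers visible: {peers}")
```

Run it only on a network you are entitled to test; as noted above, some visitor networks treat a sweep as an intrusion attempt. The `pinger` parameter exists so the logic can be exercised with a stand-in instead of live ICMP.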
Shown here is the result of the PING scan run at the vacation resort where this story takes place. We're not going to tell you where this was, but let's just say it is a world-class, high-end luxury resort on the ocean, with other luxury resorts on both sides along the beach. The PING scan shows that multiple user devices are clearly visible. If a user's laptop answers a PING from another guest, every other guest on the network can reach it directly, and any service it exposes (file sharing, for instance) can be probed and attacked.
Remember that these users are exposed to unauthorized access because the network administrator or the wireless network consultant for the resort failed to check the one box in the access point configuration that disables peer-to-peer communication across the wireless network. In Connect802's opinion, there is no excuse for exposing all of a resort's users to this kind of security loophole.
But, there's more...
A PING scan reveals that the access points are incorrectly allowing wireless clients to detect the presence of all other wireless clients.
Viewing Shared File Directories Under Windows
The "My Network Places" option under Microsoft Windows causes a computer to interrogate the visible network in search of available shared file volumes. By default, every Windows XP machine (the common desktop version when this was written) has a folder called "Shared Documents". It's very common to find that users allow this folder to remain shared, often without realizing that they are exposing it to everyone on whatever network they join.
Exposing shared files becomes a problem when 1) the user doesn't realize they're doing it (very common), and 2) the public access HotSpot or HotZone network is improperly configured, so that the shares are visible to every other user of the network.
In the screenshot, a number of different users' machines are exposed. One of them turned out to be a catastrophic exposure for a user named Judy. We don't know who Judy is, but we can see that she has some interesting directories, completely unsecured, including:
Citi Bank Bkup
Q04Files
SecurDataStor
SecurDataStorRM
Poor Judy. She failed to heed all the warnings in the media, on television, and from any experienced computer user: "Protect Yourself From Hackers!" No personal firewall or Internet security software on her machine is blocking file sharing, and it looks like her financial data is available for all to see.
Under Windows, clicking on My Network Places brings up a list of all shared resources that can be accessed. In this case, every wireless user's shared files were immediately visible.
Judy Has Exposed Her Personal Financial Data!
Simply clicking on one of the shared directories brings up Judy's private financial data. Yep, there it is, for all the world to see. How easy would it be for a criminal to clean out this poor woman's bank accounts? All the personal information is right there: social security numbers, bank account numbers, transaction amounts... everything.
Judy has made a terrible mistake. She has allowed critical financial information to be exposed on the wireless network. Perhaps a curious high school student will download her information and use it to make on-line purchases. Perhaps the information in the SecurDataStor or Q04Files directories is her company's financial data and the company will be the victim of Internet theft and fraud. The illegal possibilities are endless!
The wireless network administrator or consultant who helped set up the resort's Wi-Fi network is equally to blame here.
IT WOULD HAVE BEEN AS SIMPLE AS CHECKING A CHECK-BOX TO PROTECT JUDY FROM HER OWN OVERSIGHT
Remember, a simple configuration option (one that should be active on every public access network) would have prevented any wireless user from detecting the presence of any other wireless user. That one change would have provided a responsible level of protection for the users of the resort's wireless LAN. Keep in mind that this isolation is enforced by the access point, so it only governs traffic relayed between wireless clients; it does not replace the user's own personal firewall.
Judy's shared files, including a complete set of QuickBooks financial data. Judy is at risk of becoming a victim of identity theft or, worse, having her bank accounts cleaned out by a criminal.
How to Protect Yourself
To perform a simple security test, start by turning off the Wi-Fi adapter on your notebook computer and unplugging the Ethernet cable if you are plugged in. Go to the My Network Places list (on Windows machines) and select the Add Network Place option. When you browse for an Internet or network address you'll see a list of every shared resource that can be reached. Since you are not connected to any network, the only shared resources you'll see are the ones your own computer is sharing. Whatever you can see this way is exactly what every other user can see on a wireless network to which you're attached, unless a personal firewall on your machine blocks it or the wireless network is properly configured to prevent peer-to-peer communication.
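The same self-check from the command line, as an added example rather than anything from the original article: Windows' built-in `net share` command lists every share the machine is offering, and the script below parses that listing and flags the ones a neighbour could browse. The sample output is constructed in the shape of Windows XP's listing, where the default "Shared Documents" folder is published as SharedDocs; the paths and the Q04Files share are made up for illustration.

```python
"""Audit the SMB shares your own Windows machine is offering.

Added example (not code from the original article). It parses the output
of Windows' built-in `net share` command and flags every share that is
not one of the hidden administrative shares (names ending in '$'). The
sample output below is constructed in the shape of Windows XP's, where
the default "Shared Documents" folder is published as SharedDocs; the
paths and the Q04Files share are made up for illustration.
"""
import re
import subprocess


def _row(name: str, resource: str = "", remark: str = "") -> str:
    """Lay out one line the way `net share` does: fixed-width columns."""
    return f"{name:<13}{resource:<32}{remark}".rstrip()


# Constructed sample, not captured from a real machine.
SAMPLE_NET_SHARE = "\n".join([
    "Share name   Resource                        Remark",
    "",
    "-" * 79,
    _row("C$", "C:\\", "Default share"),
    _row("IPC$", "", "Remote IPC"),
    _row("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    _row("SharedDocs", "C:\\Documents and Settings\\All Users\\Documents"),
    _row("Q04Files", "C:\\Documents and Settings\\Judy\\My Documents\\Q04Files"),
    "The command completed successfully.",
])

_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive-letter path or UNC path


def parse_net_share(output: str) -> list[dict]:
    """Return [{'name', 'resource', 'remark'}, ...] from `net share` output."""
    shares, in_table = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True            # header is over; data rows follow
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        parts = re.split(r"\s{2,}", line.strip())
        name, rest = parts[0], parts[1:]
        # IPC$ has no resource column, so the second field may be the remark.
        resource = rest[0] if rest and _PATH.match(rest[0]) else ""
        remark = rest[-1] if rest and rest[-1] != resource else ""
        shares.append({"name": name, "resource": resource, "remark": remark})
    return shares


def exposed_shares(shares: list[dict]) -> list[str]:
    """Shares a neighbour can browse: anything whose name does not end in '$'.

    Administrative shares (C$, ADMIN$, IPC$) are hidden from browsing and
    need administrator credentials; a plain-named share is what shows up
    under My Network Places for everyone else on the network.
    """
    return [s["name"] for s in shares if not s["name"].endswith("$")]


def audit_local_shares() -> list[str]:
    """Run `net share` on this Windows machine and return the exposed shares."""
    out = subprocess.run(["net", "share"], capture_output=True, text=True, check=True).stdout
    return exposed_shares(parse_net_share(out))


if __name__ == "__main__":
    for share in exposed_shares(parse_net_share(SAMPLE_NET_SHARE)):
        print("visible to the network:", share)
```

Call `audit_local_shares()` on the Windows machine you want to check; anything it returns is a folder other guests on an un-isolated hotspot can open, exactly as in the screenshots above.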
With a broadcast-type medium like television or radio, only the transmitter’s power matters, since the receiver only needs to listen, not talk. The range of such a medium can be increased simply by increasing the transmitter’s output power. But 802.11 is not a broadcast-type medium; it is bi-directional. Client devices talk to access points and access points talk back. Therefore, the range of an 802.11 link is limited by the weaker of the two directions of the link. This principle is known as the Unbalanced Power Effect (UPE).
To define the UPE zone, assume that the radio with the higher transmitter power output (TPO) is at the center of an unobstructed area (as depicted in the image shown below). The inner UPE radius is the distance at which the radio with the higher TPO (in the middle) can no longer hear the transmissions of the radio with the lower TPO (moving away). The outer radius is the distance at which the radio with the lower TPO (moving away) can no longer receive the signal transmitted by the radio with the higher TPO (in the middle).
The image below shows a representation of the Unbalanced Power Effect with two different radios. The radios have a 5 dB difference in their receive sensitivity (one has a receive sensitivity of -90 dBm, while the other has a receive sensitivity of -95 dBm). The stronger radio has 1 dB more output power than the weaker radio. The total difference in their range adds up to 6 dB (5 dB of difference in receive sensitivity plus 1 dB of difference in transmit power).
When the inner UPE radius is reached, the connection between the two radios fails. Connectivity must be bi-directional, and at the inner UPE radius the weaker radio is no longer able to push its signal to its partner. The lower-power transmitter is the weak link in this chain of connectivity. Notice, in the model shown, that with a 1 dB difference between the stronger and weaker TPO and a 5 dB difference in receive sensitivity, the UPE zone has a width of 640 feet.
Various factors complicate the UPE zone and should be considered. First, as the example illustrates, the receive sensitivity of the devices factors into the location of the UPE zone. The UPE zone occurs because the two devices have different ranges. Remember that range is a function not only of transmit power, but also of receive sensitivity. Therefore, one device’s weaker transmit power can be made up for if the other device has better receive sensitivity. For example, if one device transmitted at 20 dBm and had a -90 dBm receive sensitivity, and another device transmitted at 23 dBm and had a -90 dBm receive sensitivity, there would be a 3 dB difference in their range, and the UPE would exist. But if the second device had -93 dBm receive sensitivity, the extra 3 dB of sensitivity on the receive side would make up for the 3 dB less output power on the transmit side, and the UPE would not exist.
The second factor that complicates the UPE zone is the variable data rates that can be used by 802.11 transmitters. Each data rate has a different receive sensitivity, with lower data rates requiring less signal strength. Therefore, if the weaker station enters the UPE zone, it can compensate by dropping its data rate, thereby “stretching” its range to get its signal back to the stronger station. This would result in asymmetric data rates on the connection, where one station might be using 54 Mbps and the other station might be using only 24 Mbps.
An illustration of the UPE Zone, with specific distances based on difference in output power.
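The link-budget arithmetic behind the two preceding paragraphs, carried through in code as an added example (not part of the original article). The 20 dBm / 23 dBm radios with -90 dBm and -93 dBm sensitivity are the article's own figures; the per-data-rate sensitivity table is a constructed set of typical 802.11g OFDM values (a real radio's data sheet gives its own), and the distance conversion assumes free-space path loss unless another exponent is supplied. It goes one step beyond the text by showing, at a given path loss, the asymmetric data rates each direction falls back to and the point where the weaker direction fails outright.

```python
"""Link-budget model of the Unbalanced Power Effect (UPE).

Added example, not part of the original article. The transmit powers and
receive sensitivities follow the article's worked example; the per-rate
sensitivity table is a constructed set of typical 802.11g OFDM figures
(check a real radio's data sheet), and the distance conversion assumes
free-space path loss unless another exponent is given.
"""
from typing import NamedTuple, Optional

# Constructed: sensitivity (dBm) a reference radio needs for each OFDM rate,
# with 6 Mbps at -86 dBm. Lower rates tolerate weaker signals.
REFERENCE_SENSITIVITY_DBM = {54: -68, 48: -70, 36: -74, 24: -78,
                             18: -80, 12: -82, 9: -84, 6: -86}


class Radio(NamedTuple):
    tx_dbm: float        # transmitter power output (TPO)
    rx_sens_dbm: float   # receive sensitivity at the lowest data rate


def link_budget_db(sender: Radio, receiver: Radio) -> float:
    """Path loss this direction can absorb before even the lowest rate fails."""
    return sender.tx_dbm - receiver.rx_sens_dbm


def upe_asymmetry_db(a: Radio, b: Radio) -> float:
    """dB by which the b->a direction outranges a->b; 0 means no UPE zone."""
    return link_budget_db(b, a) - link_budget_db(a, b)


def range_ratio(delta_db: float, path_loss_exponent: float = 2.0) -> float:
    """Outer/inner UPE radius implied by a dB advantage (n=2 is free space)."""
    return 10 ** (delta_db / (10 * path_loss_exponent))


def upe_zone_ft(inner_radius_ft: float, delta_db: float, n: float = 2.0) -> tuple[float, float]:
    """(outer radius, zone width) in feet for a given inner radius."""
    outer = inner_radius_ft * range_ratio(delta_db, n)
    return outer, outer - inner_radius_ft


def best_rate_mbps(sender: Radio, receiver: Radio, path_loss_db: float) -> Optional[int]:
    """Highest rate the receiver can still decode, or None if this direction fails."""
    rx_power = sender.tx_dbm - path_loss_db
    # Shift the reference table to this receiver's own lowest-rate sensitivity.
    shift = receiver.rx_sens_dbm - REFERENCE_SENSITIVITY_DBM[6]
    for rate in sorted(REFERENCE_SENSITIVITY_DBM, reverse=True):
        if rx_power >= REFERENCE_SENSITIVITY_DBM[rate] + shift:
            return rate
    return None


def link_rates(a: Radio, b: Radio, path_loss_db: float) -> tuple[Optional[int], Optional[int]]:
    """(rate a->b, rate b->a): unequal values are the UPE's asymmetric data rates."""
    return best_rate_mbps(a, b, path_loss_db), best_rate_mbps(b, a, path_loss_db)


if __name__ == "__main__":
    weaker, stronger = Radio(20, -90), Radio(23, -90)
    print("asymmetry:", upe_asymmetry_db(weaker, stronger), "dB")
    for loss in (100, 110, 111):
        print(f"path loss {loss} dB -> rates (weak->strong, strong->weak):",
              link_rates(weaker, stronger, loss))
```

With the article's 20 dBm and 23 dBm radios at equal sensitivity the asymmetry is 3 dB; giving the stronger radio 3 dB better sensitivity brings it back to zero, as the text states. Under free space, a 6 dB advantage puts the outer radius at almost exactly twice the inner one, and as path loss grows the weaker direction drops to 6 Mbps and then fails while the stronger direction is still decoding 9 Mbps.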
Since output power and receive sensitivity will hardly ever align perfectly, the UPE will almost always exist to some degree. It can be difficult to determine whether you’re in the UPE zone, since real-world coverage patterns are seldom circular. How can you tell if you’re being affected by the UPE? When a station is in the Unbalanced Power Effect zone, it might manifest the following symptoms:
Signal strength is reported to be fine, but the station cannot actually connect to the access point, or it connects but no data gets through (for example, the station fails to get an IP address via DHCP). This happens because most devices calculate signal strength from the Beacons coming from the access point. If the access point is the stronger transmitter (which it usually is), its Beacons arrive at the station just fine, but the station can't get any packets back to the access point.
Data rates on packets coming from the weaker station are unexpectedly lower than data rates on packets coming from the stronger station. There are other factors, such as environmental noise, that can cause a station to lower its data rates, but in the absence of those factors, the UPE might be the explanation.
What can be done? The most important thing is to design the network with the Unbalanced Power Effect in mind. Determine the probable range of the lowest-range devices that are expected to be on the network and then design the network such that those devices can always get adequate connectivity. If devices on the network are expected to have a wide variety of ranges, it might make sense to design such that lower-range devices need to use lower data rates, while higher-range devices can always use higher data rates. Remember that a lower-range device can “stretch” its range by dropping to a lower data rate. Designing a network this way can allow a good balance of various factors. The number of access points required is lower than if you tried to give maximum data rates to all stations. Higher-powered stations receive the best performance. Lower-powered or less sensitive stations must use lower data rates, but still can achieve some useful connectivity.
Ask the Expert
Extending Municipal Wi-Fi?
My city has installed municipal Wi-Fi throughout. I can see the signal on the street, but inside my house it’s not strong enough for me to connect. If I buy a router, can I connect? What if I put the router on my front porch? What should I do?
Buying a router will probably not allow you to connect to the municipal Wi-Fi signal. If the signal isn’t strong enough for your laptop client to connect, then it probably won’t be strong enough for a router to connect either. More fundamentally, few Wi-Fi routers have the ability to do what you’re asking for: wirelessly connect to an access point and then pass through signals from a client.
The piece of equipment you're looking for is known as a wireless repeater. It receives the wireless signal and retransmits it at its own full power, so the signal reaches farther. The challenge is that the repeater itself has to be within usable signal range of the original access point, which probably means it'll need to be on your porch or somewhere else that's in range of the municipal Wi-Fi network.
Another issue with wireless repeaters is that many of them only work with a single vendor’s access point. The vendor who makes the repeater must be the same as the vendor who makes the access point. Truly vendor-neutral wireless repeaters are rare and more expensive.
Connect802 sells a full range of wireless connectivity products, including a vendor-neutral wireless repeater.
The Pew Internet & American Life Project reports that “some 34% of internet users have logged onto the internet using a wireless connection. 27% have logged on wirelessly from a place other than home or work. 19% have a wireless network in their home.” These numbers should come as no surprise to The Wireless Connectivity Update’s readers, who understand that Wi-Fi is a major force in modern connectivity.
At Connect802 we're your PAGE ONE resource for wireless networking!
Connect802 has the experience, expertise, and resources to help you with your wireless network system. Use your favorite search engine and see what Connect802 is doing. Each month we give you some suggested search terms for you to explore. Here's this month's list. As you look down the search engine results you'll find Connect802 either at the top, or on the first page (true for Google and Excite, unknown for the rest).