'War Drive' Reveals New York's Hidden Security Flaws

Computerworld - NEW YORK -- While physical security was tightened to unprecedented levels here last week for the Republican National Convention, IT security researchers uncovered an unsettling number of unencrypted wireless devices that they said created a potential information security nightmare for convention organizers and delegates.
During a two-hour "war drive" around the site of the RNC as well as Manhattan's financial district, security researchers from Boston-based Newbury Networks Inc. discovered more than 7,000 wireless devices, 1,123 of which were located within blocks of Madison Square Garden, including a network named "Wireless for Kerry." More important, 67% of those devices were access points that didn't have any built-in encryption protection.
During the war drive, to which Computerworld was granted exclusive access, Newbury technicians set up an unsecured wireless "honeypot" that masqueraded as a Linksys access point. According to a log analysis of Newbury's WiFi Watchdog monitoring system, a wireless device attempted to automatically connect to the honeypot every 90 seconds.
The findings underscore that while New York continued to focus on physical security for the convention, the large number of open, unsecured wireless networks represented a serious threat to the city's hard-wired infrastructure, said Newbury CEO Michael Maggio.
"A wireless-enabled notebook computer powered up inside Madison Square Garden by a conventioneer or media representative could automatically associate with wireless networks outside of the building," said Maggio, noting that such a security gap could allow an attacker to gain access to the wired network inside the facility. "All the security policies in the world can't stop a wireless intruder from accessing an open network signal emanating from a Wi-Fi access point or network card."
The two-hour drive around Manhattan also revealed as many as 2,161 access points and 821 client devices broadcasting unique service set identifiers. "The SSIDs beaconed by clients is really a valuable list for an attacker," said Brian Wangerien, senior product manager at Newbury. "Once the attacker knows that a client is beaconing for a particular SSID, he can change the SSID of his [access point] and trick the client into connecting to the attacker's access point."

Last week 1,123 wireless devices were found within blocks of the RNC. Image Credit: Dan Verton