Wi-Fi 'hot spots' allow laptop, PDA user to be covertly tracked

[InfoSec News <isn () c4i org>]

Forwarded from: "eric wolbrom, CISSP" <eric () shtech net>

http://seattletimes.nwsource.com/html/businesstechnology/134462403_btboston2=7.html

Monday, May 27, 2002, 12:00 a.m. Pacific

By Simson L. Garfinkel
Special to The Seattle Times

If you have one of those fancy new wireless Wi-Fi or 802.11(b) cards
in your laptop or handheld computer, you probably know about the
increasing number of "Wi-Fi hot spots" where you can get wireless
Internet access - often without paying.

What you may not know, experts warn, is that these hot spots can also
use your wireless card to track your movements as you walk around.  
Meanwhile, other people using the same hot spots can covertly monitor
all of the information that you send over the air.

"Your average person does not know that they are transmitting any sort
of serial number or identification code," says Dana Spiegel, a
volunteer with NYC Wireless.

Yet every wireless card is created with a unique serial number called
a "MAC address." This number, which is transmitted constantly whenever
the wireless card is in use, can be used to track a person's movements
as he or she carries a wireless-equipped laptop or personal digital
assistant (PDA) with them throughout a city or within an office.

Although there are no reports of businesses or individuals covertly
tracking Wi-Fi users by their MAC addresses, Newbury Networks, a
Massachusetts company, has developed a product that uses this
capability to create a system for tracking users of handheld computers
as they walk around museums and businesses. The system triangulates
Wi-Fi users using their MAC address and their wireless signal, says
Chuck Conley, director of marketing for the company.

Museums can use it to display Web pages or maps on a handheld computer
as a person moves from exhibit to exhibit.

"It's accurate to within three meters," Conley says.

The MAC address plays a vital role in wireless networks: Transmitted
with every packet of information sent through the air, the MAC address
specifies the radio that is sending the packet and the intended
recipient.

That's important because, unlike a wired network, every packet sent
through the air might potentially be received by dozens, even
hundreds, of computers. The network uses the MAC address to make sure
that information is received only by the intended recipient.

But there is nothing in principle that prevents one wireless radio
from listening to packets that are intended for another. And this,
experts say, is the cause of a second serious privacy concern with
wireless networks: It is easy to eavesdrop on other people's
communications, especially at open network access points that do not
use encryption.

"A lot of people are using these for home and business networks
without realizing the distance with which the signal can be
intercepted," says Avi Rubin, a researcher at AT&T Laboratories who
specializes in wireless-security issues.

Using special antennas, it is possible to eavesdrop upon a Wi-Fi
signal that is originating thousands of feet away. Even without such
equipment, Wi-Fi signals can be intercepted by other people in
adjacent offices or across the street.

Although Wi-Fi equipment on the market includes an encryption system
called WEP (short for Wireline Equivalent Privacy), Rubin's research
has shown that errors in the way the encryption was implemented cause
it to be largely ineffective.

Many people "believe that if they turn on the security features that
come with it, like the encryption, that they are safe," Rubin says.

But in fact, most networks using WEP can be cracked in a few hours.  
What's more, WEP is not used at Wi-Fi "hot spots." If it were, people
passing through wouldn't be able to access the networks.

In New York, NYC Wireless has tried to tackle the privacy issue by
advising people to use their own encryption. For example, Web pages
that are downloaded using the https: instead of the http: protocol are
safe from eavesdropping because they are encrypted with the SSL
protocol.

For individual users on a public network, it's best to work under the
assumption that the network is completely insecure and perhaps even
"hostile," says Spiegel. "That means using only secure channels for
your communications, which is something that we always encourage our
users to do."

Yet another privacy problem with the Wi-Fi system is that
sophisticated users can change their MAC addresses using special
tools. A person interested in conducting a crime on the Internet could
sniff your MAC address when you were at a public Internet cafe and
then set a wireless card to use your MAC address after you left.

"For the average Joe in the street, the likelihood of him being
monitored by another average Joe in the street is not that great,"  
says Richard Powers, editorial director of the Computer Security
Institute.

But many people who consider themselves to be "average" really aren't
because of the information that they have access to through their
work.

Many people, Powers says, treat the information at work as
confidential, but then they will bring it home and access it in a less
secure environment. One of the most famous examples of this involves
former CIA Director John Deutch, who took classified information out
of the CIA and accessed it on an unsecured computer in his
Massachusetts home.

Deutch's actions were pardoned by President Clinton on the president's
last day in office.

"Deutch is not a bad guy, all things considered, but he made an
incredible blunder," says Powers. Rubin, the AT&T scientist, uses a
wireless network in his house, but "I do it knowing that it is
available to somebody outside the house. So for very important
business transactions, I tunnel through a machine back at work."

As for buying things over the Web, he says, "I make sure that I'm
using SSL."

Simson L. Garfinkel is a technology journalist and author who
specializes in computer security and privacy.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.