Wireless Insecurity: Examining User Security Behavior on Public Networks

Wireless access points are increasingly serving as entry points to the Internet, increasing connectivity options and security concerns. Particularly significant are public access points, commonly known as hotspots, which are often located in heavily populated areas such as airports, coffee shops, and hotels, appealing to both business and casual users, but offering little or no security.^8,9

The number of worldwide commercial hotspots reached 143,700 in 2006, with an estimated 675,000 additional access points shipped during the year specifically for use in public hot spots.⁴ The growth in hotspots is expected to continue because they are inexpensive, new applications (such as voice over Wi-Fi) are emerging, and the public is becoming accustomed to the mobility and ubiquitous Internet access they provide.¹⁰

At the same time that wireless usage is increasing, computer and network security is consuming an increasing amount of time and resources for individuals and organizations. The spiraling number of viruses and outsider attacks has driven this increase and has shortened the time-frame between vulnerability announcements and the appearance of global exploits. Despite the increased risk, most wireless networks have little or no network security implemented. Surveys have determined that approximately 60% of all wireless networks use no form of encryption, and that even when encryption is enabled, approximately 75% are using wired equivalent privacy (WEP), which has several well-documented security deficiencies.^5,7,9 The problem is even more acute with public hotspots because their users are more interested in ease of use than the level of security.¹⁰

With the tendency of wireless users to connect to many different public access points, the chance of picking up malicious code increases. These threats are easily transferred to wired networks to which those users may later connect, thus extending the implications of user security to network security as well. The insecure nature of wireless networks in general and public hotspots in particular is especially problematic given the rapid increase in e-commerce. One of the cornerstones of e-commerce is the public’s trust that the information being electronically transferred is reasonably secure.¹¹ The study presented in this paper provides evidence that this is not the case for wireless networks. Since it is unlikely that the public in general and the news media in particular will be able to distinguish between data compromised via a wireless network from data compromised via a wired network, there is a risk that the insecure nature of wireless networks will erode public trust in the security of e-commerce.

Given the insecure nature of public wireless networks, it is the responsibility of users to provide for their own security.^9,10 Our study explored wireless user vulnerabilities and security practices and quantified the number of users who are not adequately protected. We also looked for instances of wireless devices compromised by malicious applications (viruses, worms, and Trojan applications). Our goal was to directly investigate how well wireless users are securing their computers and the threat level associated with wireless networks. Using a university campus wireless network, we performed a vulnerability scan of systems shortly after users associated to campus access points. The scans were performed using Nmap (www.insecure.org), a popular open source scanning tool. The results of the Nmap scans were used to determine the proportion of wireless users not using a firewall, the prevalence of malicious applications, and the proportion of users with open ports.

In particular, we are interested in the presence of open ports with well known vulnerabilities that attackers can use to gain unauthorized access to a system. For example, ports 135, 137–139, and 445 on a computer using the Windows operating system were designed for file and print sharing across computer clusters. Individual systems can use “null sessions” (no username or password required) to establish connections between computers using these ports. It is well known within the security community that it is possible for an attacker to exploit null sessions and gain access to a system through one of these ports.¹

We wish to note that all our data collection for this study was non-invasive, non-disruptive to users, and was performed with complete user anonymity. We complied with our University’s Information Technology Resource Use Policy, obtained prior approval from our Institutional Review Board, and received consent and technical assistance from our campus Office of Information Technology before and throughout this study.

Subjects for the study were authorized users of the campus wireless network. The total university population includes 18,599 students and approximately 2,100 faculty and staff. The university is a commuter campus with a non-traditional population of 15,779 undergraduate students (average age 26) and 1,663 graduate students (average age 36), with 54% female and 45% male (1% unspecified). Most students live off campus, and many have part-time jobs or full-time careers, often with one of several local high-tech firms. We view the non-traditional nature of the student subjects as a positive factor for the study as we believe it makes them more representative of the general public and workforce than traditional students would be.

Wireless traffic on campus is segregated from wired traffic through the use of virtual network segments (VLANs) and subnets, and filtered through firewalls before reaching the campus internal network or the Internet. Other than user authentication, there are no security measures (such as WEP) in place on the wireless network, although users agree at login that their system patches are current, that they are using an antivirus program, and that they understand they are subject to university computing policies. If users desire additional security, they must provide it themselves. We believe that this environment of minimal network-level security and heavy reliance on user initiative makes the campus wireless network reasonably representative of public hotspot-based wireless networks in general.

Data collection was performed continuously during a 41-day period from April 27 to June 7, 2006. During that time 3,331 unique, non-university-managed computers connected to the wireless network. The data collection process consisted of two main components:

• Device detection: A continuously running script polled the entire set of access points to retrieve a list of associated computers.
• Vulnerability scans: For each associated computer that had not been previously scanned, a vulnerability scan was performed using Nmap.

Where we were able to identify wireless clients as university-owned and maintained devices via their MAC address, we removed these from the analysis because security controls are outside the control of their users. The number of devices so identified was 30, less than 1% of the total number of systems studied.

User vulnerability scans were performed using Nmap. This tool has been used for port scanning by other vulnerability researchers and computer security analysts, and is considered an efficient and effective tool for this purpose.⁶ The output of the Nmap scan was parsed and relevant data entered into database tables. This data was then analyzed to determine the percentage of connected systems that: were not using a firewall, had detectable open ports, and were infected with malicious applications.

We used Nmap’s default settings, scanning the first 1024 TCP ports as well as higher ports in the nmap-services database. The first 1024 ports are designated well-known by the Internet Assigned Numbers Authority (IANA, www.iana.org) in that they are associated by IANA with specific services and thus are often open. The default settings also use the nmap-services-probe database, which contains probes to verify the identity of services located at specific ports. In total, 1,663 TCP ports were scanned for each connected computer.

Firewall detection and port vulnerabilities using nmap. Nmap reports the status of TCP ports both with and without a service detected. The status of each port is either closed, which means that the port is accessible but there is no application listening to the port, or filtered, which means that Nmap could not determine if a port was open because packet filtering was preventing probes from reaching the port. This provided the basis for our decision rule to determine if a specific computer was using a firewall. If the ports with no detectible application listening were closed, then the decision was that the computer was not using a firewall. If the ports with no detectible application were filtered, then the decision was that the computer was using a firewall. Note that we use firewall as a general term for a number of possible filtering mechanisms that could be present, including both hardware and software-based firewalls. These decision rules are summarized in Figure 1.

We validated our firewall detection methods by scanning machines with known security configurations. Using two popular software-based firewalls (Windows XP firewall and Zone Alarm personal firewall), we turned firewall features on and off before associating to the wireless network, followed by scanning the systems to confirm that the firewall status was properly detected. In every test case the scanning process and our decision rules correctly determined whether a firewall was present.

Many security vulnerabilities are related to TCP ports either left open inadvertently, or deliberately enabled and used by insecure applications. Any open port is a potential security problem, but of particular interest are ports with well known vulnerabilities.

Results from the study. To determine the percentage of wireless systems not using a firewall we examined Nmap results as described in Figure 1. We found that 9.13% of the 3,331 computers scanned were not using a fire-wall, as shown in Table 1.

Even with a firewall enabled, systems can have open ports. Since any open port is a potential security risk, this was the second issue we examined. In our study, 8.62% of the 3,331 computers scanned had at least one detectable open port, as shown in Table 1. In addition, Table 1 shows the proportion of open ports having well known vulnerabilities. This is disturbingly high—when a user had open ports, more than 65% of the time at least one of these was a port that posed an important security risk.

Table 2 shows the frequency of open ports found in our scans, ordered by decreasing frequency. The third issue studied was whether the ports that were open tended to be those with well known vulnerabilities. The second column in Table 2 indicates if the port has well known vulnerabilities that attackers can exploit.

As can be seen in Table 2, the most frequently open ports are also some of the most dangerous. As mentioned above, the top three open ports, (139, 445, and 135) were designed for file and print sharing across computer clusters and can potentially be exploited by attackers through null sessions.¹

A total of 17 computers (0.5% of the computers scanned) had at least one malware application installed. Although a small number relative to the total number of wireless users, the existence of malware is important because any one of these infected systems may be used to launch attacks against the larger client population. A complete list of the malware found and the number of infected computers detected is presented in Table 3.

A more detailed description of each malware application can be found at the CA Security Advisor Web Site.² Many infected computers had multiple malware applications present. Of particular interest, and somewhat alarming, is the presence of network monitoring and packet sniffing applications. Of the 17 infected computers, 12 also had at least one network monitoring/packet sniffing application. The most common network monitoring tools found were Nessus, Bigbrother, and Netsaint.

Discussion of results and implications for practice. The campus wireless network we studied shares many similarities with public hotspots—both free and fee-based. The network employs no form of security other than simple user authentication and uses only voluntary policies requesting that users employ security measures such as fire-walls. Therefore, this study provides insight into the behavior of unsecured wireless network users concerning their security precautions and the level of danger present to users of wireless networks. The campus user population is reasonably similar to the general public because of the large number of non-traditional students. These users connect to the wireless network with a variety of personal and employer-owned laptop computers, and perform a variety of tasks including personal, school-related, and work-related activities. If anything, because of security awareness and guidance provided by the university and their employers, they may be somewhat more security conscious than the general public, possibly understating the average wireless network user’s vulnerability.

Our results indicate that an uncomfortable number of wireless network users are not using a firewall (9.13%) and/or have detectable open ports (8.62%) that leave them vulnerable to outsider attack. In addition, we found 17 computers that had been compromised by various forms of malware. Also disturbing was the presence of network monitoring (and potential hacking) tools such as Nessus. This implies that these infected computers may be used not only to infect other unprotected computers on the network, but also to act as packet sniffers, password collectors, and vectors to launch other threats such as man-in-the-middle attacks. Wireless users are particularly vulnerable to man-in-the-middle attacks in which a hacker impersonates a legitimate access point with the specific intent of capturing log-in credentials. These attacks focus on layer 2 of the OSI model and therefore are not prevented by layer three precautions such as firewalls.⁹

Two areas of concern are highlighted in this research. First, users engaging in electronic commerce transactions may not understand the potential risks of using public or otherwise unsecured wireless networks. Those who are unaware of these risks and have not proactively secured their computers against the numerous potential threats increase the chances they will be victims of identity theft, illegal bank account access, or credit card fraud.

The second area of concern is the implicit threat to corporate networks if employees use unsecured wireless networks. While it might be assumed that corporate devices and networks are more tightly controlled than public hotspots, there is no assurance of this fact unless the organization employs proactive measures. Automated vulnerability assessment applications that verify the security state of the device before users are allowed to authenticate offer the highest level of wireless security. These, unfortunately, are not widely implemented because of their high cost. Without mandatory vulnerability scanning, internal network security is dependent upon the voluntary compliance of users.

One might reasonably question whether the proportion of users we found not effectively using firewalls (9.13%) or having open TCP ports (8.63%) is really of importance given that a large majority of users did have secure devices as measured by these two criteria. We think that our results reveal important security considerations for several reasons. First, a small proportion of insecure devices can still be a large absolute number and a large threat with very important implications. In our case over 300 of the 3000-plus users had insecure devices. This is not just 300 cases of individual user vulnerability; it is also 300 possible attack vectors against the remaining users and the network as a whole. Even with a small proportion of users being insecure, networks with many simultaneous users will be likely to have insecure users at any given point in time.

Second, in today’s environment of rapidly-replicating viruses and other malware, a small number of infected machines can infect many others very quickly. This makes it critically important to minimize the chances of an outbreak occurring by minimizing the number of initially infected machines.

Finally, there is a cumulative threat posed by the existence of multiple vulnerabilities. In our case even though the proportion of users having no firewall was about 9% and the proportion having open ports was also around 9%, the proportion having either of these problems was approximately 12%. If we had investigated additional possible security weaknesses such as open UDP ports, unpatched operating systems, etc. the proportion of users with at least one security weakness could only rise.

For organizations without the resources to implement automated assessments products, a self-auditing process using our scanning technique would serve as a possible first step in assuring wireless user compliance. Such a program strengthens organizational policy, and users made aware that they will be audited are more likely to remain compliant. Our technique is easily replicated, is non-invasive in terms of individual privacy, collects only anonymous data, and can be implemented with minimal investment in time and resources without an unreasonable traffic impact on the network. Any successful security program requires strong policy, communication to all users, education about potential threats and vulnerabilities, and regular reinforcement of policy to maximize user awareness and compliance. A successful security model also requires proactive auditing to measure the level of compliance and network vulnerability, and achieve the desired level of organizational protection.

Back to Top

Back to Top

Back to Top

Back to Top

Back to Top

Back to top