Wardriving in Monterrey – Mexico

Following Brazil, we turned our attention toward Mexico, as here we can find a very high and distributed level of technology. Thus, we headed to Monterrey to start our research. This Mexican city features a large number of businesses which make of it an important location. In addition, Monterrey’s geography is very well suited for implementing WiFi networks as it is rich in flat lands, hills and mountains – which is precisely why we chose to conduct research in this city instead of a different location.

Network Topology

To start, let’s consider the topologies of the detected networks:

Topologies

Only 3% of the WiFi networks are ad-hoc. The way in which connections are managed in these networks could mean a serious threat to users seeking to link up to it. The greatest danger lies in the fact that it is actually possible to catch all traffic processed by the host equipment as it is used as an access point allowing a connection to the network. In a way, it is as if the man-in-the-middle attack was being launched by streaming all traffic in the network through one PC. We have already made a thorough analysis of this technique in a previous report.

Network SSIDs

Now let’s analyze the names of the networks – technically known as SSIDs – that we managed to detect.

WiFi networks – SSIDs

Around 92% of all WiFi networks in Monterrey have a defined SSID. Only 8% have an invisible SSID, which means that the names of these networks are not broadcast.

7% out of the 92% of networks with SSIDs keep their predefined names, i.e. the default names provided by the manufacturers which are displayed when the network is initially set up. For example, “default”, “Linksys”, etc.

Types of SSID

The main problem with using the default name is that can allow anyone to figure out the type of hardware used at the network’s access point. Let’s pretend that someone maliciously attempts to break into a network and gain unauthorized access: the default name of the network would allow the attacker to know the exact type of equipment to target.

Obviously, in order to avoid these attacks, the administrators should define the SSID instead of using the default. In addition,In addition iIt is not necessary to use an SSID related to the company’s name, department, or any other information related to the owner of the network, whether a company or an individual. The SSID could be a generic name meaningful only to the administrator or to other users in order to identify the access points they need to connect to.

Likewise, some administrators may prefer to have an invisible SSID, i.e., prevent these names from being broadcasted.

Such a decision could take into account such factors like the objective of the network, the profile of its users, internal policies, etc.

In Monterrey we spotted something uncommon in other countries: the sequential pattern of network names. We do not mean just a specific area where a company may have incorporated a number of access points to create a broad WiFi network. On the contrary, such networks with sequential names were found all around the city of Monterrey. For example, networks such as 2WIRExxx (where ‘x’ refers to the network’s ID number of the network) or INFINITUMxxxx (where ‘x’ also refers to the network’s ID number).

Such a situation leads us to think that it could be one of the largest internet service providers covering a large portion of the city. Our data shows this picture:

Sequential SSIDs

Around 32% of networks in Monterrey have SSIDs managed in a sequential fashion. So Soif the SSIDs correspond to a single large provider offering access to Internet through WiFi, it controls at least a third of all networks in Monterrey.

Equipment manufacturer

Now let’s deal with the “physical” aspects of these networks: The most renowned hardware brand names widely used in the access points are:

Access points by brandnames

As the graph shows, the market leader in Monterrey is 2Wire. In fact, such equipment is used nearly in all networks with sequential SSID. Most likely, the provider itself uses this equipment and installs it for its clients. If that is the case, this would explain why 2Wire ranks first for brands of equipment used as access poiunts in the city. In addition, CISCO ranks second and Linksys third.

If the reader remembers our previous article, “Wardriving in Sao Paolo”, D-Link was the leading brand in that city. In the case of Monterrey, it is 2Wire. But in both cases, Linksys appears among the three most widely-used brands in both cities. Apparently, such equipment meets the needs of local users because it offers the best performance at the lowest cost.

Transmission speed

MMost of the WiFi equipment used in Monterrey is new, as equipment using the 802.11g protocol allows speeds up to 54Mbit/s. Only 20% of all equipment in Monterrey uses the previous 802.11b protocol.

Transmission speed

Channels Used

The breakdown of channels used in Monterrey is shown in the following graph:

Channels used

A very large number of access points operate on channel 6, which is usually preset by the manufacturer. Around 77% of the WiFi networks use this channel. The least used channels are 2, 3, 4 and 7.

Traffic encryption

During the analysis, the following types of encryption were found:

Types of encryption

As the graph shows, more than a half of the networks – 58% – are using WEP encryption. 35% of the undetected networks apparently did not use any kind of encryption, though this does not necessarily mean that they lack security measures. Sometimes, administrators prefer to use straightforward methods to control access to the network, such as MAC address filtering. In other cases, they prefer more advanced security techniques, such as captive portals. This research did not aim at finding out what kind of security devices were used in networks that did not have encryption.

Surprisingly, only 6% of the WiFi networks used WPA encryption and only 1% used WPA2, which is a stronger encryption.

T This leads us to the biggest question: If (according to the previous graphs) most of the equipment uses the 802.11g protocol and the equipment using this protocol works with WPA/WPA2 encryption, then why is it that administrators do not use this coding instead of WEP, which is less secure?

WEP vulnerabilities are well known by administrators. Such vulnerabilities are extremely critical as they allow the attacker to collect the necessary amount of IV (initialization vector) packets to extrapolate the coding key and thus gain access to the network.

WEP coding is used by most of the consecutive SSIDs, as seen before. This means that if we are talking about only one Internet provider, based on the analogy of the network names we could infer that the encryption keys were generated in the same manner leading to a similar pattern for WEP keys. SoAnd if the keys are identical or have a sequential pattern and a malicious user was able to figure out one of the WEP keys – which is not hard to do – it is possible that he or she could gain easy access to at least 32% of the networks in the city.

As for the groups of coding systems in networks with WPA/WPA2, we can identify the following:

92% use the TKIP (Temporal Key Integrity Protocol) algorithm. This algorithm was specifically designed to replace WEP.

The key management systems are the following:

Keys management

More than half of the networks manage keys through PSK (pre-shared key). And 37% of the networks with coding WPA/WPA2 manage their keys through IEEE 802.1X/EAP.

In the article “Wardriving in Sao Paolo”, we briefly described how both work, including advantages and disadvantages of each kind of management.

Conclusions and recommendations

SSIDs of new networks should be customized when the network is set up. Users with access to the Internet through already-existing wireless access points installed at home or in their offices should check the SSIDs and customize them if they are default SSIDs. In addition, if allowed by the vendor, the SSID should not be broadcast. This measure aims to improving basic security in the networks and minimize the likeliness of intruders.

On networks with access points that are capable of WPA or WPA2 encryption, it is wise to activate it, thus replacing WEP encryption which is vulnerable and allows an attacker to gain easy access to the network.

When planning a new WiFi network, it is a good idea to analyze which channels are used by neighboring access points in the coverage area. In any case, it is not a good idea to use channel 6, as it is almost certain to be overcrowded.

If you are in a public place where the use of WiFi is allowed, thoroughly analyze the kind of topology used by the existing networks to protect personal data from malicious users.