Wifi Network Scanning Results Analysis

Analyzing cumulative Nmap network scanning results, as documented in the previous post, reminded me that I've collected a sizable amount of data on 802.11 wireless networks over the past six months. I've used a free Android app, Wigle Wifi, to enumerate WiFi networks using my phone as I travel around Austin - by foot, bike, car, bus, and train.

I classify Wigle Wifi as an 'active stumbler' tool - i.e., the program sends 802.11 broadcast probe requests, and listens for the responses; it also processes broadcast beacons. This differentiates it from a 'passive scanner'. I came to this conclusion by capturing and analyzing Wigle's active network traffic using tcpdump, and cross-referencing it with the tool's output.

Helpfully, Wigle logs cumulative results directly to a SQLite database, in addition to having the capability to export individual scan results to KML output files, which can be imported into Google Earth or similar applications for viewing.

The database tables, and the schema for the relevant 'network' table is shown below:

Again, a few simple queries present a good summary of the data I've collected -- the total number of networks discovered (over 20,000), the number of unique network names (13,282), the most common network names (mostly default manufacturer names, but also several referring to nearby educational institutions), and the most common radio frequency utilized (2437 MHz - aka channel 6).

I was more interested to learn about the security protections implemented across this wide base of networks, so I enumerated all of the 'capabilities' advertised by at least a single network. The results indicate a wide variety of formats for specifying security implementations, but generally they can be broken into four categories: no security, WEP encryption, WPA pre-shared key-based encryption, and WPA enterprise encryption.

I ran an additional query to identify the most commonly advertised security capabilities. I was disappointed to see the top two results as WEP, and '' (none). However, the following six entries were variations of WPA encryption, so I decided to do a more general comparison: a count of WPA-enabled networks versus non-WPA-enabled (WEP or no security) networks.

These results more closely reflect the reality of the situation - a slight preference for WPA-based encryption in all forms (WPA, WPA2, PSK-based, EAP-based, etc.), with 56% of the total networks implementing some variation. These results are slightly more positive as compared to a WiFi security survey of financial districts conducted by AirTight networks in 2009, which identified 43% of networks utilizing some form of WPA.

Granted, in many instances WPA-protected networks are still vulnerable to a variety of attacks. However, properly implemented WPA-based encryption significantly raises the bar for attacks against WiFi networks, so this is a positive trend to observe.

No comments:

Post a Comment