
Many wireless access points around Barcelona are wide open, with no form of encryption. On the bus ride to school one morning, which takes us up Escorial, across Travessera de Dalt, up Ronda del General Mitre, and finally up Diagonal, a simple scan found 58 wireless networks. While there are no hard numbers available, on average well over half of wireless networks use at least some type of encryption, regardless of how easy it may be to break. On my bus ride, 44 of the 58 networks (76%) were totally unprotected, meaning they could be used and monitored by anyone with a laptop, and certainly by the neighbors. Below is a partial list of the open networks found and all the information that was collected with them.
From the information provided by the network scanning program Netstumbler, I can quickly tell the MAC address, SSID, channel, speed, manufacturer, type, and even signal strength for every signal picked up. The speed and signal-strength figures help in choosing the best network to connect to, and also tell you which versions of the standard are in use. Simply by connecting to one of these networks you can use a protocol analyzer such as Ethereal to watch the traffic sent on the network; no IP address is necessary for that.
Protocol analyzers capture the raw data that flows across a network, packet by packet, and display it in a useful manner, usually separating the parts of each packet by layer. This lets you look at, say, just the AIM message, instead of the source and destination details, TCP control data, and IP routing data, all of which help transfer the data but carry no user data themselves. You can use the captured data to figure out some information about a network or to track specific users. Such a tool also helps you make sense of the destinations and sources of many of the packets: the listed hardware address will be the MAC of the router, which is often the AP (access point) too. If the router on the network is not running DHCP, meaning IP addresses must be configured manually, this information can be used to determine the IP of the network's gateway router, the most important piece of information needed to actually use the network to connect to the internet. Once you have the gateway's IP, you simply configure your machine with an IP on the same subnet as the gateway and tell it to use the now-known gateway address. Add some DNS server addresses and you are free to surf.
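What a protocol analyzer actually does with each captured frame, as an added illustration (not code from this article or from Ethereal): it peels the Ethernet, IP and TCP headers apart so only the application payload is left, and the Ethernet destination of off-subnet traffic is the router's MAC, exactly the clue described above. The sample capture is constructed, with made-up addresses, and build_frame exists only to produce it.

```python
import struct
from collections import Counter

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def dissect(frame: bytes) -> dict:
    """Split one raw Ethernet frame into its layers: Ethernet, IPv4, TCP and payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}}
    if ethertype != 0x0800:                  # not IPv4 (e.g. ARP): stop at layer 2
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    layers["ip"] = {"src": _ip(ip[12:16]), "dst": _ip(ip[16:20]), "proto": ip[9]}
    if ip[9] != 6:                           # not TCP: stop at layer 3
        return layers
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4         # TCP header length in bytes
    layers["tcp"] = {"sport": sport, "dport": dport}
    layers["payload"] = tcp[data_offset:]    # application data, e.g. the IM message itself
    return layers

def router_mac(frames, local_prefix: str):
    """Frames addressed to off-subnet IPs all carry the router's MAC as Ethernet destination."""
    hits = Counter()
    for frame in frames:
        layers = dissect(frame)
        if "ip" in layers and not layers["ip"]["dst"].startswith(local_prefix):
            hits[layers["eth"]["dst"]] += 1
    return hits.most_common(1)[0][0] if hits else None

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet/IPv4/TCP frame; only used to construct the sample capture."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp

# Constructed sample capture (all addresses made up): two laptops on 192.168.1.0/24 behind one router.
ROUTER = "00:0c:41:aa:bb:cc"
SAMPLE = [
    build_frame(ROUTER, "00:11:22:33:44:55", "192.168.1.10", "64.12.24.1", 1025, 5190, b"AIM: see you at 9"),
    build_frame(ROUTER, "00:11:22:33:44:66", "192.168.1.11", "66.102.7.99", 1026, 80, b"GET / HTTP/1.0\r\n"),
    build_frame("00:11:22:33:44:55", "00:11:22:33:44:66", "192.168.1.11", "192.168.1.10", 1027, 445, b""),
]
```

On an open network every one of those payloads is readable by anyone in range, which is the whole point of the paragraph above; on a real capture the same dissect() call is what the analyzer's layer view is doing.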
The vendor information can give you a hint as to whether the AP is just that, or whether it is also the router and NAT box for the network. Many of these networks still have the default SSID for their model, which is another big clue. Having already gained access to a network, you can reach both the internet and any local machines. If the name of the wireless network hasn't been changed, and there is no security set up, it's not a bad guess that the password for the administrative interface hasn't been changed either. Most companies ship their wireless products in working condition so that you can plug one in, turn on your laptop, and be online. They also start with really easy usernames and passwords; these differ by company, but are all just as simple. Linksys routers default to username admin, password admin; D-Link to Admin/password; and Netgear to admin with a blank password, although it can vary by model. You can read the support documents right on each company's web site to determine this. Getting access to the admin interface allows you to do many things, from opening ports in the firewall to locking out the people meant to be using the device (by MAC address filtering).
Having WEP (Wired Equivalent Privacy) encryption on your wireless network does not perform as well as its name implies. While having encryption is a good start, it is only a deterrent. Someone looking to get online will most likely try all the open networks before spending time breaking the encryption on secured ones. A corporation or other specific target is a different case, however. The WEP encryption standard was broken, and it is now easily breakable with only two requirements: a specific software tool and a decent amount of real network traffic. The tools look at the data in these packets over time and are able to infer certain parts of the key. They then try the parts of the key they know with all possibilities for the missing part until they either guess right or are able to determine the whole key. Depending on traffic levels this can take from 20 minutes up to a few hours.
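The paragraph above describes key recovery from the traffic-volume side; as an added example (not from the article, and not the key-recovery method itself) this shows the structural reason WEP needs so little traffic to fail: each frame's RC4 key is a 24-bit IV sent in the clear glued onto the shared key, so IVs repeat after a few thousand frames, and any two frames that share one reveal each other's plaintext. The key and messages are made up; the IV-repeat estimate assumes IVs are chosen at random.

```python
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA), XORed over data; encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                                 # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 24-bit IV travels in clear, and the RC4 key is simply IV || shared key."""
    assert len(iv) == 3
    return iv + rc4(iv + shared_key, plaintext)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, plaintext_a: bytes):
    """Two frames under the same IV share a keystream, so one known plaintext exposes the other."""
    if frame_a[:3] != frame_b[:3]:                       # different IVs: the keystreams differ
        return None
    keystream = xor(frame_a[3:], plaintext_a)
    return xor(frame_b[3:], keystream)

def expected_frames_before_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday estimate of frames sent before a randomly chosen IV repeats: about sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

# Constructed demo (made-up 40-bit key and messages).
KEY = bytes.fromhex("0a1b2c3d4e")
IV = b"\x00\x00\x01"
MSG_A = b"AIM: meet at 9"
MSG_B = b"AIM: bring the"
FRAME_A = wep_encrypt(KEY, IV, MSG_A)
FRAME_B = wep_encrypt(KEY, IV, MSG_B)
```

expected_frames_before_iv_repeat() comes out around 5100 frames, which on a busy network is seconds of traffic; that is why the tools described above only need to listen for a while, and why WPA replaced this construction.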
The best-known tool for this is called AirSnort, which is available for free for both Linux/Unix systems and Windows, so it can be run on all sorts of machines. The newest version has a network scanner built in too: as soon as you turn it on it displays a list of active networks, what type of encryption is used (if any), and how far along the cracking process is, with no need to even push start.
The only consolation for home users is that many home networks might not have enough interesting traffic for the program to work. While in class at UPC, in some of the classrooms that did not get FIBNETLESS (the network we were provided access to), we ran AirSnort to try to break the key of any of the other networks, but there seemed to be almost no traffic at all on them, making any access impossible without the key. But certainly any larger commercial network would have plenty of useful data flowing all the time, and these problems would not occur. The Georgia Tech LAWN network has enough traffic at any time of day to break its short key in about 30 minutes. This network, as well as FIBNETLESS, also uses authentication as further security, which is for the most part effective at keeping unauthorized users out. It does not stop others from reading the messages sent on the network.