Google was capturing your wireless packets

Tuesday, May 18, 2010

Ray Tan


Last month the German government decided that it needed to take a closer look at Google's data collection methods. Google's Street View cars are equipped with wireless antennas and pick up any wireless signal they pass along the way. It was originally thought that the Street View cars were only collecting SSIDs and MAC addresses to provide location-based services to mobile users. It turns out that they were also capturing payload data from any network that wasn't encrypted with WEP or WPA.

The explanation, according to Google, is that its engineers were working on an experimental project in 2006 to collect data over publicly available wireless networks. That code was reused in the Street View cars to collect SSIDs and MAC addresses for the location service, but the part that captured payload data was never taken out. Google says it has stopped the collection and is now contacting regulators in the affected countries about how to dispose of the data quickly. Our privacy is at risk whether we realize it or not, and we need to protect ourselves better.

The MAC address and SSID are how your network is identified, and on an unencrypted network they are all a stranger needs to join it. The payload data Google collected came only from such unsecured networks. An unencrypted wireless network is not just a security risk to its owner but potentially to everyone else on the Internet: whoever joins it can do whatever they want on the Web, and the traffic will trace back to your connection rather than to them. Do yourself and your fellow Net citizens a favor and take the steps to secure your network:

  1. Turn off broadcasting of your SSID. The “Service Set Identifier,” or SSID, is the network name that your router announces in its beacon frames to every device within range. All wireless routers have an option to turn this off. Be clear about what it buys you: it hides the name from the casual scan a laptop or phone performs, so an opportunistic wardriver may skip your network, but it does not hide the network itself. The router still beacons (with an empty name), and the SSID travels in the clear in every probe request and association request your own devices send, so a passive sniffer learns it the moment one of your devices connects. Some computers or wireless cards also have trouble connecting to networks that don’t broadcast the SSID. Treat this as a nuisance for the curious, not as protection; your data is still unencrypted.
  2. Change the default settings of your router’s Web-based administration. Changing the admin login won’t stop anyone from intercepting your wireless traffic, but it will stop them from changing your settings. Most wireless routers allow you to change the admin name and password; do so. While you’re at it, change the SSID. If someone sees an SSID named “Linksys,” they can assume that the username is “admin” and the password is “admin,” because that is how Linksys routers ship from the factory. If nothing else, a changed default shows a wardriver that you know something about setting up a wireless network.
  3. Enable encryption: WPA2 if you can, otherwise WPA, and WEP only as a last resort. WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) require a key, derived from a password or passphrase, before a device can join the network, and they encrypt the traffic once it has joined.

    You have several choices for wireless encryption:

    64-bit WEP (Wired Equivalent Privacy). The original wireless encryption standard, now obsolete. Its main problem is that it can be cracked easily: given a few minutes of captured traffic, freely available tools recover the key. Cracking a wireless network means defeating the encryption so that you can establish a connection, and read everyone else's traffic, without being invited.

    128-bit WEP. An updated version of WEP with a longer key. It is no more secure in practice, because the flaws are in how WEP uses the RC4 cipher, not in the key length; the same tools crack 128-bit WEP in minutes once enough traffic has been captured, giving the attacker access to your network.

    WPA-PSK (also known as WPA-Personal). A far more secure alternative to WEP, but because it is newer it is not supported by every older device. Microsoft Windows XP with Service Pack 2 supports WPA, so this is the right choice if you plan to connect only Windows XP computers to your wireless network. If you have wireless devices that don't support WPA, such as media extenders or wireless cameras, you'll have to fall back to WEP for the whole network, or better, replace the device. The “PSK” is a pre-shared passphrase, and it is the only secret: the SSID and the key derivation are public, so anyone who records one of your devices joining the network can guess passphrases offline at leisure. Choose a long one that appears in no wordlist.

    You might also see the security method called "WPA-Enterprise." As the name suggests, it is designed for business use: each user authenticates individually (802.1X) against an authentication server such as RADIUS, so there is no shared passphrase to leak. Setup is more complex than for the other types and requires that extra infrastructure.

    WPA2. The newest type of wireless encryption, WPA2 (IEEE 802.11i) uses AES-CCMP rather than the TKIP of the original WPA and provides the strongest protection available. It should be your first choice if your wireless router and all of your wireless computers and devices support it. The passphrase advice for WPA-PSK applies equally to WPA2-Personal.

    No encryption is perfect, but any of these is a dramatic improvement over none: it makes you a harder target than the open networks around you.

  4. Allow access based on MAC address. A MAC address (Media Access Control address) is the unique hardware identifier of every network interface. Most wireless routers let you list the MAC addresses that are allowed to connect and refuse all others. Setting this up is time-consuming, and it is a much weaker barrier than the encryption above: every frame carries the sender's and receiver's MAC addresses unencrypted, so anyone sniffing your network sees which addresses are allowed, and changing a card's MAC address to match takes a single command on any modern operating system. Use it as an extra hurdle, not as a substitute for WPA2.
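Steps 1 and 4 both rest on information that every 802.11 frame carries in the clear. The following Python script is an added example written for this edit, not code from the original article: it parses a few constructed management frames the way a passive sniffer does, a beacon from a router with SSID broadcast turned off, then the probe request, probe response and association request exchanged when one of the owner's devices connects. The MAC addresses, the network name "HomeNet" and the capture itself are constructed; the frame layout (24-byte MAC header, 12 bytes of fixed fields on beacons and probe responses, tagged parameter 0 for the SSID) is the IEEE 802.11 one.

```python
"""Parse constructed 802.11 management frames like a passive sniffer does,
to show what SSID hiding and MAC filtering leave exposed. Added example."""
import struct

# Frame-control byte 0 = subtype << 4 | type << 2 | version; type 0 = management.
BEACON, PROBE_REQ, PROBE_RESP, ASSOC_REQ = 0x80, 0x40, 0x50, 0x00
SSID_TAG = 0          # tagged parameter number of the SSID element

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def mac_str(raw):
    return ":".join(f"{octet:02x}" for octet in raw)

def build_frame(subtype, dst, src, bssid, ssid, fixed=b""):
    """24-byte MAC header, subtype-specific fixed fields, then an SSID element."""
    header = struct.pack("<BBH", subtype, 0, 0)            # frame control, duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", 0)                         # sequence control
    return header + fixed + struct.pack("BB", SSID_TAG, len(ssid)) + ssid

def parse_frame(frame):
    """Return subtype, source MAC, BSSID and the SSID element (None if absent)."""
    subtype = frame[0]
    src, bssid = frame[10:16], frame[16:22]                # Addr2 = sender, Addr3 = BSSID
    body = frame[24:]
    if subtype in (BEACON, PROBE_RESP):
        body = body[12:]   # timestamp(8) + beacon interval(2) + capability(2)
    elif subtype == ASSOC_REQ:
        body = body[4:]    # capability(2) + listen interval(2)
    ssid, pos = None, 0
    while pos + 2 <= len(body):                            # walk the tagged parameters
        tag, length = body[pos], body[pos + 1]
        if tag == SSID_TAG:
            ssid = body[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"subtype": subtype, "src": mac_str(src), "bssid": mac_str(bssid), "ssid": ssid}

def sniff(frames):
    """Per BSSID: whether its beacon hides the name, the name learned from any
    frame, and the station MACs seen joining it (valid entries in a MAC filter)."""
    networks = {}
    for frame in frames:
        p = parse_frame(frame)
        net = networks.setdefault(p["bssid"],
                                  {"ssid": None, "hidden_beacon": False, "clients": set()})
        name = (p["ssid"] or b"").rstrip(b"\x00")          # hidden APs send empty or all-NUL names
        if p["subtype"] == BEACON and not name:
            net["hidden_beacon"] = True
        elif name:
            net["ssid"] = name.decode("utf-8", "replace")
        if p["subtype"] in (PROBE_REQ, ASSOC_REQ):
            net["clients"].add(p["src"])
    return networks

# Constructed capture: AP "HomeNet" with SSID broadcast off, one client joining.
AP, CLIENT, BCAST = "02:00:00:aa:bb:cc", "02:00:00:11:22:33", "ff:ff:ff:ff:ff:ff"
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0011)         # timestamp, interval, capabilities
ASSOC_FIXED = struct.pack("<HH", 0x0011, 10)               # capabilities, listen interval
CAPTURE = [
    build_frame(BEACON, BCAST, AP, AP, b"", BEACON_FIXED),             # "hidden" beacon
    build_frame(PROBE_REQ, AP, CLIENT, AP, b"HomeNet"),                # client asks for it by name
    build_frame(PROBE_RESP, CLIENT, AP, AP, b"HomeNet", BEACON_FIXED), # AP answers, name in clear
    build_frame(ASSOC_REQ, AP, CLIENT, AP, b"HomeNet", ASSOC_FIXED),   # client joins: an allowed MAC
]

if __name__ == "__main__":
    for bssid, net in sniff(CAPTURE).items():
        print(bssid, net)
```

Running it reports the BSSID as hidden by its own beacon, recovers "HomeNet" from the client's probe and the router's response, and lists the client's MAC address, which is exactly the address an attacker would set on their own card to walk through the MAC filter.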
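For step 3, this added Python example (again not from the original article) shows what WPA-PSK actually does with the passphrase and why its length is what matters. The key derivation is the one specified in IEEE 802.11i, PBKDF2-HMAC-SHA1 with 4096 iterations, the SSID as salt and a 256-bit output, and the "password"/"IEEE" test vector the script checks itself against is the standard's own. The wordlist, the SSID "HomeNet" and the two target passphrases are constructed. A real attacker never holds the PMK; they record a device's four-way handshake and check each candidate against its MIC, but the cost per guess is this same derivation, so comparing PMKs stands in for that check here.

```python
"""WPA/WPA2-Personal key derivation and an offline passphrase guess, to show
why the passphrase is the whole security of a PSK network. Added example."""
import hashlib

# IEEE 802.11i test vector (Annex H): passphrase "password", SSID "IEEE".
KNOWN_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Nothing here is secret except the passphrase: the SSID is beaconed and
    the parameters are fixed by the standard."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def guess_passphrase(ssid: str, target_pmk: bytes, wordlist):
    """Offline guess: derive the PMK for each candidate and compare.
    An attacker compares against the handshake MIC instead, at the same cost."""
    for candidate in wordlist:
        if wpa_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None

# Constructed wordlist, the kind that ships with cracking tools.
WORDLIST = ["123456", "password", "letmein", "linksys", "qwerty123", "iloveyou"]
SSID = "HomeNet"                      # constructed
WEAK = "letmein"                      # constructed: appears in the wordlist
STRONG = "pickle-vertigo-47-lantern"  # constructed: long and in no wordlist

def demo():
    """Self-check the derivation, then try both passphrases."""
    assert wpa_pmk("password", "IEEE") == KNOWN_PMK
    return {
        "weak": guess_passphrase(SSID, wpa_pmk(WEAK, SSID), WORDLIST),
        "strong": guess_passphrase(SSID, wpa_pmk(STRONG, SSID), WORDLIST),
    }

if __name__ == "__main__":
    print(demo())   # {'weak': 'letmein', 'strong': None}
```

The 4096 iterations slow each guess down, but a wordlist of a few million entries still runs in hours on one machine, so the only real defence is a passphrase that no wordlist contains.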

This article was originally published on

James Mulholland Does anyone actually believe such nonsense as this excuse? Clearly the data being captured must be acquired and stored in some sort of standardized format, and it would be very obvious how such radically different formats would affect the ingress and volume requirements of the application in the field as well as its subsequent aggregation.
Rod MacPherson Ray, you give the impression that MAC address locking is somehow more secure than encrypting. "[Allowing access only to specific MAC addresses] will certainly prevent all but the most well-equipped crackers from accessing your network".

I have to disagree. Anyone who is capable of bypassing WEP or WPA/WPA2 is well equipped to spoof a MAC address.

Anyone who can learn the SSID of a non-broadcasting AP probably also has the tools and knowledge to spoof the MAC. Given that they would be learning the SSID from a client that has access, they'd already know a valid MAC to use.
Ray Tan Rod,

As a security analyst, you should know that not everyone is as sophisticated as you; many people do not realize the risks they are facing, so how can they protect themselves?
User awareness training is always the first thing we need to do. I am not saying that MAC address locking is everything you need to do.
MAC address locking, encryption and other measures can protect you from the usual attacks, and they are easy for most users to set up.
Obviously, there is no absolute security; there are many ways to bypass those limitations, such as social engineering.
James Mulholland The more you clamp down on the potential routes for compromise the longer your attacker will be required to camp on your network which invites discovery. There will be less information available for capture on the whole which will tend to increase relative costs and reduce the payout. It's simple economics.
Ray Tan James, you are correct.
We need to increase the technical difficulty and the time it takes to compromise a network; then there will be fewer attacks, which reduces the risk of being attacked, too.
Victor Berenshteyn Ray, you're absolutely right. While there's no panacea against skilful intruders, and any given defence could be breached, employing various security measures simultaneously could dramatically increase overall system sustainability. Practically, I follow these 6 rules (just complementing yours):
1. Modify Admin credentials
2. Disable SSID broadcast
3. Implement MAC address filtering
4. Configure WPA2
5. If using WPA(2)-PSK, then set very long password string
6. Decrease antenna power so that it could be sufficient to cover only designated area.
“I think I’m paranoid.”
Rod MacPherson Victor, I don't think you are paranoid, I think that sounds like a reasonable approach. step 6 is a little further than I would probably take it, unless I was just wanting to be a friendly neighbor and not compete with other people's signals unnecessarily, but from a security point of view it doesn't hurt to try and limit how far your signal goes. Many large companies spend a lot of money making sure their enterprise wireless effectively covers their building without much bleed out into public spaces.
James Mulholland What is needed is an immunity model that recognizes "natives" versus "foreigners" in the context of network activity. There should be intelligence built into the network that permits it to enter into a learning mode and construct a shorthand grammar for what defines a "native" within the prescribed network ecology. If we implement a logic lattice based upon certain facets of network participation we can quickly identify intruders and block their access as well as distribute alerts to peers within the context of specific network dimensionality.
Fred Williams James, I think you are on the $$$. Intrusion Detection Systems can operate in two modes - signature based and anomaly based. The anomaly based IDS will require a period of time, say 1 week, to learn patterns of what is considered "normal" activity. Then after the learning period, any patterns that deviate from normal will be considered abnormal and flagged as a foreigner as you mention.

So to provide more depth, use a good IDS on your network to help in thwarting possible attacks.
James Mulholland What would make sense to me is to collapse as many of the current intricacies of network communication into a brokerage type interface. By constructing a closed corridor for communications and a finite application grammar space we could block out intruders. Imagine a Russian Doll arrangement that lets you enter into a series of "closed grammar" environments and as you pass through each layer you must surrender a token that represents a portion of your credentials. Unless you successfully transit the full spectrum to arrive at your target you will not be able to recover the full complement of your credentials. At the inception of your request you must identify the full depth of your resource request and at that point your token will be locked in a secure space that is one step beyond your target. The only way you can recover a token is to request it from the authority after a successful transaction. If you keep screwing with services you will essentially get a bad credit rating by having failed to recover your tokens.

Think of it as a digital visa.
Ian Tibble Just curious - has anyone actually ever seen an anomaly-based IDS working in the wild, actually in production in a large organisation?
It's a neat idea, but it really belongs in a research lab. With IDS you cannot escape from the constant battle with false positives.
James Mulholland I'd be inclined to develop security models more along the lines of demanding that participants justify why they should have access to resources. Having credentials that lack awareness is a recipe for reconnaissance within any organizational structure. There should be a method to translate network based activity into common language that provides supervisory agents with a concise narrative that articulates attribution, intent, and motive.

Why not just have users presented with challenges based upon network usage depending upon who they are and where they are within the network and what they are doing. An enforced journal mechanism that serves to construct a narrative as they interact with resources.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
