By Tim Wilson
September 10, 2007

I'm sitting with Richard Rushing, chief security officer of AirDefense,
on a stone bench that sits neatly between the White House and the U.S.
Treasury Building. As we both look intently at the laptop on Rushing's
lap, a three-foot Radio Shack antenna protrudes from his briefcase,
pulling in transmissions from both of these carefully-secured national

Yup, we're "war walking" the White House. We're looking for wireless
networks that are open to hack.
As we sit, scanning the IDs of dozens of wireless networks in the area,
the shadow of a uniformed White House security officer falls over our
screen. He's the first one to notice our antenna, even though we've
passed at least eight officers on our walk so far.
Damn, I'm thinking. Now we're in for an hour of police questioning, or
maybe worse. I wonder when I'll get home tonight?
"Excuse me, gentlemen," the officer says politely. "I don't mean to
interrupt, but what is that device you have there?"
Rushing, a trained penetration tester and ethical hacker, doesn't try to
hide anything. "It's an antenna," he says.
The officer frowns for a moment and looks at the antenna more closely.
Then his face brightens. "Cool," he says. "Nice. Thank you." And without
another word, he turns and walks away, crossing the street.
And that, folks, is the only time anybody stopped us. We walked the
entire White House grounds, circling the Old Executive Office Building
and the Treasury. We passed at least 20 security officers while Rushing
pointed the wireless antenna out of his briefcase (it's that little
white box you see in the photo). Several officers appeared to notice it;
only one of them said anything.
It could be that they knew what we were doing and didn't care, confident
in the White House's wireless defenses. Or it could be that they saw it
and didn't know what they were looking at. Either way, it didn't make me
feel more confident in the security of our national institutions.
As it turned out, however, the White House's wireless defenses -- at
least inside the fences -- were pretty sound. On a one-hour walk around
the grounds, Rushing was able to collect data on 104 wireless networks.
The antenna discovered 66 wireless access points, and roughly 90
stations connected to them.
About half of the networks were unencrypted, and many of them were using
WEP, an early wireless security technology that has been proven
vulnerable on numerous occasions. But we weren't able to decipher any
IDs or addresses belonging to White House staff -- most of the "open"
connections belonged to hotels, coffee houses, and law offices in the

If President Bush was sitting on his bed, surfing ESPN via a wireless
connection to get ready for his fantasy football season, we couldn't
tell -- not from where we were sitting, anyway.
Despite our failure to intercept Laura Bush's personal email, Rushing's
war walk did provide a number of lessons for enterprise network and
security managers. Rushing, who is on a mission (along with many of his
AirDefense colleagues) to show organizations how vulnerable their
wireless networks can be, showed me some obvious flaws -- and potential
hacks -- that many companies may fall prey to in the near future, if
they haven't already.
At the Treasury building, for example, we pick up the faint trace of a
user accessing an EV-DO wireless broadband network, bypassing both the
building's wired network and local WiFi. Many employees are taking to
using their personal EV-DO cards at work so they can use Websites or
applications that aren't allowed on the corporate network.
"Some people think they're doing the company a favor by using EV-DO, but
once you're on the Internet, you're still subject to any attack on the
Web, and you're using a machine that you're planning to attach back into
the company network, if you're not connected while you're sitting at the
desk," Rushing observes. "You're still bringing risk to the company, if
you're not following policy."
Rushing brings up the access screen for a local law firm that offers
unencrypted guest access via WiFi. "Here, all you have to do is crack
the password and you're in," he says. "That's not enough security."
About 70 to 80 percent of the rogue access points that AirDefense
uncovers are created by "guests," usually consultants or other business
partners who are onsite and looking to get out to the Internet or their
own company's network.
"Occasionally, we see consultants connecting to another client's network
while they're on site with the primary client," Rushing laughs. "Talk
about double dipping."
Later, Rushing shows me how easy it is for a phisher to duplicate one of
these internal "guest" log-in screens and grab all the traffic from an
unsuspecting client. "I'm surprised we don't see more of that."
After we pass the White House press room, we pick up a network called
"ABC Wireless LAN," quite possibly a WiFi connection established for the
use of reporters and camera crews onsite. "Some companies will have a
mobile WLAN setup that they use when they deploy groups of employees out
in the field," Rushing notes. "Often, they're not doing enough to
encrypt them, or at least disguise them so that an attacker can't find
them so easily."
Rushing also shows me how wireless networks and devices are often
misconfigured. We pick up several Hewlett-Packard printers, which ship
with a WiFi capability that many companies don't bother to turn off when
they're installed. "They plug it in and it works, and they don't bother
to read the rest of the instructions," he says. "But a printer can be a
point of access into the network, just as a PC can."
In another network, the IT administrator has done a good job
camouflaging the name of the network and protecting the primary access
point with a strong password. But many administrators don't understand
that their "secondary" APs, such as those in conference rooms or office
floors, may be listed by name ("first floor conference") in sub-fields
of the WLAN software, and are just as accessible as the primary AP.
"When you do wireless, you have to give up your wired network thinking,"
Rushing warns. "You can't designate one AP as the main point of access
and put a firewall in front of it, like you do in a wired environment.
Every AP in a wireless network is equally vulnerable. And you can't
practically put a firewall in front of all of them."
A wireless network can be entered through any access point that can be
found with a simple Radio Shack antenna, such as the one we've been
using on the White House grounds, Rushing says. "In fact, in most
businesses, it's actually easier, because I can war drive into the
parking lot and collect data on any network that's within 100 yards or
so," he says. "And any AP in the building could be my point of entry."
To prove his point, Rushing later pulls up WIGLE, a war drivers'
database that contains information on some 2.8 million wireless networks
and access points that have been mapped by hackers and hobbyists around
the world. WIGLE provides much of the same antenna-generated data that
we've just collected at the White House -- only it's also got a map
function, so you can see exactly where the APs are in your area -- and
which ones are unprotected.
"Kids are adding to WIGLE all the time -- it's one of the ways you can
look cool," Rushing says. "The more APs you've mapped, the cooler you

Rushing superimposes the WIGLE map on Google's real-world satellite
photo maps, so that we get an aerial view of the White House and
surrounding area, with wireless APs represented as small rectangular
boxes. About 4,000 wireless networks and APs have been mapped in less
than one square mile around the White House -- at least eight of them
are shown within the building itself. None of them shows up as
accessible, but we can see exactly where they've been detected

Apparently, we're not the first people to have done the White House war
walk. "The one thing that most administrators don't know about
wireless," Rushing says, "is how much leakage they've got. The signal
leaks out because of poor security, or through open doors or windows, or
even because of problems with the wireless network itself that your
vendor doesn't tell you about. If an attacker sits there long enough,
they can get signals that nobody intended for them to have."
Maybe it's time somebody mentioned it to the White House guards.