December 2008 Wireless network security landscape of India

Transcription

1 Wireless security survey Wireless network security landscape of India December 28 Wireless network security landscape of India 1

2 Foreword Recent high-profile exploits of unsecured wireless networks in India revealed that a substantial proportion of wireless networks were deployed without basic security measures, indicating a general lack of wireless security awareness at a national level. With the increasing popularity of wireless networks, the need to be adequately protected against threats becomes paramount. However, limited awareness about the risks of using unsecured or poorly secured wireless network devices, coupled with the wide-spread availability of affordable wireless networking equipment has exposed users to potential misuse of these unsecured wireless networks. There is an imperative need to secure wireless networks today, not only to protect one s personal or business information, but also in light of the recent wireless network security breaches by unauthorized individuals. Media coverage of the exploits evoked considerable public interest and served as a wake-up call to individuals and businesses across India. With a view to increasing wireless network security awareness among the public, the Enterprise Risk Services ('ERS') division of Deloitte Touche Tohmatsu India Private Limited ('Deloitte India') released a first of its kind Wireless Security Survey with a focus on the Mumbai metropolis in October 28. A booklet providing step-by-step details to secure commonly used wireless network equipment was also released simultaneously. By extending the survey to other cities in the country, Deloitte India has attempted to highlight the state of wireless network security on a nation-wide basis. The survey has been carried out using the WarDriving technique described in the methodology in Annexure II. This survey should be read in conjunction with the disclaimer provided on the last page of this document. We believe that increasing end user awareness and making a conscious decision to secure wireless networks will go a long way towards the goal of making India Wi-Fi secure. 2

3 Contents 1. Executive summary India landscape 5 2. Comparison across survey cities 8 3. Detailed reports for individual survey cities Risks and good practices 16 Annexure I Wireless network security landscape of India at a glance 17 Annexure II Methodology 18 Wireless network security landscape of India 3

4 Wireless network security landscape of India NCR * Jaipur 8% 92% 14% 86% Lucknow 14% 86% Ahmedabad 7% 93% Indore 18% 82% Kolkata 14% 86% Mumbai # 13% 87% Pune 16% 84% Nagpur 31% 69% Hyderabad 15% 85% Protected Vulnerable 16% 84% Bengaluru Chennai 22% 78% Group City WPA/WPA2 No encryption Low level encryption (WEP) Total Group I Bengaluru 16% 28% 56% 84% Chennai 22% 38% 4% 78% Hyderabad 15% 43% 42% 85% Survey city Protected networks Vulnerable networks Kolkata 14% 43% 43% 86% Mumbai # 13% 36% 51% 87% NCR * 14% 31% 55% 86% Group II Ahmedabad 7% 32% 61% 93% Indore 18% 51% 31% 82% Jaipur 8% 55% 37% 92% Lucknow 14% 53% 33% 86% Nagpur 31% 47% 22% 69% Pune 16% 35% 49% 84% National Average 14% 37% 49% 86% # Mumbai includes Navi Mumbai * NCR includes Delhi, Gurgaon and Noida For detailed city-wise statistics refer Annexure I 4

5 1. Executive summary India landscape The nation-wide WarDriving exercise undertaken by Deloitte India in October 28 revealed that 86% of observed wireless networks appeared to be vulnerable. Configuration errors like using manufacturer-default device names, device names that reveal business or personal details and the use of weak encryption expose such networks to a greater risk of unauthorized access. During our WarDriving exercise covering 12 cities across India ('Survey Cities'), we saw a total of 35,86 wireless networks. We used standard Windows TM laptops (Windows referred herein and after is a registered trademark of Microsoft Corporation) equipped with a manufacturer-provided wireless network card and open source software. 1.1 Wireless Network Security Based on the use of encryption, we classified wireless networks into 2 broad categories depicted below: Vulnerable networks No encryption networks Wired Equivalent Privacy ( WEP ) Protected networks Wi-Fi Protected Access ( WPA ) Wi-Fi Protected Access 2 ('WPA2 ) WEP is generally considered to offer a low level of protection whereas WPA and WPA2 are generally considered to offer a high level of protection. Approximately 86% of the total networks across Survey Cities appeared to be vulnerable, since 37% of these networks appeared to have no encryption and 49% of the networks appeared to be using WEP encryption. Wireless network protection landscape of India 5,184 (14%) 13,115 (37%) Total 35,86 networks 17,561 (49%) Total 3,676 (86%) Vulnerable networks Vulnerable networks No encryption Low level protection (WEP) Protected networks High level protection (WPA/WPA2) Wireless network security landscape of India 5

6 1.2 SSID Broadcast We observed that approximately 7% of wireless networks across Survey Cities were not broadcasting their SSID. Based on the SSID nomenclature of balance 93% wireless networks, we classified such networks into 3 categories viz. business, residential and networks broadcasting manufacturer-default SSIDs. SSID broadcast across survey cities Total 35,86 networks 13,625 (38%) 33,523 (93%) 93% 2,337 (7%) 8,812 (24%) 11,86 (31%) SSID broadcast disabled Residential networks Business networks Manufacturer-default SSIDs 1.3 Business and Residential Network Protection Businesses and residences are increasingly turning to wireless networks as a result of the convenience they offer. We observed that 33,523 networks were broadcasting their SSID, of which 24,711 appeared to be either business or residential networks. The wireless network protection for these 24,711 business and residential networks is depicted below. India-Business and residential wireless network protection Total 24,711 business and residential networks % 47% 4 2 Vulnerable 6% Business (11,86) Residential (13,625) Protected 8% 6

7 1.4 Manufacturer-default Router SSIDs Based on our analysis of manufacturer-default SSIDs broadcast by routers, it appears that 3 manufacturers ( Make ) have 65% of market share in India. The market share of these 3 makes may differ from city to city. Commonly used routers across survey cities 3,11 (35%) 2,55 (29%) Total 8,812 networks 995 (11%) 2,157 (25%) Make 1 Make 2 Make 3 Others Wireless network security landscape of India 7

8 2. Comparison across survey cities We found 35,86 networks across all Survey Cities. For ease of reference, we have classified Survey Cities as Group I or Group II and provided city-wise break-up of networks in the following tables: Cities Survey networks Group I Bengaluru 5,355 15% Chennai 2,15 6% Hyderabad 5,351 15% Kolkata 1,84 5% Mumbai # 7,214 2% NCR * 6,628 18% 28,43 79% Percentage of overall Cities Survey networks Group II Ahmedabad 2,175 6% Indore 662 2% Jaipur 1,112 3% Lucknow 54 2% Nagpur 78 2% Pune 2,26 6% 7,457 21% Percentage of overall # Mumbai includes Navi Mumbai * NCR includes Delhi, Gurgaon and Noida 2.1 Wireless Network Protection Out of 35,86 networks found across Survey Cities, 28,43 wireless networks belonged to Group I cities and 7,457 wireless networks belonged to Group II cities. Approximately 68% of vulnerable networks belonged to Group I cities and 18% of vulnerable networks belonged to Group II cities. Group I and Group II cities - Wireless network protection Total 35,86 networks % 28% 9% No encryption 49% 4% 9% Low level protection (WEP) 14% 11% 3% High level protection (WPA/WPA2) India Group I cities Group II cities 8

9 2.2 SSID Broadcast Based on an analysis of the SSID broadcast within Group I cities, we saw that 7% of the wireless networks had their SSID broadcast disabled. Out of the balance 93% wireless networks, 4% of networks appeared to be residential, 3% appeared to belong to businesses, while the remaining 23% were broadcasting their manufacturer-default SSID. Group I cities - SSID broadcast overview 28,43 Group I networks 11,254 (4%) 8,643 (3%) 26,49 (93%) 93% 1,913 (7%) SSID Broadcast enabled 6,593 (23%) SSID broadcast disabled Residential networks Business networks Manufacturer-default SSIDs For Group II cities, it was observed that 5% of wireless networks found, had their SSID broadcast disabled. Of the balance 95% wireless networks, 32% of networks appeared to be residential, 33% appeared to be business networks, and the remaining 3% of networks were broadcasting their manufacturer-default SSID. Group II cities - SSID broadcast overview 7,457 Group II networks 2,371(32%) 2,443 (33%) 7,33 (95%) 95% 424 (5%) SSID Broadcast enabled 2,219 (3%) SSID broadcast disabled Residential networks Business networks Manufacturer-default SSIDs Wireless network security landscape of India 9

10 2.3 Business and Residential Network Protection During our survey, we observed a total of 35,86 wireless networks. Based on the nomenclature of SSID broadcasts, we could classify 24,711 networks as either business or residential. The balance 11,149 networks either had manufacturer-default SSIDs or were not broadcasting their SSID. Approximately 11,86 (45% ) networks were classified as business while balance 13,625 (55%) networks were residential. Business and residential - Wireless network protection Total 24,711 business and residential networks % 3% 9% Vulnerable Business 6% 5% 1% Protected 47% 39% 8% Vulnerable Residential 8% 7% 1% Protected India Group I cities Group II cities 2.4 Manufacturer-default Router SSIDs We performed an analysis of router makes derived from manufacturer-default SSIDs. The Top 3 Makes appeared to have 52% market share in Group I cities and 13% share in Group II cities, resulting in an overall market share of approximately 65% in India. The results are presented in the graph below. Group I and Group II cities-manufacturer-default router SSIDs Total 8,812 manufacturer-default SSIDs % 23% 25% 2% 35% 23% % Make 1 5% Make 2 11% 9% Make 3 2% 12% Others India Group I cities Group II cities 1

11 3. Detailed reports for individual survey cities We have analyzed select wireless network parameters for each of the Survey Cities in order to present a city-wise comparison at the Group level. Each graph in this section may be interpreted as follows: The first bar comprising of dark blue and green blocks in each of the graphs indicates percentage across all cities The values across all these bars when taken together add up to 1% The second bar comprising light blue and light green blocks in each of the graphs indicates the percentages within each Survey City The values for each of these bars individually add up to 1% We have presented graphical results for each Survey City in subsequent subsections 3.X. 3.1 Wireless Network Protection Based on the encryption mechanism found on 28,43 networks in Group I cities, we classified these networks into vulnerable and protected. Vulnerable networks are those which either have no encryption or low level WEP encryption. Protected networks use either WPA or WPA2 encryption. Group I cities - City-wise wireless network protection Total 28,43 network - Group I cities 8 7 3% 13% 3% 14% 6 3% 16% 3% 15% % 84% 2% 22% 16% 85% 1% 14% 22% 87% 2% 86% 1 Bengaluru (5,355) 6% 78% Chennai (2,15) Hyderabad (5,351) 5% 86% Kolkata (1,84) Mumbai (7,214) NCR (6,628) Across Group I cities (28,43) Protected (15%) Vulnerable (85%) Within individual city Protected Vulnerable Wireless network security landscape of India 11

12 A total of 7,457 wireless networks were found in Group II cities. The classification into vulnerable and protected networks for each of these cities is depicted below. Group II cities - City-wise wireless network protection Total 7,457 networks - Group II cities 25 2% 7% 5% 16% % 8% % 93% 2% 18% 14% 92% 1% 14% 3% 31% 25% 84% Ahmedabad (2,27) 7% Indore (544) 82% Jaipur (1,24) 6% 86% Lucknow (457) 7% Nagpur (495) 69% Pune (1,894) Across Group II cities (7,457) Protected (14%) Vulnerable (86%) Within individual city Protected Vulnerable 12

13 3.2 SSID Broadcast We surveyed 28,43 networks in Group I cities. Based on the SSID broadcast setting, we classified these networks depending on whether SSID broadcasts were enabled or disabled. The graph depicting the status of SSID broadcasts is given below. Group I cities - City-wise SSID broadcast overview Total 28,43 networks - Group I cities % 5% 1% 5% % 8% 2% 9% % 92%.4% 5% 17% 91%.6% 8% 24% 95% 22% 95% 1 Bengaluru (5,355) 7% 95% Chennai (2,15) Hyderabad (5,351) 6% 92% Kolkata (1,84) Mumbai (7,214) NCR (6,628) Across Group I cities (28,43) SSID broadcast disabled (7%) SSID broadcast enabled (93%) Within individual city SSID broadcast disabled SSID broadcast enabled The status of SSID broadcasts for 7,457 wireless networks found in Group II cities is depicted in the graph below. Group II cities - City-wise SSID broadcast overview Total 7,457 networks - Group II cities 25.9% 3% 3.1% 12% % 3% % 97% Ahmedabad (2,175).3% 4% 9% 96% Indore (662) 15% 97% Jaipur (1,112).3% 5% 7% 95% Lucknow (54).1% 1% 9% 99% Nagpur (78) 27% 88% Pune (2,26) Across Group II cities (7,457) SSID broadcast disabled (5%) SSID broadcast enabled (95%) Within individual city SSID broadcast disabled SSID broadcast enabled The above two graphs indicate that a majority of wireless networks across survey cities were configured to broadcast their SSID. Wireless network security landscape of India 13

14 3.3 Business and Residential Wireless Network Security Based on the nomenclature of SSIDs found during our survey of 28,43 Group I networks, we classified these networks into 2 broad categories viz. business or residential. These networks are then further classified into vulnerable and protected. Vulnerable networks are those which either have no encryption or low-level WEP encryption. Protected networks use either WPA or WPA2 encryption. Further, based on the encryption used, we derived the percentage of vulnerable and protected networks in each category. The graphs depicting this analysis are provided below. Our analysis of 11,86 business wireless networks across Survey Cities revealed the following: Group I cities - City-wise business wireless network protection Total 8,643 business networks - Group I cities % 16% 2 3% 12% 2% 8% % 84% 1% 14% 21% 88% 1% 13% 21% 92% 1% 9% 5 Bengaluru (2,414) 7% 86% Chennai (674) Hyderabad (2,84) 7% 87% Kolkata (657) Mumbai (1,982) 9% 91% NCR (832) Across Group I cities (8,643) Protected (12%) Vulnerable (88%) Within individual city Protected Vulnerable Group II cities - City-wise business wireless network protection Total 2,443 business networks - Group II cities 1 9 3% 8% 5% 12% % 92% 1% 14%.4% 6%.6% 9% 3% 37% 33% 88% 1 Ahmedabad (834) 5% 86% Indore (145) 6% 94% Jaipur (16) 7% 91% Lucknow (18) 5% 63% Nagpur (28) Pune (916) Across Group II cities (2,443) Within individual city Protected (12%) Vulnerable (88%) Protected Vulnerable 14

15 We performed an analysis of residential networks in a similar manner for 13,625 wireless networks in Survey cities, with the results shown below. Group I cities - City-wise residential wireless network protection Total 11,254 residential networks - Group I cities 45 5% 13% % 11% % 2% 1% 8% Bengaluru (1,438) 1% 19% 5% 81% Chennai (68) 2% 17% 11% 83% Hyderabad (1,522) 1% 1% 5% 9% Kolkata (591) 23% 89% Mumbai (2,976) 31% 87% NCR (4,47) Across Group I cities (11,254) Protected (12%) Vulnerable (88%) Within individual city Protected Vulnerable Group II cities - City-wise residential wireless network protection Total 2,371 residential networks - Group II cities 8 7 1% 5% 6 4% 17% 5 2% 9% % 95% 3% 21% 17% 91% 1% 9% 2% 3% 19% 83% 1 Ahmedabad (76) 9% 79% Indore (278) Jaipur (447) 8% 91% Lucknow (215) 5% 7% Nagpur (178) Pune (547) Across Group II cities (2,371) Protected (12%) Vulnerable (88%) Within individual city Protected Vulnerable Our analysis for business and residential networks across the 12 Survey Cities indicated that a large number of business and residential wireless networks were vulnerable. Wireless network security landscape of India 15

16 4. Risks and good practices The rapid adoption of wireless networks without a commensurate increase in wireless network security awareness, both at homes and businesses, is indeed a growing concern. We have attempted to highlight several risks of using unsecured or poorly secured wireless networks and some good practices everyone should follow to ensure a minimum level of security. 4.1 Risks of using vulnerable wireless networks The use of unsecured wireless networks exposes users to the following major risks: Unauthorized users might visit objectionable sites, send threatening s and download or post offensive material on websites Illegal activities might be performed from the owner s unsecured network. If there is a subsequent criminal investigation, logs will indicate that the owner s IP address was used to commit the illegal activity If folders are shared on the wireless network, they may be available to unauthorized users who connect to unsecured wireless networks If the wireless network is connected to the internet, it would be possible for intruders to surf the internet free of charge. Not only would this clog the network but also consume upload and download limits set by the service provider, possibly incurring additional internet usage charges for the owner Unauthorized users may sniff sensitive data such as bank account details, online transaction passwords and communication transmitted over the unsecured wireless network, possibly causing monetary loss to the owner 4.2 Wireless network security good practices You are strongly advised to protect your wireless network from unauthorized use. The following are some good practices to provide secure connectivity: Ensure that your wireless access point has the latest firmware installed (obtained from router manufacturers website) so that you can take advantage of more secure encryption mechanisms such as WPA or WPA2 Ensure that the SSID of wireless access point is changed from the default manufacturer SSID in order to reduce the risk of intruders directing targeted attacks against your wireless network to exploit known vulnerabilities. Further, ensure that your SSID does not reveal identifiable information about you or your business Ensure that your wireless access point does not broadcast its SSID Change the default administrator password on the router in order to reduce the risk of compromise of your wireless access point Enable WPA2 on your access point with a passphrase having alphanumeric characters and special characters. This might make it more difficult for an intruder to crack the passphrase. If your wireless access point does not support WPA2, you must enable WPA or WEP Always activate MAC address filtering to limit the computers which are able to connect to your wireless network Ensure that your wireless network is switched off when not in use Place the router in a physically secure location Note: The above points represent general wireless network security good practices. Deloitte India is not responsible for comprehensiveness or accuracy of the recommendations presented above. You are encouraged to seek assistance from an IT Security Professional for expert advice. Refer to your wireless device manufacturers instructions to implement security for the device you are using for wireless connectivity. For more information on the India Wireless Security Survey, please contact us at ersindia@deloitte.com 16

17 Annexure I Wireless network security landscape of India at a glance The following table summarizes the level of wireless network protection/vulnerability for Survey Cities across select parameters. Groups Cities Survey networks Protection business/residential/others SSID broadcast Protected Vulnerable Business Residential Others δ Enabled Disabled WPA/WPA2 P V P V P V No encryption Low level encryption (WEP) Group I Bengaluru 5,355 7% 38% 5% 22% 4% 24% 92% 8% 16% 28% 56% 84% Chennai 2,15 5% 29% 6% 27% 11% 22% 95% 5% 22% 38% 4% 78% Hyderabad 5,351 5% 34% 5% 23% 5% 28% 91% 9% 15% 43% 42% 85% Kolkata 1,84 5% 31% 3% 29% 6% 26% 92% 8% 14% 43% 43% 86% Mumbai # 7,214 2% 25% 5% 36% 6% 36% 95% 5% 13% 36% 51% 87% NCR * 6,628 1% 11% 8% 53% 5% 22% 95% 5% 14% 31% 55% 86% Group II Ahmedabad 2,175 3% 35% 2% 31% 2% 27% 97% 3% 7% 32% 61% 93% Indore 662 3% 19% 9% 33% 6% 3% 96% 4% 18% 51% 31% 82% Jaipur 1,112 1% 14% 4% 36% 3% 42% 97% 3% 8% 55% 37% 92% Lucknow 54 3% 3% 4% 36% 7% 2% 95% 5% 14% 53% 33% 86% Nagpur 78 11% 18% 8% 17% 12% 34% 99% 1% 31% 47% 22% 69% Pune 2,26 5% 36% 4% 2% 7% 28% 88% 12% 16% 35% 49% 84% National Average 4% 27% 5% 3% 6% 28% 94% 6% 14% 37% 49% 86% Total # Mumbai includes Navi Mumbai * NCR includes Delhi, Gurgaon and Noida δ Networks with SSID broadcast disabled or manufacturer-default SSIDs P V Protected business/residential/other networks Vulnerable business/residential/other networks Wireless network security landscape of India 17

18 Annexure II Methodology The Wireless Security Survey was conducted using the methodology depicted below: Area Selection Observation Data Analysis Survey Results Area Selection Our effort was to obtain a representative sample of wireless networks deployed across the Survey Cities covered during our exercise. Areas in each of these cities were short listed from our understanding of Internet usage in the city, based on the distribution of residences and businesses. Observation In this phase, we adopted a technique known as WarDriving. This involved driving around short listed areas using standard laptops equipped with a built-in wireless card which could capture information about wireless networks in the vicinity. No special hardware was used in this activity. The laptops had standard Microsoft Windows Operating Systems, manufacturer-provided wireless card utilities and open source wireless network identification software. Data Analysis During this phase, we analyzed and segregated data observed during WarDriving using data analysis tools. The wireless network information was analyzed for the Survey Cities based on the following parameters: Encryption mechanism that might have been implemented SSID broadcast setting status Classification into business and residential networks based on their SSID broadcast Make of wireless devices used All percentages were rounded to the nearest value. Survey Results In this phase, we interpreted the data to the best of our ability/knowledge while maintaining the confidentiality of all gathered information. The results are generalized and no personally identifiable information is presented in this survey. The purpose of this survey and presentation of findings is to help spread public awareness with regards to wireless network security. Some of the inherent limitations of our WarDriving survey are as follows: Networks 5 feet away from the car may not be found e.g. above 6th floor Access points that are deployed behind walls may not be found Survey Cities and wireless networks observed within these cities may not be representative of the wireless networks across India Some important precautions taken during this survey include: During the observation phase, the WarDriving team configured their wireless network cards to prevent inadvertent connections to unsecured wireless networks by disabling the TCP/IP stack for the laptop s wireless network card We have taken reasonable measures to keep information obtained during this survey confidential. All persons involved in conducting the survey have signed non-disclosure agreements 18

19 Contacts Deloitte Touche Tohmatsu India Private Limited 3rd Floor, NASEOH Building, Postal Colony, Chembur, Mumbai India Tel.: +91 (22) Fax: +91 (22) ersindia@deloitte.com Deloitte Touche Tohmatsu India Private Limited 7th Floor, Building 1, Tower-B, DLF Cyber City Complex, DLF City Phase-II, Gurgaon India Tel.: +91 (124) Fax: +91 (124) Wireless network security landscape of India 19

20 Disclaimer This document / publication contains general information only, and none of Deloitte Touche Tohmatsu, its member firms, or its and their affiliates are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. None of Deloitte Touche Tohmatsu, its member firms, or its and their respective affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this publication. Survey users should be aware that Deloitte has made no attempt to verify the reliability of such information. Additionally, the survey results are limited in nature, and do not comprehend all matters relating to wireless security that might be pertinent to your organization or residence. The information is provided as is, and Deloitte makes no express or implied representations or warranties regarding the information. Without limiting the foregoing, Deloitte does not warrant that the information will be error-free or will meet any particular criteria of performance or quality. Deloitte expressly disclaims all implied warranties, including, without limitation, warranties of merchantability, title, fitness for a particular purpose, non-infringement, compatibility, security, and accuracy. Your use of the information is at your own risk and you assume full responsibility and risk of loss resulting from the use thereof. Deloitte will not be liable for any direct, indirect, special, incidental, consequential, or punitive damages or any other damages whatsoever, whether in an action of contract, statute, tort (including, without limitation, negligence), or otherwise, relating to the use of the information. If any of the foregoing is not fully enforceable for any reason, the remainder shall nonetheless continue to apply. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in 14 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte s 165, professionals are committed to becoming the standard of excellence. Deloitte s professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an environment of continuous learning, challenging experiences, and enriching career opportunities. Deloitte s professionals are dedicated to strengthening corporate responsibility, building public trust, and making a positive impact in their communities. Deloitte Touche Tohmatsu India Private Limited refers to one of the member firms of Deloitte. 28 Deloitte Touche Tohmatsu India Private Limited. All rights reserved.