Pocket-Sized Wireless Detection
by Bob Rudis
last updated September 2, 2003

--------------------------------------------------------------------------------

There you are: sitting in your favorite bookstore/café, sipping a caramel latte and casually leafing through the latest copy of Wired magazine when you are suddenly bombarded from almost every direction without warning and with no means to stop it. Fortunately, the storm you are caught in is made up of 802.11 packets which are traveling in the 2.4 or 5 gigahertz range and pose no real physical danger to you or those around you.
It is becoming increasingly difficult not to be caught up in WiFi traffic since so many homes and businesses are taking advantage of this technology. Unfortunately, the ever-decreasing prices and ever-improving ease-of-use has also caused wireless networks to be real security problems within businesses and institutions. At a personal level, it would be useful to have a way to know where these public "hotspots" are without having to carry around equipment that makes you look like an extra from a Star Trek set. At a corporate level, it would be extremely advantageous to have a means to detect rogue WiFi equipment at all company sites without having to spend many thousands of dollars on an enterprise-level WLAN detection system.

A solution may be at hand with the appearance of two "pocket-sized" 802.11 detectors on the market: the Smart ID WFS-1 and the Kensington WiFi Finder. Both devices claim to detect 802.11b and 802.11b/g traffic and report the strength of the signals. They each cost in the area of $30 USD. The question is: how well do they work and how can you use them for both personal information gathering and corporate protection?

A Tale of Two Detectors
Both units are similar in size, with the WiFi Finder being a bit smaller that the WFS-1. Each has an LED display (two lights on the Kensington model and four on the Smart ID one) that is designed to show the existence and strength of the WiFi signals, and they both come (surprisingly) with batteries included. This, however, is where the similarity abruptly ends.
Since each operates at the push of a button, testing was very straightforward. A number of scenarios were designed to determine just how well the actual functionality meets the claims in the marketing literature.

First scenario: the lone AP. A single, 802.11b access point was taken out of the box and left configured with just the vendor defaults in an area with no other WiFi traffic (i.e. no clients and no other APs, just the single access point). This simulates an access point at an open hotspot with no client activity. The Kensington unit did not show any signal after repeated trials from various distances, including right next to the access point. The WFS-1 detected the AP immediately. As the WFS-1 was moved around the room, the signal strength varied with the position of the unit as expected. Because of the antenna/unit design, it can also be used as an effective, rudimentary directional 802.11 device locator.

When a few clients were added, the WiFi Finder managed to detect the presence of the 802.11 traffic, but it was difficult to determine the strength and source of the signal.

Second scenario: secure, small WiFi network. An 802.11b access point was configured with no SSID broadcast, WEP enabled and MAC filtering. There were a small number of clients associated to the AP, each using the 802.11 network for various tasks (e.g. file sharing, web surfing, e-mail). Even at close range, it was difficult to determine if the WiFi Finder was really picking up the traffic due to the way in which the LED display works. The amber "WiFi Finder operational light" blinks to show that the unit is working, but the green strength/signal indicators do not flash often or bright enough to be completely sure you've found a live site.

The WFS-1 picked up the signals and performed equally as well as it did in the first scenario. The bright red, flashing indicators are difficult to misinterpret.

Third scenario: enterprise 802.11 environment. The previous tests were performed with consumer/small business-grade access points. This third test was in an enterprise environment consisting of multiple, feature-rich access points. Among the many standard security measures employed, this environment also used VPN access for increased wireless network security. The WFS-1 was able to locate each distinct access point via the signal strength indicators and directional nature of the antenna on the device. The WiFi Finder showed the presence of the 802.11 signals only when a significant amount of activity was on the network.

Fourth scenario: the Borders test. Since one of the devices makes the claim of being a hotspot finder and also claims to help you locate the best place to position yourself at a hotspot, it seemed only fair to test both devices at a local Borders bookstore. Granted, you don't technically need one of these pieces of equipment to find the hotspot in this scenario as Borders advertises, right on the door even before you enter, that they are a T-Mobile 802.11 wireless network access provider. It might be useful, however, to be able to locate the best spot to drink your double espresso while reading the latest news from SecurityFocus.com.

The test started outside the store, since this Borders (as most others) has a glass front. The WFS-1 picked up a faint, steady signal while the WiFi Finder didn't report anything. Right inside the door, a quick directional scan enabled the WFS-1 to point out the best place to head while the WiFi Finder just started to indicate the presence of a signal. In the café line, both devices showed that there was a hotspot nearby, with the WFS-1 giving the best indication for where to head. The real test was on the other side of the store. Even at the suspected edge of the signal area, the WFS-1 showed the faint presence of the hotspot while nothing displayed on the WiFi Finder.

Fifth scenario: hold the phone. Since 802.11 networks share the same spectrum as a large number of devices, it is important to determine if the detection equipment will turn up false positives when in the presence of other types of signals. Both devices were used in areas consisting of cordless phone and microwave oven use since they would be the most common counterparts to WiFi waves. Neither device reported a false positive in either situation and the WFS-1 managed to indicate the presence of an 802.11b network while both a microwave and 2.4 gigahertz phone were in proximity use.

From all five tests, the Smart ID WFS-1 clearly stands out as the device of choice for detecting 802.11b networks (no 802.11g networks were tested). The directional nature of the detection, the clear signal indicators and consistent performance under multiple scenarios make this a valuable tool in any 802.11 arsenal. The only other small form-factor device that can keep up with the WFS-1 would be a Linux PDA + 802.11 card. That profile, while more complete and robust, is significantly more bulky and difficult to setup and use than the WFS-1.

A Place in the Enterprise
Small devices that do wireless network detection have a place in the security profile of many organizations. While 802.11 networks are popping up everywhere, large companies are not as quick to widely adopt the technology due to the complexities and costs of setting it up securely. There is little these companies can do to stop individuals from setting up inexpensive, insecure access points for "convenience" or making local ad hoc WLAN communities which do not conform to corporate standards. These rogue deployments are a potential threat and there needs to be some way to detect and locate the equipment.
An 802.11-equipped PocketPC-based PDA or Windows 2000/XP laptop can run NetStumbler or other free/commercial tools to perform basic detection. With the proper card and antenna, they can even be used as a directional device finder. Most of the inexpensive (or free) tools for these non-*nix platforms will not pick up those users deliberately trying to hide their WLAN presence. The commercial tools for those platforms are, themselves, somewhat cost prohibitive, especially in a large distribution.

For many organizations, it is both against corporate policy and beyond the technical capabilities of the users to run Linux and tools such as Kismet on a PDA or laptop. Even if it were allowed, these tools have a double edge to them since programs such as Kismet and Ethereal can actually capture the network traffic for later viewing/processing, which could potentially be misused in that location or other environments, especially if put into the hands of a part-time operator as might be the case in remote offices.

Centrally-managed wireless detection systems do exist. They incorporate the use of sensors which can be spread throughout multiple offices and buildings and tied together via the LAN/WAN. They can be configured to know the existing WLAN topology and integrated into most monitoring/alerting systems to raise the alarm when any new/unauthorized 802.11 devices make their way onto the premises. These systems are still relatively new and are more than relatively expensive for even the smallest deployments. They also require a server and administrators to configure and operate the service and install the sensors.




The rest here!