WIPS-2-Go
By CWNP on 11/25/2008 - 7 Comments
I've been asked (gratis of course) to help catch an intermittent 'borrower' of Wi-Fi and Internet service without the help of the company whose Wi-Fi network and Internet connection are being used. Yeah, intermittent. Normally you would use a WIPS for such security monitoring, but the company that owns the network isn't to be involved in catching the bad guy. OK, I'm up for a challenge, so sure, let's do this. First, what better than a WIPS to catch the bad guy? Nothing. So, let's use WIPS...in a way that it's really not designed to be used, of course.
The good guys said, 'Hey, we can park a car near where we think the bad guy connects to the Wi-Fi network.' I said, 'Well, as long as you have a reasonable idea of where he's connecting, we should be able to catch him if we monitor long enough.' I looked around for a solution, and came up with something I thought might work fairly well. I started with an AirTight Networks 'Sentry' unit - a mini-WIPS in a single sensor. I figured that putting a 1500 KVA UPS in the car as a power source followed by a Kyocera KR2 WWAN router with a Verizon EVDO Rev-A card might do the trick. I could configure the Sentry to notify me via email as soon as an 'unauthorized' client connects to any 'authorized' AP. Of course this would mean a visit to the site to 'authorize' the network's APs. This is a quick-n-dirty way to go, and you get notified via email (on your Blackberry) with the MAC address of the bad guy. Not bad, not great. Backup plan - connect to the KR2's 802.11n radio from down the street and sit there waiting on the guy for hours: hideous.
I spoke to a wicked-smart CWSP over at AirTight who would rather figure out how to break government grade encryption than to eat or sleep. He said, 'Why not use our SpectraGuard Online (SGO) solution instead? It'll give you much more information and it'll be just as simple as what you've already come up with.' OK, so let's go see this solution I thought. HOLY SMOKES BATMAN. What a cool offering! You give a URL to the sensor, give AirTight your sensor MAC address, get a login to SGO, and BANG!...you're running a full-blown WIPS with your sensor telling your own virtual WIPS server all about what it's hearing. Now it's just a matter of setting up my SGO properly to catch the bad guy (including logging, notification, etc.). A bit less manual of course, and if you miss his intermittent visit, you at least know exactly when it happened, which AP the bad guy connected to, etc. Two more cars and two more sensors could give you bad-guy-triangulation even...the only drawback of this being 3 Verizon accounts. :) Not happening on my hacker-finding budget.
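The detection rule described above (alert when a client outside the allow-list associates to one of the authorized APs, and keep the timestamp and AP for each intermittent visit) boiled down to code, as an added illustration rather than anything from AirTight's sensor or SGO. The log format, MAC addresses and allow-lists are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of association events in the form a WIPS sensor might log
# them (timestamp, client MAC, AP BSSID). All values here are made up.
SAMPLE_LOG = """\
2008-11-25T02:13:07 assoc client=00:1c:b3:aa:bb:01 bssid=00:0b:86:00:00:01
2008-11-25T02:13:09 assoc client=00:16:ce:00:00:22 bssid=00:0b:86:00:00:01
2008-11-25T02:15:40 assoc client=00:16:ce:00:00:22 bssid=00:0b:86:00:00:02
2008-11-25T03:01:12 assoc client=00:19:d2:11:22:33 bssid=00:0b:86:00:00:01
2008-11-26T02:20:55 assoc client=00:16:ce:00:00:22 bssid=00:0b:86:00:00:01
2008-11-26T02:21:03 assoc client=00:1c:b3:aa:bb:02 bssid=00:1d:7e:ff:ff:ff
"""

# Allow-lists you would fill in during the site visit (constructed values).
AUTHORIZED_APS = {"00:0b:86:00:00:01", "00:0b:86:00:00:02"}
AUTHORIZED_CLIENTS = {"00:1c:b3:aa:bb:01", "00:1c:b3:aa:bb:02"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) assoc client=(?P<client>[0-9a-f:]{17}) bssid=(?P<bssid>[0-9a-f:]{17})$",
    re.IGNORECASE,
)

def parse_events(log_text):
    """Yield (timestamp, client, bssid); malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["client"].lower(), m["bssid"].lower()

def unauthorized_associations(log_text, authorized_aps, authorized_clients):
    """Alerts for non-allow-listed clients joining an AP we own. Associations to
    APs that are not ours (neighbors' networks) are ignored: not our problem."""
    return [
        {"ts": ts, "client": c, "bssid": b}
        for ts, c, b in parse_events(log_text)
        if b in authorized_aps and c not in authorized_clients
    ]

def visit_summary(alerts):
    """Collapse repeated alerts per client into first/last seen, visit count and
    the APs used, which is what matters when the visitor is intermittent."""
    summary = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        s = summary.setdefault(a["client"], {"first": a["ts"], "last": a["ts"], "count": 0, "aps": set()})
        s["last"], s["count"] = a["ts"], s["count"] + 1
        s["aps"].add(a["bssid"])
    return summary

if __name__ == "__main__":
    for client, s in visit_summary(unauthorized_associations(SAMPLE_LOG, AUTHORIZED_APS, AUTHORIZED_CLIENTS)).items():
        print(client, s["count"], "visit(s)", s["first"], "->", s["last"], sorted(s["aps"]))
```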
Since my CWSP friend is so adept at using his own WIPS solution, I've asked for his help in optimizing the WIPS for catching intermittent hacker bad guys. I can't wait to see if this solution will work well enough to catch the bad guy the first time he/she connects. Stay tuned. I'll update this blog post with the results.
I'd love to hear from anyone who has attempted something similar, or from anyone who can add something to the equation to help me catch the bad guy.