Contained in today’s Globe And Mail is the latest issuse of TQ, the paper’s quarterly technology magazine. I wrote the cover story about wireless security hacker Brad “RenderMan” Haines. He’s a talented white hat hacker based in Edmonton, and the profile raises a lot of important issues about wireless security. The full text is up on the Globe’s website, and I’ve pasted it below.
RenderMan to the rescue
Dressed in a black trench coat and his trademark fedora, Brad Haines cruises city streets and malls on the hunt for wireless networks that are prime targets for hacking. Just be grateful he’s one of the good guys
Globe and Mail
July 22, 2008
One day last December, Brad Haines pulled a long black trench coat over his black shirt and pants, perched his trademark black fedora on top of his straight, shoulder-length hair and strapped on a backpack filled with a laptop and other electronics. And, like many people in Edmonton during the holiday season, he headed to the West Edmonton Mall.
The mall is home to more than 800 stores and occupies a space equivalent to roughly 48 city blocks, so Haines knew he’d have no trouble finding gifts. But he wasn’t here to shop. No, this expedition was all work. His mission: Take a “warwalk” of North America’s largest mall, using his equipment to search out unsecured wireless networks as he walked past the building’s stores. (Do it in a car and it’s called wardriving; on public transit, it’s warriding.) The point of wardriving isn’t to actually access anyone’s wireless network—that could result in warjailing. Rather, the idea is to simply survey the number of wireless networks within the building, evaluate their level of security and alert the owners to any vulnerabilities.
Haines, 28, had been wardriving through the streets of Edmonton since 2002 and had catalogued roughly 80,000 wireless networks, whether home-based or those belonging to companies. But the mall represented uncharted territory. “Nobody had done a good wireless survey of the West Edmonton Mall, and if you throw in Christmas shopping crowds, it’s a little more interesting,” he says. “Everything lined up for a really good guerrilla analysis, because you have big crowds and a massive amount of spending going on. If you’re thinking as an attacker, that’s the time of year you want to do something, because there are so many more targets.”
Haines’s fondness for wardriving, plus his all-black “uniform,” would lead the average executive to conclude that he’s a nefarious hacker. But since he first began mapping WiFi networks in and around Edmonton, Haines has become well known as a wireless security expert, often consulting for companies and government agencies (non-disclosure agreements prevent him from naming names). And he’s regularly invited to speak at major security and hacking conferences in North America and Europe, including DefCon, ShmooCon and Hackers On Planet Earth, or HOPE. (A few of his recent presentations: “Legal and Ethical Aspects of Wardriving,” “Standards Bodies … What Were These Guys Drinking?” and “New Wireless Fun From the Church of WiFi.”)
Though his trademark headgear says otherwise, Haines is a so-called “white hat” hacker—one of the good guys. His corporate clients know him as Brad Haines, but he has earned the most notoriety as RenderMan, the alias he uses online and within the WiFi hacking community. Haines maintains a Website, renderlab.net, where he posts his research, reports, presentations and the occasional article. “He’s pretty well known, and he’s well received at the [hacker] conventions,” says Frank Thornton, a Vermont-based security consultant and the co-author of Wardriving & Wireless Penetration Testing. “He’s a role model for some of the people out there who are getting into this stuff.”
One of Haines’s key contributions to the wardriving community is a code of ethics (see page 46). It dictates that wardrivers must never connect to a network they discover, should always obey traffic laws and stay off of private property, and never use the data collected for personal gain. The seven-point list also says wardrivers should adopt the hiker motto of “take only pictures, leave only footprints.” “It’s one of the things he’s really well known for,” Thornton says.
The countless hours spent mapping and analyzing thousands of wireless networks has enabled Haines to see firsthand the rapid growth of wireless Internet access in homes and businesses, and the lack of effort put into securing them. “To put it in perspective, the first time I went out wardriving in 2002, I found 25 networks in an evening driving all over downtown Edmonton,” says Haines. “I can now drive around my block and get 25 networks.”
He says that five or six years ago, roughly 70% of wireless networks were completely unprotected. That means that no encryption (such as the standards WEP and WPA) was used to protect the data flowing over the network, and no password was required to join. Today, that number has shrunk to 30%, but it’s still dangerously high when you factor in the huge growth in the number of networks, and the fact that many of them are now run by companies. “In absolute numbers, there are more unsecured business networks out there than before, because there’s a high underlying growth,” says Toffer Winslow, vice-president of product management for encryption company RSA. His company conducted a study of wireless networks in 2007 that revealed that 25% of business networks in New York, London and Paris had no encryption whatsoever. A year earlier, a survey by research firm Gartner Inc. found that 64% of U.S. businesses were planning to expand their use of wireless networks.
At the time, analyst Rachna Ahlawat said wireless networks were fast becoming a “standard part of enterprise networks, covering entire facilities, not just meeting rooms.”
That means they’ve also become a standard target for those looking to infiltrate corporate networks. One particularly devastating corporate wireless security breach was on Haines’s mind as he began planning his mall warwalk late last year. The victim was TJX Cos. Inc., a company that operates discount chains such as T.J. Maxx and Marshalls in the U.S., and Winners and HomeSense in Canada. In January, 2007, TJX revealed that attackers had gained access to systems that process and store transaction data. This enabled them to steal customer credit card numbers and driver’s licence information. In the end, more than 45 million credit card numbers were compromised between 2005 and early 2007, making it the largest breach on record. “The chink in their armour seems to have been their wireless network,” Haines says. “It had been a year since that happened, and so many people I know had to get new credit cards because of it. My thought was: Has anybody actually learned anything?”
So, on Dec. 12, Haines strapped on his gear-filled backpack, straightened his fedora, and set out to warwalk the West Edmonton Mall.
Haines understands that his is a strange passion. Most people he knows wouldn’t want to spend hours driving or walking around with a laptop and antenna searching for something that can’t be seen, heard, smelled or touched. When asked to describe the appeal of wardriving, he likens it to bird watching. “Some people are big into bird watching, and the biggest moment for them is when they spot a specific bird,” says Haines. “Most people are like, ‘That’s the stupidest sport I’ve ever heard of.’ Some people say the same about wardriving. It makes no sense to some people, but for us, it’s neat.”
In true geek fashion, Haines also compares his hobby to The Matrix, a film built on the premise that our world is nothing more than a computer simulation meant to enslave humans. Only those who have been “liberated” can see “the Matrix” for what it is. Wardrivers, he says, are able to peer beyond what’s visible to the naked eye. “You are able to see beyond the real. I’m sitting in my kitchen right now looking at my backyard, but I know that just beyond my perception, the Internet is literally overlapping the physical world. To see something others can’t
is kind of a neat thing.”
Aside from consulting work and a measure of fame in the WiFi hacking community, Haines’s ability to see beyond the real has also attracted the attention of the Canadian Security Intelligence Service (CSIS). In late August, 2002, the agency sent out a confidential memo to government and law enforcement agencies alerting them to International Wardriving Day, set for Aug. 31. The CSIS bulletin contained basic information about the dangers of unsecured wireless networks, as well as the following statement: “A computer enthusiast from Edmonton issued a press release on August 21, 2002, stating that he was arranging a wardriving exercise in Red Deer, Alberta, on 31 August 2002 as a component of the internationally scheduled event.”
The enthusiast in question was Haines, who had helped to organize the event, along with WiFi security hackers around the world. The plan was to spend the day mapping out wireless networks in cities such as Boston, Los Angeles, Chicago and Baltimore—while adhering, of course, to the aforementioned seven-point ethical manifesto. Haines and a friend from Calgary completed their map of Red Deer as planned, completely unaware that CSIS had deemed their efforts worthy of a confidential intelligence brief. It was only months later that he learned about the kerfuffle, when a reporter who’d unearthed the memo through a Freedom of Information request gave Haines a call. He was surprised that CSIS had made note of his work. “If you read the memo they sent out, it’s not accusing us of being evil, but it’s not painting us in the best light, either,” he says.
“It’s the nature of CSIS,” he adds. “They like to be secretive. But there’s nothing nefarious [going on] when you send out a press release with your phone number on it.”
Haines was particularly surprised by the CSIS bulletin because, earlier that same month, he’d had a far more pleasant encounter with the secret agency at DefCon. That was the year the venerable hacker conference held its first wardriving competition, which saw hackers divide into groups and drive around Las Vegas mapping access points. Haines ended up recruiting a CSIS technical services employee to join his team. “She was making up a wardriving kit for the agency to give to people to survey their stuff,” he says, noting that the CSIS techie was completely open about who she worked for. “It was a surreal moment to be driving down
Las Vegas Boulevard with a person from a four-letter agency in the backseat, while the Judas Priest song Breaking the Law was playing on the radio.”
Haines says the CSIS employee was happy to join in, and she ended up holding an antenna outside the window of the car. “I want to protect things. CSIS’s job is to protect things,” he says. “We’re on the same team.”
As bustling crowds of Christmas shoppers flowed past him inside the West Edmonton Mall, Haines trekked past stores and into every nook and cranny he could find. He carried in his hand an antenna linked to a laptop running software that enabled it to capture the basic information of any wireless networks in range.
Haines ended up making three trips to the sprawling mall in order to complete his audit. During his travels, he came to several conclusions, which he later noted on his website. Not surprisingly, he discovered that the mall is a lot “of ground to cover and it really hurts to walk it all several times with a heavy coat and backpack on.” Also: “If you look like you want to spend money, no one will ask anything about the odd blinky thing sticking out of your backpack (or why you are wearing a backpack
with a trench coat).”
Most importantly, however, he discovered that there were roughly 250 individual wireless networks being used by businesses inside the mall—the vast majority of which had poor security or were wide open, just begging for a malicious person to steal corporate or financial data. (The mall operates its own massive wireless network that can be used by the public for a fee. Haines says it offers decent security.) “A great
many retailers in one of the largest malls in the world are running very poorly secured wireless networks that put customer data at risk, along with company assets and intangibles like reputation,” Haines concluded.
Prior to making his findings public, he e-mailed the mall’s administrators to alert them to the potential problem with their tenants’ unsecured networks. Haines hoped the information would be passed on to the relevant parties. “When you’ve got, like, 800 stores and so many networks, how do you as a good citizen let these people know?” he says, noting that his message boiled down to, “Hey, emperor, you have no clothes on.”
The mall never replied to the e-mail. A week later, Haines published his findings on renderlab.net. He didn’t reveal which specific networks were vulnerable, but he did offer anonymous examples of businesses that either had completely unsecured networks or were using the vulnerable WEP encryption standard. A knowledgeable attacker could crack a WEP-protected network in about a minute, according to Haines. That’s bad news for a medical office inside the mall that “likely has patient data travelling over [its network] and is only using WEP encryption.” Or the “beverage company” that appeared to be sending customer transaction data over its WEP network. “Basically, every [network] was either open or WEP only,” Haines says.
Combine the number of retailers and other businesses who either had very poor or no security with the constant foot traffic, and Haines says you have the perfect environment for anyone interested in trying to replicate the TJX attack on a smaller scale. He calls the mall a “dense area with dense people.” “You could be sitting in a coffee shop with a latte in your hand and a laptop and you’re not immediately going to draw a lot of suspicion,” he says. “But no one knows what you’re connecting to.”
Haines believes his mall warwalk is a case study in how businesses rush to set up wireless networks, but ignore the need to maintain and secure them. “You have to think of the implications of a wireless network,” he says. “Would you run an Ethernet cable out to your parking lot? No. But if you’re leaving a wireless network wide open, that’s what you’re doing.”
Haines says he has recently cut down on his wardriving activities due to the price of gas and the fact that he’s already investigated most of Edmonton. Plus, he’s busy creating a new presentation for hacker conferences titled “10 Things That Are Pissing Me Off and What We Can Do About Them.” Still, he says, he may once again break out the backpack and retrace his mall warwalk this fall. “I should do a follow-up to see if things have changed,” he says. “I don’t know if the mall sent out a memo to tenants or what, but if you get this information in Google and word gets around, then hopefully it gets to the right people who can take care of it.”
So don’t be alarmed if you find yourself in the West Edmonton Mall and spot a tall man in a black fedora with a backpack slung over his trench coat, holding a strange device in his hand. RenderMan is there for your protection.
Craig Silverman is a Montreal writer and the co-author, with Michael Calce, of the forthcoming book Mafiaboy: How I Cracked the Internet and Why It’s Still Broken (Penguin)