Salesmen in China are making money from long-known weaknesses in a Wi-Fi encryption standard, by selling network key-cracking kits for the average user.
Wi-Fi USB adapters bundled with a Linux operating system, key-breaking software and a detailed instruction book are being sold online and at China's bustling electronics bazaars. The kits, pitched as a way for users to surf the Web for free, have drawn enough buyers and attention that one Chinese auction site, Taobao.com, had to ban their sale last year.
With one of the "network-scrounging cards," or "ceng wang ka" in Chinese, a user with little technical knowledge can easily steal passwords to get online via Wi-Fi networks owned by other people.
The kits are also cheap. A merchant in a Beijing bazaar sold one for 165 yuan (US$24), a price that included setup help from a man at the other end of the sprawling, multistory building.
The main piece of the kits, an adapter with a six-inch antenna that plugs into a USB port, comes with a CD-ROM to install its driver and a separate live CD-ROM that boots up an operating system called BackTrack. In BackTrack, the user can run applications that try to obtain keys for two protocols used to secure Wi-Fi networks, WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access). After a successful attack by the applications, called Spoonwep and Spoonwpa, a user can restart Windows and use the revealed key to access its Wi-Fi network.
To crack a WEP key, the applications exploit weaknesses in the protocol that have been known for years. For WPA, they capture data being transmitted over the wireless network and target it with a brute-force attack to guess the key.
Security researchers said they did not know of similar kits sold anywhere besides China, even though tutorials on how to crack WEP have been online for years.
The kits appear to be illegal in China and it is unclear who is bundling the software with the USB adapters. One of the adapter makers is Wifly-City, a company that operates a Wi-Fi network covering coffee shops and other areas in Taipei, Taiwan. A woman surnamed Ren who answered the phone at the company said it does not supply the software that often appears with its products.
A developer of BackTrack said the operating system is meant for penetration testing, not malicious attacks. "It sounds like BackTrack is being abused in China for illegal purposes. This is done without our knowledge or approval," the developer, who goes by the name Muts, said in an e-mail.
One of the kits took over an hour to crack the WEP key equivalent to the password "sugar" in a test attack on a personal router set up for the purpose using 40-bit encryption.
"Depending on many factors, WEP keys can be extracted in a matter of minutes," Muts said. "I believe the record is around 20 seconds."
The brute-force attacks on WPA encryption are less effective. But while WEP is outdated, many people still use it, especially on home routers, said one security researcher in China. That means an apartment building is bound to have WEP networks for a user to attack.
Since the kits capture data packets to perform their attacks, they may also let a user steal sensitive personal information that a victim sends over a network, the researcher said.
The kits have stayed popular despite Chinese laws against hacking.
"No matter where you go, you can use the Internet for free," the researcher said.