Overview of Romania 802 . 11 Wireless Security & Statistics

This paper presents a study of wireless network security and statistics in Romania aimed at raising public awareness on security issues and highlighting the prevalence of known vulnerabilities in commercial equipment. The data used for the study consist of wireless network broadcast data acquisitioned by the technique of war-driving. In order to ensure a thorough overview, the data collected includes more than 100000 unique wireless networks gathered in Bucharest, major urban areas and the surrounding rural areas. The results of the study cover security protocol usage, the percentage in which known vulnerabilities are still deployed in wireless networks and statistics regarding channel and band usage, common SSIDs in Romania, top equipment manufacturers and the situation of provider wireless access points. The study also shows that provider wireless access points on average offer better security than private networks. Received on 28 January 2017; accepted on 20 April 2017; published on 28 December 2017


Introduction
Personal wireless networks have become increasingly popular ever since smartphones and related mobile devices have penetrated daily life.The 802.11 set of specifications has backed up the rapid expansion of wireless networks.The falling costs and high availability of both wireless equipment and that of broadband internet [1] in Romania has also enabled the growth in number of wireless networks.
Users in Romania can choose between using a cable internet broadband connection and setting up their wireless network with off the shelf wireless access points or they can choose to buy wireless network access as a service from an internet provider which will supply the customer with a ready-to-go branded wireless access point connected to cable or mobile internet connection.
Although 802.11 specifications have enabled the rapid growth of personal wireless networks, the security protocols and technologies have shown weaknesses that can be exploited in order to gain unauthorized * Corresponding author.Email: cristian.liviu.leca@gmail.comaccess to the network and the encrypted communication data.Although weaknesses and exploits have been made known to the public, users often choose to ignore security recommendations.The use of outdated security protocols or the failure to address weak spots in their access points creates security risks for unaware users.
The data for the study was gathered during the months of October and November 2016 by collecting wireless network broadcasted data in Bucharest completed by ten major urban areas and their surrounding rural areas.The data set contains approximately 100000 unique wireless access points and was gathered by driving around 3000 km in Romania.
The data collected for the study is compared with world data obtained from the Wireless Geolocation Engine [2].Data from a previous study [3] published in 2012 is used in order to determine the evolution of wireless security in Romania.We also focus on highlighting weaknesses that allow well-known attacks and exploits to succeed by analyzing statistics regarding their existence in personal wireless networks in Romania.Because these exploits are well known, patching them up has become an easy job for most users.As long as users are not aware of the security concerns for running their own private network they Cristian Liviu Leca will continue to make bad security choices, for example: choosing the WEP protocol for authentication or using the default SSID of the equipment.By highlighting these weaknesses and showing their wide existence in wireless networks in Romania, we hope to raise the public awareness on wireless security and make users take better decisions when installing private networks, not only in Romania for users worldwide.The study also compares provider wireless networks and their security with privately set up wireless networks and shows that the first offer increased security protection, which means that low-skilled users can fare better on security by choosing provider services.
Personal wireless networks in Romania are analyzed using the following criteria: percentage of unencrypted wireless networks in Romania, types of encryption in use, existence of WPS (Wi-Fi Protected Setup) feature, most common network ESSID (Extended Service Set Identification), band and channel usage, provider wireless networks security and top wireless access point manufacturers sold in Romania.The results are compared between the Bucharest area, the major urban areas and the rural areas scanned in the process.
Reference [3] have gathered a database consisting of approximately 38000 access points gathered through wardriving in Romania.Their results show that rural areas adopted WPA security directly when compared to urban areas that have made the transition from WEP to WPA and still use legacy equipment.They also show that rural areas have more open networks and less security when compared to urban areas.
Reference [7] analyze a total of 29250 networks in Serbia, while other articles use a database with less than 10000 AP [4,6,12] The work in [13] is also concerned with highlighting known vulnerabilities and their spread.The authors of [13] divide the collected data into commercial or residential areas, similar to our urban/rural division.The goal of the study is to collect statistically significant data from representative areas of Romania that would ensure an objective overview of the wireless security situation in Romania.The research questions were aimed at: • drawing a comparison between wireless security in Romania and the rest of the world; • determining the existence of an improvement of the wireless security in Romania; • highlighting differences between urban and rural areas; • highlighting the existence of known vulnerabilities; The data gathering process ensured a large data set with statistical significance, that allows a deep insight into wireless network statistics in Romania.The study shows that wireless network security has improved significantly in Romania when compared to the results of a previous study in 2012.Wireless security statistics bear similarities to that resulting from worldwide data gathered by the Wigle project [2].Particularly, the study presents results regarding the spread of known vulnerabilities in wireless networks.Results also show that provider wireless networks have increased security and a larger WPA Enterprise deployment percentage when compared to private owned networks.

Methodology for data gathering and analysis
Data collection was enabled by the use of the Wireless Geolocation Engine (Wigle) [2] android application.The Wigle project is aimed at collecting information about wireless hotspots from around the world by the process of crowd-sourcing.The goal of the project is to create awareness for the security needs of running wireless networks.The project allows users a limited number of queries for the location of an SSID or MAC address which causes privacy concerns.Wigle offers full database access under a commercial license.
The Wigle android application will log visible wireless networks and the geographic coordinates of the point where the scanning took place at a specified interval.The wireless information gathering process was achieved by wardriving [14] and warwalking [15].Wardriving is defined in [16] as the act of searching for Wi-fi wireless networks by a person in a moving vehicle using a portable computer, smartphone or personal digital assistant.
The data was collected over the course of October and November 2016.The gathering process was aimed at collecting data from all Romania's major regions, while also covering both urban and rural areas as shown in figure 1.
The resulting dataset contains approximately 100000 distinct wireless networks of which: 55% were collected in Bucharest, 31% were collected in major urban areas and 14% were collected in the neighboring rural areas.Fig. 1 presents the major urban areas that were sampled in the data collection process with blue pins while Bucharest is marked with a purple pin.
Figure 2 presents the results of war-driving in the city of Galati by depicting scanned wireless networks with colors between green and red (green indicates more measurements of the same network).
The resulting logs from all the devices running the Wigle app were merged into a single PostgreSQL database.The records for each distinct network were then spatialized according to the logged GPS coordinates.The aim of the spatialize operation was to allow for precise selection of the networks located in Bucharest or in urban areas, while the networks belonging to the rural areas where filtered by an inverse selection operation.
The logs were completed with information regarding the 802.11channel number according to the logged frequency.We also included information about the manufacturer of the wireless access point.Manufacturer information is available freely from the Wireshark project [17] and the IEEE Standards Association [18].
The statistics were generated using PostgreSQL queries, that were plotted or inserted into tables.
The data was analyzed primarily based on security protocol usage.The security protocols in use for 802.11 wireless networks are WEP, WPA, WPA2 and WPA2-Enterprise.Using an open access policy with no security is highly discouraged as it offers illintentioned users complete access to the network and the communications inside.WEP security has been outdated since the Wi-Fi Alliance announced WPA in 2003.The WEP protocol is easily defeated in minutes with freely available software tools [19] and commercial hardware, which makes it useless against attacks.
The WPA protocol was designed to be easily implemented on hardware running WEP and offer superior protection.WPA has shown to be vulnerable allowing attackers to decrypt short packets.Publicized attacks are not yet able to recover the password and so attackers have no access to the network.
The WPA2 protocol was introduced in 2004 to improve on WPA performances.WPA2 offers satisfactory security for the PSK (pre-shared key) authentication method but does not offer any protection or forward secrecy once an attacker manages to obtain the password.Methods that attackers use to gain access to the password include guessing a weak password using dictionary attacks or employing social engineering tactics.
Many devices, by default, offer both WPA and WPA2 security for compatibility with client devices.
WPA2 -Enterprise also known as WPA-802.1x is designed to offer security at enterprise level for businesses or Wi-Fi mobile network offload.

Results on security protocol usage
In this section, we present results of the study concerning wireless security.Results are compared with world data and with a previous study which gave an overview of wireless security in Romania in 2012 [3].
Available data from [2] offers statistics about Open, WEP encrypted, WPA and mixed WPA2 (WPA & WPA2 or WPA2 only) security for Wi-Fi networks scanned during the same interval as our data gathering process.We compare this information with the results of our study in Table 1.
The results in Table 1 highlight a higher percentage of open access networks in Romania compared to world statistics.The greatest percentage of open is seen in rural areas at 11%.In the case of public organizations that offer open access, this is not really an issue because even if using WPA encryption an attacker can decrypt all traffic on the network by using the provided key.The WPA and mixed security are on average with world statistics showing the public understanding of the need for wireless security.
We also compare historic all-time data regarding Romania wireless security with world data in fig. 3.
The results concerning WPA2 or mixed security show that wireless security in Romania has improved with a fast pace.The growth is observed by comparing all-time data with the present situation.The security situation in Romania is level with present world levels as shown in Table 1.
The evolution of the security situation can be traced when comparing our data with data from a previous study in 2012 concerning the Bucharest area [3] as shown in Fig. 4.
By comparing the results in 2012 with the results of our study we see a major improvement in wireless security over the course of 4 years.This is reflected in the increase of WPA2 secured networks which closes 90% for the Bucharest area.
The use of open access has also decreased as shown in Table 2.
The results in Table 2 can be explained by the fact that urban and rural area users have increased their security awareness and gave up on allowing open access to their networks.The situation in Bucharest went largely unchanged due to two reasons: first -the high number of open networks belonging to businesses and second -   The gathered data also offers a detailed insight into different security setups.Table 3 presents the top 20 most used security capabilities for wireless networks in Romania.The top 20 capabilities cover 89% of wireless networks in the country while the others cover the remaining 11% of networks.Enterprise secured wireless networks represent 8% of all scanned networks, of which 82% are WPA2-Enterprise, 17% Mixed WPA-Enterprise and 1% WPA-Enterprise.The use of EAP-SIM access points is under the threshold of 1% which shows that mobile network operators are only in the beginnings of the process of implementing mobile data offload to 802.11 networks.

Security vulnerabilities and their extent
This part of the study highlights the existence and scale of vulnerabilities in Wi-Fi networks in Romania.The aim is to raise awareness and to encourage users to avoid using these practices security flaws in the configuration of their wireless network.
The most concerning vulnerability is the usage of the Wi-Fi Protected Setup protocol.WPS has been shown to be vulnerable to online [19] and offline brute force attacks while also depending heavily on physical security for all implementations (PIN labeled on the device, pushbutton, near field or USB transfer).Online brute force attacks can recover the WPA2 key in under four hours [19] with no notification to the user that an attack is in place.The attacker gets full access inside the network despite best efforts by the users to use WPA2 security.WPS statistics are presented in Table 4.
The use of the WPS feature is not entirely insecure due to various security patches introduced by manufacturers in the original implementation, but proving a WPS implementation is secure is difficult for the majority of users.Resulting statistics show that 45% of networks in Romania have WPS enabled.Taking into account the available exploits and the difficulties in proving a WPS implementation secure we consider this to be the major vulnerability of Romanian wireless networks.
The breaking of the WEP protocol meant that old hardware was rendered useless unless a security protocol was designed that was able to use the same resources as WEP.The result was the Temporal Key Integrity Protocol implemented as WPA-TKIP [20].The WPA-TKIP protocol has seen packet spoofing and limited packet decryption attacks which can compromise the confidentiality of the network traffic but will not grant the attacker the access key inside.Fortunately, around 4% of networks in Romania still use this security protocol in WPA only or mixed configurations, resulting in a low spread of the WPA-TKIP vulnerability.A recently published vulnerability [21] raises concerns about the security of mobile network provider access points and the use of Voice over Wi-Fi.Mobile network operators are implementing the offloading of data and voice traffic from the mobile RAN (radio access networks) to 802.11 access points using the Enterprise WPA-EAP-SIM or WPA-EAP-AKA authentication methods.
The vulnerabilities presented in reference [21] offer an attacker access to information about the target's location and that of the IMSI of the SIM card inside the mobile device.The vulnerabilities are based on the EAP-SIM and EAP-AKA protocol which sends identity information (IMSI number) in plain.Enterprise EAP-SIM network setups represent under 1% of Enterprise networks in Romania which does not cause great concerns regarding this vulnerability yet.
Using the default SSID [22] for the wireless access point is discouraged by security experts as it offers hints to an attacker regarding the equipment manufacturer or internet provider.This information can then be exploited in order to use default credentials on forcing access to the network.Also, the use of personal information in naming the SSID favors attacks based on social engineering or facilitates the generation of passwords for more precise dictionary attacks.Our study reveals that networks using the top 20 more common SSIDs in Romania represent 12% of the total  5.

Band & Channel usage
The Wigle Android App also allows gathering information regarding the channel in use by a wireless network.This allowed us to compile statistics abound channel and band use in Romania.The 802.11 bands in use in Romania are the 2.4 GHz (802.11b/g/n) and the 5 GHz (a/h/j/n/ac) bands.The devices used for war-driving were compatible with both bands.The results show that 94% of access points use the 2.4 GHz band while the rest of 6% function in the 5 GHz band.We take notice that these results can be biased by the fact that the 5 GHz band is affected by higher atmospheric and building attenuation resulting in less observed networks.
The use of the 2.4 GHz band generally follows the distribution of non-overlapping 802.11 channels as shown in Fig. 6.Using non-overlapping channels guarantees minimum interference between access points functioning in close proximity.
The 5 GHz band usage is presented in Fig. 7.The 5 GHz band is subject to transmit power control and dynamic frequency selection regulations with  the aim to reduce interference between neighboring networks.Channels 36 to 64 are subject to a restriction for outdoor usage resulting in a lower usage.Channel 112 is by far the preferred channel in the 5 GHz band due to default software settings of the equipment.

Manufacturer
By analyzing each access point's MAC addresses by its OUI (Organizationally Unique Identifier) we were able to determine the top equipment vendors in Romania.The information regarding OUIs was compiled from the databases offered by the Wireshark Project [17] and the IEEE [18].The top 10 equipment manufacturers in Romania are plotted by their percentage in Fig. 8.

Service providers
Wireless network access is sold as a service in Romania by different internet providers.This is done by offering the client both internet access by cable or 3G/4G modem and the hardware access point that is used for wireless internet access.The providers broadcast their brand by making it a part of the SSID belonging to the leased equipment.Users are generally not able to completely remove the branding from the SSID.Instead, they can add their desired name as a suffix to the brand.This makes it easy to gather statistics about wireless internet providers in the country which show that 30% of wireless networks scanned belong to an internet provider as depicted in Table 6.Moreover, we provide an analysis of the share each provider has in our data collection in Fig. 9.
Provider Wi-Fi security situation is better than that of private networks.This is reflected in Table 7.
Table 7 shows that enterprise security levels are hard for private users to implement with a percentage of around 1% of the networks.Providers on average offer better security with lower percentages of open, WPA only and of the WPS feature.Providers also offer the majority of the enterprise secured networks in Romania.WEP networks are used with a higher percentage by providers which poses a high security risk as mentioned before.

Conclusions
This article presents an overview of the wireless security situation in Romania.The data used in the study is statistically significant as it consists of more than 100000 unique records of wireless networks in Romania gathered in all three major regions of the country.
The study is aimed at increasing public awareness on wireless network security and to highlight existing vulnerabilities in personal networks that are simple to avoid.We compare the results concerning wireless security with world data and with results of a previous study in 2012, and we notice that the wireless security situation has improved in Romania consequently being now at level with world statistics.The increase of wireless security in recent years is also observed by similar work in the field [4,6].
We also publish results on most common SSIDs in use, channel and band usage, equipment manufacturers, wireless internet providers.The security situation of provider wireless networks is shown to be significantly better than that of private networks.This prompts us to advise users with no technical skills to opt for provider services rather than setting up their own network, as this operation can lead to the usage of a vulnerable security setting or practice.
Further work should be concentrated on expanding the data set in order to ensure greater statistical significance.If data was to be collected on a permanent basis, the resulting database could be used to help service providers analyze market opportunities while also advertising the fact that they offer enhanced security while compared to privately setup networks.The data set could also be used to analyze the distribution of 802.11 protocols (a,b,g,n,ac).

Figure 3 .
Figure 3. All-time data comparison between Romania security and World security

Figure 4 .
Figure 4. Bucharest area wireless security overview in 2012 vs 2016

Figure 5 .
Figure 5. Analysis of Table 3 security capabilities

Figure 8 .
Figure 8. Top equipment manufacturers on sale in Romania

Table 1 .
Open, WEP, WPA and mixed networks statistics for October and November 2016

Table 2 .
Open access networks in 2012 vs 2016

Table 3 .
Detailed capabilities of WLAN in Romania

Table 3
can be resumed by analyzing Enterprise WPA2 only, mixed WPA, WPA only, WEP and open networks as presented in Fig. 5.

Table 4 .
WPS availability in Romanian wireless networks

Table 5 .
Top 20 most common SSIDs in use in Romania

Table 6 .
Provider wireless networks percentage analysis

Table 7 .
Provider wireless networks percentage analysisMixed WPA WPA2 only Enterprise Open WPA only WEP WPS