
Sunday, January 6, 2008

Chapter 1: Learning to WarDrive/Tools of the Trade or “What Do I Need?”

Tools of the Trade or “What Do I Need?”

This section introduces all of the tools required to WarDrive successfully. There are several different configurations that can be used effectively for WarDriving, and the topics covered include:

  • Getting the hardware

  • Choosing a wireless network card

  • Deciding on an external antenna

  • Connecting your antenna to your wireless NIC

The following sections discuss potential equipment acquisitions and common configurations for each.

Chapter 1: Learning to WarDrive/The Legality of WarDriving

The Legality of WarDriving

According to the FBI, it is not illegal to scan access points, but once a theft of service, denial of service, or theft of information occurs, it becomes a federal violation under 18 USC 1030 (www.usdoj.gov/criminal/cybercrime/_1030_new.html). While this is good general information, any questions about the legality of a specific act in the United States should be posed directly to the local FBI field office, a cyber crime attorney, or the U.S. Attorney’s office. This information applies only to the United States. WarDrivers are encouraged to investigate the local laws where they live to ensure that they aren’t inadvertently violating the law. Understanding the distinction between “scanning” (identifying wireless access points) and actually using an access point is understanding the difference between WarDriving, a legal activity, and theft, an obviously illegal activity.

Chapter 1: Learning to WarDrive/The Truth about WarDriving

The Truth about WarDriving

The reality of WarDriving is simple. Computer security professionals, hobbyists, and others are generally interested in providing information to the public about security vulnerabilities that are present with “out of the box” configurations of wireless access points. Wireless access points that can be purchased at a local electronics or computer store are not geared toward security. They are designed so that a person with little or no understanding of networking can purchase a wireless access point, and with little or no outside help, set it up and begin using it.

Computers have become a staple of everyday life. Technology that makes using computers easier and more fun needs to be available to everyone. Companies such as Linksys and D-Link have been very successful at making these new technologies easy for end users to set up and begin using. To do otherwise would alienate a large part of their target market. In Chapter 10, a step-by-step guide to enabling the built-in security features of these access points is discussed.

Warchalking Is a Myth

In 2002, the news media latched onto something called warchalking. Warchalking is the act of making chalk marks on buildings or sidewalks to denote the presence and availability of wireless networks. Playing off the practice of hobos during the Great Depression, who would mark homes or areas to communicate information about the area to other hobos, warchalkers use a series of symbols to alert others to what type of wireless network they will find in that area. The three primary symbols used by warchalkers are illustrated in the following figures. Figure 1.1 indicates an open node, one on which WEP encryption is not used and which individuals are encouraged to use. The Service Set Identifier (SSID), or network name, is chalked above the symbol and the available bandwidth speed is chalked below the symbol.

Figure 1.2 indicates a closed node, one that is not open for public use. The SSID, or network name, is chalked above the symbol and nothing is chalked below the symbol.

The symbol in Figure 1.3 indicates a node with WEP encryption enabled. This should be viewed as an unequivocal stop sign. The SSID and contact information to arrange for authorized access are chalked above the symbol and the available bandwidth is chalked below the symbol. Aside from hot spots such as Starbucks, there have been very few actual sightings of warchalked wireless networks. Despite the media hype surrounding warchalking, it is generally viewed as a silly activity by WarDrivers. A recent poll on the NetStumbler forums (https://forums.netstumbler.com) was unable to find even one person that had actually chalked an access point. The results of the survey can be seen in Figure 1.4. More information on the NetStumbler Forums and other online WarDriving Communities is presented in Chapter 8 of this book.

Chapter 1: Learning to WarDrive/WarDriving Misconceptions

WarDriving Misconceptions

These days, you might hear people confuse the terms WarDriver and hacker. As you probably know, the term hacker was originally used to describe a person who was able to modify a computer (often in a way unintended by its manufacturer) to suit his or her own purposes. However, over time, owing to public confusion and consistent media abuse, the term hacker is now commonly used to describe a criminal: someone who accesses a computer or network without the authorization of the owner. The same situation applies to the term WarDriver. WarDriver has been misused to describe someone who accesses wireless networks without authorization from the owner. An individual who accesses a computer system, wired or wireless, without authorization is a criminal. Criminality has nothing to do with either hacking or WarDriving.

The news media, in an effort to generate ratings and increase viewership, has sensationalized WarDriving. Almost every local television news outlet has done a story on “wireless hackers armed with laptops” or “drive-by hackers” that are reading your e-mail or using your wireless network to surf the Web. These stories are geared to propagate Fear, Uncertainty, and Doubt (FUD). FUD stories usually take a small risk, and attempt to elevate the seriousness of the situation in the minds of their audience. Stories that prey on fear are good for ratings, but don’t always depict an activity accurately.

An unfortunate side effect of these stories has been that the reporters invariably ask the “WarDriver” to gather information that is being transmitted across a wireless network so that the “victim” can be shown their personal information that was collected. Again, this has nothing to do with WarDriving and while a case can be made that this activity (known as sniffing) in and of itself is not illegal, it is at a minimum unethical and is not a practice that WarDrivers engage in.

These stories also tend to focus on gimmicky aspects of WarDriving such as the directional antenna that can be made using a Pringles can. While a functional antenna can be made from Pringles cans, coffee cans, soup cans, or pretty much anything cylindrical and hollow, the reality is that very few (if any) WarDrivers actually use these for WarDriving. Many of them have made these antennas in an attempt to both verify the original concept and improve upon it in some instances.

Chapter 1: Learning to WarDrive/The Terminology History of WarDriving

The Terminology History of WarDriving

The term WarDriving comes from WarDialing, a term you may be familiar with being that it was introduced to the general public by Matthew Broderick’s character, David Lightman, in the 1983 movie, WarGames. WarDialing is the practice of using a modem attached to a computer to dial an entire exchange of telephone numbers (often sequentially—for example, 555-1111, 555-1112, and so forth) to locate any computers with modems attached to them.

Essentially, WarDriving employs the same concept, although it is updated to a more current technology: wireless networks. A WarDriver drives around an area, often after mapping a route out first, to determine all of the wireless access points in that area. Once these access points are discovered, a WarDriver uses a software program or Web site to map the results of his efforts. Based on these results, a statistical analysis is performed. This statistical analysis can be of one drive, one area, or a general overview of all wireless networks.

The concept of driving around discovering wireless networks probably began the day after the first wireless access point was deployed. However, WarDriving became better known when the process was automated by Peter Shipley, a computer security consultant in Berkeley, California. During the fall of 2000, Shipley conducted an 18-month survey of wireless networks in Berkeley, California and reported his results at the annual DefCon hacker conference in July of 2001. This presentation, designed to raise awareness of the insecurity of the wireless networks deployed at that time, laid the groundwork for the “true” WarDriver.

Chapter 1: Learning to WarDrive/What’s in a Name?

What’s in a Name?

WarDriving is the act of moving around a specific area and mapping the population of wireless access points for statistical purposes. These statistics are then used to raise awareness of the security problems associated with these types of networks (typically wireless). The commonly accepted definition of WarDriving among actual practitioners is that WarDriving is not limited to surveillance and research by automobile; WarDriving is accomplished by anyone moving around a certain area looking for data. This includes walking, often referred to as WarWalking; flying, also referred to as WarFlying; bicycling; and so forth. WarDriving does NOT utilize the resources of any wireless access point or network that is discovered without prior authorization of the owner.

Chapter 1: Learning to WarDrive/The Origins of WarDriving

The Origins of WarDriving

WarDriving is an activity that is misunderstood by many people. This applies both to the general public and to the news media that has reported on WarDriving. Because the name “WarDriving” has an ominous sound to it, many people associate WarDriving with criminal activity. Before the discussion of how to WarDrive begins, you need to understand the history of WarDriving and the origin of the name. The facts necessary to comprehend the truth about WarDriving, as well as why the media has incorrectly reported on WarDriving, are provided.

Chapter 1: Learning to WarDrive/Introduction

Introduction

Wireless networks have become a way of life in the past two years. As more wireless networks are deployed, the need to secure them increases. This chapter provides background on one effort to educate users of wireless networks about the insecurities associated with wireless networking. This effort is called WarDriving.

This chapter presents a brief history of WarDriving and the terminology necessary to understand what WarDriving is all about. This includes information on why the activity of driving around discovering wireless access points is called WarDriving, some misconceptions associated with the term, and the truth behind the idea of WarDriving. This chapter also discusses the legality of WarDriving.

In order to successfully WarDrive, there are some tools, both hardware and software, that you will need. These tools are presented along with cost estimates and some recommendations. Since there are hundreds of possible configurations that can be used for WarDriving, some of the most popular are presented to help you decide what to buy for your own initial WarDriving setup.

Many of the tools that a WarDriver uses are the same tools that could be used by an attacker to gain unauthorized access to a wireless network. Since this is not the goal of a WarDriver, the methodology that you can use to ethically WarDrive is presented.

WarDriving is a fun hobby that has the potential to make a difference in the overall security posture of wireless networking. By understanding WarDriving, obtaining the proper tools, and then using them ethically, you can have countless hours of fun while making a difference.

Foreword

When I was thirteen years old and my father got an IBM PC-2 (the one with 640k!) at a company discount, my obsession with computers and computer security began. Back then the name of the game was dial-up networking. 300-baud modems with “auto dial” were in hot demand! This meant that you didn’t have to manually dial anymore!

You could see where this was going. It would be possible to have your computer dial all the phone numbers in your prefix looking for other systems it could connect to. This was a great way to see what was going on in your calling area, because seeing what was going on in long distance calling areas was just too expensive!

When the movie “War Games” came out, it exposed War Dialing to the public, and soon after it seemed everyone was dialing up a storm. The secret was out, and the old timers were complaining that the newbies had ruined it for everyone. How could a self-respecting hacker explore the phone lines if everyone else was doing the same thing? Programs like ToneLoc, Scan, and PhoneTag became popular on the IBM PC, with some that allowed dialing several modems at one time to speed things up. Certain programs could even print graphical representations of each prefix, showing what numbers were fax machines, computers, people, or even what phone numbers never answered. One friend of mine covered his walls with printouts of every local calling area he could find in Los Angeles, and all the 1-800 toll free numbers! In response, system operators who were getting scanned struck back with Caller ID verification for people wanting to connect to their systems, automatic call-back, and modems that were only turned on during certain times of the day.

War Dialing came onto the scene again when Peter Shipley wrote about his experiences dialing the San Francisco bay area over a period of years. It made for a good article, and lured some people away from the Internet, and back to the old-school ways of war dialing. What was old was now new again.

Then, along came the Internet, and people applied the concept of war dialing to port scanning. Because of the nature of TCP and the IPv4 and IPv6 address space, port scanning is much more time consuming, but is essentially still the same idea. These new school hackers, who grew up on the Internet, couldn’t care less about the old way of doing things. They were forging ahead with their own new techniques for mass scanning parts of the Internet looking for new systems that might allow for exploration.

System operators, now being scanned by people all over the planet (not just those people in their own calling region) struck back with port scan detection tools, which limited connections from certain IP addresses, and required VPN connections. The pool of people who could now scan you had grown as large as possible! The battle never ceases.

Once wireless cards and hubs got cheap enough, people started plugging them in like crazy all over the country. Everyone from college students to large companies wanted to free themselves of wires, and they were happy to adopt the new 802.11, or WiFi, wireless standards. Next thing you knew it was possible to accidentally, or intentionally, connect to someone else’s wireless access point to get on their network. Hackers loved this, because unlike telephone wires that you must physically connect to in order to communicate or scan, WiFi allows you to passively listen in on communications with little chance of detection. These are the origins of WarDriving.

I find WarDriving cool because it combines a bit of the old school world of dial up with the way things are now done on the net. You can only connect to machines that you can pick up, much like only being able to War Dial for systems in your local calling area. To make WarDriving easier, people developed better antennas, better WiFi scanning programs, and more powerful methods of mapping and recording the systems they detected. Instead of covering your walls with tone maps from your modem, you can now cover your walls with GPS maps of where you have located wireless access points.

Unlike the old school way of just scanning to explore, the new WiFi way allows you to go a step further. Many people intentionally leave their access points “open,” thus allowing anyone who wants to connect through them to the Internet. While popular at some smaller cafes (i.e., not Starbucks), people do this all over the world. Find one of these open access points, and it could be your anonymous on-ramp to the net. And, by running an open access point you could contribute to the overall connectedness of your community.

Maybe this is what drives the Dialers and Scanners. The desire to explore and map out previously unknown territory is a powerful motivator. I know that is why I dialed for months, trying to find other Bulletin Board Systems that did not advertise, or were only open to those who found it by scanning. Out of all that effort, what did I get? I found one good BBS system, but also some long-term friends.

When you have to drive a car and scan, you are combining automobiles and exploration. I think most American males are programmed from birth to enjoy both! Interested? You came to the right place. This book covers everything from introductory to advanced WarDriving concepts, and is the most comprehensive look at WarDriving I have seen. It is written by the people who both pioneered and refined the field. The lead author, Chris Hurley, organizes the WorldWide WarDrive, as well as the WarDriving contest at DEF CON each year. His knowledge in applied WarDriving is extensive.

As WarDriving has moved out of the darkness and into the light, people have invented WarChalking to publicly mark networks that have been discovered. McDonalds and Starbucks use WiFi to entice customers into their establishments, and hackers in the desert using a homemade antenna have extended its range from hundreds of feet to over 20 miles! While that is a highly geek-tastic thing to do, it demonstrates that enough people have adopted a wireless lifestyle that this technology is here to stay. If a technology is here to stay, then isn’t it our job to take it apart, see how it works, and generally hack it up? I don’t know about you, but I like to peek under the hood of my car.

—Jeff Moss
Black Hat, Inc.
www.blackhat.com
Seattle, 2004