Wardriving

June 12th, 2008
By J. Michael Butler


"Wardriving is driving around a city searching for the existence of Wireless LAN (802.11) Networks. It's locating and logging wireless access points while in motion. Often, this task is automated using dedicated wardriving software and a GPS Device."

Wardriving was invented by Peter Shipley and is now commonly practiced by hobbyists, hackers and security analysts worldwide.[1]

Wardriving can be either a defensive or an offensive action. By that, I mean that a user with malicious intent can be "offensively" looking for an easy target. On the other hand, a security expert may use wardriving to determine if their perimeter is safe, or to determine if the users of their company are plugging in "Rogue" access points that need to be removed.

A "Rogue Access Point" (Rogue AP) is a wireless access point that someone, without authorization, has plugged into a network. In many companies, it would be simple to walk in dressed in some sort of uniform, ostensibly to "do maintenance" on an air conditioner or other equipment, just to gain access to a wiring closet or a network jack. Then the pretend maintenance man would pull a wireless access point out of his tool bag, plug it in where it would not be readily seen, and walk out.

Once in place, the wireless AP would faithfully open up a wireless connection to anyone who can attach to it. Those users then have access to the internal network without even being in the building!

Actually, all that deceptive effort is not required in most cases, as a large percentage of APs are still not encrypted or protected in any way. It is amazing how often this author has turned on his laptop or other scanning device and discovered multiple, unprotected APs with strong signals accessible from his car, all "offering" free access to some home or business network.

Even though WEP security for wireless APs has been known to be weak and vulnerable for years, there are still many devices using WEP. In a recent, highly publicized case, TJX unwittingly allowed thieves to sit in their parking lot and download millions of credit card records from an unprotected wireless access point in the Miami area. In that case, WEP was in use. The tools to crack WEP are simple to download and easy to use. The thieves simply broke the WEP encryption, then acquired access to the systems containing credit card data. Since they were sitting outside in a van and no one knew they were on the network, they had nothing but time to experiment until they gained the access they desired.[2]

Wardriving can be accomplished with a laptop, a wireless card, and a free software download. Kismet is a popular option for those who prefer Linux. NetStumbler is available for Windows users. Both of these apps are available from Netstumbler.com.[3] To enhance the search, it is possible to create a high-powered, directional antenna using simple instructions from the internet and a Pringles potato chip can. (Any search for "high gain Pringles can antenna" will pull up hundreds of hits.) Or, if you are in a hurry, you can buy a high-gain antenna for this purpose.

It is also possible to obtain a small rechargeable or battery-operated wireless device that you can put in your pocket, walk into an area, then press a button to determine if there are any APs in that location. While the amount of data collected by that device will not be as complete as that collected by Kismet or NetStumbler, it will at least identify whether or not APs exist. If they are discovered, then using a laptop connected to a GPS device could point you to within a few feet of where the device actually sits.

In such an exercise using a laptop and GPS outside the buildings of an office campus, you will "see" devices in your own buildings as well as your competitor's across the street. The application will also note where the APs are located, the strength of the signal, whether they are encrypted (WPA or WEP), their SSID, and other helpful information.

From a security due diligence perspective, wardriving (or walking) is absolutely necessary for the protection of your network and data. This regular task should be assigned to someone in the Security department to determine:
  • that there are no rogue access points on the company property
  • the strength of your signal(s) beyond the physical perimeter of your buildings
  • whether your signal needs to be attenuated to keep it from being broadcast further than necessary
  • what physical areas need to be watched where persons could gain access to your network from outside your buildings
  • that SSIDs are hidden and that signals are encrypted using adequate algorithms

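The checklist above, together with the earlier point that GPS-tagged readings can place an AP to within a few feet, can be turned into a repeatable audit. The following Python is an added example, not code from the article and not the output format of Kismet or NetStumbler: it reads sightings in a simplified, constructed record format (BSSID, SSID, encryption, signal in dBm, latitude, longitude), estimates each AP's position as the signal-weighted centroid of its fixes, and flags unknown APs located on the property, open or WEP encryption, broadcast SSIDs on sanctioned APs, and sanctioned signals still usable outside the perimeter. The inventory, campus coordinates, 150 m perimeter radius and -75 dBm usability threshold are all assumptions chosen for the example.

```python
"""Rogue-AP and perimeter audit over constructed wardriving records.

Added example, not code from the original article. The record layout is a
simplified, constructed one, not Kismet or NetStumbler output; every value
below is made up for illustration.
"""
import math
from collections import defaultdict

# Constructed sightings from a hypothetical GPS-tagged walk around a campus
# centered at (38.9000, -77.0300). Fields: bssid, ssid, enc, dBm, lat, lon.
SCAN = [
    ("00:11:22:33:44:01", "",           "WPA2", -48, 38.90020, -77.03010),
    ("00:11:22:33:44:01", "",           "WPA2", -61, 38.90060, -77.02950),
    ("00:11:22:33:44:01", "",           "WPA2", -58, 38.89950, -77.03080),
    ("00:11:22:33:44:02", "corp-guest", "WPA2", -55, 38.90010, -77.03020),
    ("00:11:22:33:44:02", "corp-guest", "WPA2", -72, 38.90240, -77.03010),  # heard past the fence
    ("AA:BB:CC:DD:EE:10", "linksys",    "OPEN", -50, 38.90030, -77.03030),  # not in inventory
    ("AA:BB:CC:DD:EE:10", "linksys",    "OPEN", -65, 38.90000, -77.02990),
    ("AA:BB:CC:DD:EE:20", "printer-ap", "WEP",  -70, 38.90045, -77.03005),  # not in inventory, WEP
    ("DE:AD:BE:EF:00:01", "neighbor",   "WPA2", -80, 38.90300, -77.03300),  # across the street
]

# Constructed inventory of sanctioned APs: BSSID -> required encryption.
AUTHORIZED = {
    "00:11:22:33:44:01": "WPA2",
    "00:11:22:33:44:02": "WPA2",
}

CAMPUS_CENTER = (38.9000, -77.0300)   # assumed property center
PERIMETER_M = 150.0                   # assumed property radius
LEAK_THRESHOLD_DBM = -75              # assumed "still usable" signal level
WEAK = {"OPEN", "WEP"}


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6371000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def estimate_location(sightings):
    """Signal-weighted centroid of the GPS fixes for one AP.

    Each fix is weighted by its received power relative to the weakest fix
    (dBm difference converted to a linear ratio), so strong readings pull
    the estimate toward where the AP most likely sits.
    """
    weakest = min(s[3] for s in sightings)
    weights = [10 ** ((s[3] - weakest) / 10) for s in sightings]
    total = sum(weights)
    lat = sum(w * s[4] for w, s in zip(weights, sightings)) / total
    lon = sum(w * s[5] for w, s in zip(weights, sightings)) / total
    return (lat, lon)


def audit(scan, authorized, center, perimeter_m, leak_dbm):
    """Return {bssid: [issue, ...]} for every AP that needs attention."""
    by_bssid = defaultdict(list)
    for rec in scan:
        by_bssid[rec[0]].append(rec)

    findings = {}
    for bssid, sightings in by_bssid.items():
        issues = []
        ssid, enc = sightings[0][1], sightings[0][2]
        on_property = haversine_m(estimate_location(sightings), center) <= perimeter_m

        if bssid not in authorized:
            # An unknown AP estimated to be inside the perimeter is a rogue
            # candidate; one estimated outside is a neighbour and is ignored.
            if on_property:
                issues.append("rogue: unknown AP located on property")
        else:
            if enc != authorized[bssid]:
                issues.append(f"encryption mismatch: expected {authorized[bssid]}, saw {enc}")
            if ssid:
                issues.append(f"SSID broadcast: '{ssid}' should be hidden")
            leaks = [s for s in sightings
                     if s[3] >= leak_dbm and haversine_m((s[4], s[5]), center) > perimeter_m]
            if leaks:
                issues.append(f"signal usable beyond perimeter at {len(leaks)} fix(es); consider attenuating")

        if enc in WEAK and (on_property or bssid in authorized):
            issues.append(f"weak encryption: {enc}")
        if issues:
            findings[bssid] = issues
    return findings


if __name__ == "__main__":
    for bssid, issues in audit(SCAN, AUTHORIZED, CAMPUS_CENTER, PERIMETER_M, LEAK_THRESHOLD_DBM).items():
        lat, lon = estimate_location([s for s in SCAN if s[0] == bssid])
        print(f"{bssid} (~{lat:.5f}, {lon:.5f})")
        for issue in issues:
            print(f"  - {issue}")
```

Run as-is, the sanctioned hidden AP produces no finding, the guest AP is reported for a visible SSID and a -72 dBm reading outside the perimeter, both unknown APs on the property are reported as rogue candidates with open or WEP encryption, and the neighbour across the street is left alone. In practice the inventory would come from the wireless controller and the sightings from the scanner's export; the weighted-centroid estimate only narrows the search, so the final localisation is still done on foot with a signal meter.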
Finally, be aware that there are public efforts to map the location of every single wireless access point in the world. Literally! Wigle.net calls itself a "Wireless Geographic Logging Engine: Making maps of wireless networks since 2001".[4] A quick visit may show you your own access points and their SSIDs published for the whole world to see. That information was most likely collected by someone who was "WAR Driving."

===
All links valid as of June 11, 2008
1. http://www.wardrive.net/
2. http://www.cbsnews.com/stories/2007/11/21/60minutes/main3530302.shtml
3. http://www.netstumbler.com/
4. http://www.wigle.net/
