
Wireless Infidelity I: War Driving

Although WiFi technology security vulnerabilities are well known, the extent of these vulnerabilities may be surprising: War driving experiences identify many potential points of entry.

The concept of wireless networking dates back at least as far as ALOHANET in 1970. While this project is now of primarily historical interest, the online overview is still worth reading (see en.wikipedia.org/wiki/ALOHA_network). The concept of ALOHANET spanned many of the core network protocols in use today, including Ethernet and Wireless Fidelity (aka WiFi). ALOHANET was the precursor of the first generation of wireless networks.

Wireless technologies may be categorized in a variety of ways depending on their function, frequencies, bandwidth, communication protocols involved, and level of sophistication (ranging from first- through third-generation wireless systems). For our purposes, we’ll lump them into four basic categories: Wireless Data Networks (WDNs); Personal Area Networks (PANs); Wireless Local Area Networks (WLANs), of which the newer Wireless Metropolitan Area Networks (WMANs) and Wireless Wide Area Networks (WWANs) are offshoots; and satellite networks.

WDN is a cluster of technologies primarily related to, developed for, and marketed by vendors in the telephony and handheld market. This market covers a lot of ground, from basic digital cellular phones to relatively sophisticated PDAs and tablet PCs that may rival notebook computers in capabilities. WDN includes protocols such as Cellular Digital Packet Data (CDPD), an older 19.2Kbps wireless technology that is still in use in some police departments for network communication with patrol cars; General Packet Radio Service (GPRS) and Code Division Multiple Access 2000 (CDMA2000), which are multi-user, combined voice and data 2.5-generation technologies that exceed 100Kbps; and Wireless Application Protocol (WAP), which provides wireless support of the TCP/IP protocol suite and now provides native support of HTTP and HTML. If you’re using a cellular phone with text messaging and Web support, you’re likely using some form of WAP.

PANs began as “workspace networks.” Bluetooth, for example, is a desktop mobility PAN that was designed to support cable-free communication between computers and peripherals. Blackberry (www.blackberry.com) is like Bluetooth on steroids. It integrates telephony, Web browsing, email, and messaging services with PDA productivity applications. As such it blurs the distinction between PAN and WLAN.

WLAN is what most of us think of as wireless technology. It includes the now-ubiquitous 802.11 family of protocols, as well as a few others. Table 1 provides a quick overview of some of the 802.11 protocol space. Note that all but the first are derived from the original 802.11 protocol introduced in 1997. In Table 1, “Year” denotes the approximate year of introduction as a standard (for example, 802.11a and 802.11b were introduced at the same time, though 802.11a came to market later). The two bands used for WiFi are Industrial, Scientific, and Medical (ISM) and Unlicensed National Information Infrastructure (UNII). Bandwidth is the advertised maximum. Encoding, aka “spectrum spreading,” techniques appear at the physical or link layer and include frequency-hopping spread-spectrum (FHSS), direct-sequence spread-spectrum (DSSS), and orthogonal frequency division multiplexing (OFDM).

Both the 802 and 802.11 landscapes are somewhat more cluttered than the table suggests. For example, 802 also allows for infrared support at the physical layer. In addition, proprietary variations of 802.11 have been proposed. In 2001, Texas Instruments proposed a 22Mbps variation of 802.11b called “b+”, and Atheros proposed a 108Mbps variant of 802.11g called “Super G”. Further, there are standards for enhanced QoS (802.11e) and enhanced security (802.11i) that are actually orthogonal to the traditional 802.11 family in the sense that they address limitations of the protocol suite rather than defining its characteristics. To make comparisons even more confusing, there are protocols in the 802.1x numbering range, like 802.16 (2001) and 802.16a (2003), that are designed for wider area coverage: the so-called Metropolitan Area Networks or MANs. The 802.11n specifications are meager as of this writing, although the current attention is on increasing throughput at the MAC interface rather than the physical layer.


The Origins of War Driving

The first formalization of the concept of war driving, circa 1999, is attributed to Peter Shipley. His early war driving experimentation was subsequently introduced to the hacker community at DEFCON 9 in Las Vegas in July 2001; Figure 1 is derived from this experiment.

The basic idea behind war driving is to “sniff” 802.11 traffic with a wireless card set to monitor mode so that it accepts all traffic on a frequency irrespective of intended target. War driving is an extension of the concept of war dialing that deserves some explanation.

War dialing is the technique used by the main character in the 1983 movie WarGames to gain access to computer systems. One might recall that in an effort to access computers of a computer game company, the film’s main character launched a countdown to a nuclear war. Though modem banks are technological dinosaurs, they remain in use and are one of the easiest network appliances to compromise.

War dialing is the art of scanning lists of phone numbers for the carrier tones that indicate modem lines. The target lists are derived from sundry public-domain sources such as telephone directories (for example, 411.com), WHOIS domain registration Web sites such as Internic (www.internic.net/whois.html), contact information on organizational Web sites, and so forth. The principle is relatively simple: find an organizational telephone number, and then sweep through the range of numbers that includes it for the presence of a modem. A modem’s carrier tone signifies a receptive appliance, so the war dialer records a “hit.” A suitably enhanced war dialer can “nudge” the unsuspecting modem line to try to produce a logon prompt, and then to produce an acceptable logon sequence. A Web search will confirm that war dialers in both shareware and commercial versions abound for both Windows (THC-Scan 2.0)[1] and *nix (Ward) platforms. At one point, the good folks at l0pht.com even produced a Palm-based war dialer called TBA (see www.securiteam.com/tools/TBA_-_PalmOS_wardialer.html).


War Driving Takes Shape

There is no question that there is a legitimate, lawful use of war dialing—to determine whether there are insecure modems connected to one’s own network. Of course, this knowledge is also of use to potential intruders.

Similarly, war driving is the art of monitoring wireless traffic. The legitimate, lawful use is to control signal strength, bandwidth, leakage patterns, and so forth, for one’s own wireless environment. And again, this information is useful to potential intruders.

War driving (aka WAP mapping) and its transportation-centric offshoots (war walking, war biking, war flying, war boating, and the like) all have one thing in common: they are modes of mobile sniffing of wireless traffic. Generally speaking, if the sniffing is used in support of the owner/organization’s interests, the use of less alarming euphemisms like “wireless monitoring” or “vulnerability testing” is encouraged.

But, let’s be candid about this situation: War driving surpasses wireless monitoring by a large measure. To wit, the war drivers have even created their own style of war driving signage known as war chalking that reveals such information as the service set ID, bandwidth, and whether security is enabled. The war chalker identifies the characteristics of the unwitting target on the most convenient visible surface in much the same way the hobo chalkers did during the Great Depression in the U.S.[2] An annual war driving competition is held, with results presented at the DEFCON hacker convention every summer (the fourth and most recent competition occurred in June).

The typical war drive reveals a pattern of Wireless Access Points (WAPs), as shown in Figure 2. This information is derived from a wireless detector or computer with a wireless card operating in monitor (RFMON) mode. In the early period of war driving (circa 2000), the war driver’s vehicle would have a front seat strewn with cables, antennae, GPS equipment, and a notebook computer. Now, this detection is usually done with a self-contained PDA, with analysis performed offline on a full-screen computer. Figure 3 illustrates the process on a Windows CE-based PDA operating Air Magnet. As the screen in Figure 3 illustrates, the current scan is being performed on channel 6 for 802.11b traffic at 2.4370GHz. The two WAPs detected are reported, along with their MAC addresses, names, and current signal strength. This information is collected and plotted to produce the WAP maps. While this is a cursory overview, it gets to the essence of war driving; I will expand on this topic in a subsequent column.


War Driving Lessons

In short, war driving has demonstrated that wireless technology has opened the largest computer network security hole since the advent of modems.

The data in Table 2 comes from the four WorldWide War Driving competitions. By way of background, the Service Set ID (SSID) in Table 2 can be thought of as the “name” that is assigned to a WAP in “infrastructure mode.” Clients need this name in order to associate with the WAP. Obviously, the first step toward security is to avoid broadcasting the SSID to the world. The second step is to pick a name that isn’t the default set by the vendor. “Default SSID” reports the percentage of the WAPs discovered that were still using the SSID that came shrink-wrapped with the WAP hardware.

Wired Equivalent Privacy (WEP) is the encryption technique used in the popular 802.11 protocols. Simply stated, there’s little to recommend it as it fails virtually every reasonable standard for data integrity, confidentiality, and authentication in both theory and implementation. While WEP will not withstand a serious attack from any would-be intruder armed with free tools available on the Internet, it will slow down the attacker if properly configured, and will discourage neophytes who seek to authenticate with the WAP. The only thing worse than enabling WEP is not enabling WEP! The data in Table 2 indicates that over 60% of the WAPs detected fail to have WEP enabled. In the wireless realm, this is akin to leaving your wallet on the front porch for safekeeping.

The worst of all possible worlds is to not employ encryption and at the same time broadcast the name of your WAP to the entire neighborhood and any passersby—approximately 27% of the WAPs found have achieved that status. Most alarming, the percentages do not seem to be changing much over time.
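The scan described with Figure 3 and the Table 2 categories above (default SSID, encryption not enabled, SSID broadcast with encryption off) can both be reproduced from the beacon frames a WAP emits. The following is an added example, not code from the column or from any tool it names: it parses minimal 802.11 beacon frames (frame control, capability-info Privacy bit, SSID and DS Parameter Set elements), maps the channel to its center frequency, and tallies a constructed survey into the same percentages Table 2 reports. It goes slightly beyond the column by also recognizing the RSN and WPA information elements that later replaced WEP. The frames, the MAC addresses, and the `DEFAULT_SSIDS` list are all assumptions constructed for this example; the list is illustrative, not the one used by the WorldWide War Drive.

```python
"""Parse 802.11 beacon frames and compute WAP-survey statistics.

Added example for the column; all frames below are constructed inline so the
script runs offline. Intended for auditing one's own wireless environment.
"""
import struct

# Illustrative vendor-default SSIDs (assumption for this example only).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami", "wlan", "wireless"}

BROADCAST = b"\xff" * 6
PRIVACY_BIT = 0x0010                    # capability-info bit 4: WEP/"privacy" on
IE_SSID, IE_RATES, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 1, 3, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"      # Microsoft OUI, type 1 = legacy WPA IE
HDR_FMT, BODY_FMT = "<BBH6s6s6sH", "<QHH"   # 24-byte MAC header, 12-byte fixed body


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def channel_to_mhz(channel):
    """2.4GHz band: channels 1-13 are 2407 + 5*n MHz; channel 14 is 2484 MHz."""
    if channel is None:
        return None
    if channel == 14:
        return 2484
    return 2407 + 5 * channel if 1 <= channel <= 13 else None


def build_beacon(bssid, ssid, channel, privacy, rsn=False, hidden=False):
    """Construct a minimal beacon frame (sample input, not a captured frame)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = struct.pack(HDR_FMT, 0x80, 0x00, 0, BROADCAST, mac, mac, 0)
    body = struct.pack(BODY_FMT, 0, 100, PRIVACY_BIT if privacy else 0)
    ssid_bytes = b"" if hidden else ssid.encode()
    body += bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])   # 1/2/5.5/11 Mbps basic rates
    body += bytes([IE_DS_PARAM, 1, channel])
    if rsn:
        body += bytes([IE_RSN, 2, 1, 0])                    # RSN IE, version 1 only
    return hdr + body


def parse_beacon(frame):
    """Return the fields a war-driving scanner displays for one beacon."""
    fc0, _fc1, _dur, _da, _sa, bssid, _seq = struct.unpack_from(HDR_FMT, frame, 0)
    if fc0 != 0x80:                      # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    _ts, _interval, cap = struct.unpack_from(BODY_FMT, frame, struct.calcsize(HDR_FMT))
    info = {"bssid": mac_str(bssid), "privacy": bool(cap & PRIVACY_BIT),
            "ssid": None, "channel": None, "rsn": False, "wpa": False}
    off = struct.calcsize(HDR_FMT) + struct.calcsize(BODY_FMT)
    while off + 2 <= len(frame):         # walk the tagged information elements
        tag, length = frame[off], frame[off + 1]
        val = frame[off + 2: off + 2 + length]
        if len(val) < length:
            break                        # truncated IE: stop instead of over-reading
        if tag == IE_SSID:
            # Zero-length or all-NUL SSID means the name is not broadcast.
            info["ssid"] = val.decode("utf-8", "replace") if val.strip(b"\x00") else None
        elif tag == IE_DS_PARAM and length == 1:
            info["channel"] = val[0]
        elif tag == IE_RSN:
            info["rsn"] = True
        elif tag == IE_VENDOR and val.startswith(WPA_OUI_TYPE):
            info["wpa"] = True
        off += 2 + length
    info["frequency_mhz"] = channel_to_mhz(info["channel"])
    return info


def security_class(info):
    if info["rsn"] or info["wpa"]:
        return "WPA/WPA2"
    return "WEP" if info["privacy"] else "open"


def audit(frames):
    """Tally the Table 2 categories over a list of beacon frames."""
    aps = [parse_beacon(f) for f in frames]
    n = len(aps)
    default = sum(1 for a in aps if a["ssid"] and a["ssid"].lower() in DEFAULT_SSIDS)
    no_wep = sum(1 for a in aps if not a["privacy"])
    broadcast_open = sum(1 for a in aps if a["ssid"] is not None and not a["privacy"])
    pct = lambda k: round(100.0 * k / n, 1) if n else 0.0
    return {"total": n, "default_ssid_pct": pct(default),
            "no_wep_pct": pct(no_wep), "broadcast_and_no_wep_pct": pct(broadcast_open)}


# Constructed survey: eight WAPs with made-up BSSIDs.
SURVEY = [
    build_beacon("00:11:22:33:44:01", "linksys", 6, privacy=False),
    build_beacon("00:11:22:33:44:02", "corp-net", 1, privacy=True),
    build_beacon("00:11:22:33:44:03", "", 11, privacy=True, hidden=True),
    build_beacon("00:11:22:33:44:04", "default", 6, privacy=False),
    build_beacon("00:11:22:33:44:05", "home", 11, privacy=False),
    build_beacon("00:11:22:33:44:06", "NETGEAR", 1, privacy=True, rsn=True),
    build_beacon("00:11:22:33:44:07", "", 6, privacy=False, hidden=True),
    build_beacon("00:11:22:33:44:08", "coffee", 3, privacy=True),
]

if __name__ == "__main__":
    for f in SURVEY:
        a = parse_beacon(f)
        print(f'{a["bssid"]}  ch{a["channel"]} ({a["frequency_mhz"]} MHz)  '
              f'{a["ssid"] or "<hidden>":10s} {security_class(a)}')
    print(audit(SURVEY))
```

The per-frame output mirrors what the Figure 3 screen shows (channel, frequency, MAC, name, security), and the summary line gives the three Table 2 percentages for the constructed survey. In a real audit the frames would come from a card in monitor mode, and the default-SSID list would be replaced with one maintained for the hardware actually deployed.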


Final Words

The difference between wireless hacking and wireless monitoring is intent and moral orientation. From a technology perspective, they are two sides of the same coin. A similar point is made in an earlier column of mine on Internet Forensics (August 2003). The relevant skill sets of those who attempt to compromise network security and those who seek to protect it are for all practical purposes identical.

Therein lies the rub. The best of breed tools for wireless sniffing (Kismet for the *nix platforms; Air Magnet for Windows) are used by both air jackers and wireless guardians, though toward different ends. This is a familiar story in network security—most of the products developed have benevolent and malevolent uses. (Although Dug Song’s switch flooder, Arpspoof, stretches this claim). The lesson to be learned from war driving is that there is nothing inherent in the “sniffing” technology that encourages socially unacceptable or illegal behavior. The tools a hacker might use to intercept organizational wireless traffic are the same tools that are used to harden the organizations’ wireless infrastructure.

The solution to the problem of misuse is awareness, both in terms of the capabilities of the tools and the uses toward which they’re put. Knowledge and vigilance are formidable adversaries of misuse. I’ve endeavored to contribute to the former in this column.


Figures

Figure 1. An early WAP map, circa 2001 (source: Peter Shipley, “Open WLANs—The Early Results of WarDriving”; www.dis.org/filez/openlans.pdf).

Figure 2. A “WAP map” of nine WAPs revealing individual coverage areas (source: www.ittc.ku.edu/wlan/images_ittc_small.shtml).

Figure 3. Wireless “sniffing” Palm style with Air Magnet and an HP iPAQ Pocket PC.


Tables

Table 1. The 802.11 protocol family.

Table 2. WorldWide war drives.

Footnotes

[1] The de facto standard for war dialing is THC-Scan 2.0 for Windows. It is available from The Hacker's Choice (www.thc.org). One of many shareware Unix variants is Ward from Securiteam (www.securiteam.com/tools/6T0001P5QM.html).

[2] War chalking follows in the tradition of hobo tagging and tramp signing. A good source on the latter is www.worldpath.net/~minstrel/hobosign.htm. A popular war chalking resource is www.blackbeltjones.com/warchalking/index2.html; the Google top hit, warchalking.org, was not functioning when this column was written in July.
