Wardriving
Figure: Wardriving is often a surreptitious activity: this long-range wardriver leaves only his shadow.
Wardriving is searching for Wi-Fi wireless networks from a moving vehicle. It involves using a car or truck and a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect the networks. It was also known (as of 2002) as "WiLDing" (Wireless LAN Driving), although this term never gained any popularity and is no longer used; it originated in the San Francisco Bay Area with the Bay Area Wireless Users Group (BAWUG). It is similar to using a scanner for radio.
Many wardrivers use GPS devices to measure the location of each network they find and log it on a website (the most popular is WiGLE). For better range, antennas are built or bought, and vary from omnidirectional to highly directional. Software for wardriving is freely available on the Internet, notably NetStumbler for Windows, Kismet for Linux, and KisMAC for Macintosh.
Wardriving was named after wardialing (popularized in the Matthew Broderick movie WarGames) because it also involves searching for computer systems. Wardialing software would use a phone modem to dial numbers sequentially and see which ones were connected to a fax machine, computer, or similar device.
Wardrivers are only out to log and collect information from the wireless access points (WAPs) they find while driving.
Some people consider piggybacking (connecting to a network without explicit authorization) to be part of wardriving. For example, when quoting another article, an Engadget article rewrote the original headline from EETimes to refer to a "Wardriver" rather than a "WiFi user". But wardriving software takes control of the wireless radio, so it is impractical, if not impossible, to wardrive and piggyback simultaneously.
The legality of wardriving in the United States is not clearly defined. There has never been any conviction for wardriving, and there is the untested argument that the 802.11 and DHCP protocols operate on behalf of the owner, giving consent to use the network, but not if the user has other reason to know that there is no consent. A New Hampshire bill which would clarify that the duty to secure the wireless network lies with the network owner has not passed yet, due to concerns that it may create a loophole for criminal activity. The specific laws, in any case, vary from state to state. A Florida man was arrested and charged with unauthorized access to a computer network, a third-degree felony in the state of Florida. It is important to note here that the crime was gaining unauthorized access to a computer network (illegal piggybacking), not wardriving in particular, as many people consider connecting to a network found while wardriving to be irresponsible, and not what wardriving is about.
The law differs in other countries. For example, a wardriver in the United Kingdom might be caught by the "use of a computer for a purpose for which one does not have permission" clause. This is a commonly misunderstood concept. Wardrivers do not, in fact, usually use services without authorization, and may not even transmit a signal at all if using a passive-mode stumbler (Kismet or KisMAC, but not NetStumbler).
Wardriving is frequently cited as an example of a questionable activity. However, from a technical viewpoint, everything is working as designed: access points, by necessity, broadcast identifying data that is accessible to anyone with a suitable receiver.
In cases of listen-only software, such as Kismet, wardriving can be likened to listening to a radio station that happens to be broadcasting in your area. But again, this may differ in other countries. For example, in the UK it is illegal to listen on some radio frequencies or to some transmissions (such as those used by the police or armed forces).
With other types of software, such as NetStumbler, the wardriver sends probes, and the access point responds per design. Most access points, when using default settings, are intended to provide wireless access to all who request it. Some argue that those who set up access points without adding security measures are offering their connection, sometimes unintentionally, to the community. Others argue that this reasoning is akin to stating that people who leave their doors unlocked are asking people to take what they like. In fact, when people unfamiliar with wardriving see how many open access points there are and how easy it is to find them, they sometimes want to secure their own access points. Some wardrivers go to the extent of informing the access point's administrator about the insecurity and offering steps to correct it. However, it has largely become etiquette to leave access points open for others to use, just as someone expects to find open access points while on the road. This free sharing of bandwidth is also the basis of wireless community networks, which are often considered the future of the internet.
Wireless access point receivers, such as the Apple AirPort, can be "upgraded" to extend their ability to pick up and connect to wireless access points. This can be done with an ordinary metal wire and a metal dish that is used to form a directional antenna. Other similar devices can be modded in the same way as the AirPort. Likewise, directional antennas are not the only option: USB Wi-Fi stick antennas can be used as well. Finally, tools such as the Wireless Grapher widget can be used to measure out the antenna.
According to techweb.com, an Illinois man was fined for piggybacking on a Wi-Fi system. David M. Kauchak, 32, pleaded guilty in Winnebago County to remotely accessing someone else's computer system without permission, the Rockford Register Star newspaper reported. A Winnebago County judge fined Kauchak $250 and sentenced him to one year of court supervision.
Kauchak has the dubious distinction of being the first person to face the charge in Winnebago County, and prosecutors say they're taking the crime seriously.
"We just want to get the word out that it is a crime. We are prosecuting it, and people need to take precautions," Assistant State's Attorney Tom Wartowski told the newspaper.
A police officer arrested Kauchak in January after spotting him sitting in a parked car with a computer. A chat with the suspect led to the arrest, Wartowski said.
In Toronto, Canada, a man was arrested with a WiFi-enabled laptop in his car - and his pants down. He was tapping into unprotected wireless networks. Ultimately, however, he was charged not for that, but for the illegal pedophile pornography he was in the process of downloading. Presumably some thought should be given to potential charges against the operators of the unsecured access points; surely they could be reasonably demonstrated to be complicit in the act, either by allowing access or by failing to take reasonable precautions to provide only auditable access, as is a requirement in many countries.
It is important to note that in both of the above cases the individual was NOT charged with a 'wardriving' crime but with a crime related to a completely different activity - e.g., pedophilia and 'stealing' bandwidth.
More security-conscious network operators may choose from a variety of security measures to limit access to their wireless network, including:
* MAC address authentication in combination with discretionary DHCP server settings allows a user to set up an "allowed MAC address" list. Under this type of security, the access point will only give an IP address to computers whose MAC address is on the list. Thus, the network administrator would obtain the valid MAC addresses from each of the potential clients in their network. Disadvantages of this method include the additional setup. Methods to defeat this type of security include MAC address spoofing, detailed on the MAC address page, whereby network traffic is observed, valid MACs are collected, and then used to obtain DHCP leases.
* IP security (IPsec) can be used to encrypt traffic between network nodes, reducing or eliminating the amount of plaintext information transmitted over the air. This security method addresses the privacy concerns of wireless users, as it becomes much more difficult to observe their wireless activity. The difficulty of setting up IPsec depends on the brand of access point being used. Some access points may not offer IPsec at all, while others may require firmware updates before IPsec options are available. Methods to defeat this type of security are computationally intensive to the extent that they are infeasible using readily available hardware, or they rely on social engineering to obtain information (keys, etc.) about the IPsec installation.
* Wired Equivalent Privacy (WEP) can be used on many access points without cumbersome setup, but offers little in the way of practical security. It is cryptologically very weak, so an access key can easily be stolen. Its use is often discouraged in favor of other more robust security measures, but many users feel that any security is better than none. In practice, this may simply mean your neighbors' non-WEP networks are more accessible targets. WEP is sometimes known to slow down network traffic, in the sense that the WEP implementation causes extra packets to be transmitted across the network. Some claim that "Wired Equivalent Privacy" is a misnomer, but this is untrue in most cases because wired networks are not particularly secure either.
* Wi-Fi Protected Access (WPA) is more secure than WEP but is not yet very widespread. Many access points will support WPA after a firmware update.
* VPN options such as tunnel-mode IPsec or OpenVPN can be the most difficult to set up, but often provide the most flexible, extensible security, and as such are recommended for larger networks with many users.
* Wireless intrusion detection systems can be used to detect the presence of rogue access points which expose a network to security breaches. Such systems are particularly of interest to large organizations with many employees.
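The rogue access point check described in the last item, combined with the WEP and open-network weaknesses noted earlier in the list, can be sketched as an audit of a site survey against an inventory of authorized access points. This is an added example, not code from any tool named on this page; the inventory, the survey rows and the CSV column layout are constructed assumptions.

```python
import csv
import io

# Constructed inventory of authorized access points (BSSID -> expected SSID).
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
    "00:11:22:33:44:03": "corp-guest",
}

# Constructed survey data; the column layout is an assumption for this
# example, not the export format of any particular tool.
SAMPLE_SURVEY = """bssid,ssid,channel,encryption
00:11:22:33:44:01,corp-wlan,1,WPA
00:11:22:33:44:02,corp-wlan,6,WEP
00:11:22:33:44:03,corp-guest,11,OPEN
66:77:88:99:AA:BB,corp-wlan,6,OPEN
CC:DD:EE:FF:00:11,coffee-shop,3,WPA
"""

WEAK = {"OPEN", "WEP"}  # no encryption, or WEP, which offers little security


def classify(row, authorized=AUTHORIZED):
    """Return a list of findings for one observed access point."""
    bssid = row["bssid"].strip().upper()
    ssid = row["ssid"].strip()
    enc = row["encryption"].strip().upper()
    findings = []
    if bssid in authorized:
        if authorized[bssid] != ssid:
            findings.append("ssid-mismatch")
        if enc in WEAK:
            findings.append("weak-encryption")
    elif ssid in set(authorized.values()):
        # Unknown radio advertising one of our network names.
        findings.append("rogue-ap")
    return findings


def audit(survey_text):
    """Map BSSID -> findings for every access point that needs attention."""
    report = {}
    for row in csv.DictReader(io.StringIO(survey_text)):
        findings = classify(row)
        if findings:
            report[row["bssid"].strip().upper()] = findings
    return report
```

Because MAC addresses can be spoofed, as the first list item notes, a BSSID that matches the inventory is not proof that the radio is legitimate; comparing channel and signal strength against the expected placement helps catch impersonation.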