Wardriving is not a crime

New technology puts predators on the prowl in your neighborhood. What do they want? Your location.

It takes a bit of equipment to mine the airwaves for 802.11b signals.

Photo By David Robert

The two wardrivers are parked in a lot a few blocks down from the Sparks Police Station. It’s October 2002. Sitting in the front of the SUV, their faces are bathed in the blue light emanating from their laptop computers.

One aims a modified Pringles potato chip can. The Pringles can is a directional antenna, a yagi, built with components bought in local electronics shops. “Aims” may not be a perfectly accurate description, since he’s manipulating the can based on what he sees on the screen of the Gateway laptop and not by anything he would sight down the barrel. The numbers he’s watching decrease toward zero.

“OK, try it now.”

The man in the passenger seat double-clicks “My Network Places,” and suddenly the screen is dotted with icons of small computers.

“Holy shit. It’s wide open. Lookathat: Administration, Payroll. We could send ourselves checks.”

That would, of course, be illegal. By accessing the network, the wardrivers have crossed the line. They’ve masked—“spoofed” in the parlance—their identifying MAC addresses, so they aren’t worried about getting caught, and they have no intention of sending themselves checks, but the vulnerability of a multimillion-dollar company spread out like a two-dollar whore astounds them.

There’s a secret world out there.

It’s populated by men and women who prowl the streets night and day in cars, on foot, on bicycles, even in airplanes.

There’s not a lot to set them apart physically from the population at large. Maybe the punk, anti-establishment ethic is distilled down to a goatee or hippie-length hair or a streak of color or an attitudinal T-shirt. Maybe they’re paler than most. They stalk the streets, hunting a quarry that can’t be detected with human senses. They are after something you may own. They’re after wireless computer networks.

Their language is arcane, filled with acronyms and uncommon words and numbers such as SSID, 802.11b, WEP, hot spot, honey pot, WiFi. What they do is legal in Nevada, but it can cross the line in some states. If the less ethical among them do go over the line, there’s little anyone can do to catch them—the smart ones, anyway. Preventing their access to your most private realms is another matter.

Their weapons—tools—are laptop computers, handhelds, PCMCIA cards, software, cable, antennas and the like. While their world cannot be seen, it can be mapped. Indeed, these hunters are the spiritual descendants of explorers such as Lewis and Clark, mapping a world that did not exist for most people before they discovered it and put it on the record. Some are well-known, at least among others of the same stripe. They go by intriguing names, like those who monitor the forums on Netstumbler.com: marius, blackwave, lincomatic, Mother, Thorn.

Their world is defined by geographic patterns—checkerboards and concentric patterns. Some are methodical, driving up and down every single neighborhood street. Plotting, mapping, recording, passing the information along to people of similar philosophy whom they’ve never met, connected only in their passion for mapping, for connection.

They’re the wardrivers, and they’re coming to a neighborhood near you. In fact, they’re already there.

A little history is in order. First, there was the telephone, invented in 1876. In 1969, along came ARPANET, computer networking technology advanced by the United States Defense Advanced Research Projects Agency, the technology branch of the U.S. military. Then came the Internet. Then the cellular telephone arrived. Then came wireless computer networks that used radio waves instead of wires. Then came wireless connections to the Internet.

Then came wardrivers.

The raison d'être for many wardrivers is the belief that Internet access should be free. They envision a world in which ordinary citizens can go from Point A to Point B, never losing their Internet connection. Entire organizations are based on this premise. The Seattle Wireless Group, www.seattlewireless.net, has had good progress building a metropolitan area network. The Reno Area Wireless Users Group, www.rawug.org, has dreams along these lines.

In fact, entire cities have embraced the concept. For example, just this week, Cerritos, Calif., began deployment of a wireless network that will give anyone with a computer and a card access to the Internet anywhere within its 8.6-square-mile area.

The philosophy of these futurists is undoubtedly well-founded: Information should be available to rich and poor alike. There should be no digital divide that gives preference to the economically blessed while forcing the disadvantaged to keep their place or to fall further behind in the rat race.

However, what should be and what is often differ.

Ethical wardrivers are intent on giving technological and social evolution a little boost. They locate the wireless networks and place their coordinates, using global positioning devices and software, on maps, which they disseminate on the Internet for free.

Unethical wardrivers are intent on accessing networks for other reasons. Some set up virus or spam programs or screw up networks (locking out administrators, for instance) just out of meanness. Some are kids who will set up ad-hoc local area networks to play high-speed Internet games on somebody else’s dime and bandwidth.

The name “wardriving” came from the phrase “war dialing,” which was the technique of methodically dialing telephone numbers looking for a modem backdoor into a network. War dialing was the first step toward hacking a wired system.

How is wardriving done? It’s pretty simple, really. First, you need a basic laptop or a handheld computer and a wireless network card. To do the “real” wardriving, you need software like Netstumbler for Windows, Kismet for Linux or MacStumbler for Macintosh. This software merely locates networks; it doesn’t help with cracking WEP (wired equivalent privacy) encryption. That takes something like Ethereal, Airsnort or WEPCrack.

The card fits into the computer, and a pigtail connects the computer to either a yagi (a directional antenna) or an omni (a multidirectional antenna).

For the pure wardriving experience, which requires mapping, a global positioning system receiver is necessary. It records the longitudinal and latitudinal coordinates of the hot spot.

There’s one final component.

Wardrivers also need people—marks, if you will—rich enough to buy a wireless router (one of those cute little boxes with rabbit ears that allow you to surf the Web from the comfort of your living room couch; Linksys and D-Link make some of the most popular) but dumb or generous enough not to enable the encryption or change the default login or password.

A little more than a year ago, a drive around the McCarran loop would yield only a couple dozen APs, or access points. This month, an evening wardrive yielded 81.

Once coordinates are collected, the files are uploaded to one of several mapping sites, such as wigle.net, allyour80211barebelongtous.org or the World Wide WarDrive. Wigle adds the statistics to maps and pages, so wardrivers can keep track of their contributions. All Your 80211b Are Belong to Us is run by an anonymous group known as “The Collective.” The Collective accepts .ns1 files and compiles them with other .ns1 files to create one massive file, which it e-mails back to the submitter.

The well-equipped wardriver.

Photo By David Robert

The Collective’s file lists 135,839 open networks across the United States. Out of those, 46,938 are unprotected networks—default SSID and no WEP. That means that 35 percent of wireless networks are wide open. Anyone with wardriving equipment and rudimentary computer knowledge can own the network for whatever purposes he or she chooses. Wigle.net claims more than 639,571 total unique networks in its database.

In California, there are laws forbidding the publication of networks without the network owner’s permission, but those laws don’t seem to have slowed down wardrivers. On Sept. 12, California Deputy Attorney General Robert M. Morgester of the Special Crimes Unit posted on the Wigle Web site, demanding that people stop posting their .ns1 files. Postings do not appear to have decreased.

In Nevada, there are no such laws. But be careful: Cross the line beyond simple recording of wireless networks, and you may run into the laws that regulate computer hacking or even trespassing.

Lorrie Adams, program coordinator for the Cyber Crime Task Force of Nevada in the Attorney General’s Office, said that while sniffing the airwaves is legal, it has come under the scrutiny of law enforcement.

“The task force is currently looking at what other states have done with their legislation to make that illegal,” she said. “So that even surfing the airwaves will be illegal.”

Since the Nevada Legislature meets only every two years, wardrivers are safe to pursue their prey at least until 2005.

Still, it’s the invasive stuff, such as getting on someone’s network without permission, that crosses the line. That’s called intrusion, hacking. Laws already exist to protect businesses and individuals from invasion of privacy or theft of information or resources.

“A company with a few safeguards in place has a presumed privacy,” Adams said. “They’ve got a firewall, they’ve got VPS, and they’ve got anti-virus software up; they should be able to conduct their business wirelessly. They’ve done their part to protect their proprietary information. If somebody actually gets onto their network, that falls under ‘intrusion.’ Intrusion or hacking just means having unauthorized access onto a system. Just logging in, you’ve already crossed the line, like breaking and entering or trespassing. You can’t touch or feel [a network]; it’s not a property line, but it is considered [as having] a boundary. As soon as you’ve crossed it, you’ve trespassed; you’ve intruded on their network, and you’ve caused a security breach.”

Adams was uncertain if companies that didn’t take the minimum security precautions had the same presumption of privacy.

The legality of wardriving doesn’t mean law enforcement authorities aren’t willing to set out bait for less-than-ethical wardrivers. For example, one local agency maintained an open WAP (wireless-access point) at its office in the South Meadows, nhp2fbi. Wardrivers call this a “honey pot,” a trap set by law enforcement to monitor MAC addresses and catch fools stupid enough to try to access the network.

Mike Konieczka has been wardriving since the hobby was in its infancy—a year and a few months.

The 6-foot-3, bespectacled vice president of operations for Video Maniacs laughed unselfconsciously when talking about his love of the hobby.

“The funny thing about wardriving is you have to keep saying to yourself, ‘This is not illegal, this is not illegal, this is not illegal,’” he said. “You feel like you’re breaking the law, but all you’re doing is seeing what’s out there. It’s so fun, it feels like it must be illegal.”

Konieczka said he’s into the challenge of keeping up with the new technology. He likes the idea of furthering the use of wireless Internet by helping with the worldwide efforts to map its growth.

“The technology is always changing. When I first put up my wireless network at home, I got the D-Link card, and I thought I was styling. Once I got into wardriving, I found out it wasn’t the best card to have because Netstumbler doesn’t work with it. It’s an educational process. After that first time, I’ve done a lot of research, and I’ve read all that I can about the equipment, so now I’m having a better time with it. Instead of getting signals from close-by APs, I can use the yagi or the omni-directional antenna, and I can reach out further.”

He’s not one of the malicious wardrivers who would send spam—unwanted e-mail—from a server or invade a private business’s network for personal financial gain, but he acknowledges that there are some of those types out there, and the software for those with nefarious minds is easily gotten from the Web.

“Ethereal or whatnot—packet sniffers—captures the packets, the information that is being passed between computers and the access point. The sniffer captures those packets, and you are able to read them. The packets have all different types of information—passwords, private information about a person.”

Here in the Truckee Meadows, not all the WiFi network access is illicit. Some individuals and businesses have opened parts of their networks free to the public. Coffee shops like Walden’s offer free access. Starbucks offers access to a pay-per-use system.

One huge AP, right downtown, has the SSID MADCON. The acronym SSID stands for Service Set Identifier, and it’s the network’s name. This network belongs to Project ReTRAC, the train trench. It’s a huge pipeline, about 10 megabytes per second in bandwidth, and anyone with a WiFi card (the Windows wardriving community standard is the Gold card by Orinoco) can access the network.

“It’s funded through the ReTRAC funds, which are public funds, and there was no reason for our use to be secure, so why not let everybody benefit?” said Mark Demuth, owner of MADCON, the group in charge of ensuring the train trench gets built without doing undue damage to the environment. “We deliberately left it open for the public.”

DeMuth may be a few years ahead of his time, but his situation illustrates many of the reasons WiFi will become even more relevant for businesses.

“We did it because, we estimate, it saves 1.5 hours per employee day. With the wireless Internet connection, they can basically do anything from the field. They can do their report writing in the field. They can view our library of reference materials from the field. We’ll be connecting a wireless WebCam [to monitor] for compliance with dust regulations.”

The University of Nevada, Reno, also recently powered up an AP at the Getchell Library that’s available to anyone with the technical know-how to access it. It began its test rollout on Oct. 27.

The university’s ultimate goal is to cover the whole campus in a wireless cloud, said Network Security Manager Jeff Springer.

“We’re really in the initial stages where we’re concentrating on about 20 buildings. By the beginning of spring, we’ll have the first three or four buildings done. By the end of summer, we’ll have the first 20 done. During that time, we’ll also be looking at other wireless technologies to do a bigger cloud. Right now, we’re just doing individual buildings, so, if you’re in the building, you’ll have access.”

The university’s wireless system is somewhat different from the MADCON system. First, the university uses a fairly high level of encryption: a VPN (virtual private network), which requires a password of anyone who accesses the network. It’s far more secure than a simple WEP key. All students, workers and faculty have “NetID” accounts.

The university system doesn’t yet cover the campus’ outdoor areas, although someday students will be able to turn in papers from the quad and maybe even the Breakaway—although efforts will be taken to keep the “cloud” over the campus proper. Finally, the university uses the 802.11g standard, which could be considered next-generation wireless. It’s faster than 802.11b but will still work with the old cards.

Erich Hohman, a local-government IT specialist and member of the Reno Area Wireless Users Group, said the Truckee Meadows should get prepared for the wireless revolution.

“We’re going to get out the word about wireless; we’re going to promote the free access whenever possible,” he said. “We can set up businesses for wireless. All they have to do is provide the bandwidth and equipment, and we can maintain it for them. [We can make it] secure enough that hackers won’t be coming through all the time, but secure enough that customers can get on for free.”

December 2003: The two wardrivers are joined by a third in the same SUV, the same spot. They’ve returned to the street down from the Sparks Police Department to do a network neighborhood search on the wide-open network, a quick screen grab and get gone—a sort of a trophy.

Nearby, the number of wireless networks has increased exponentially from the year previous, and Netstumbler, which makes a submarine sonar sound every time it makes contact with one, is pinging with the insistence of an alarm clock.

“There it is. That’s the one.”

But there’s a closed padlock sign next to the network’s name. That indicates that WEP is enabled. In other words, the network access is encrypted. The trio of hunters moves on. As they pull out of the parking lot, a Sparks police cruiser passes in the opposite direction. Nobody waves.
