Wardriving

Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer or PDA.

Software for wardriving is freely available on the Internet, notably NetStumbler for Windows, Kismet or SWScanner for Linux, FreeBSD, NetBSD, OpenBSD, DragonFly BSD, and Solaris, and KisMac for Macintosh. There are also homebrew wardriving applications for handheld game consoles that support Wi-fi, such as sniff_jazzbox for the Nintendo DS, Road Dog for the Sony PSP and Stumbler for the iPhone. There also exists a mode within for the Sony PSP (wherein the player is able to find new comrades by searching for wireless access points) which can be used to wardrive.

Etymology

Wardriving was named after the term "wardialing" from the 1983 film "WarGames", which involved searching for computer systems with software that dialed numbers sequentially to see which ones were connected to a fax machine or computer.

Warbiking is essentially the same as wardriving, but it involves searching for wireless networks while on a moving bicycle or motorcycle. This activity is sometimes facilitated by the mounting of a wifi-capable device on the vehicle itself.

Warwalking (sometimes warjogging) is similar in nature to wardriving, except that it is done on foot rather than conducted from a moving vehicle. The disadvantages of this approach consist in slower speed of travel (resulting in fewer and more infrequently discovered networks) and the absence of a convenient computing environment. Consequently, handheld devices such as Pocket PCs, which can perform such tasks while one is walking or standing, have predominated in this area. The inclusion of integrated Wi-Fi (rather than a CF or PCMCIA add-in card) in Dell Axim, Compaq iPAQ and Toshiba Pocket PCs beginning in 2002 — and, more recently, an active Nintendo DS and Sony PSP enthusiast community possessing Wi-Fi capabilities on these devices — has expanded the extent of this practice, as has the new Apple iPhone and iPod touch. Of recent note, the Nokia N770, N800, and N810 Internet Tablets have very good antennas, and will pick up nearly anything in the area — even blocks away from the unit.

Warkitting [Cite web
last = Tsow
first = Alex
title = Warkitting: the Drive-by Subversion of Wireless Home Routers.
url = http://www.indiana.edu/~phishing/papers/warkit.pdf] is a combination of wardriving and rootkitting. In a warkitting attack, a hacker replaces the firmware of an attacked router. This allows him to control all traffic for the victim, and could even permit him to disable SSL by replacing HTML content as it is being downloaded [Cite web
last = Myers
first = Steven
title = Practice and Prevention of Home-Router Mid-Stream Injection Attacks
url = http://www.cs.indiana.edu/~sstamm/papers/midstream-abs.html] .Warkitting was identified by Tsow, Jakobsson, Yang, and Wetzel in 2006. Their discovery indicated that 10% of the wireless routers were susceptible to WAPjacking (malicious configuring the firmware settings, but making no modification on the firmware itself) and 4.4% of wireless router were vulnerable to WAPkitting (subverting the router firmware). Their analysis showed that the volume of credential theft possible through Warkitting exceeded the estimates of credential theft due to phishing.

Mapping

Many wardrivers use GPS devices to measure the location of the network and log it on a website to form maps of the network neighborhood. The most popular web-based tool today is [http://www.wigle.net/ WiGLE] , while one of the pioneering mapping applications was [http://the.firehou.se/stumbverter/ StumbVerter] , which used Microsoft MapPoint automation to draw found networks. For better range, antennas are built or bought, and vary from omnidirectional to highly directional.

The maps of known network IDs can then be used as a geolocation system — an alternative to GPS — by triangulating the current position from the signal strengths of known network IDs. Examples include [http://www.deviceforge.com/articles/AT8606455669.html Place Lab] by Intel, [http://www.skyhookwireless.com/howitworks/ Skyhook] , and [http://www.navizon.com/ Navizon] by Cyril Houri. Navizon combines information from Wi-Fi and cell phone tower maps contributed by users from Wi-Fi-equipped cell phones. [Cite news
issue = 14.06
last = Rose
first = Frank
title = Lost and Found in Manhattan
work = Wired
accessdate = 2007-09-01
date = 2006-06
url = http://www.wired.com/wired/archive/14.06/posts.html?pg=4] [Cite web
last = Blackwell
first = Gerry
title = Using Wi-Fi/Cellular in P2P Positioning
work = Wi-Fi Planet
accessdate = 2007-09-01
date = 2005-12-19
url = http://www.wi-fiplanet.com/news/article.php/3572001] In addition to location finding, this provides navigation information, and allows for the tracking of the position of friends, and geotagging.

In December 2004, a class of 100 undergraduates worked to map the city of Seattle, Washington over several weeks. They found 5,225 access points; 44% were secured with WEP encryption, 52% were open, and 3% were pay-for-access. They noticed trends in the frequency and security of the networks depending on location. Many of the open networks were clearly intended to be used by the general public, with network names like "Open to share, no porn please" or "Free access, be nice." The information was collected into high-resolution maps, which were published online. [Cite web
last = Marwick
first = Alice
title = Seattle WiFi Map Project
work = Students of COM300, Fall 2004 - Basic Concepts of New Media
accessdate = 2007-09-01
date = 2005-02-15
url = http://depts.washington.edu/wifimap/] [Cite news
last = Heim
first = Kristi
title = Seattle's packed with Wi-Fi spots
work = The Seattle Times
accessdate = 2007-09-01
date = 2005-02-18
url = http://seattletimes.nwsource.com/html/businesstechnology/2002183464_wifimap18.html]

Antennas

*Cantenna
*WokFiWireless access point receivers can be modified to extend their ability for picking up and connecting to wireless access points. This can be done with an ordinary metal wire, and a metal dish that is used to form a directional antenna. Other similar devices can be modified in this way too, likewise, not only directional antennas can be created, but USB-WiFi-stick antennas can be used as well. Tools such as [http://macpod.net/software/WirelessGrapher.php Wireless Grapher Widget] can be used to measure out the antenna.

Confusion with piggybacking

Wardrivers are only out to log and collect information about the wireless access points (WAPs) they find while driving, without using the networks' services.

Connecting to the network and using its services without explicit authorization is referred to as piggybacking.

The terms have been interchanged in the press, however. For instance, an EETimes article with the headline "WiFi user charged for not buying coffee" [ [http://www.eetimes.com/news/semi/showArticle.jhtml?articleID=189600767 WiFi user charged for not buying coffee] ] refers to a user who "piggybacked off the shop's wireless Internet service for more than three months". When reposted by Engadget, the term "wardriving" was substituted, and the headline changed to "Wardriver arrested for snagging coffee shop signal". [ [http://www.engadget.com/2006/06/23/wardriver-arrested-for-snagging-coffee-shop-signal/ Wardriver arrested for snagging coffee shop signal] ]

Typical wardriving software actually takes control of the wireless radio, making it impractical, if not impossible, to wardrive and piggyback simultaneously.

Legal and ethical considerations

Some portray wardriving as a questionable activity (typically from its association with piggybacking), though, from a technical viewpoint, everything is working as designed: access points must broadcast identifying data accessible to anyone with a suitable receiver. It could be compared to making a map of a neighborhood's house numbers and letter box labels. [ [http://slashdot.org/comments.pl?sid=39261&cid=4194976 Worldwide WarDrive Aftermath ] ]

There are no laws that specifically prohibit or allow wardriving, though many localities have laws against unauthorized access of a computer network. Whether this could be applied to wardriving is unknown, though no one has ever been convicted for it.

Passive, listen-only wardriving (with programs like Kismet or KisMAC) does not communicate at all with the network; merely logging its broadcast address. This can be likened to listening to a radio station that happens to be broadcasting in the area.

With other types of software, such as NetStumbler, the wardriver actively sends probe messages, and the access point responds per design. The legality of active wardriving is less certain, since the wardriver temporarily becomes "associated" with the network, even though no data is transferred. Most access points, when using default settings, are intended to provide wireless access to all who request it. Liability can be minimized by setting the computer to a static IP, instead of using DHCP. This will prevent the network from granting the computer an IP address or logging the connection. [Cite web
last = Wei-Meng Lee
title = Wireless Surveying on the Pocket PC
work = O'Reilly Network
accessdate = 2007-09-01
date = 2004-05-27
url = http://www.oreillynet.com/lpt/a/4876]

In the United States, the case that is usually referenced in determining whether a network has been "accessed" is "State v. Allen". In this case, Allen had been wardialing in an attempt to get free long distance calling through Southwestern Bell's computer systems. When presented with a password protection screen, however, he did not attempt to bypass it. The court ruled that although he had "contacted" or "approached" the computer system, this did not constitute "access" of the company's network. [Cite web
last = Brenner
first = Susan
title = "Access"
work = CYB3RCRIM3
accessdate = 2007-09-02
date = 2006-02-12
url = http://cyb3rcrim3.blogspot.com/2006/02/access.html] [Cite journal
volume = 67
issue = 5
last = Bierlein
first = Matthew
title = Policing the Wireless World: Access Liability in the Open Wi-Fi Era
journal = Ohio State Law Journal
accessdate = 2007-09-01
date = 2006
url = http://moritzlaw.osu.edu/lawjournal/issues/volume67/number5/bierlein.pdf] [Cite journal
volume = 9
issue = 7
last = Ryan
first = Patrick S.
title = War, Peace, or Stalemate: Wargames, Wardialing, Wardriving, and the Emerging Market for Hacker Ethics
journal = Virginia Journal of Law & Technology
accessdate = 2007-09-01
date = 2004
url = http://ssrn.com/abstract=585867 - Article on the ethics and legality of wardriving ] [Cite journal
volume = 2
issue = 4
last = Kern
first = Benjamin D.
title = Whacking, Joyriding and War-Driving: Roaming Use of Wi-Fi and the Law
journal = CIPerati
accessdate = 2007-09-01
date = 2005-12
url = http://www.abanet.org/buslaw/committees/CL320010pub/newsletter/0009/] [ [http://www.mcguirewoods.com/news-resources/publications/technology_business/Whacking_Joyriding_and_War_Driving.pdf Alternate PDF] - Law review article on the legality of wardriving, piggybacking and accidental use of open networks]

Software

* NetStumbler
* Kismet
* KisMAC
* iStumbler

Concepts

* Honeypot (computing)
* Hotspot
* Warchalking
* WarXing
* Warspying
* Wi-Fi Network (FON)

References