Vous êtes sur la page 1sur 6

Digital Village Hal Berghel

Wireless Infidelity I: War Driving


Although WiFi technology security vulnerabilities are well known, the
extent of these vulnerabilities may be surprising: War driving experiences
identify many potential points of entry.

T
he concept of wireless WDN is a cluster of technolo- user, combined voice and data
networking dates back at gies primarily related to, devel- 2.5- generation technologies that
least as far as ALO- oped for, and marketed by exceed 100Kbps; and Wireless
HANET in 1970. While vendors in the telephony and Application Protocol (WAP),
this project is now of primarily handheld market. This market which provides wireless support of
historical interest, the online covers a lot of ground from basic the TCP/IP protocol suite and
overview is still worth reading digital cellular phones to relatively now provides native support of
(see en.wikipedia.org/wiki/ sophisticated PDAs and tablet HTTP and HTML. If you’re
ALOHA_network). The con- PCs that may rival notebook com- using a cellular phone with text
cept of ALOHANET spanned messaging and Web support,
many of the core network pro- you’re likely using some form of
tocols in use today, including WAP.
Ethernet and Wireless PANs began as “workspace net-
Fidelity (aka WiFi). ALO- works.” Bluetooth, for example,
HANET was the precursor is a desktop mobility PAN that
of the first generation of was designed to support cable-
wireless networks. free communication between
Wireless technologies may computers and peripherals.
be categorized in a variety of Blackberry
ways depending on their (www.blackberry.com) is like
function, frequencies, band- Bluetooth on steroids. It inte-
width, communication protocols grates telephony, Web browsing,
involved, and level of sophistication email, and messaging services
(ranging from first- through third- with PDA productivity applica-
generation wireless systems). For puters in capabilities. WDN tions. As such it blurs the distinc-
our purposes, we’ll lump them into includes protocols such as the Cel- tion between PAN and WLAN.
four basic categories: Wireless Data lular Digital Packet Data WLAN is what most of us
Networks (WDNs), Personal Area (CDPD), an older 19.2Kbps wire- think of wireless technology. It
Networks (PANS), Wireless Local less technology that is still in use includes the now-ubiquitous
Area Networks (WLANs), of in some police departments for 802.11 family of protocols, as
which the newer Wireless Metro- network communication with well as a few others. Table 1 pro-
politan Area Networks (WMANs) patrol cars; General Packet Radio vides a quick overview of some
and Wireless Wide Area Networks Service (GPRS) and Code Divi- of the 802.11 protocol space.
PETER HOEY

(WWANs) are offshoots, and satel- sion Multiple Access 2000 Note that all but the first are
lite networks. (CDMA2000), which are multi- derivative from the original

COMMUNICATIONS OF THE ACM September 2004/Vol. 47, No. 9 21


Digital Village

802.11 protocol introduced in make comparisons even more The Origins of War Driving
1997. In Table 1, “Year” confusing, there are 802.1x pro- The first formalization of the con-
denotes the approximate year of tocols like 802.16 (2001) and cept of war driving, circa 1999, is
introduction as a standard (for 802.16a (2003) that are designed attributed to Peter Shipley. His early
example, 802.11a and Standard 802.11 802.11a 02.11b 802.11g 802.11n
war driving experimenta-
802.11b were introduced Year 1997 1999 1999 2003 2005 tion was subsequently
at the same time, though Frequency 2.4GHz 5GHz 2.4GHz 2.4GHz 5GHz? introduced to the hacker
802.11a came to market Band
Bandwidth
ISM
2Mbps
UNII
54Mbps
ISM
11Mbps
ISM
54Mbps
?
100+Mbps
community at DEF-
later). The two bands Encoding Techniques DSSS/FHSS OFDM DSSS OFDM ? CON 9 in Las Vegas in
used for WiFi are Indus- July 2001; Figure 1 is
Table 1. The 802.11 protocol family.
trial, Scientific, and Medical derived from this experiment.
(ISM) and Unlicensed National for wider area coverage: the so- The basic idea behind war dri-
Information Infrastructure called Metropolitan Area Net- ving is to “sniff” 802.11 traffic
(UNII). Bandwidth is advertised works or MANs. The 802.11n with a wireless card set to monitor
maximum. Encoding, aka “spec- specifications are meager as of mode so that it accepts all traffic on
trum spreading” techniques
appear at the physical or link
layer and include frequency-
hopping spread-spectrum
(HPSS), direct-sequence spread-
spectrum (DSSS), and orthogo-
nal frequency division
multiplexing (OFDM).
Both the 802 and 802.11
landscape are somewhat more
cluttered than the table suggests.
For example, 802 also allows for
infrared support at the physical
layer. In addition, proprietary
standards for 802.11 have been
proposed. In 2001, Texas Instru-
ments proposed a 22Mbps varia-
tion of 802.11b called “b+”, and
Atheros proposed a 108Mbps
variant of 802.11g called “Super
G”. Further, there are standards Figure 1. An early WAP map, circa 2001 a frequency irrespective of intended
for enhanced QoS (802.11e) and (source: Peter Shipley, “Open WLANs—
The Early Results of WarDriving”; target. War driving is an extension
enhanced security (802.11i) that www.dis.org/filez/openlans.pdf). of the concept of war dialing that
are actually orthogonal to the tra- deserves some explanation.
ditional 802.11 family in the this writing, although the current War dialing is the technique
sense that they deal with limita- attention is on increasing used by the main character in the
tions rather than the characteris- throughput at the MAC interface 1983 movie WarGames to gain
tics of the protocol suite. To rather than the physical layer. access to computer systems. One

22 September 2004/Vol. 47, No. 9 COMMUNICATIONS OF THE ACM


might recall that in an patterns, and so forth, for
effort to access comput- one’s own wireless environ-
ers of a computer game ment. And again, this infor-
company, the film’s main mation is useful to potential
character launched a intruders.
countdown to a nuclear One thing that distin-
war. Though modem guishes war driving (aka,
banks are technological WAP mapping, and trans-
dinosaurs, they remain in portation-centric offshoots
use and are one of the like war walking, war bik-
easiest network appli- ing, war flying, war boating,
ances to compromise. and the like) is that they all
War dialing is the art relate to the various modes
of scanning lists of of mobile sniffing of wire-
phone numbers for the less traffic. Generally speak-
carrier tones that indicate Figure 2. A “WAP map” of nine WAPs ing, if the sniffing is used in
modem lines. The target lists are revealing individual coverage areas support of the owner/organiza-
(source: www.ittc.ku.edu/wlan/
derived from sundry public- images_ittc_small.shtml). tion’s interests, the use of less
domain sources such as tele- alarming euphemisms like “wire-
phone directories (for example, less monitoring” or “vulnerability
411.com), WHOIS domain reg- one point, the good folks at testing” is encouraged.
istration Web sites such as Inter- l0pht.com even produced a But, let’s be candid about this
nic (www.internic.net/whois.html), Palm-based war dialer called situation: War driving surpasses
contact information on organiza- TBA (see www.securiteam.com/ wireless monitoring by a large
tional Web sites, and so forth. tools/TBA_-_PalmOS_ war- measure. To wit, the war drivers
The principle is relatively simple: dialer.html). have even created their own style
find an organizational telephone of war driving signage known as
number, and then sweep through War Driving Takes Shape war chalking that reveals such
the range of numbers that There is no question that there is information as the service set ID,
includes it for the presence of a a legitimate, lawful use of war bandwidth, and whether security
modem. A modem’s carrier tone dialing—to determine whether is enabled. The war chalker iden-
signifies a receptive appliance, so there are insecure modems con- tifies the characteristics of the
the war dialer records a “hit.” A nected to one’s own network. Of unwitting target on the most con-
suitably enhanced war dialer can course, this knowledge is also of venient visible surface in much
“nudge” the unsuspecting modem use to potential intruders. the same way the hobo chalkers
line to try to produce a logon Similarly, war driving is the art did during the Great Depression
prompt, and then to produce an of monitoring wireless traffic. The in the U.S.2 An annual war dri-
acceptable logon sequence. A legitimate, lawful use is to control
Web search will confirm that war signal strength, bandwidth, leakage 2
War chalking follows in the tradition of hobo tagging
dialers in both shareware and 1
The de facto standard for war dialing is THC-Scan 2.0
and tramp signing. A good source of the latter is
www.worldpath.net/~minstrel/hobosign.htm. A popu-
commercial versions abound for for Windows. It is available from The Hacker’s Choice lar war chalking resource is www. blackbeltjones.
(www.thc.org). One of many shareware Unix variants is com/warchalking/index2.html, the Google top hit, war-
both Windows (THC-Scan 2.0)1 Ward from Securiteam (www.securiteam.com/ chalking.org, was not functioning when this column
and *nix (Ward) platforms. At tools/6T0001P5QM.html). was written in July.

COMMUNICATIONS OF THE ACM September 2004/Vol. 47, No. 9 23


Digital Village

ving competition is held, WWWD1 (2002) WWWD2 (2002) WWWD3 (2003) WWWD4 (2004) Driving competitions.
(9374 WAPs) (24958 WAPs) (88122 WAPs) (228537 WAPs)
with results presented at By way of background,
Default SSID 29.5% 35.3% 27.8% 31.4%
the DEFCON hacker the Service Set ID
no WEP enabled 69.9% 72.0% 67.7% 61.6%
convention every sum- (SSID) in Table 2 can
Default SSID and 26.7% 31.4% 24.8% 27.5%
mer (the fourth and no WEP enabled be thought of as the
most recent competition Source: www.worldwidewardrive.org/ “name” that is assigned
occurred in June). Table 2. WorldWide war drives. to a WAP in “infra-
The typical war drive structure mode.” This name is
reveals a pattern of Wireless needed for clients to associate
Access Points (WAPs), as with it. Obviously, the first
shown in Figure 2. This step toward security is to avoid
information is derived broadcasting the SSID to the
from a wireless detector or world. The second step is to
computer with a wireless pick a name that isn’t the
card operating in monitor default set by the vendor.
(RFMON) mode. In the “Default SSID” reports the per-
early period of war driving centage of the WAPs that were
(circa 2000), the war dri- discovered using the SSID that
ver’s vehicle would have a came shrink-wrapped with the
front seat strewn with WAP hardware.
cables, antennae, GPS Wired Equivalent Privacy
equipment, and a note- (WEP) is the encryption tech-
book computer. Now, this nique used in the popular
detection is usually done 802.11 protocols. Simply
with a self-contained stated, there’s little to recom-
PDA, with analysis per- mend it as it fails virtually every
formed offline on a full- reasonable standard for data
screen computer. Figure 3 integrity, confidentiality, and
illustrates the process on a authentication in both theory
Windows CE-based PDA Figure 3. Wireless “sniffing” Palm style and implementation. While WEP
operating Air Magnet. As the with Air Magnet and a HP IPAQ Pocket will not withstand a serious attack
PC.
screen in Figure 3 illustrates, from any would-be intruder
the current scan is being per- armed with free tools available on
formed on channel 6 for on this topic in a subsequent the Internet, it will slow down the
802.11b traffic at 2.4370GHz. column. attacker if properly configured,
The two WAPs detected are and will discourage neophytes
reported, along with their War Driving Lessons who seek to authenticate with the
MAC addresses, names, and In short, war driving has demon- WAP. The only thing worse than
current signal strength. This strated that wireless technology enabling WEP is not enabling
information is collected and has opened the largest computer WEP! The data in Table 2 indi-
plotted to produce the WAP network security hole since the cates that over 60% of the WAPs
maps. While this is a cursory advent of modems. detected fail to have WEP
overview, it gets to the essence The data in Table 2 comes enabled. In the wireless realm, this
of war driving; I will expand from the four WorldWide War is akin to leaving your wallet on

24 September 2004/Vol. 47, No. 9 COMMUNICATIONS OF THE ACM


the front porch for safekeeping. percentages do not seem to be coin. A similar point is made in
The worst of all possible changing much over time. an earlier column of mine on
worlds is to not employ encryp- Internet Forensics (August 2003).
tion and at the same time broad- Final Words The relevant skill sets of those
cast the name of your WAP to The difference between wireless who attempt to compromise net-
the entire neighborhood and any hacking and wireless monitoring work security and those who seek
passersby—approximately 27% of is intent and moral orientation. to protect them are for all practi-
the WAPs found have achieved From a technology perspective, cal purposes identical.
that status. Most alarming, the they are two sides of the same Therein lies the rub. The best
URL PEARLS
ore information on the originator of the term war At this writing, the best wireless detectors I am aware
M driving, Peter Shipley, is available at his Web site:
www.dis.org/shipley/. Details of his presentation at Def-
of are Kismet (www.kismetwireless.net) for *nix plat-
forms and Air Magnet (www.airmagnet.com) for Win-
con 9 in 2001 are available at ww.defcon.org/html/ dows.
defcon-9/defcon-9-speakers. html and in “Open A useful guide to 802.11 wireless technology is
WLANs—The early results of WarDriving” at www.dis.org/filez/ Matthew Gast’s 802.11 Wireless Networks: The Definitive
openlans.pdf. For general treatment of the topic of war dri- Guide, O’Reilly & Associates, 2002.
ving, visit wardriving.com. A useful definition of war driving
is available on Paul McFedries’ Word Spy site, www.word- More on Alternate Data Streams
spy.com/words/wardriving.asp. The results of the four I received a good amount of reader correspondence
International war driving competitions are documented regarding my December 2003 column on Alternate Data
at www.worldwidewardrive.org; information, computer, Streams and continue to receive feedback months after
and network security issues are prevalent at the DEFCON the issue appeared. Most of the reader comments were
site (www.defcon.org). sympathetic to the idea that the negative publicity sur-
Dug Song is one of the world’s premier hackers. He rounding Window’s ADSs is undeserved. If Microsoft is to
founded monkey.org and through it has distributed a be faulted, it’s for not releasing enough technical docu-
suite of very popular tools within both the white hat and mentation to ensure that ADSs can be deployed effec-
black hat communities. Examples include dsniff (a net- tively, efficiently, and securely.
work sniffing utility), fragroute (a generic packet frag- Some readers noted there was an error in the column
menting tool), the switch state table flooder discussed pertaining to reporting on the Mac OS X lineage. It was
in this column, and dozens of other tools. In the past incorrectly reported that Mac OS X was built on a Linux
few years he has restricted access to some of these kernel; it is actually built on Mach micro kernel derived
resources—see www.linuxsecurity.com/articles/ from FreeBSD. OS X using Apple’s HFS+ file system still
cryptography_article-3624.html, though most remain uses file forks; the alternative UFS (Unix File System)
easy to find via Web search. uses .rsrc files instead.
WAP mapping is an interesting multimedia exercise in In addition, there was a typographical error in the
its own right. Figure 2 was produced by the University of December column: In the third paragraph, “non-
Kansas’ Wireless Network Visualization Project monotonic” should be replaced by “non-monolithic.”
(www.ittc.ku.edu/wlan/). The coverage maps are par- Our general-purpose Alternate Data Streams location
ticularly revealing from the point of view of wireless and editing tool, wantADS, is available as a free down-
leakage. A more general source of “cybermaps” is the load from the Center for Cybermedia Research site at
Atlas of Cyberspace site at www.cybergeography.org/atlas/. ccr.i2.nscee.edu. c

COMMUNICATIONS OF THE ACM September 2004/Vol. 47, No. 9 25


Digital Village

of breed tools for wireless sniffing nothing inherent in the “sniffing” they’re put. Knowledge and vigi-
(Kismet for the *nix platforms; technology that encourages lance are formidable adversaries
Air Magnet for Windows) are socially unacceptable or illegal of misuse. I’ve endeavored to
used by both air jackers and wire- behavior. The tools a hacker contribute to the former in this
less guardians, though toward dif- might use to intercept organiza- column. c
ferent ends. This is a familiar tional wireless traffic are the same
story in network security—most tools that are used to harden the Hal Berghel (www.acm.org/hlb) is a
professor and the director of the UNLV School
of the products developed have organizations’ wireless infrastruc- of Computer Science, and director of the
benevolent and malevolent uses. ture. University’s Center for Cybermedia Research and
(Although Dug Song’s switch The solution to the problem of co-Director of the National Identity Theft and
flooder, Arpspoof, stretches this misuse is awareness, both in Financial Fraud Research and Operations Center.
claim). The lesson to be learned terms of the capabilities of the
from war driving is that there is tools and the uses toward which © 2004 ACM 0001-0782/04/0900 $5.00

26 September 2004/Vol. 47, No. 9 COMMUNICATIONS OF THE ACM