WiFi Wardriving

LAS VEGAS — Chris Hurley, a.k.a. “Roamer” and founder of the WorldWideWarDrive, is a little angry with the media.

“There are a lot of myths and misconceptions floating around about WarDriving,” Hurley told a packed ballroom at the DEFCON 2003 conference, stating he had been misquoted in InfoWorld and the Wall Street Journal with several false impressions being repeated over and over again in the media.

As defined by participating members of the community, “WarDriving” is the benign act of locating and logging wireless access points while in motion. The effort is conducted to map the population of wireless access points for statistical purposes and raise awareness of the security problems associated with wireless networks. It is not about connecting to or in any way using the resources of any discovered access point without the prior authorization of the owner. Driving is the typical mode of movement, but people have been known to “WarWalk” down the crowded streets of New York City and take to the air via helicopter during WarDriving contests.

Equipment for the properly equipped WarDriver typically includes a laptop computer with a WiFi card and a portable Global Positioning System unit capable of National Marine Electronics Association output with a data cable to connect to the laptop. More effective use requires an external antenna and “pigtail” connector cable. Depending on their preferences, WarDrivers either use directional or omni-directional antennas.

Omnis are generally better for driving since they can easily be mounted on a car roof with a magnet and for detecting access points in all directions.

WarDriving software is available in both freeware and commercial versions. The most popular versions are Netstumbler and Kismet, supporting the Windows and Linux operating systems respectively. Netstumbler uses an active scanning method using a beacon request. Kismet uses a passive technique to monitor and identify traffic by APs within range, allowing it to detect “cloaked” access points. Collected data can then be used to generate location maps or data can be uploaded to web sites such as WiGLE (www.wigle.net) for online map generation.

WarDriving software support is also available for some types of PDAs running Linux and Microsoft’s Pocket PC.

Hurley’s efforts began in the summer of 2002 when he decided to organize an ad hoc effort to drive through the city of Baltimore, curious to see how many people and companies had “open,” unsecured WiFi access points. No one had published hard data and the idea was so unique that volunteers around the globe sprung up to organize their own WarDrives.

The first WorldWideWarDrive took place between Aug. 31-Sept. 1, 2002, with 100 people in six countries and two continents driving through 22 unique areas. WarDrivers discovered 9,300 access points with a paltry 30 percent having turned on WEP encryption. Due to popular demand, a follow-up WorldWideWarDrive was held between Oct. 26-Nov. 2, 2002. More than 200 people in seven countries and four continents drove through 32 areas, logging another 24,000 access points with only 27 percent of them running WEP.

The third and most recent WorldWideWarDrive took place between June 28-July 5, 2003, with 300 people surveying 52 areas in 11 countries and four continents; data from Australia was submitted, but could not be incorporated since the folks Down Under didn’t collect GPS coordinates. A whopping 88,122 access points were discovered, with 32.26 percent of them running WEP. Of those, 24,525 still used the factory default SSID while 21,822 had both the default SSID and no WEP encryption. Hurley stated that “Linksys” and “Default” were the two most popular default SSIDs.

Combining the statistics from all three WWWD events, a total of 113,529 APs have been mapped. Of those, 31.41 percent are WEP enabled, 29 percent still have their factory default SSID, and 25.78 percent of the APs have both the default SSID and no WEP. Put another way, there are more than 29,000 APs in the world that have been plugged in and turned on without additional configuration to make them more secure. It should be noted that WarDrive statistics don’t provide indicators as to what any of APs are being used for, such as “free” open access points, commercial service access points at the local hotel or Starbucks, or a business AP left open.

Moving forward, the WorldWideWarDrive will become an annual event held during the summer. At some point, Hurley intends to release a statistical generator for processing WarDrive data.

Among the myths Hurley wishes to debunk is the wide-spread practice of “warchalking,” where WarDrivers would supposedly stop near an access point, pull out a piece of chalk, and scribble a symbol on a walk or the sidewalk to indicate its availability. The practice of warchalking is supposed to come from the Great Depression when hobos would use chalk marks to leave information or warnings for other travelers. Neither Hurley nor any of the immediate circle of WWWD participants either have seen or left chalk marks. His assertion seemed to be confirmed by a poll of hands in the packed ballroom with only a few of the several hundred audience members noting they had seen a warchalking symbol.

Other myths and misconceptions associated with WarDrivers ranged from the bizarre to the mundane. Was the WWWD a “covert organization run by shady individuals to provide terrorists with information?” No. A way to promote “free” Internet access? No. An effort to sell networking security services or statistical data?

Definitely not, said Hurley, “I don’t want to” go around securing access points and WWWD statistics data is provided free. Nor is he happy about the impression that WarDriving promotes the exploitation of wireless networks or an effort to promote fear, uncertainty, and doubt.

“It’s not a cheap hobby,” Hurley said, noting the cost of equipment and gasoline.

Canadian WWWD participants encountered some self-inflicted headaches. The Canadian Security Intelligence Service became concerned after they read a press release sent out by WarDrivers announcing their intentions to scan Red Deer, Alberta. After doing their own research, the CSIS concluded the activity was not a threat to Canadian National Security.

Hurley also put together the second annual DEFCON WarDriving contest and finds new twists introduced by teams every year. In last year’s WarDriving contest, one team rented a helicopter to accelerate the process of discovering access points around Las Vegas. While the team did not win, aerial discovery was banned from 2003 competition. Twelve teams this year were given two hours to drive the eastern part of Vegas from Paradise Road on Aug. 1, 2003. A total of 2,298 APs were discovered on the first day.

Six finalist teams were given three hours to drive the territory west of Paradise Road. The winning team used a liberal interpretation of the rules and sent one member down the highway towards Los Angeles, picking up around 1,200 APs in the three-hour drive.

Verification of the team member’s efforts was provided by fast food and gasoline receipts as well as a time-stamped photo of him on the beach.

Teams entered in the DEFCON 2004 WarDrive will have to limit their activities to the boundaries of the state of Nevada.