ChuckHerrin.com

Computer Security Stuff
 

Wardriving in Winston-Salem:

How to surf the web from the passenger’s seat of a minivan.

 

What is wardriving?  Variants include warwalking, warflying, warriding, warbiking, etc.

Basically, it’s driving around with a laptop, a wireless card, and an antenna, looking for wireless access points.  Simply listening for access points is legal, and the hobby is getting more and more popular; actually joining a network you find is a different matter.

We went wardriving for about 90 minutes in Winston-Salem and found 119 wireless access points.  Of these, 100 were unencrypted (totally open to anyone within range) and 19 had WEP enabled.

Our setup: a Windows XP laptop, an Orinoco Gold wireless card, an external Lucent antenna, and a Dodge Grand Caravan.

What is WEP?

WEP stands for Wired Equivalent Privacy.  It is the encryption scheme in the original 802.11 standard for protecting wireless traffic: each frame is encrypted with the RC4 stream cipher so that only stations holding the proper pre-shared key can read the data.  The problem with WEP, cryptographically speaking, is its 24-bit initialization vector (IV).  The IV is sent in the clear with every frame and is simply prepended to the fixed pre-shared key to form the per-frame RC4 key, so for a given key there are only 2^24 (about 16.7 million) distinct IVs and therefore only 16.7 million distinct keystreams.  On a busy network IVs repeat within an hour or so, and two frames encrypted under the same IV leak the XOR of their plaintexts.  Worse, a fraction of IVs yield “weak” RC4 keys that leak bytes of the pre-shared key itself; once a passive sniffer such as AirSnort (free) has collected enough of those frames, the remaining computation recovers the key in about a second.
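The keystream-reuse problem is easy to see in code.  The following is an added example written for this page, not code from the original article or from AirSnort.  It implements RC4 (the cipher WEP actually uses), builds a simplified WEP frame as IV || RC4(IV || key, payload) with the integrity check value left out, and shows that two frames sharing an IV leak the XOR of their plaintexts, so one known plaintext recovers the other without touching the key.  It also estimates how quickly an IV space repeats at a given frame rate; the IV width is a parameter so the 24-bit case can be compared with a 48-bit one.  The pre-shared key, IV, frame rate and sample payloads are constructed for the demonstration, and the weak-IV (key-recovery) attack is not modelled.

```python
"""Added example: why a 24-bit IV breaks WEP. Not from the original article."""
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling, then XOR the keystream over data."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(psk: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame: 3-byte IV in the clear, then RC4(IV || PSK, payload).
    The real frame also carries a CRC-32 ICV inside the encrypted part; omitted here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + psk, plaintext)


def wep_decrypt(psk: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return rc4(iv + psk, body)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_plain_a: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b.
    Knowing P_a therefore yields P_b over the overlapping length, key never needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("attack needs IV reuse")
    n = min(len(frame_a), len(frame_b), len(known_plain_a) + 3)
    return xor_bytes(xor_bytes(frame_a[3:n], frame_b[3:n]), known_plain_a[: n - 3])


def iv_repeat_estimates(iv_bits: int, frames_per_second: float) -> tuple[float, float]:
    """Seconds until (a) a card that counts IVs sequentially wraps around and
    (b) a repeat is expected with randomly chosen IVs (birthday bound)."""
    space = 2 ** iv_bits
    exhaust = space / frames_per_second
    birthday = math.sqrt(math.pi * space / 2) / frames_per_second
    return exhaust, birthday


# Constructed sample data (hypothetical 40-bit key and payloads).
PSK = bytes([0x01, 0x02, 0x03, 0x04, 0x05])
IV = bytes([0x00, 0x00, 0x01])
PLAIN_A = b"GET /index.html HTTP/1.0\r\n"         # known to the attacker
PLAIN_B = b"Cookie: session=secret-value"          # what the attacker wants

if __name__ == "__main__":
    fa = wep_encrypt(PSK, IV, PLAIN_A)
    fb = wep_encrypt(PSK, IV, PLAIN_B)            # same IV reused
    print("recovered:", recover_with_known_plaintext(fa, fb, PLAIN_A))
    for bits in (24, 48):
        ex, bd = iv_repeat_estimates(bits, 5000)  # assumed 5000 frames/s
        print(f"{bits}-bit IV: wrap-around in {ex/3600:.1f} h, "
              f"random repeat expected after {bd:.1f} s")
```

The point of the last function is the one the article makes: at a few thousand frames per second a 24-bit IV space wraps around in under an hour, and with random IVs a collision is expected after only a few thousand frames, whereas a 48-bit IV space takes centuries to wrap at the same rate.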

Even with WEP enabled, the network is still wide open to a hacker of moderate skill with a few hours to sniff traffic.  Without WEP enabled, people driving by are often handed an IP address by DHCP and are on the internal network while still in their cars.  In fact, I pick up 4 wireless access points from my office without any effort on my part, none of which are running WEP.  To be fair, only one is not part of the wireless 4th Street project, but that one issued my laptop an IP address immediately upon turning on in my office.  It can hardly be considered hacking when someone else’s network is foisted upon you like that.

Among the access points we found, several were in neighborhoods, a few were picked up driving by hotels, some were even picked up driving down I-40, but the majority came from driving around downtown and through the business parks by Hanes Mall.  There are many, many parts of Winston that we didn’t drive through, and we were using a weak antenna by wardriver standards.  For a few dollars you can build an antenna out of a Pringles can and some hardware that will give you a strong directional signal boost, or, a better alternative, use something like a coffee can, which is less sharply directional because of its shape.  These devices, if built properly, can boost the signal by up to 15 dB.  That is a substantial boost in power, since every 3 dB increase is a doubling in signal strength (15 dB is roughly a 32-fold increase).  In practical terms, two of these “Cantennas” could bridge a distance of ten miles if configured correctly with a good line of sight.  One professional security tester I know has a large Yagi antenna and can pick up normal 802.11b wireless access points at a distance of five miles.

Think about it: he’s inside someone’s network, behind the firewall, from five miles away.  He doesn’t even have to pull into the parking lot and be seen by anyone.

What should people running wireless do?

At a minimum, enable WEP.  This at least keeps people from stumbling into your network by accident.  Kevin Mitnick, the notorious hacker, likens this to locking the front door: it will not keep out a determined intruder, but if someone does come in after WEP is enabled, it is obviously no accident, and the intent to trespass is unquestionable.  It’s also a good idea to change your WEP key regularly, much as you would change a password; a new key forces an attacker to start collecting traffic from scratch.  There is a newer standard, WPA (Wi-Fi Protected Access), whose TKIP mode uses a 48-bit IV instead of WEP’s 24-bit one and derives a fresh per-packet key instead of simply prepending the IV to the shared key, which removes the IV reuse and weak-key problems that make WEP crackable.  (By the way, that’s a jump from 2^24 to 2^48 IVs, about 16.7 million times as many, so it’s not just a doubling.)

In my opinion, one of the most overlooked parts of the wireless story is the denial-of-service (DoS) exposure it presents.  Intentionally or unintentionally, 802.11b signals in the 2.4 GHz band are very easily disturbed by such things as Bluetooth devices, cordless phones, and microwave ovens.  In fact, if you take a normal microwave oven and attach a small antenna to the magnetron (the microwave generator), it will kill 802.11b traffic for about a ¼ mile radius.  If you attach the antenna to the power supply (which looks almost exactly like the magnetron) the microwave will arc and catch fire.  :)

While wireless is a great advance in networking, the limits of any new technology should be well understood before it is deployed in a production environment.  In my opinion, wireless is something better left at home at this point.  Wireless networking, while inexpensive and convenient for you, is also inexpensive and convenient for hackers, industrial spies, script kiddies, and your competitors, who can come inside your network and take a look around, all from the comfort of the parking lot across the street.



  Copyright 2005 Chuck Herrin. 

All Rights Reserved, All Wrongs Avenged.