Tales of a White Hat War Driver

by Alan Rothberg

The use of wireless networks has exploded in the last two years. The technology has become cheap enough and easy enough for almost anyone to install and start using it immediately. An analyst at Cahners In-Stat, Gemma Paulo, said that wireless LAN (WLAN) vendors sold 8.1 million 802.11b network interface cards last year, up from 3.3 million the year before. Paulo said she "conservatively" expected sales to reach 11 million units in 2002.

If your company doesn't already have a wireless network, chances are itís probably testing the waters for future development. But how secure is this technology? What kinds of problems will IT staff encounter? One type of problem gaining national attention is called "war driving," in which a hacker can use a laptop computer to drive around and, like tuning in radio stations, can seek out personal information on wireless networks.

In the old days of computing, hackers used a technique called "war dialing." The computer's modem was set up to dial lists of phone numbers, hoping to reach another computer system's modem. Once a computer answered, a hacker would try to gain access to the network. This new laptop technique is called "war driving," and is actually much easier to do and easier to remain undetected. A person attempting to gain access to a network could easily sit in the parking lot across the street from the building itself and have access to their internal network.

NetStumbler on the Prowl

Wireless access points (WAPs) work like small radio stations. The 802.11b standard is probably the most widely deployed type of WLAN. They transmit their signals in the unlicensed 2.4 Gigahertz (GHz) range.

Related Reading

Building Wireless Community Networks
Implementing the Wireless Web
By Rob Flickenger

A small handful of programs are now freely available on the Internet to "tune" into these network devices and retrieve useful information about them. One such program is called NetStumbler.

NetStumbler runs on Windows 2000 and W9x, and requires a Hermes-based chipset for the wireless network card, although it may work with others. When a wireless network is located, you'll find that it has discovered all sorts of information about that network. Some of the information includes, whether WEP encryption (Wired Equivalent Privacy) is turned on or off, the MAC address of the access point, and who its manufacturer is.

Also displayed is the SSID (Service Set Identifier) or network name, the channel the AP is using, and if you have a GPSR (Global Positioning System Receiver) attached, it will log your latitude and longitude, making it easier to determine the location of the access point.

A GPSR is not required for NetStumbler to work, but there is an option to use it. Configure your GPSR for generic NEMA output and NetStumbler will usually auto-detect it on your COM port. It also functions as a good SNR (signal-to-noise ratio) meter, showing signal strength versus time, useful for seeing what kind of signal you got, and for how long you got it, as you drive by. All of these statistics can be saved to a file for later evaluation.

Why should someone worry about tools such as this? If you have a secure WLAN, you probably don't need to. However, if your WLAN lacks security, as was the case in most of the ones I found, these tools in the wrong hands can reveal enough information about your network to compromise it. A hacker could easily take a free ride on your Internet connection; possibly perform some malicious act that would appear to come from your site; or armed with some of the free wireless sniffers available, sniff out passwords and other critical information from your network.

I first got acquainted with NetStumbler while finishing a large, campus-wide wireless network rollout. I used it to track down rogue access points and for some site surveys. I had heard of war driving from my wireless resources, but never made an effort to search for other networks until I read a report by the BBC in November of 2001. In that study, computer professionals found unprotected wireless networks throughout London's financial district.

Survey of Insecure Access Points

I live outside of Charlotte, N.C., a fast growing city in the sunbelt of the United States. Its population has almost doubled in size in 10 years and it has recently become the headquarters for some of the largest financial institutions in the US. I began to wonder what the wireless picture was like in my own city.

Armed with an old Dell laptop with an Orinoco Gold wireless network card, I took off. I also had Lucent's Range Extender antenna that plugged into the card, and propped that up on the dash, giving the laptop a much better signal than it could have gotten from the card's built-in antenna. Also included was my Garmin eTrex GPSR attached to the serial port of my laptop.

Be sure to set your network adapter's profile for "ANY" network name, and you can also vary the scanning speed of your network adapter under Options, Scan Speed. The only downside to scanning quicker is that it tends to consume batteries a bit faster, and causes the network adapter to heat up somewhat since it has to work harder.

Programs like NetStumbler are passive, meaning all they do is listen for networks. Doing so does not violate any FCC regulations, but when you start interacting with networks, the law gets somewhat cloudy. As a professional, I did not want to invade anyone's network. A personal firewall was installed on my laptop, not to protect me, but to protect others by keeping me off their network.

Since I live in a very rural area, I was not expecting to find any access points until I reached more populated areas. Imagine my surprise when less than 5 miles from my house, the first access point I find is from a small church out in the middle of nowhere!

It wasnít long into my trip to Charlotte before access points started popping up on my screen quicker than I could count. I found access points coming from industrial centers along the interstate's service road, along with convenience stores and other shops. Even while crossing high overpasses a few new ones would pop up.

Map of Wireless Access Points

Map of wireless access points in the Charlotte, N.C., area (Click on image for larger view)

Cruising through downtown Charlotte revealed dozens of access points. Many of the newer financial buildings are constructed mainly of glass. I found that they made great "windows" into a company's wireless network. Driving by the government area, I found several state and local agencies' networks. As I drove by the Federal Courthouse, up popped another access point, "CourtRm AP" was its SSID. "What was an access point doing in a courtroom?" I wondered.

Also, now that I was driving at slow speeds through town and my laptop was given more time to "see" each network, almost every network on the street was trying to give me a DHCP address. Of course, my firewall was configured to reject any connections. By the end of the afternoon I counted 87 networks; only 12 were shown to have WEP turned on, about 14 percent.

On my next excursion, driving by medical complexes and back through the city, I had a total count of 124 networks, with only 21 having WEP on (about 17 percent).

Finding connections in the car

I realize not having WEP turned on doesn't necessarily mean the WLAN is without security; they may be using some backend security such as IPsec, VPN or VLAN, but from studying other factors, I would guess this is not the case for most of the networks I discovered.

In many cases, the APs were named in such a way that their company name or personal names were easily traceable. Even more disturbing, many of the names of the AP were left as they were from the manufacturer. This gives a hacker inside information that, more than likely all default settings, including the password, were left as they came from the manufacturer as well. Armed with that information, a hacker could reconfigure the access point so that they could easily get into the network.

Another surprising fact is that many of the APs were inexpensive, off-the-shelf units being used in enterprise environments. Having installed a number of both SOHO and enterprise-type access points, I know the cheaper units lack the management features that aid in securing a WLAN. I was surprised to discover that even access points from Cisco and Lucent were usually left at the default settings.

Comment on this articleWhat have you discovered in the world of insecure networking?
Post your comments

Doctor offices made up a substantial number of the networks I discovered. Most of those discovered had WEP turned off, which may possibly be in violation of HIPAA (Health Insurance Portability and Accountability Act) if they are transmitting patient data using electronic means that are not secure.

James Crouch, a network engineer who also works with wireless LANs, did his own non-scientific study in the high-technology area of North Carolina's Research Triangle Park (RTP). He found the results much better than the downtown Charlotte area. About 65 percent of the networks found were WEP-enabled. But again, as with Charlotte, he found most of these Fortune 500 companies had network names that clearly broadcasted their company name and other information. In one case, we found a street address and phone number as the SSID.

Pages: 1, 2

Next Pagearrow