Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA).
Software for wardriving is freely available on the Internet, notably NetStumbler, InSSIDer or Ekahau Heat Mapper[1] for Windows; Kismet or SWScanner for Linux, FreeBSD, NetBSD, OpenBSD, DragonFly BSD, and Solaris; and KisMac for Macintosh. There are also homebrew wardriving applications for handheld game consoles that support Wi-fi, such as sniff_jazzbox/wardive for the Nintendo DS, Road Dog for the Sony PSP, WiFi-Where for the iPhone, and G-MoN and Wardrive for Android and WlanPollution[2] for Symbian NokiaS60 devices. There also exists a mode within Metal Gear Solid: Portable Ops for the Sony PSP (wherein the player is able to find new comrades by searching for wireless access points) which can be used to wardrive. Treasure World for the DS is a commercial game in which gameplay wholly revolves around wardriving.
Contents |
Wardriving originated from wardialing, a method popularized by a character played by Matthew Broderick in the film WarGames, and named after that film. Wardialing in this context refers to the practice of using a computer to dial many phone numbers to try to find an active modem.
Warbiking is similar to wardriving, but is done from a moving bicycle or motorcycle. This practice is sometimes facilitated by mounting a Wi-Fi enabled device on the vehicle.
Warwalking, or warjogging, is similar to wardriving, but is done on foot rather than from a moving vehicle. The disadvantages of this method are slower speed of travel (resulting in fewer and more infrequently discovered networks) and the absence of a convenient computing environment. Consequently, handheld devices such as pocket computers, which can perform such tasks while users are walking or standing, have dominated this practice. Technology advances and developments in the early 2000s expanded the extent of this practice. Advances include computers with integrated Wi-Fi, rather than CompactFlash (CF) or PC Card (PCMCIA) add-in cards in computers such as Dell Axim, Compaq iPAQ and Toshiba pocket computers starting in 2002. More recently, the active Nintendo DS and Sony PSP enthusiast communities gained Wi-Fi abilities on these devices. Further, many newer smartphones integrate Wi-Fi and Global Positioning System (GPS).
Warrailing, or Wartraining, is similar to wardriving, but is done on a train/tram/other rail-based vehicle rather than from a slower more controllable vehicle. The disadvantages of this method are higher speed of travel (resulting in fewer and more infrequently discovered networks), and often limited routes.
Warkitting is a combination of wardriving and rootkitting.[3] In a warkitting attack, a hacker replaces the firmware of an attacked router. This allows them to control all traffic for the victim, and could even permit them to disable SSL by replacing HTML content as it is being downloaded.[4] Warkitting was identified by Tsow, Jakobsson, Yang, and Wetzel in 2006. Their discovery indicated that 10% of the wireless routers were susceptible to WAPjacking (malicious configuring of the firmware settings, but making no modification on the firmware itself) and 4.4% of wireless routers were vulnerable to WAPkitting (subverting the router firmware). Their analysis showed that the volume of credential theft possible through Warkitting exceeded the estimates of credential theft due to phishing.
Wardrivers use a Wifi-equipped device together with a GPS device to record the location of wireless networks. The results can then be uploaded to websites like WiGLE, openBmap or Geomena where the data is processed to form maps of the network neighborhood. There are also clients available for smartphones running iOS or Android that can upload data directly. For better range and sensitivity, antennas are built or bought, and vary from omnidirectional to highly directional.
The maps of known network IDs can then be used as a geolocation system — an alternative to GPS — by triangulating the current position from the signal strengths of known network IDs. Examples include Place Lab by Intel, Skyhook, Navizon by Cyril Houri, SeekerLocate from Seeker Wireless, openBmap and Geomena. Navizon and openBmap combines information from Wi-Fi and cell phone tower maps contributed by users from Wi-Fi-equipped cell phones.[5][6] In addition to location finding, this provides navigation information, and allows for the tracking of the position of friends, and geotagging.
In December 2004, a class of 100 undergraduates worked to map the city of Seattle, Washington over several weeks. They found 5,225 access points; 44% were secured with WEP encryption, 52% were open, and 3% were pay-for-access. They noticed trends in the frequency and security of the networks depending on location. Many of the open networks were clearly intended to be used by the general public, with network names like "Open to share, no porn please" or "Free access, be nice." The information was collected into high-resolution maps, which were published online.[7][8]
Wireless access point receivers can be modified to extend their ability for picking up and connecting to wireless access points. This can be done with an ordinary metal wire, and a metal dish that is used to form a directional antenna. Other similar devices can be modified in this way too, likewise, not only directional antennas can be created, but USB-WiFi-stick antennas can be used as well.
Wardrivers are only out to log and collect information about the wireless access points (WAPs) they find while driving, without using the networks' services.
Connecting to the network and using its services without explicit authorization is referred to as piggybacking.
The terms have been interchanged in the press, however. For instance, an m-indya article with the headline "WiFi user charged for not buying coffee"[9] refers to a user who "piggybacked off the shop's wireless Internet service for more than three months". When reposted by Engadget, the term "wardriving" was substituted, and the headline changed to "Wardriver arrested for snagging coffee shop signal".[10]
Typical wardriving software actually takes control of the wireless radio, making it impractical, if not impossible, to wardrive and piggyback simultaneously. Sometimes having 2 network adapters solves this glitch.
Some portray wardriving as a questionable practice (typically from its association with piggybacking), though, from a technical viewpoint, everything is working as designed: many access points broadcast identifying data accessible to anyone with a suitable receiver. It could be compared to making a map of a neighborhood's house numbers and mail box labels.[11]
There are no laws that specifically prohibit or allow wardriving, though many localities have laws forbidding unauthorized access of computer networks and protecting personal privacy. Google created a privacy storm in some countries after it eventually admitted systematically but surreptitiously gathering WiFi data while capturing video footage and mapping data for its Street View service.[12] It has since been using Android-based mobile devices to gather this data.[13]
Passive, listen-only wardriving (with programs like Kismet or KisMAC) does not communicate at all with the networks, merely logging broadcast addresses. This can be likened to listening to a radio station that happens to be broadcasting in the area.
With other types of software, such as NetStumbler, the wardriver actively sends probe messages, and the access point responds per design. The legality of active wardriving is less certain, since the wardriver temporarily becomes "associated" with the network, even though no data is transferred. Most access points, when using default "out of the box" security settings, are intended to provide wireless access to all who request it. The war driver's liability may be reduced by setting the computer to a static IP, instead of using DHCP, preventing the network from granting the computer an IP address or logging the connection.[14]
In the United States, the case that is usually referenced in determining whether a network has been "accessed" is State v. Allen. In this case, Allen had been wardialing in an attempt to get free long distance calling through Southwestern Bell's computer systems. When presented with a password protection screen, however, he did not attempt to bypass it. The court ruled that although he had "contacted" or "approached" the computer system, this did not constitute "access" of the company's network.[15][16][17][18][19]