The concept of wireless networking dates back at least as far as ALOHANET in 1970. While this project is now of primarily historical interest, the online overview is still worth reading (see en.wikipedia.org/wiki/ALOHA_network). The concept of ALOHANET spanned many of the core network protocols in use today, including Ethernet and Wireless Fidelity (aka WiFi). ALOHANET was the precursor of the first generation of wireless networks.

Wireless technologies may be categorized in a variety of ways depending on their function, frequencies, bandwidth, communication protocols involved, and level of sophistication (ranging from first- through third-generation wireless systems). For our purposes, we'll lump them into four basic categories: Wireless Data Networks (WDNs), Personal Area Networks (PANs), Wireless Local Area Networks (WLANs), of which the newer Wireless Metropolitan Area Networks (WMANs) and Wireless Wide Area Networks (WWANs) are offshoots, and satellite networks.

WDN is a cluster of technologies primarily related to, developed for, and marketed by vendors in the telephony and handheld market. This market covers a lot of ground, from basic digital cellular phones to relatively sophisticated PDAs and tablet PCs that may rival notebook computers in capabilities. WDN includes protocols such as Cellular Digital Packet Data (CDPD), an older 19.2Kbps wireless technology that is still in use in some police departments for network communication with patrol cars; General Packet Radio Service (GPRS) and Code Division Multiple Access 2000 (CDMA2000), which are multi-user, combined voice and data 2.5-generation technologies that exceed 100Kbps; and Wireless Application Protocol (WAP), which provides wireless support of the TCP/IP protocol suite and now provides native support of HTTP and HTML. If you're using a cellular phone with text messaging and Web support, you're likely using some form of WAP.

PANs began as "workspace networks." Bluetooth, for example, is a desktop mobility PAN that was designed to support cable-free communication between computers and peripherals. Blackberry (www.blackberry.com) is like Bluetooth on steroids. It integrates telephony, Web browsing, email, and messaging services with PDA productivity applications. As such it blurs the distinction between PAN and WLAN.

WLAN is what most of us think of as wireless technology. It includes the now-ubiquitous 802.11 family of protocols, as well as a few others. Table 1 provides a quick overview of some of the 802.11 protocol space. Note that all but the first are derivative from the original 802.11 protocol introduced in 1997. In Table 1, "Year" denotes the approximate year of introduction as a standard (for example, 802.11a and 802.11b were introduced at the same time, though 802.11a came to market later). The two bands used for WiFi are Industrial, Scientific, and Medical (ISM) and Unlicensed National Information Infrastructure (UNII). Bandwidth is the advertised maximum. Encoding, aka "spectrum spreading," techniques appear at the physical or link layer and include frequency-hopping spread-spectrum (FHSS), direct-sequence spread-spectrum (DSSS), and orthogonal frequency division multiplexing (OFDM).

Table 1. The 802.11 protocol family.

Standard             802.11      802.11a   802.11b   802.11g   802.11n
Year                 1997        1999      1999      2003      2005
Frequency            2.4GHz      5GHz      2.4GHz    2.4GHz    5GHz?
Band                 ISM         UNII      ISM       ISM       ?
Bandwidth            2Mbps       54Mbps    11Mbps    54Mbps    100+Mbps
Encoding Techniques  DSSS/FHSS   OFDM      DSSS      OFDM      ?

Both the 802 and 802.11 landscapes are somewhat more cluttered than the table suggests. For example, 802 also allows for infrared support at the physical layer. In addition, proprietary standards for 802.11 have been proposed. In 2001, Texas Instruments proposed a 22Mbps variation of 802.11b called "b+", and Atheros proposed a 108Mbps variant of 802.11g called "Super G". Further, there are standards for enhanced QoS (802.11e) and enhanced security (802.11i) that are actually orthogonal to the traditional 802.11 family in the sense that they deal with limitations rather than the characteristics of the protocol suite. To make comparisons even more confusing, there are 802.1x protocols like 802.16 (2001) and 802.16a (2003) that are designed for wider area coverage: the so-called Metropolitan Area Networks or MANs. The 802.11n specifications are meager as of this writing, although the current attention is on increasing throughput at the MAC interface rather than the physical layer.

The Origins of War Driving

The first formalization of the concept of war driving, circa 1999, is attributed to Peter Shipley. His early war driving experimentation was subsequently introduced to the hacker community at DEFCON 9 in Las Vegas in July 2001; Figure 1 is derived from this experiment. The basic idea behind war driving is to "sniff" 802.11 traffic with a wireless card set to monitor mode so that it accepts all traffic on a frequency irrespective of intended target. War driving is an extension of the concept of war dialing that deserves some explanation.

Figure 1. An early WAP map, circa 2001 (source: Peter Shipley, "Open WLANs—The Early Results of WarDriving"; www.dis.org/filez/openlans.pdf).

War dialing is the technique used by the main character in the 1983 movie WarGames to gain access to computer systems. One
ving competition is held, with results presented at the DEFCON hacker convention every summer (the fourth and most recent competition occurred in June).

The typical war drive reveals a pattern of Wireless Access Points (WAPs), as shown in Figure 2. This information is derived from a wireless detector or computer with a wireless card operating in monitor (RFMON) mode. In the early period of war driving (circa 2000), the war driver's vehicle would have a front seat strewn with cables, antennae, GPS equipment, and a notebook computer. Now, this detection is usually done with a self-contained PDA, with analysis performed offline on a full-screen computer. Figure 3 illustrates the process on a Windows CE-based PDA operating Air Magnet. As the screen in Figure 3 illustrates, the current scan is being performed on channel 6 for 802.11b traffic at 2.4370GHz. The two WAPs detected are reported, along with their MAC addresses, names, and current signal strength. This information is collected and plotted to produce the WAP maps. While this is a cursory overview, it gets to the essence of war driving; I will expand on this topic in a subsequent column.

Figure 3. Wireless "sniffing" Palm style with Air Magnet and an HP IPAQ Pocket PC.

War Driving Lessons

In short, war driving has demonstrated that wireless technology has opened the largest computer network security hole since the advent of modems. The data in Table 2 comes from the four WorldWide War Driving competitions.

Table 2. WorldWide war drives.

                                  WWWD1 (2002)   WWWD2 (2002)   WWWD3 (2003)   WWWD4 (2004)
                                  (9374 WAPs)    (24958 WAPs)   (88122 WAPs)   (228537 WAPs)
Default SSID                      29.5%          35.3%          27.8%          31.4%
No WEP enabled                    69.9%          72.0%          67.7%          61.6%
Default SSID and no WEP enabled   26.7%          31.4%          24.8%          27.5%
Source: www.worldwidewardrive.org/

By way of background, the Service Set ID (SSID) in Table 2 can be thought of as the "name" that is assigned to a WAP in "infrastructure mode." This name is needed for clients to associate with it. Obviously, the first step toward security is to avoid broadcasting the SSID to the world. The second step is to pick a name that isn't the default set by the vendor. "Default SSID" reports the percentage of the WAPs that were discovered using the SSID that came shrink-wrapped with the WAP hardware.

Wired Equivalent Privacy (WEP) is the encryption technique used in the popular 802.11 protocols. Simply stated, there's little to recommend it, as it fails virtually every reasonable standard for data integrity, confidentiality, and authentication in both theory and implementation. While WEP will not withstand a serious attack from any would-be intruder armed with free tools available on the Internet, it will slow down the attacker if properly configured, and will discourage neophytes who seek to authenticate with the WAP. The only thing worse than enabling WEP is not enabling WEP! The data in Table 2 indicates that over 60% of the WAPs detected fail to have WEP enabled. In the wireless realm, this is akin to leaving your wallet on
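The three rows of Table 2 computed over a constructed scan, as an added example that is not the column's own code and does not reproduce Kismet's or Air Magnet's output format: the records, the "bssid,ssid,wep" layout and the DEFAULT_SSIDS list are assumptions. Run over an administrator's own WAP inventory instead of a war-drive log, the same tabulation yields a remediation list rather than a statistic.

```python
"""Tabulate the Table 2 rows over a set of detected WAPs. Added example, not
the column's code: the records, field layout and DEFAULT_SSIDS are constructed."""
from dataclasses import dataclass
# Constructed vendor-default SSIDs; a real audit uses the defaults of the vendors deployed.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "wireless", "tsunami"}
# Constructed scan output, one WAP per line; 02: MACs are locally administered, not real.
SAMPLE_SCAN = """\
# bssid,ssid,wep
02:00:00:00:00:01,linksys,no
02:00:00:00:00:02,CorpNet,yes
02:00:00:00:00:03,default,no
02:00:00:00:00:04,Lab-WLAN,no
02:00:00:00:00:05,NETGEAR,yes
02:00:00:00:00:06,,no
02:00:00:00:00:07,tsunami,no
02:00:00:00:00:08,Finance,yes
"""

@dataclass(frozen=True)
class AccessPoint:
    bssid: str  # MAC address reported by the scanner
    ssid: str   # advertised name, "" when the WAP does not broadcast one
    wep: bool   # WEP seen enabled: the Table 2 threshold, not a claim of security

def parse_scan(text: str) -> list[AccessPoint]:
    """Parse 'bssid,ssid,wep' lines, skipping blanks and '#' comments."""
    rows = [ln.split(",", 2) for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return [AccessPoint(b.strip().lower(), s.strip(), w.strip().lower() in ("yes", "1", "true"))
            for b, s, w in rows]

def is_default_ssid(ssid: str) -> bool:
    return ssid.strip().lower() in DEFAULT_SSIDS

def war_drive_summary(aps: list[AccessPoint]) -> dict[str, float]:
    """Percentages for the three Table 2 rows, rounded as the table reports them."""
    n = len(aps) or 1
    default = [ap for ap in aps if is_default_ssid(ap.ssid)]
    no_wep = [ap for ap in aps if not ap.wep]
    pct = lambda group: round(100.0 * len(group) / n, 1)
    return {"default_ssid": pct(default), "no_wep": pct(no_wep),
            "default_ssid_and_no_wep": pct([ap for ap in default if not ap.wep])}

def needs_attention(aps: list[AccessPoint]) -> list[tuple[str, list[str]]]:
    """WAPs an administrator should fix, worst first: both problems rank above one."""
    ranked = []
    for ap in aps:
        problems = ["default SSID"] * is_default_ssid(ap.ssid) + ["no WEP"] * (not ap.wep)
        if problems:
            ranked.append((ap.bssid, problems))
    return sorted(ranked, key=lambda item: -len(item[1]))  # stable: keeps scan order within a tier
```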
of breed tools for wireless sniffing (Kismet for the *nix platforms; Air Magnet for Windows) are used by both air jackers and wireless guardians, though toward different ends. This is a familiar story in network security—most of the products developed have benevolent and malevolent uses. (Although Dug Song's switch flooder, Arpspoof, stretches this claim.) The lesson to be learned from war driving is that there is nothing inherent in the "sniffing" technology that encourages socially unacceptable or illegal behavior. The tools a hacker might use to intercept organizational wireless traffic are the same tools that are used to harden the organizations' wireless infrastructure.

The solution to the problem of misuse is awareness, both in terms of the capabilities of the tools and the uses toward which they're put. Knowledge and vigilance are formidable adversaries of misuse. I've endeavored to contribute to the former in this column.

Hal Berghel (www.acm.org/hlb) is a professor and the director of the UNLV School of Computer Science, and director of the University's Center for Cybermedia Research and co-Director of the National Identity Theft and Financial Fraud Research and Operations Center.

© 2004 ACM 0001-0782/04/0900 $5.00