Mar 08, 2009
After so many weeks of cold, bracing wind and a few days of snow, a weekend of bright sun and temperatures in the mid-70s seemed like an ideal time to get out a little and do some running around while enjoying the nice weather. And so on Saturday afternoon I opened the windows, threw some gear into my backpack, slapped a GPS puck onto the roof of the TARDIS (I've grown quite attached to my Rikaline GPS-6010 - thanks again, Rhianna!) and headed over to pick up Hasufin and Mika to do a little wardriving in northern Virginia. For those of you who are already familiar with the practice you can skip right to the cut for the rest of this article. For those of you who aren't, here's a little background:
Wireless data networking has really taken off in the past decade with the introduction of wireless access points like the Linksys WRT54G2 home wireless router. Wireless networking, at its heart, was meant to make it relatively cheap, easy, and quick to set up a network. Plug in your AP, pop 802.11 cards into your laptop and desktop computers, and off you go - you don't have to worry about figuring out IP addresses, running cable, or setting up a firewall because your AP was supposed to have it all done for you (due to the presence of a DHCP server in the access point and a basic NAT configuration). Right?
Not so much. First of all, wireless networking is based around unlicensed low-power radio transceivers - the signals travel until they fade into noise due to the inverse square law, they're absorbed by metallic objects in the environment, or interference of some kind swamps the signal. This also means that it's possible to pick up a signal outside of where it's supposed to be; it is quite common to stay associated with an access point as far as the end of the driveway, for example. This means that it's possible to drive down the road with your laptop's wireless card in monitor mode and make a note of every access point whose signal is strong enough to see from the street. I'm a fan of Kismet for wireless mapping; Hasufin loaded a copy of WiFiFoFum onto his iPod Touch to do the same thing. When you get right down to it, all these applications really do is set the wireless card to passively listen to every packet from every wireless network that comes their way, grab a copy of every packet, try to analyze it to figure out what it is (network control, data, encrypted data, or junk), and change the channel/frequency the card is monitoring to see what else is out there (because the radio spectrum which wireless networking uses is broken into channels to make configuration simpler). If you add a GPS, many wardriving packages will also record the co-ordinates at which each wireless network was first detected so that they can be plotted on a map.
During the four hours we spent driving around NOVA we discovered approximately 1,802 unique wireless networks. Of those networks, 626 were configured for wireless channel 06 (the default); 420 were configured for channel 01; 418 were configured for channel 11; 124 APs were reported as using channel 00 (this seems to me as if it's an artefact of something odd going on which I'll be looking into).
Analyzing the encryption methods in use proved interesting: 877 networks were configured to use WEP only to encrypt network traffic; 477 networks had no encryption configured at all. Another 444 networks advertised the use of WPA, the more secure successor to WEP, though all of those also claimed to still support the use of WEP for associated clients. Another four networks claimed to support some unusual variants of WEP (WEP TKIP and WEP CCMP).
When analyzing the data transmission speeds at which the networks we saw were running, the results were odd, to say the least. 624 networks advertised their speeds as 18 megabits per second. Another 514 wireless networks were found to support speeds up to 54 megabits per second (which is right in line with 802.11g). 389 wireless networks advertised speeds of 11 megabits per second (right in line with the older 802.11b standard). Another 158 APs were advertising speeds in the neighborhood of 36 megabits per second.
While performing an exhaustive analysis of all the ESSIDs (colloquially referred to as network names) seen would be counterproductive due to the creativity of the people who own the access points, it can be stated from the results that 309 of the networks did not appear to report an ESSID at all, 121 networks reported their names as 'linksys' (which suggests that the access points were running factory default configurations, but Mika and I were watching the updates in realtime and personally didn't see very many which were tagged as 'factory default' by our respective wardriving software packages), 28 of the networks reported the name 'NETGEAR' (see previous comment), and 15 appeared to be named 'default'. Among the more interesting ESSIDs we saw were 'Do Not Use', 'WirelessMama', 'Morgan Freeman', 'get your own', 'virus-infected' (thanks for the warning), 'Tie Wrap Watermellon', 'Rikki Tikki Tabby', 'El Pollo Diablo', and 'Sex Panther'.
Because I'd configured Kismet to record GPS co-ordinates for every AP it registered, I was able to run the logs through a utility called kisgearth and generate .kml files that can then be loaded into Google Earth. Hasufin remarked today that he hopes that they never discover that the emanations from wireless access points cause cancer.
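As an added worked example (my own code, not from this post and not Kismet's or kisgearth's), here is a small Python script that does the same kind of tallying described above over a survey file and writes the first-seen positions out as KML for Google Earth. The CSV layout, the six sample access points in it, the `FACTORY_ESSIDS` list and the `classify_encryption` buckets are all constructed assumptions for illustration; real Kismet logs use a different column layout.

```python
"""Tally a wardriving survey and export first-seen AP positions as KML.

Added example: the CSV layout below is a simplified, constructed format,
not Kismet's real log columns, and every record is made up.
"""
import csv
import io
from collections import Counter
from xml.sax.saxutils import escape

# Constructed sample survey, one row per access point as first seen.
# Empty lat/lon models an AP logged before the GPS puck had a fix.
SAMPLE_CSV = """\
bssid,essid,channel,encryption,max_rate,lat,lon
00:11:22:33:44:01,linksys,6,None,54,38.8801,-77.1001
00:11:22:33:44:02,NETGEAR,6,WEP,11,38.8802,-77.1002
00:11:22:33:44:03,,11,WPA+WEP,54,38.8803,-77.1003
00:11:22:33:44:04,HomeNet,1,WPA,54,38.8804,-77.1004
00:11:22:33:44:05,default,0,WEP,18,38.8805,-77.1005
00:11:22:33:44:06,coffee,11,None,36,,
"""

# ESSIDs that usually mean the AP is still on its factory configuration
# (assumed list for this example).
FACTORY_ESSIDS = {"linksys", "netgear", "default"}


def parse_survey(text):
    """Read survey rows into dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_encryption(field):
    """Bucket an advertised cipher list the way the post tallies them.

    'WPA+WEP' is an AP that advertises WPA but still accepts WEP clients,
    so it offers no more protection than WEP to anyone who joins with WEP.
    """
    tokens = {t.strip().upper() for t in field.split("+") if t.strip()}
    if not tokens or tokens == {"NONE"}:
        return "open"
    if "WPA" in tokens and "WEP" in tokens:
        return "wpa_with_wep_fallback"
    if "WPA" in tokens:
        return "wpa"
    if tokens == {"WEP"}:
        return "wep_only"
    return "other"


def summarize(records):
    """Counts by channel, encryption class, advertised rate and ESSID state."""
    essid_state = Counter()
    for r in records:
        name = r["essid"].strip()
        if not name:
            essid_state["hidden_or_empty"] += 1
        elif name.lower() in FACTORY_ESSIDS:
            essid_state["factory_default_name"] += 1
        else:
            essid_state["custom"] += 1
    return {
        "total": len(records),
        "channels": Counter(r["channel"] for r in records),
        "encryption": Counter(classify_encryption(r["encryption"]) for r in records),
        "rates_mbps": Counter(r["max_rate"] for r in records),
        "essids": essid_state,
    }


def to_kml(records):
    """One Placemark per AP that had a GPS fix; KML wants lon,lat,alt order."""
    placemarks = []
    for r in records:
        if not r["lat"] or not r["lon"]:
            continue  # no position recorded, nothing to plot
        name = r["essid"].strip() or "(hidden)"
        desc = "%s ch%s %s" % (r["bssid"], r["channel"], classify_encryption(r["encryption"]))
        placemarks.append(
            "<Placemark><name>%s</name><description>%s</description>"
            "<Point><coordinates>%s,%s,0</coordinates></Point></Placemark>"
            % (escape(name), escape(desc), r["lon"], r["lat"])
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
        + "\n".join(placemarks)
        + "</Document></kml>"
    )


if __name__ == "__main__":
    recs = parse_survey(SAMPLE_CSV)
    for key, value in summarize(recs).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    print(to_kml(recs))
```

Rows without a fix are dropped from the KML rather than plotted at 0,0, and ESSIDs are XML-escaped before they go into the Placemark, since network names are attacker-chosen text and a stray `<` in one would otherwise corrupt the file Google Earth loads.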
I've compressed the logfiles so if you want to take a look for yourself you can download them here.
Though I should probably have spoken of this earlier, I feel a need to mention the legality of wardriving and associated variants (like war walking, war ballooning, war fortune cookie-ing (which I now feel compelled to implement), or what have you). By putting your wireless card into monitor or rfmon mode, you aren't actually a) associating with any access points or b) transmitting. The wireless card is simply listening for any traffic that might happen to come its way, which is the nature of wave-based communications. This is analogous to listening in to someone's conversation about the latest episode of Lost in a coffee shop, as opposed to trying to join in uninvited. It seems to be when you actually associate with the access point, acquire or figure out a network address, and start actively participating in the network traffic on the other side that you actually start running afoul of the law, or at least that's what the court decisions seem to indicate.