Effective Wardriving

Warchalking

As I explained in Chapter 10, there is no single directory that lists all public hotspots; in fact, there's no single directory that even comes close. So knowing where public hotspots are (and among public hotspots, the non-commercial community hotspots most of all) is a serious problem. Wardriving is certainly one way to locate hotspots, but as I'll explain later in conjunction with the NetStumbler utility, just detecting a hotspot tells you nothing about its private/public status.

Sometimes a high-tech problem has a decidedly low-tech solution. Londoner Matt Jones probably didn't expect to become a legend from an idea that he first published in mid-2002. He and some friends had been warwalking in downtown London, cataloging wireless networks, and thought it would be useful to be able to put a physical marking (say, on a wall or a sidewalk) to indicate to other wireless users that a public access point was nearby.

Matt's geistesblitz was to create a 21st century version of the Depression-era secret symbols used by hobos to communicate key facts about the marked locale to other hobos. Perhaps the best-known hobo symbol is a sketch of a smiling cat, indicating that a kind-hearted woman lived in the house bearing the symbol. Other symbols indicated vicious dogs, places where one could hear a sermon and get fed, doctors who would treat a patient without charging, places where the water was not drinkable, and so on.

Twenty-first century wireless hobos ('wibos' as another related warmeme puts it) don't need to know quite such a long list of things. A node is either there or it isn't, and a node that exists is either open or closed, or perhaps open to those who know the WEP password. So there are really only three necessary symbols, as summarized by the 'warchalking card' that Matt Jones published first on his own site, and later at http://www.warchalking.org.

The card is shown in Figure 18.2.

Figure 18.2: The Warchalking Quick Reference Card.

At this writing, warchalking remains a downtown London thing, mostly, though news reports regularly give excitable accounts of 'secret' warchalking symbols turning up all over the world. I myself have never seen a warchalking symbol anywhere in my travels within the United States. I was amazed, however, at how quickly and completely it became a global meme, reported everywhere on the Web and in print media, irrespective of its obvious drawbacks, like being arrested for defacing private or public property. (There are laws in most cities against graffiti.)

What I suspect the warchalkers are hoping is that the symbols will be adopted as a de facto standard by the growing number of wireless Internet providers, especially in the cores of large cities. So instead of forcing wibos to draw the symbols on the sidewalk with chalk (chalk? Do you know what a mess it is to carry around chalk?) wireless node providers would display a card with an appropriate symbol in their windows where prospective customers could see it. This would actually be extremely useful; for example, some of the Starbucks coffee shops in the larger cities now have a fee-based wireless Internet system, but the Starbucks shops in my city do not. Being able to tell at a glance would be useful to people anxious to log into the Net while on the road, as I frequently am. Just last week, as I write this, Schlotzsky's Deli announced that they would actually have their managers warchalk outside those Schlotzsky's restaurants implementing their new Deli Cool Cloud Network of free and open (we'll see how long that lasts!) Wi-Fi hotspots. So Matt's vision may in fact become reality.

On the other hand, the usefulness of the 'closed node' symbol is open to question.

I think what made warchalking a meme is its mythic allusion to hobo life, with the connotation of freedom and setting your own agenda. Wireless networking is definitely in its delicious early life, cherished by its enthusiasts and mostly unsuspected by the world at large, even by the uninformed who buy wireless access points and cards and use them without understanding what they're doing. Sooner or later, all that will pass away (think of the very clubby insider's Internet before the public was admitted in the early 1990s) and Wi-Fi will become… ordinary. Enjoy it (as I do!) while it's still mythic!

Legality and Ethics

The legality of wardriving is untested. A lawyer friend of mine opined a few years ago that the law will never catch up with technology, because technology evolves much faster than law. Keep in mind here the crucial difference between 'laws' and 'law.' Laws may be made by any legislative governmental body; but law is the cumulative body of precedent that comes from years (sometimes decades, or even centuries) of court cases, legal opinion, and numerous individual laws that interact in nonobvious ways. Laws may happen overnight but law does not, and in that fact lies a great deal of peril for things that evolve as quickly as computer technology.

The mainstream press, when they've covered wardriving at all, typically declare it to be of a piece with hacking into networks or even terrorism. (Anything that somebody doesn't like these days, alas, tends to be called 'terrorism.') The truth depends entirely on how you wardrive. Consider what NetStumbler or MiniStumbler do: They poll for beacons, then listen for the SSID beacon of a wireless access point (AP) and report various items included in the beacon, like the SSID, the signal strength, and (if a GPS receiver is integrated with the system) the AP's longitude and latitude.

Is this hacking? No. Consider: The AP is broadcasting its SSID in a continuous beacon. In other words, it wants people to know that it exists; that's what 'broadcast' means. Furthermore, all APs offer their owners the option of turning off the beacon, so that the SSID is no longer broadcast. Once the SSID broadcast is turned off, NetStumbler and MiniStumbler have no way to know that the AP is there, and will not report its presence, even if its radio signals are received by the wireless card.

That's the NetStumbler family of utilities, of course, and there are others. The Kismet utility for Linux goes a great deal further, and will detect a wireless network whether or not its beacon is enabled. It can place compatible wireless cards (currently cards based on Intersil's Prism chipset) into RF monitoring mode, which means it will detect and attempt to interpret any 802.11b radio signal received at the card's antenna. It can sniff packets (that is, capture them nondestructively) and record them, and can even reverse-engineer Wired Equivalent Privacy (WEP) passwords due to the well-known flaws in the WEP cryptographic algorithm. (I discuss these flaws in some detail in Chapter 13.)
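To make the beacon contents described above concrete, here is an added example (not from the book) that decodes a raw 802.11 beacon the way an administrator auditing their own access point might: it reads the SSID, the channel, and the capability 'privacy' bit, and treats a blank SSID element, which is how many APs implement the 'SSID broadcast off' option, as a suppressed SSID. The sample frames, the BSSID, and all function names are constructed for illustration.

```python
import struct

HDR_LEN = 24           # 802.11 management header: frame control .. sequence control
FIXED_LEN = 12         # timestamp (8) + beacon interval (2) + capability info (2)
CAP_PRIVACY = 0x0010   # capability bit 4; on 802.11b gear this means WEP is on

def parse_beacon(frame: bytes) -> dict:
    """Decode one raw beacon frame (no radiotap header, no trailing FCS)."""
    if len(frame) < HDR_LEN + FIXED_LEN:
        raise ValueError("too short to be a beacon")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 8):
        raise ValueError("not a management/beacon frame")
    _ts, interval, cap = struct.unpack_from("<QHH", frame, HDR_LEN)
    info = {"bssid": frame[16:22].hex(":"), "interval_tu": interval,
            "wep": bool(cap & CAP_PRIVACY), "ssid": None, "channel": None}
    pos = HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):                 # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                # truncated element: stop parsing
        if tag == 0 and any(value):              # SSID; empty or all-NUL = hidden
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:           # DS Parameter Set = channel
            info["channel"] = value[0]
        pos += 2 + length
    return info

def sample_beacon(ssid: bytes, cap: int, channel: int) -> bytes:
    """Build a constructed test beacon; the BSSID is a made-up local address."""
    bssid = bytes.fromhex("020000000001")
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, cap)
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return hdr + fixed + tags

def audit(frames) -> dict:
    """Summarise what a set of beacons reveals: open APs and blank SSIDs."""
    aps = [parse_beacon(f) for f in frames]
    return {"total": len(aps),
            "open": [a["bssid"] for a in aps if not a["wep"]],
            "hidden": [a["bssid"] for a in aps if a["ssid"] is None]}

if __name__ == "__main__":
    demo = [sample_beacon(b"linksys", 0x0001, 6),      # factory-default, open
            sample_beacon(b"", 0x0011, 11)]            # blank SSID, WEP on
    for f in demo:
        print(parse_beacon(f))
```

Everything the parser reports comes from a frame the AP transmits in the clear, which is why an out-of-the-box AP with its default SSID and the privacy bit unset shows up in an audit as open.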

This definitely sounds like hacking, but whether it is or not depends on who you are and whose network you're listening to. Kismet was intended to be used by network administrators who are auditing or troubleshooting. If you're doing a security audit of your own network (or the network of someone who hires you to do it) it's your job. If it's not your network and nobody told you to do it, well, that's hacking. This is true for the other wired or wireless network auditing tools and password-recovery utilities like AirSnort and Ethereal as well.

Nearly all wardrivers use NetStumbler or MiniStumbler, and one of the reasons is that these programs don't have the machinery to do anything but detect an access point by its broadcast SSID and record its presence. Using tools like these is ethically much 'cleaner' than using something with more intrusive powers. NetStumbler by itself cannot hack into a network. Of course, once an AP has been found with NetStumbler, other tools can be used to break into it, if it needs 'breaking into' at all. The vast majority of APs found by NetStumbler have no security whatsoever, and are 'wide open.' (This is no exaggeration. In my year of wardriving, I've logged data proving that at the very most 30% to 35% of access points have WEP enabled!)

That being the case, my fellow wardrivers and I adhere to a relatively strict code of ethics that can be cooked down to the following:

  • Don't look

  • Don't touch

  • Don't play through

In other words, 1) don't examine the contents of a network; 2) don't add, delete, or change anything on the network; and 3) don't even use the network's Internet connection for Web surfing, email, chat, FTP, or anything else. Somebody else paid for the bandwidth, and if you don't have permission to use it, you're stealing it.

Basically, unless you have permission, don't connect.

The seriousness with which this code of conduct is held becomes obvious every so often on the NetStumbler forums (more on which a little later) when an overenthusiastic newbie who isn't too clear on the concept gets on a forum and asks how to connect to stumbled APs or, worse, brags about what he did after he connected. The subsequent ass-chewings are quick, thorough, and merciless. (Do it more than once and the NetStumbler moderators will ban you for good. They are very serious about where they stand regarding hacking into other people's networks!) I won't be so naïve as to state that wardrivers never connect to somebody else's AP, but it's pretty clear that that's not the primary intent, and the guys who do it don't talk about it when they do.

Some emerging trends make the picture even fuzzier. More and more coffee shops and restaurants in major metro areas are installing WLANs with broadband connections to the Internet, as are some hotels, bookstores, and other profit-making enterprises. Many of these connections are fee-based (like those at Starbucks), while some are free (like those at Schlotzsky's Deli) and not password protected at all. So… is it legal to lean out your window with a high-gain Yagi antenna aimed at the Schlotzsky's three blocks down and read your email through their unprotected public wireless connection? Probably. Is it ethical? No. But what if you ate lunch down there earlier this afternoon, and stop by for coffee frequently on the way to the subway station? Yup, it gets fuzzier and fuzzier.

I read a news item about a competing coffee shop chain that deliberately tries to rent storefronts within two hundred feet of new Starbucks shops so that their customers can mooch the Starbucks wireless connection, which is clearly unethical and possibly legally actionable; but unless the competing shop promotes this as a 'feature' (rather than simply relying on the inevitable word-of-mouth) the path to legal redress is still very muddy. The fact that customers pay for the Starbucks connection makes it fuzzier still. You're paying for their bandwidth, but do you have to be on their premises to use what you pay for? Yikes!

There's a final consideration on which the whole issue of wardriving's legality may ultimately depend. My lawyer friend (who is not a technologist) asked why so many 802.11b APs are 'wide open.' The reason, of course (as I've described in Part 3 concerning Wi-Fi security) is that APs default to wide open, and when unsophisticated home users take them out of the box and plug them in, that's how they come up, and without further configuration they stay wide open. 'So,' said my lawyer friend, 'most of those people with wide-open networks don't even know that they're wide open.'

True. And that may become a problem. If the user of a wireless AP has the 'reasonable expectation' of privacy when he or she sets up a WLAN, a court could rule that detecting that WLAN is an actionable violation of privacy. It sounds dumb, but this is how it evolved for analog cell phone traffic, and the courts seem to be leaning in that same direction for all sorts of data communications issues. The court case may not come this year or the next, but eventually this question will be tested, and nobody knows how it will be resolved. My guess is that the manufacturers of the wireless APs will take the hits if any hits are to be taken, but all current and future wardrivers need to keep alert for developments on the legal front.



Jeff Duntemann's Drive-By Wi-Fi Guide
ISBN: 1932111743
EAN: 2147483647
Year: 2005
Pages: 181
