Introducing Wardriving

Wardriving is the act of driving around with equipment that can be used to detect Wi-Fi access points located in homes and businesses (see Figure 6-1). It doesn’t require a large investment in equipment or a high degree of technical skill. Anyone can wardrive, and with the proliferation of Wi-Fi networks in homes and businesses, there are plenty of wireless networks waiting to be found.

Figure 6-1: Wardriving

In the days of dial-up computer Bulletin Board Systems (BBS), before the Internet or the World Wide Web, a cracker would use a piece of software called a wardialer to dial a huge range of numbers, one after the other, and listen for a computer to answer at the other end. The wardialer would then log the number, attempt to connect, and, if successful, identify the computer and service at the other end of the line. Wardriving gets its name from comparisons to this cracker activity.

The majority of wardrivers are nothing more than curious Wi-Fi geeks; technophiles who love wireless equipment and enjoy driving around, and discovering and then mapping networks. The members of many Wireless User Groups (WUGs) wardrive to collect data and compile statistics about wireless use and level of security or insecurity of discovered WLANs.

However, harmless geeks aren’t the only people wardriving, and you need to protect your network from the minority of wardrivers that look for unsecured access points for purposes that are more nefarious.

Crackers wardrive to find vulnerable networks that they can break into. Once crackers get inside a WLAN, they can connect to the Internet or attack other computers without law enforcement or security personnel tracking and apprehending them. Efforts to locate the source of the attack lead back to the WLAN from where it originated by the cracker, but not directly to the cracker. This raises a question of liability. Can the courts hold you responsible for crimes that a wardriver commits while using your WLAN without your knowledge? In most cases, the answer is no. In order for you to be criminally liable for the actions of a wardriver, law enforcement must be able to demonstrate that you had intent or that you arranged for a cracker to access your network in order to facilitate the crime.

However, depending on the circumstances and the laws of your state you could be civilly liable for the actions of a hacker. For example, if you have a small business and a cracker was able to steal credit card information because you failed to take reasonable steps to secure your network and protect customer data, you may be subject to a lawsuit by customers who’ve had their personal information stolen.

Because of the potential for liability arising from misuse of your WLAN or from theft of personal information, it’s important that you take steps to secure your WLAN. While you may believe you’re unlikely to be the victim of a cracker, given the popularity of wardriving the chances are greater than you may think.

How wardriving works

Wardriving doesn’t require a great amount of technical skill or expensive equipment. Many people have much of what they need lying around their house already. All a would-be wardriver needs before hitting the road is:

• A laptop with a Wi-Fi adapter or built-in wireless capability

• Wardriving software (available free on the Internet)

• A high gain antenna (optional)

• A power adapter for running the laptop off the car’s battery (optional)

Once the wardriving software is running, all a wardriver has to do is drive around any commercial or residential area and he can detect WLANs. Using a Windows XP laptop and an application named NetStumbler, I was able to detect several WLANs in a rural area of Southern California in just a few minutes (see Figure 6-2). This was without the addition of an external antenna. Had I been in a more populated area I might have discovered hundreds of wireless networks.

Figure 6-2: NetStumbler detecting wireless networks

After identifying a wireless network, a cracker can attempt to connect to it. Unfortunately for WLAN user, connecting to an unsecured WLAN is trivial even for a technical newbie. If you fail to take steps to protect your network, someone may connect to it and use your Internet connection, or access files on your computers, which is why it is so important to know how to protect your network.

Hiding your network

One of the first steps you can take to help protect your wireless network is to turn off the service set identifier (SSID) broadcast on your access point. The SSID is the network name that identifies your WLAN, and access points regularly broadcast data packets, called beacon frames, that announce their presence to the world. Clients and wardrivers can listen for these beacon frames and detect the presence of your access point, as well as discovering your SSID.

Many access points allow you to disable the SSID broadcast. This is a good first step, and it will prevent some wardriving software from detecting your WLAN. However, beacon frames aren’t the only wireless packets that contain the SSID, and tech-savvy wardrivers have software that listens in passive mode and can collect and analyze other network traffic to recover the SSID and detect your access point.

Still, disabling your SSID broadcast can help hide your network from many casual wardrivers, and if they can’t see it, they can’t connect to it.

Changing default settings

Failing to change the default settings on access points is the main reason so many WLANs are at risk. Every piece of networking equipment comes configured with preset or default settings. Manufacturers configure their hardware to facilitate use, not security. They want the device to be simple to set up and use right out of the box, which minimizes customer frustration and cuts down on calls to support centers.

Ease of use doesn’t equal secure, however; it usually results in the opposite. Although devices may have security features built in, manufacturers often assume that users will be able to activate and configure these after they have the device running. Few people ever take the time to enable security features on their access points, let alone reset the default settings that they probably don’t realize are a problem.

A cracker can use the default settings on your access point to identify the make and model of the device, connect to your network, and even take control of it. Default settings for most access points are available online, so you can assume that every cracker knows them. Changing these default settings is an important first step toward protecting your network.

Using the default SSID

Every access point has a default SSID assigned by the manufacturer. Even if you have disabled SSID broadcasting, you should change the default SSID. If you haven’t changed the default SSID, a cracker can use it to identify your access point’s manufacturer and model. For example, the default SSID for most access points manufactured by Linksys Inc. is Linksys.

A cracker who knows which hardware you are using can break into your network with less difficulty. Don’t make it easy for an intruder to gain access. Follow the best practices in Chapter 11, and change your SSID to something unique that doesn’t identify you or your network hardware.

Passwords and usernames

Once a cracker knows which access point you are using, he can use the Internet to look up the default user names and passwords for your particular brand of device. Like the default SSID, the default username and password is public knowledge, and many crackers probably know them by heart.

Unless you change the settings, a cracker can connect to your access point, often through a Web browser (see Figure 6-3), and change the device’s configuration. Your username and password are like the keys to your network; you wouldn’t give out the keys to just anybody, would you? Take the time to change the default user- name and password following the steps explained in Chapter 11.