War Driving

Introduction

Some of you may be asking what war driving is. Much like the War-Dialing of the late 80's and early 90's War Driving is a way to enumerate networks and all from the comfort of your own car. Simple to do and effective war driving maps out an area of wireless networks for access and possible connection. All one has to do is drive or walk around to find access. It doesn't take long in highly populated areas. The basic connection setup is a wireless card, a computer, and a GPS receiver, and some special software. There is also war walking which is a more concealed usually using a Pda (iPAQ or Zaurus) instead of a laptop. War Chalking is leaving a chalk mark where a wireless network is located and certain symbols for the access to the network. Information about war chalking can be found here

Flight Plan

Irwin -> Monroeville -> Oakland -> Irwin -> Sheetz -> Greensburg -> Irwin

It begins...

What a night, I drove a little over 80 miles in 2 hours; I and had some fun at it too.

Setup

I used a laptop setup running Windows 2000 utilizing netstumbler and nmap for the more interesting sites, one Lucent Gold 802.11b card, a pig tail cord, one roof mounted antenna, and one borrowed GPS receiver. (Thanks dad).

Irwin

Irwin was a dead zone. (No surprise there) I found 2 houses near mine that had WAPS (Wireless Access Points) both which had no security and were non encrypted. Irwinites are not the smartest of folk! So after checking my spam (I mean email account) parked outside my neighbors house I decided it was time to goto Monroeville.

Monroeville

Before paying my turnpike ticket my computer had found 2 WAPS. I drove down Route 22 and hit a WAP about every other building. There was an appartement complex off the beaten path which must issue a wap to every resident because net stumbler went nuts when I drove past. Some of the more intresting finds in were CompUSA and several other department stores were running wireless access with encryption turned on kudos to them! I kept getting access to tsunami which after I launched mozilla revealed that Monroeville has a local wireless ISP!

Oakland

For those of you unfamiliar with netstumbler it has a setting to play a sound every time it finds a new access point. Which is useful if your driving alone. This sound started the moment I entered Oakland and didn't stop until I left. CMU's campus runs a wireless network and just about everyone has a WAP there, so I circled the CMU campus once and The University of Pittsburgh's Telecommunications department a few times. Most of CMU's stuff isn't running encryption, except for a few WAPs near the frat houses which are after further inspection personal WAP's of students. (Go security).

Greensburg

I went to Greensburg on a whim and because the Sheetz coffee still had not worn off. My most interesting find of the night happend to be in Greensburg. A few hospitals and local business were running WAPS; I also found a few residential areas that had their fare share as well. However, a certain financial provider (who shall remain nameless) had no security turned on, period. In fact, before I could glance over at my laptop to see the name of the access point, the WAP was more than happy to provide my computer with a DHCP release. My browser refreshed the google page. At which point I parked my car and browsed the web a bit. For proof of concept, I scanned their network and decided I had better leave before I did anything for someone to fuss over.

Fin!

In a matter of 2 hours I managed to find 828 unique wireless access points.
Most of them were found tooling along between 35-85 MPH, and many of the WAPs were on the edge of their signal, taking a slower trip and using a larger antenna I could have probed many more networks.
Of these 828, 793 had encryption turned OFF, leaving only 35 encrypted wireless networks.
Of these 828, 10 gave me a DHCP release without checking my cards MAC address.
Wireless security is far worse than any I have seen to date!

Why is this a problem?

The equpiment for this project (laptop excluded) cost under $200 US.
Tools to sniff wireless networks and reconfigure a wireless card's mac address are freely avaliable.
Using AirSnort I could have broken half of the remaining 35 networks encryption keys.

More Info

Security on wireless networks can be done correctly using 128 bit WEP encryption MAC filtering and an IpSEC implementation. However, unless all three elements are in place, breaking into wireless networks is far easier than taking candy from a baby. Park, crack in, drive away.
The NetStumbler Dump from my trip can be downloaded here.
These guys are trying to map the world and have a decent chunk at the momment. mapserver.zhrodagu.net
For more information on WarDriving check out www.wardriving.com
For linux users check out War Linux Project
Download the quick reference guide for WarChalking here
Take me home Scotty!