Hackers are on the warpath again. Some call today's tactics war driving.
Others call these efforts Net stumbling. Whatever the moniker, it's coming to a
city near you. And maybe even to your neighborhood.
But what exactly is going on? What exactly is war driving? It's a variation of
war dialing, an old hacker tactic that dates back to the good old days when
analog modems were king. Hackers would develop scripts that dialed all the
possible numbers in an exchange to determine which ones were attached to a
modem. Once the hot phone numbers were discovered, a series of known hacks
would be applied in an effort to break into whatever was attached to a
modem.
War driving simply reflects the times. It involves a search for 802.11 wireless
networks. It has only been around for a year or so, but here's how war driving
usually works: Most war drivers cruise around metropolitan areas in their cars
with wireless-equipped notebook computers and high-gain antennas capable of
detecting signals at long range. Recently, however, some war drivers have
begun to step over the legal line a bit by using RF amplifiers.
Most war drivers are not sinister in nature. They're usually just a little
over-curious. Many are security consultants trying to garner some media attention.
That's not so bad, is it? Maybe not, but would you feel a little differently if the
war drivers were mapping your neighborhood and then publishing the results on
the Internet? Thanks to a software product called NetStumbler, a war driver
equipped with a portable GPS device can now pinpoint the exact location of
access points, which then can be easily transcribed onto a map.
NetStumbler not only allows hackers to identify the geographic coordinates for
access points, it also determines whether any security provisions have been
implemented and reports the 802.11 service set identifier that is
configured on each access point and is normally broadcast periodically using
beacons.
In his project in the Research Triangle Park area of North Carolina, Alan Clegg
found that only a very small proportion of access points in residential
neighborhoods employ 802.11 WEP (wired equivalent privacy), a technology
that provides privacy by encrypting data streams and prevents clients who
don't know the right WEP key from associating with the access point. In areas
with more businesses, Clegg found a greater percentage of locations have WEP
enabled.
If you've followed the wireless LAN business for a while, you probably are
aware of the fact that WEP has been successfully hacked. In fact, security
experts refer to it as "totally insecure." And they are correct, to the extent
that available public-domain software will allow a hacker to capture your WEP
keys by mounting a passive attack. However, the hacker does need to capture
a significant amount of data to successfully compromise the system. For that
reason, most security analysts recommend that WEP be used to provide a first
line of defense, despite its penetrability if an attacker is motivated. How many
hackers do you think are willing to park their cars outside your business with a
directional antenna poking out of the sunroof for a half-hour collecting enough
data to crack WEP?
Should you be concerned? Yes. Some users dismiss the security threat by
asserting that the only consequence is another user sharing their Internet
connections. However, since the attack effectively takes place inside your
network, any local LAN services -- including file shares -- are also exposed.
Are there steps you can take to further protect yourself? Yes, to a limited
extent. If you're a home- or small-office user, you probably can't really afford
to implement a robust security overlay. But you can at least add MAC-address
restrictions, provided your access point supports that capability, which most
do. Since wireless traffic can be captured using a wireless protocol analyzer
and MAC addresses can be spoofed, you're still not totally secure; but at least
you have a deterrent. And given the number of wireless networks that are
totally open, you don't need much of a deterrent to get a war driver to
continue driving down the road.
If you're working in an enterprise setting, you may find these war driving tools
useful for auditing your company's wireless security policy (you do have one,
don't you?). Rogue access points (usually low-cost, wireless NAT gateways)
are being installed in many offices, and because these connections are usually
inside the enterprise firewall, they represent a significant security threat. Given
the technology's appeal, I'm glad I don't have to be the one pulling the plugs on
people's wireless connections. But if I had to, I'd certainly do it.
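
As an added illustration of the enterprise audit described above (not code from the original column): a short Python script that compares a wireless survey against an inventory of sanctioned access points and reports rogue or unencrypted ones along with where they were heard. The CSV layout, the `AUTHORIZED` inventory, and every address and coordinate in it are constructed for the example and do not reflect any real tool's export format.

```python
import csv
import io

# Constructed survey data (not a real tool's export format): one row per
# access point heard during a walk-through of the office.
SURVEY_CSV = """ssid,bssid,wep,lat,lon
CorpNet,00:11:22:33:44:01,yes,35.9001,-78.8601
CorpNet,00:11:22:33:44:02,no,35.9002,-78.8602
linksys,00:AA:BB:CC:DD:10,no,35.9002,-78.8603
CorpNet,00:AA:BB:CC:DD:11,yes,35.9003,-78.8604
"""

# Hypothetical inventory of sanctioned access points: BSSID -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
}

def audit(survey_text, authorized):
    """Return (bssid, finding, location) tuples for each policy violation."""
    inventory = {b.upper(): s for b, s in authorized.items()}
    corp_ssids = set(inventory.values())
    findings = []
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        wep_on = row["wep"].strip().lower() == "yes"
        where = f"{row['lat']},{row['lon']}"
        if bssid not in inventory:
            # Not in the inventory: either a plain rogue AP or one that
            # advertises a corporate SSID, which deserves a closer look.
            if ssid in corp_ssids:
                findings.append((bssid, "unknown AP using a corporate SSID", where))
            else:
                findings.append((bssid, "rogue AP", where))
            continue
        if ssid != inventory[bssid]:
            findings.append((bssid, "sanctioned AP with unexpected SSID", where))
        if not wep_on:
            findings.append((bssid, "sanctioned AP without WEP", where))
    return findings

if __name__ == "__main__":
    for bssid, finding, where in audit(SURVEY_CSV, AUTHORIZED):
        print(f"{bssid}  {finding}  near {where}")
```

Because MAC addresses can be spoofed, as noted earlier, a clean result here shows only that no unlisted BSSID was heard during the survey.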