War flying: Wireless LAN sniffing goes airborne

Computerworld - Hobbyist wireless LAN sniffers are now taking their war-driving skills to the air, detecting hundreds of wireless LAN access points during short trips in private planes cruising at altitudes between 1,500 and 2,500 feet. A Perth, Australia-based "war flier" recently managed to pick up e-mails and Internet Relay Chat (IRC) conversations from an altitude of 1,500 feet.
Wireless LAN war drivers routinely cruise their immediate areas in cars equipped with laptops loaded with a wireless LAN card, an external high-gain antenna and a Global Positioning System (GPS) receiver. The wireless LAN card and GPS receiver feed signals into freeware, such as NetStumbler or Kismet, which detects access points and their identifiers along with their GPS-derived locations.
The term war driving is derived from the "war-dialing" exploits of the teenage hacker character in the 1983 movie WarGames who has his computer randomly dial hundreds of numbers and eventually winds up tapping into a nuclear command and control system.
On Aug. 25, a hobbyist wireless LAN sniffer who goes by the name Delta Farce and Tracy Reed from the San Diego Wireless Users Group conducted a war-flying tour of much of San Diego County in a private plane at altitudes between 1,500 and 2,500 feet.
They detected 437 access points, according to a post describing their aerial sniffing expedition on the Ars Technica Web site. Delta Farce said NetStumbler indicated that only 23% of the access points detected on the war-flying trip had the simplest form of wireless LAN security, Wired Equivalent Privacy (WEP), enabled. The trip also showed that the range of 802.11b wireless LAN signals, which radiate in the 2.4-GHz unlicensed frequency band, is far greater than what manufacturers tell users they can expect.
Delta Farce said he was able to detect access points at a height of 2,500 feet, or about five to eight times the 300- to 500-foot range of wireless LANs used in a warehouse or office. Delta Farce said he assumed that the increased range was due to the lack of obstructions between the aircraft and the access points.
Jason Jordan, a self-described war driver in Perth, Australia, claimed the first war-flying exploit in an Aug. 18 post to the E3 war-driving blog in Australia. In his flight around Perth, Jordan said he detected 92 access points with Kismet and another 95 with NetStumbler. While NetStumbler software can only monitor access points, Kismet can actually intercept network traffic. Jordan said that at an altitude of 1,500 feet, Kismet picked up "IRC conversations, e-mails and clear NetBIOS