Confessions of a War Driver

I admit it: I'm a war driver. Cloaked in anonymity, I cruise the alleyways and byways of corporate America, lurking, searching, probing for a weakness.

There! The telltale tone in my earphones alerts me to a potential target. I quickly glance at my laptop in the passenger seat. No encryption on this wireless network. It's wide open.

I have the tools. I have the knowledge. Seizing the opportunity, I ... do nothing.

Just move along, folks. Nothing to see here.

To go further and actually connect to the wireless network I've found would violate the cardinal rule of war drivers: Thou shalt not access another's network under any circumstances.

"Don't do it," says war-driving guru Chris Hurley. Regardless of your motivation -- to experiment, to prove a point, to show an admin his network is unsecure -- "you're committing a crime," he says.

Hurley, a.k.a. Roamer in the war-driving world, is the organizer of the WorldWide WarDrive (WWWD), a project in which volunteers armed with wireless-network-detection software and GPS receivers map all the networks they can find in a week. The war drivers compile statistics that reveal where the networks are and whether or not they are using basic encryption methods. They are trying to prove a point: Wireless network managers need to take security more seriously.

This year's event, WWWD No. 4, ended June 19 after locating 228,537 access points (APs). Of those, about 38% had basic encryption, such as Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). Last year's WWWD found 88,122 APs, of which 32% had encryption. Complete stats are available online.

Hurley is encouraged by the increase in the percentage of encrypted networks, but he was looking for more. "I was kind of hoping for a better increase, up to 40%," he says, but adds, "As long as there is an increase, you're happy."

Hurley, an information security engineer working in the Washington area, became interested in war driving after Peter Shipley reported on his fledgling war-driving efforts at the Def Con security conference several years ago. Since then, Hurley has taken over the annual Def Con war-driving events and the WWWD in an effort to publicize the vulnerabilities of wireless networks.

He points out in his book, WarDriving: Drive, Detect, Defend, A Guide to Wireless Security, that hackers can easily take war driving a few steps further and use freely available tools to connect to an unencrypted network for free Internet access or to sniff out passwords for complete access. That would allow them to steal information or use the network as a base to launch future attacks. It's not much harder, he says, to use other free tools to crack the notoriously flawed WEP encryption scheme. Even the more secure WPA is vulnerable to certain attacks. (Note: Wireless hacking tools are detailed in the story "The Hacker's Wireless Toolbox.")

"There are so many threats that you open yourself up to by not securing your wireless network," Hurley says. And as Hurley and his war drivers have shown, there are a lot of people out there opening themselves up.

My own war-driving forays support his take on the sorry state of wireless security. Using the free Windows application NetStumbler, I consistently found more than 100 wireless APs on my 19-mile drive to work -- before 9 a.m. Of these, typically about 70% aren't encrypted. And about 44% are using their default Service Set Identifier, which makes them more vulnerable to hackers.

Of course, the nature of the terrain in my commute indicates that most of these APs are on private home networks. Hurley believes that the recent explosion in home networking is responsible for much of the increase in networks discovered by war drivers. While these home network owners may not have corporate secrets to protect, they could be leaving themselves open to Internet access interlopers. Or worms or viruses transmitted from the outside computer. Or worse. Hurley recounted the November 2003 case in which a Toronto man was found in his car using another person's wireless home network to download child pornography.

While that man was arrested, Hurley pointed out that if someone accessed a network to download child pornography and then disconnected from the network, the network owner couldn't prove that he himself didn't commit the crime.

But it's in the corporate world where unsecured wireless networks are the most dangerous. If you war-drive through any office park, you will likely find lots of wide-open nets. Last Saturday, I did exactly that. Few people were around, and nobody paid any attention to me, but the networks were still running, letting me know they were available.

News reports have detailed how a Lowe's home improvement store earlier this month was attacked by wireless hackers intent on stealing credit card numbers from the parking lot. And as far back as 2002, researchers revealed to Best Buy executives that some of their stores were transferring credit card numbers over unsecured wireless networks. During last month's Mobile & Wireless World conference, an Intel executive mentioned that someone once wirelessly "snooped" the e-mail of 10 to 12 vice presidents in a company facility in Oregon.

And those are just the hacks that have been made public -- companies obviously are reluctant to talk about wireless security breaches. Hurley says he has heard of many other slip-ups that he can't talk about.

So why, with all the publicity about wireless security, with all the Web sites, books, magazines, white papers, consultants and TV shows detailing how to secure wireless networks, are corporate staffers still failing to take appropriate security precautions?

Hurley thinks it's overworked administrators who aren't trained to work with wireless networks. He says they are often just told by their managers to put in a wireless network, and they do it as fast and as easily as possible.

And, he says, network administrators are supposed to make sure that the company's network is up and usable -- that's their main job. It's the job of security officers to ensure it's protected from attackers. The two job functions are often at odds. And many companies don't even have security officers, Hurley says. It all adds up to war drivers finding thousands of unsecured networks, year after year. (To get a security manager's take on the threats posed by unsecured wireless networks, go to QuickLink 47059.)

What advice does Hurley have for corporate America? First, he says, decide if you really, really need a wireless network to begin with. If there's an absolute business case that you do, and you put one in, "basic security measures aren't enough," he says. "You need to have some secure form of authentication as well as a [virtual private network] ... so they are encrypting all their traffic through means other than WEP or WPA."

The bottom line, he says, is that network administrators should "essentially treat your wireless network the same way you treat a dial-up user."

That's because there may be people out there who don't adhere to the war driver code of not connecting to networks they find. There might be a curious journalist, for example, who wonders if he really could connect to those networks and get free Internet access.

He might take his D-Link AirPlus XtremeG DWL-G650 Wireless Cardbus Adapter and his Dell notebook and his free NetStumbler software and find out that it's incredibly simple to jump on someone's network and surf the Web.

Then he might wonder if he really could see the traffic on these networks. He might try a bunch of readily available tools and find that the trial version of CommView is one of the few applications that works with his card and allows him to actually sniff network packets.

Then he might chicken out and erase all evidence of such illegalities and proceed no further.

Others, however, might not.

Copyright © 2004 IDG Communications, Inc.
