The two wardrivers are parked in a lot a few blocks down from the Sparks Police Station. Itโs October 2002. Sitting in the front of the SUV, their faces are bathed in the blue light emanating from their laptop computers.
One aims a modified Pringles potato chip can. The Pringles can is a directional antenna, a yagi, built with components bought in local electronics shops. โAimsโ may not be a perfectly accurate description, since heโs manipulating the can based on what he sees on the screen of the Gateway laptop and not by anything he would sight down the barrel. The numbers heโs watching decrease toward zero.
โOK, try it now.โ
The man in the passenger seat double-clicks โMy Network Places;โ and suddenly the screen is dotted with icons of small computers.
โHoly shit. Itโs wide open. Lookathat: Administration, Payroll. We could send ourselves checks.โ
That would, of course, be illegal. By accessing the network, the wardrivers have crossed the line. Theyโve maskedโ”spoofedโ in the parlanceโtheir identifying MAC addresses, so they arenโt worried about getting caught, and they have no intention of sending themselves checks, but the vulnerability of a multimillion-dollar company spread out like a two-dollar whore astounds them.
Thereโs a secret world out there.
Itโs populated by men and women who prowl the streets night and day in cars, on foot, on bicycles, even in airplanes.
Thereโs not a lot to set them apart physically from the population at large. Maybe the punk, anti-establishment ethic is distilled down to a goatee or hippie-length hair or a streak of color or an attitudinal T-shirt. Maybe theyโre paler than most. They stalk the streets, hunting a quarry that canโt be detected with human senses. They are after something you may own. Theyโre after wireless computer networks.
Their language is arcane, filled with acronyms and uncommon words and numbers such as SSID, 802.11b, WEP, hot spot, honey pot, WiFi. What they do is legal in Nevada, but it can cross the line in some states. If the less ethical among them do go over the line, thereโs little anyone can do to catch themโthe smart ones, anyway. Preventing their access to your most private realms is another matter.
Their weaponsโtoolsโare laptop computers, handhelds, PCMCIA cards, software, cable, antennas and the like. While their world cannot be seen, it can be mapped. Indeed, these hunters are the spiritual descendants of explorers such as Lewis and Clark, mapping a world that did not exist for most people before they discovered it and put it on the record. Some are well-known, at least among others of the same stripe. They go by intriguing names, like those who monitor the forums on Netstumbler.com: marius, blackwave, lincomatic, Mother, Thorn.
Their world is defined by geographic patternsโcheckerboards and concentric patterns. Some are methodical, driving up and down every single neighborhood street. Plotting, mapping, recording, passing the information along to people of similar philosophy whom theyโve never met, connected only in their passion for mapping, for connection.
Theyโre the wardrivers, and theyโre coming to a neighborhood near you. In fact, theyโre already there.
A little history is in order. First, there was the telephone, invented in 1876. In 1969, along came ARPANET, computer networking technology advanced by the United States Defense Advanced Research Project Agency, the technology branch of the U.S. military. Then came the Internet. Then the cellular telephone arrived. Then came wireless computer networks that used radio waves instead of wires. Then came wireless connections to the Internet.
Then came wardrivers.
The raison d’รชtre for many wardrivers is the belief that Internet access should be free. They envision a world in which ordinary citizens can go from Point A to Point B, never losing their Internet connection. Entire organizations are based on this premise. The Seattle Wireless Group, www.seattlewireless.net, has had good progress building a metropolitan area network. The Reno Area Wireless Users Group, www.rawug.org, has dreams along these lines.
In fact, entire cities have embraced the concept. For example, just this week, Cerritos, Calif., began deployment of a wireless network that will give anyone with a computer and a card access to the Internet anywhere within its 8.6-square-mile area.
The philosophy of these futurists is undoubtedly well-founded: Information should be available to rich and poor alike. There should be no digital divide that gives preference to the economically blessed while forcing the disadvantaged to keep their place or to fall further behind in the rat race.
However, what should be and what is often differ.
Ethical wardrivers are intent on giving technological and social evolution a little boost. They locate the wireless networks and place their coordinates, using global positioning devices and software, on maps, which they disseminate on the Internet for free.
Unethical wardrivers are intent on accessing networks for other reasons. Some set up virus or spam programs or screw up networks (locking out administrators, for instance) just out of meanness. Some are kids who will set up ad-hoc local area networks to play high-speed Internet games on somebody elseโs dime and bandwidth.
The name โwardrivingโ came from the phrase โwar dialing,โ which was the technique of methodically dialing telephone numbers looking for a modem backdoor into a network. War dialing was the first step toward hacking a wired system.
How is wardriving done? Itโs pretty simple, really. First, you need a basic laptop or a handheld computer and a wireless network card. To do the โrealโ wardriving, you need software like Netstumbler for Windows, Kismet for Linux or MacStumbler for Macintosh. This software merely locates networks; it doesnโt help with cracking WEP (wired equivalent privacy) encryption. That takes something like Ethereal, Airsnort or WEPCrack.
The card fits into the computer, and a pigtail connects the computer to either a yagi (a directional antenna) or an omni (a multidirectional antenna).
For the pure wardriving experience, which requires mapping, a global positioning system receiver is necessary. It records the longitudinal and latitudinal coordinates of the hot spot.
Thereโs one final component.
Wardrivers also need peopleโmarks, if you willโrich enough to buy a wireless router (one of those cute little boxes with rabbit ears that allow you to surf the Web from the comfort of your living room couch; Linksys and D-Link make some of the most popular) but dumb or generous enough not to enable the encryption or change the default login or password.
A little more than a year ago, a drive around the McCarran loop would yield only a couple dozen APs, or access points. This month, an evening wardrive yielded 81.
Once coordinates are collected, the files are uploaded to one of several mapping sites, such as wigle.net, allyour80211barebelongtous.org or the World Wide WarDrive. Wigle adds the statistics to maps and pages, so wardrivers can keep track of their contributions. All Your 80211b Are Belong to Us is run by an anonymous group known as โThe Collective.โ The Collective accepts .ns1 files and compiles them with other .ns1 files to create one massive file, which it e-mails back to the submitter.
The well-equipped wardriver. <br> <a href=”/issues/reno/2003-12-18/coverpic.pdf”>Click here </a>for larger image with labels.
Photo By David Robert
The Collectiveโs file lists 135,839 open networks across the United States. Out of those, 46,938 are unprotected networksโdefault SSID and no WEP. That means that 35 percent of wireless networks are wide open. Anyone with wardriving equipment and rudimentary computer knowledge can own the network for whatever purposes he or she chooses. Wigle.net claims more than 639,571 total unique networks in its database.
In California, there are laws forbidding the publication of networks without the network ownerโs permission, but that law doesnโt seem to have slowed down wardrivers. On Sept. 12, California Deputy Attorney General Robert M. Morgester of the Special Crimes Unit posted on the Wigle Web site, demanding that people stop posting their .ns1 files. Postings do not appear to have decreased.
In Nevada, there are no such laws. But be careful: Cross the line beyond simple recording of wireless networks, and you may run into the laws that regulate computer hacking or even trespassing.
Lorrie Adams, program coordinator for the Cyber Crime Task Force of Nevada in the Attorney Generalโs Office, said that while sniffing the airwaves is legal, it has come under the scrutiny of law enforcement.
โThe task force is currently looking at what other states have done with their legislation to make that illegal,โ she said. โSo that even surfing the airwaves will be illegal.โ
Since the Nevada Legislature meets only every two years, wardrivers are safe to pursue their prey at least until 2005.
Still, itโs the invasive stuff, such as getting on someoneโs network without permission, that crosses the line. Thatโs called intrusion, hacking. Laws already exist to protect businesses and individuals from invasion of privacy or theft of information or resources.
โA company with a few safeguards in place has a presumed privacy,โ Adams said. โTheyโve got a firewall, theyโve got VPS, and theyโve got anti-virus software up; they should be able to conduct their business wirelessly. Theyโve done their part to protect their proprietary information. If somebody actually gets onto their network, that falls under โintrusion.โ Intrusion or hacking just means having unauthorized access onto a system. Just logging in, youโve already crossed the line, like breaking and entering or trespassing. You canโt touch or feel [a network]; itโs not a property line, but it is considered [as having] a boundary. As soon as youโve crossed it, youโve trespassed; youโve intruded on their network, and youโve caused a security breach.โ
Adams was uncertain if companies that didnโt take the minimum security precautions had the same presumption of privacy.
A claim of legality isnโt an implication that law enforcement authorities arenโt willing to make opportunities for less-than-ethical wardrivers. For example, one local agency maintained an open WAP (wireless-access point) at its office in the South Meadows, nhp2fbi. Wardrivers call this a โhoney pot,โ a trap by law enforcement to monitor MAC addresses and catch fools stupid enough to try to access the network.
Mike Konieczka has been wardriving since the hobby was in its infancyโa year and a few months.
The 6-foot-3, bespectacled vice president of operations for Video Maniacs laughed unselfconsciously when talking about his love of the hobby.
โThe funny thing about wardriving is you have to keep saying to yourself, โThis is not illegal, this is not illegal, this is not illegal,โ โ he said. โYou feel like youโre breaking the law, but all youโre doing is seeing whatโs out there. Itโs so fun, it feels like it must be illegal.โ
Konieczka said heโs into the challenge of keeping up with the new technology. He likes the idea of furthering the use of wireless Internet by helping with the worldwide efforts to map its growth.
โThe technology is always changing. When I first put up my wireless network at home, I got the D-Link card, and I thought I was styling. Once I got into wardriving, I found out it wasnโt the best card to have because Netstumbler doesnโt work with it. Itโs an educational process. After that first time, Iโve done a lot of research, and Iโve read all that I can about the equipment, so now Iโm having a better time with it. Instead of getting signals from close-by APs, I can use the yagi or the omni-directional antenna, and I can reach out further.โ
Heโs not one of the malicious wardrivers who would send spamโunwanted e-mailโfrom a server or invade a private businessโs network for personal financial gain, but he acknowledges that there are some of those types out there, and the software for those with nefarious minds is easily gotten from the Web.
โEthereal or whatnotโpacket sniffersโcaptures the packets, the information that is being passed between computers and the access point. The sniffer captures those packets, and you are able to read them. The packets have all different types of informationโpasswords, private information about a person.โ
Here in the Truckee Meadows, not all the WiFi network access is illicit. Some individuals and businesses have opened parts of their networks free to the public. Coffee shops like Waldenโs offer free access. Starbucks offers access to a pay per use system.
One huge AP, right downtown, has the SSID MADCON. The acronym SSID stands for Service Set Identifier, and itโs the networkโs name. This network belongs to Project ReTRAC, the train trench. Itโs a huge pipeline, about 10 megabytes per second in bandwidth, and anyone with a WiFi card (the Windows wardriving community standard is the Gold card by Orinoco) can access the network.
โItโs funded through the ReTRAC funds, which are public funds, and there was no reason for our use to be secure, so why not let everybody benefit?โ said Mark Demuth, owner of MADCON, the group in charge of ensuring the train trench gets built without doing undue damage to the environment. โWe deliberately left it open for the public.โ
DeMuth may be a few years ahead of his time, but his situation illustrates many of the reasons WiFi will become even more relevant for businesses.
โWe did it because, we estimate, it saves 1.5 hours per employee day. With the wireless Internet connection, they can basically do anything from the field. They can do their report writing in the field. They can view our library of reference materials from the field. Weโll be connecting a wireless WebCam [to monitor] for compliance with dust regulations.โ
The University of Nevada, Reno, also recently powered up an AP at the Getchell Library thatโs available to anyone with the technical know-how to access it. It began its test rollout on Oct. 27.
The universityโs ultimate goal is to cover the whole campus in a wireless cloud, said Network Security Manager Jeff Springer.
โWeโre really in the initial stages where weโre concentrating on about 20 buildings. By the beginning of spring, weโll have the first three or four buildings done. By the end of summer, weโll have the first 20 done. During that time, weโll also be looking at other wireless technologies to do a bigger cloud. Right now, weโre just doing individual buildings, so, if youโre in the building, youโll have access.โ
The universityโs wireless system is somewhat different than the MADCON system. First, the university uses a fairly high level of encryption, VPN, virtual private network, which requires a password of anyone who accesses the network. Itโs far more secure than a simple WEP key. All students, workers and faculty have โNetIDโ accounts.
The university system doesnโt yet cover the campusโ outdoor areas, although someday students will be able to turn in papers from the quad and maybe even the Breakawayโalthough efforts will be taken to keep the โcloudโ over the campus proper. Finally, the university uses the 802.11g wavelength, which could be considered next-generation wireless. Itโs faster than 802.11b but will still work with the old cards.
Erich Hohman, a local-government IT specialist and member of the Reno Area Wireless Users Group, said the Truckee Meadows should get prepared for the wireless revolution.
โWeโre going to get out the word about wireless; weโre going to promote the free access whenever possible,โ he said. โWe can set up businesses for wireless. All they have to do is provide the bandwidth and equipment, and we can maintain it for them. [We can make it] secure enough that hackers wonโt be coming through all the time, but secure enough that customers can get on for free.โ
December 2003: The two wardrivers are joined by a third in the same SUV, the same spot. Theyโve returned to the street down from the Sparks Police Department to do a network neighborhood search on the wide-open network, a quick screen grab and get goneโa sort of a trophy.
Nearby, the number of wireless networks has increased exponentially from the year previous, and Netstumbler, which makes a submarine sonar sound every time it makes contact with one, is pinging with the insistence of an alarm clock.
โThere it is. Thatโs the one.โ
But thereโs a closed padlock sign next to the networkโs name. That indicates that WEP is enabled. In other words, the network access is encrypted. The trio of hunters moves on. As they pull out of the parking lot, a Sparks police cruiser passes in the opposite direction. Nobody waves.
Cover story sidebar
How to protect your network from wardrivers
Click here