Information Security News mailing list archives

War Flying


From: InfoSec News <isn () c4i org>
Date: Thu, 29 Aug 2002 02:16:26 -0500 (CDT)

http://arstechnica.com/wankerdesk/3q02/warflying-1.html

[Those that either live in San Diego or have spent any time there 
won't be surprised with the map of APs listed on there. Check out the 
above URL for hyperlinks to other sites and the map.  - WK]

War Flying
by Delta Farce 
8/28/2002 


War driving is passé. Pete Shipley of the Bay Area Wireless Users
Group (BAWUG) was the early big name in war driving. He and others
popularized cruising the highways and local streets with laptops and
802.11b NICs that would detect Wireless Access Points (APs), and GPS
units to record the latitude and longitude at which they were noted.  
Last year at DefCon he delivered a presentation at the same time that
NetStumbler, a Windows-based war driving tool, was rapidly gaining in
popularity.  Anyone who's done any war driving knows that about 60% -
80% of the wireless LANs out there haven't had the most basic steps
taken to secure them, making them as difficult to "break" into as
buying a wireless NIC and downloading free software. For a technical
overview of Wireless security, check out this Blackpaper.

Like many people, I spent more than my share of hours and dollars war
driving last year. However, since I do not access the open networks I
see, it quickly got boring. Early this year I retired NetStumbler,
except for the occasional wireless audit at work. Then Tracy Reed
posted an invitation to go war flying on the San Diego Wireless Users
Group (SDWUG) mailing list. Now that was a cool idea, and something I
just had to do! In all fairness, while we weren't the first to do this
(some blokes in Oz beat us to it), Tracy made the suggestion at least
a month before those Aussies posted their results.

This past Sunday (8/25) I met Tracy at Montgomery Field in San Diego
at noon. He did the pre-flight while I prepped the stumbling gear. We
hoped to rack up as many APs as we could so we planned to fly over or
near high tech businesses, UCSD, Encinitas, Oceanside, Vista,
Escondido, SDSU, Mission Valley, Pacific Beach, Mission Beach, Ocean
Beach, Pt Loma, Chula Vista and then head to the airport to land.  
Tracy kept the airspeed low (about 120 knots) so we could maximize the
time we would spend in range of APs, hoping this would increase the
likelihood of detecting them.

Almost immediately after takeoff we passed over a business district
and the APs started popping up, and fast. I thought they would taper
off as we got higher. They didn't. After we leveled off at 1500' they
just kept coming. As long as we were passing over areas with
businesses or homes, we were getting APs. (Except for when XP and
NetStumbler were fighting for control of the NIC and I had to reboot.  
Insert your Linux/Kismet plug here.) At one point we had to ascend to
2500', and yet the APs still kept rolling in. I guess the lack of
intervening metal, wood, and concrete made a big difference. I didn't
see a drop-off in the home use (Linksys, etc.) or the commercial
(Cisco, etc.) APs.

Here you can see a flight plan dotted with the SSIDs. The 437 blue
diamonds represent our location when we detected an AP, and not the
true location of the AP. Therefore, they are a pretty good
representation of our flight path. As they are not the true locations
of the APs, and they don't indicate whether or not they have WEP
enabled (and it's really hard to read almost all of the SSIDs) I am
willing to post this image.

Here are the SSIDs and the manufacturers that were most represented in
the data we collected. First up we have the SSID names, which as
you'll see largely match the manufacturers:
 

SSID          APs
linksys       189
default        38
Wireless       14
Carroll         4
tsunami         4
UCS001          3
WLAN            3
Zoom033551      3

 

As you can see, along with not bothering to enable WEP, most people
don't bother to change the name that their wireless access point comes
set up with. 'linksys' is obviously Linksys, 'default' is D-Link,
'Wireless' is Netgear, and 'tsunami' is Cisco. Those four
manufacturers' APs configured with default SSIDs account for 60% of the
APs we saw.

 
Manufacturer      APs
Linksys           257
Agere              33
Apple              33
Cisco              33
D-Link             28
Delta (Netgear)    18
Acer               12
Zoom033551          3

 

It really looks like Linksys has the lion's share of the market, at
least in San Diego.

Keeping in the same range as what I have seen while war driving, about
23% (102) of the APs had WEP enabled. Folks still don't get it.

We are planning to place a couple of APs in a house that we can spend
some time flying over. We'd like to see how far away, and at what
altitude, we can fly and still detect the AP. I'm also hoping to get
some web and perhaps IRC time in.

Don't forget to read Tracy's write-up of our adventure.

 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

