Warchalking and Wardriving

home | about | site use | services | guides | profiles | papers | timeline || Analysphere | Ketupa | Cinetext

This note considers warchalking and wardriving, ie mapping wireless access to the internet and intranets.

It covers -

introduction
driving
chalking
statistics and mapping
demographics and industry
legal frameworks
responsibility
primers and studies

It supplements the broader discussion elsewhere on this site regarding internet security, network governance and matters such as cybercafes and wireless access in Australasia.

introduction

Despite the name, warchalking and wardriving have little to do with war - of the traditional or cyber varieties - or terrorism. Instead, they relate to identifying and mapping wireless access points (AP), in particular individual devices or intranets that are inadequately protected and are thus open to unauthorised users.

That activity encompasses a cultural phenomenon - the 21st century equivalent of train spotting or bird watching - and a minor industry that involves hackers and crackers in defence or unauthorised access to devices and networks.

The term 'wardriving' supposedly derives from phone phreak era 'war dialing', ie hacker exploits in dialing phone number after number to identify and then access modems. The emergence of wireless networks - discussed here and here - following development of the Institute of Electrical & Electronics Engineers (IEEE) 802.11 standard was reflected in recognition that

the existence of secure and non-secure networks could be readily ascertained by observers with little equipment and without extensive training or expertise
the protection of many networks was inadequate or indeed non-existent.

One US observer thus wrote

Suddenly, people all over the country realized that their wireless devices could be set to scan for AP's, then throw 'em into their backpacks and walk around the financial district until they had several dozen free internet connections.

Wardriving took that identification from the backpacks and footpaths onto the road, with people engaging in 'drive-by' discovery of open and closed wireless access points. It is a phenomenon that has continued, with some enthusiasts reporting their discoveries in lists and maps of considerable sophistication (including interactive online mapping that features GIS data and details about individual APs).

Warchalking - hyped by the mass media - appears to have been as evanescent as the chalk markings on some pavements to indicate an adjacent open AP. It is of interest as a digital culture fad that didn't last the distance.

driving

APs are identifiable because they signal their presence at specific intervals (typically 100 milliseconds) by broadcasting a packet that features an individual service set identifier (SSID) and other data elements. That signal is of low intensity, generally restricted to a radius of 100 metres and affected by attenuation such as water, architectural features or security shielding.

Wireless-equipped laptops, personal computers and other devices (such as personal digital assistants) are able to detect the signal. That is necessary if they are to join a network and allow the user to exchange information with an individual device or a network of devices (including devices that provide a bridge to the internet).

As we have noted in discussing networking and the GII, a wireless capacity is now a standard feature on much new equipment. Devices can also be augmented with tools to detect and process AP signals and external antennae, particularly when using a motor vehicle. A range of free and commercial 'stumbling utility' software can be used for example to record data transmitted by an AP; some products incorporate global positioning system coordinates that provide the basis for producing electronic maps.

Wardriving was initially conducted manually - some reports featured tales of ballpoint pens and Pringles can antennae - but came of age in 2001 with development by Marius Milner and Peter Shipley of dedicated AP software that readily integrated GPS location data with databases of detected APs.

Wardriving has flourished since that time, through word of mouth, media coverage, industry claims of varying accuracy and newsgroups or specialist sites such as wardriving.com, some of which feature lists and maps. Examples of maps are here and
here.

Much wardriving does not actually involve automobiles. We are aware of two enthusiasts who use a bicycle in wardriving; one contact in Australia has used a helicopter and - more scarily, at least for people in his flight path - a light plane. In major urban centres it is arguably easier to engage in 'warwalking', roam the strrets with a PDA running a stumbling utility like MiniStumbler. Fans have also referred to 'warcabbing' - nothing more elaborate than watching a laptop in the back seat of a taxi.

Wartrapping, promoted by security consultants, comprises a 'honeypot' AP - one that features monitoring software aimed at determining the level of wardriving and attempted intrusions.

chalking

Wardriving first attracted attention in the mass media because of warchalking, which became a fashion - arguably now past - among undergraduates, high school geeks and the post-secondary tech community. Having identified a wireless AP those tech savvy users would 'mark the spot' with a chalk symbol on the pavement, bin or building. In December 2002 warchalking was named one of the "100 most significant ideas of the year" by zeitgeist sniffers at the New York Times Magazine.

Chalking supposedly originated with blog entry by London-based information architect Matt Jones, with the expectation that warchalk symbols would provide a sufficient visual cue for attempting a connection from a laptop or PDA. Such marks would supposedly "encourage newcomers and initiate conversations between Wi-Fi users, network operators and others". The chalking was spun as "runes" or "a modern version of the hobo sign language used by low-tech kings of the road to alert each other to shelter, food and potential trouble".

That led John Hiler to rosily characterise chalking as the "perfect storm" confluence of "three favorite tech themes" -

It's got Wi-Fi. It's got the tie-in to hobo language, which is really cool from a linguistics point of view. And it ties into the spirit of democracy, which was the original intention of the Web. It's the subversive idea of giving the finger to the local land-line monopoly.

Paul Boutin in the usually starry-eyed Wired News commented in 2002 that "Warchalking, it seems, is so cool it doesn't even matter if anyone is really doing it or not". Christian Sandvig more incisively commented that warchalking is entirely a media phenomenon

it is a beautiful idea, but it doesn't make any sense as a directory service to find Wi-Fi. It is too easy to miss a warchalk mark, and the chalk wears away (or washes away in the rain) too quickly. Warchalking symbols were heavily promoted in the New York Times just *48 hours* after they were first made public on the Web. There was a subsequent wave of media stories about warchalking, giving everyone ideas. Every single occurrence of chalk I've found can be attributed to chalkers who want to self-promote their own mark. So I believe that people *do* rarely make warchalking marks for various reasons (to be cool, to advertise for their own network) but I *don't* believe that people use warchalking marks in a meaningful way to find Wi-Fi.

Two years later, although APs continue to proliferate, there's little sign of ongoing warchalk activity on the ground or in the mass media. Among the young digerati with whom we are in contact the idea of chalking is at best regarded as 'quaint'.

statistics and mapping

In discussing Australian and New Zealand wireless access we have noted that figures about the number of open and closed APs are contentious. There are few authoritative industry or government accounts, although it is clear from equipment sales figures and from anecdotal reporting that the number of APs is continuing to grow rapidly - particularly as many organisations seek to contain network deployment and maintenance costs by using wireless rather than wired LANs in their premises.

The immaturity of the industry means that an indeterminate number of sites appear to be open to unauthorised access, whether deliberately or through poor design and maintenance. Within a few kilometres of the Canberra CBD for example there are approximately 180 access points, of which as many as 100 are unsecured as of August 2004. A December 2003 wardrive in Auckland identified around 700 wireless APs, of which around 60% were unsecured. Some overseas statistics from the annual 'Official WorldWide WarDrive' are here.

There have been no major studies of wardriving and chalking as avocations. It is unclear how many people engage in driving, mapping and chalking on a short term or ongoing basis. Examination of participation in online fora suggests that numbers are not particularly large. Vendors of network protection solutions have, however, argued that a "significant" number engage in casual or sustained driving at any one time and that much of the activity extends beyond identifying APs to unauthorised grazing of private information and offences such as release of viruses or spam.

Driving as a mechanism for legitimate acqusition of geospatial data has attracted some commercial attention, given the muddiness of much hotspot mapping and industry analysis. US specialist Quarterscope for example, in building a commercial AP database to deploy location based applications, has announced that it is

willing to pay wardrivers for past and future GPS located scans. We will pay between $0.01-$0.05 per access point depending on the priority of the area (NYC versus Topeka) and the quality of the data (number of GPS locations per access point).

A somewhat different approach has been taken by the 'open infrastructure' Herecast project.

demographics and industry

Detailed statistics on the size and shape of the wardriving population are unavailable.

That is unsurprising, given that wardriving is a 'fringe' activity (consistent both with concerns regarding legality and, more importantly, the frisson associated with the mixture of expertise and naughtiness).

Anecdotal indications suggest that in Australia and other western nations most non-professional wardriving is what one observer unkindly characterised as "black t-shirt homosocial" - predominantly white, male, under 25, tech literate and involving two or more friends in a car. Much of it is presumably undertaken "because it's there" and doesn't involve the pizza-deprivation experienced by mountaineers. One US driver thus commented in 2004 that

For those of us that do wardrive, we're not interested in how many systems we can hack, or trading warez, or any of that -- we just want to see where and how many

Proponents such as John Duntemann argue that

wardriving provides a unique opportunity to gauge the growth of a technology market segment by direct inspection . In other words, we don't have to take a vendor's or research firm's word for how many wireless networks are out there. We can go out and look for ourselves. This isn't possible for things like digital cameras and DVD burners. In conjunction with some understanding of the demographics of an area, it's possible to use wardriving data to get a sense for how "connected" or "tech savvy" a neighborhood or region is.

The number and severity of wi-fi based offences is unknown. Its flipside, as with other cracking, is the market for defensive services. Konstantin Gavrilenko commented in 2004 that

The market for wireless security is really huge, mainly due to the fact that despite all the media buzz, majority of companies still do not fully understand the potential vulnerabilities that wireless networks can bring into their existing IT infrastructure. We do wardrive often, for the purpose of collecting statistical data of the overall protection level of wireless networks, obviously staying within the legal limits, and we have to say that the picture is worrying. We have seen quite a few rather large multinationals employing unprotected wireless access to their internal network. Some of them have improved over the time, turning on basic WEP. However, the biggest challenge in our business, is that you do know that the company is vulnerable, however, you can not go and inform them. The initiative has to come from the client itself, who should realize the severity of the problem and come to us for advice and complete solution.

legal frameworks

Is wardriving legal? The answer varies, depending on jurisdiction.

Some analysts use the 'front door' model, where it not an offence to identify that a door exists but unauthorised entry breaches the law and facilitating wrongdoing by alerting offenders that the door is unlocked may also be a breach.

Most regimes regard unauthorised connection to and use of a network as illegal. That encompasses activities such as identifying what files are held on particular servers or desktop machines, identifying the topography of a LAN, copying (or modifying or deleting files) and using the network for unauthorised communications (including spam and stalking). It is consistent with prohibitions on unauthorised physical access to content, devices and networks, with legislation for example identifying crimes such as theft of services.

The 2004 conviction (in the US District Court for the Western District of North Carolina) of Paul Timmins on a single count of fraudulent and unauthorized Wi-Fi access to a private corporate network is believed to be the first wardriving conviction in the US. Legal specialists have argued that there is potential liability under the federal Computer Fraud & Abuse Act, the Wiretap Act and some state legislation. The same year saw action under the US federal CAN-SPAM Act against Nicholas Tombros, who allegedly sent spam via insecure residential wireless APs in Los Angeles.

What of warchalking? As far as we are aware there have been no successful prosecutions for chalking, although presumably there's some scope for action under damage to public/private property (don't use waterproof paint or carve a symbol on someone's fence or front door) or even aiding a crime.

responsibilities

As with most information security issues, APs involve several responsibilities and are not restricted to containment of wardrivers.

Pundit Jeff Duntemann comments that -

My fellow wardrivers and I adhere to a relatively strict code of ethics that can be cooked down to the following:

Don't look.
Don't touch.
Don't play through.

In other words, 1) don't examine the contents of a network; 2) don't add, delete, or change anything on the network, and 3) don't even use the network's Internet connection for Web surfing, email, chat, FTP, or anything else. Somebody else paid for the bandwidth, and if you don't have permission to use it, you're stealing it. Basically, unless you have permission, don't connect. Consider it a matter of personal honor, even when it's unlikely that you'll be caught. (If you get too used to feeling that you won't get caught, sooner or later you will get caught!)

Patrick Ryan's 2004 War, Peace, or Stalemate: Wargames,
Wardialing, Wardriving, and the Emerging Market for Hacker
Ethics (PDF) considers wardriving and 'ethical hacking', something examined in more detail here.

Network operators also have responsibilities, including an obligation not to inadvertently allow access to their networks. In Australia, apart from damage to the financial viability of an organisation, the operator might potentially face exposure to action for failure to adequately protect employee or customer privacy, intellectual property and other duties.

Some sense of scope is provided by a contact's discovery of an open 2 megabit network in Canberra, which in principle would allow an offender with an appropriate address list to spam much of Australia with a few minutes. The organizer of the Auckland wardrive noted above commented that

People just take their routers out of the box, assign a username and password and nothing else.

It is thus not surprising that intrusions occur ... although many of those intrusions are undetected.

studies

Primers for drive & chalk aficionados include

Drive-By Wi-Fi Guide (Phoenix: Paraglyph Press 2003) by Jeff Duntemann

WarDriving: Drive, Detect, Defend - A Guide to Wireless Security (Rockland: Syngress 2004) by Chris Hurley, Michael Puchol, Russ Rogers & Frank Thornton

Wi-Foo: The Secrets of Wireless Hacking (New York: Pearson Education 2004) by Andrew Vladimirov, Konstantin Gavrilenko & Andrei Mikhailovsky

Wireless Hacks (Sebastopol: O'Reilly 2003) by Rob Flickenger

Christian Sandvig's 2004 An Initial Assessment of Cooperative Action in Wi-Fi Networking (PDF) - in Telecommunications Policy 28 (7/8) - is of value. For an historical perspective see Shipley's LanJacking and WarDriving (PDF).

::