What About Wardrivers and Warchalkers?

The recent explosion of wireless networking has led to a few new terms, including wardriving and warchalking. Whether
wardriving and warchalking actually represent security threats is a question that’s subject to a lot of debate.

Wardriving
Wardriving refers to the practice of driving around town with notebook computers looking for open access to wireless
networks just to see what networks are out there. Some wardrivers even make maps and put them on the Internet.
The basic intent of wardriving is to discover open wireless networks that can be accessed from public places. A side
benefit is that it can help network administrators discover holes in their network security. If your network shows up on a
wardriving map, be grateful for the wardrivers who discovered your vulnerability. And by publishing it, they’ve given you
incentive to plug the hole!

The downside of wardriving is that intruders can check the wardriving maps posted on the Internet to find potential
targets.

Wardrivers arm themselves with the following equipment:

✦ A car.
✦ A notebook computer with a wireless adapter.
✦ An external antenna isn’t a must, but it helps.
✦ Software that can scan for open wireless networks.
✦ A GPS, or global positioning system, a device that can automatically track where you are.
✦ Software that correlates the discovery of open networks with location data obtained from the GPS device.
✦ Free time.

For more information about wardriving, check out the Web site www.wardriving.com.

Warchalking
Warchalking refers to marking the location of open access points with special chalk symbols on the sidewalk. The chalk
symbols indicate that a network is nearby. So if you’re wandering around in downtown San Francisco and you spot a
warchalk symbol on the curb, you can sit down at the nearest park bench, fire up your notebook computer, and start
surfing the Internet.

The origins of war


Where does the term wardriving come from? Although the term has nothing to do with actual combat, I’ve heard two
plausible explanations for its origin:

✦ It derives from the popular hacker word warez (pronounced wayrz), which refers to pirated software. Thus, wardriving
refers to looking for pirated wireless network access.
✦ It derives from the movie WarGames, in which a very young Matthew Broderick hacks his way into the Pentagon’s
top-secret nuclear defense network by setting up his computer to dial numbers sequentially until it finds a computer
worth hacking into. This practice was called wardialing.

Figure 2-1 shows the common warchalking symbol for an open (unprotected) wireless network. The SSID of the open
network is listed above the symbol. You may also find other information written, such as the bandwidth of the Internet
connection available through the access point.

Warchalking Web sites like to relate that the practice of warchalking dates back to the Great Depression in the United
States, when homeless people used chalk or coal to write symbols on sidewalks, fences, or railroad trestles to provide
information or warnings to their fellow travelers. For example, some symbols represented food, water, or safe places to
camp, while other symbols represented dangerous areas or aggressive police. I leave it up to you to decide whether
college kids wandering the streets looking for free Internet access is analogous to the unemployed and homeless of the
Great Depression looking for food.

Securing Your Wireless Network


Hopefully, you’re convinced that wireless networks do indeed pose many security risks. In the following sections, I
describe some steps that you can take to help secure your wireless network.

Changing the password


Probably the first thing you should do when you install a wireless access point is to change its administrative password.
Most access points have a built-in, Web-based setup page that you can access from any Web browser to configure the
access point’s configuration settings. The setup page is protected by a username and password. However, the username
and password are initially set to default values that are easy to guess.
For example, the default username for Linksys access points is blank, and the password is “admin.” If you leave the
username and password set to their default values, anyone can access the access point and change its configuration
settings, thus bypassing any other security features that you enable for the access point.

So, the first step in securing your wireless access point is changing the setup password to a value that can’t be guessed. I
suggest that you use a random combination of numerals and both uppercase and lowercase letters. Be sure to store the
password in a secure location; if you forget it, you won’t be able to reconfigure your router.

Securing the SSID


The next step is to secure the SSID that identifies the network. A client must know the access point’s SSID in order to join
the wireless network. If you can prevent unauthorized clients from discovering the SSID, you can prevent them from
accessing your network.

Securing the SSID is not a complete security solution, so you shouldn’t rely on it as your only security mechanism. SSID
security can slow down casual intruders and wardrivers who are just looking for easy and free Internet access, but it isn’t
possible to prevent serious hackers from discovering your SSID.

You can do three things to secure your SSID:

Change the SSID from the default. Most access points come preconfigured with well-known default SSIDs. For example,
Table 2-1 lists some well-known default SSIDs. By changing your access point’s SSID, you can make it more difficult for an
intruder to determine your SSID and gain access.

Table 2-1. Common Default SSID Values

SSID        Manufacturer
3com        3Com
Compaq      Compaq
Linksys     Linksys
tsunami     Cisco
Wireless    NetGear
WLAN        DLink
WLAN        SMC

Disable SSID broadcast. Most access points frequently broadcast their SSIDs so that clients can discover the network
when they come within range. Clients that receive this SSID broadcast can then use the SSID to join the network.

You can increase network security somewhat by disabling the SSID broadcast feature. That way, clients won’t
automatically learn the access point’s SSID. To join the network, a client computer must figure out the SSID on its own.
You can then tell your wireless network users the SSID to use when they configure their clients.

Unfortunately, when a client computer connects to a wireless network, it sends the SSID to the access point in an
unencrypted packet. So a sophisticated intruder who’s using a packet sniffer to eavesdrop on your wireless network can
determine your SSID as soon as any legitimate computer joins the network.

Disable guest mode. Many access points have a guest mode feature that enables client computers to specify a blank
SSID or to specify “any” as the SSID. If you want to ensure that only clients that know the SSID can join the network,
you must disable this feature.
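
A self-audit of the SSID settings above, added here as an example and not part of the original text: it parses scan output laid out like that of the Linux iwlist scan command (the sample is constructed and the field layout is an assumption) and reports only on access points whose addresses you list as your own. The function names and the sample addresses are illustrative.

```python
import re

# Default SSIDs from Table 2-1, lower-cased for comparison.
DEFAULT_SSIDS = {"3com", "compaq", "linksys", "tsunami", "wireless", "wlan"}

# Constructed sample laid out like `iwlist scan` output (not a real capture).
SAMPLE_SCAN = '''\
Cell 01 - Address: 00:00:5E:00:53:01
          ESSID:"linksys"
          Encryption key:off
Cell 02 - Address: 00:00:5E:00:53:02
          ESSID:"Acct-2F"
          Encryption key:on
Cell 03 - Address: 00:00:5E:00:53:03
          ESSID:""
          Encryption key:on
Cell 04 - Address: 00:00:5E:00:53:99
          ESSID:"CoffeeShop"
          Encryption key:off
'''

def parse_scan(text):
    """Return one dict per cell with keys bssid, ssid and encrypted."""
    cells = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line):
            cells.append({"bssid": m.group(1).upper(), "ssid": "", "encrypted": False})
        elif cells and (m := re.match(r'ESSID:"(.*)"', line)):
            cells[-1]["ssid"] = m.group(1)
        elif cells and line.startswith("Encryption key:"):
            cells[-1]["encrypted"] = line.endswith("on")
    return cells

def audit(cells, my_bssids):
    """Check only the access points we own against the SSID advice above."""
    owned = {b.upper() for b in my_bssids}
    findings = []
    for ap in cells:
        if ap["bssid"] not in owned:
            continue  # someone else's network: out of scope
        if ap["ssid"].lower() in DEFAULT_SSIDS:
            findings.append((ap["bssid"], "default SSID"))
        if ap["ssid"]:  # a visible name means SSID broadcast is still on
            findings.append((ap["bssid"], "SSID is broadcast"))
        if not ap["encrypted"]:
            findings.append((ap["bssid"], "no encryption"))
    return findings
```

Call audit(parse_scan(SAMPLE_SCAN), [...]) with the addresses of your own access points; an access point that hides its SSID and has encryption on produces no findings.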

Enabling WEP
WEP stands for Wired Equivalent Privacy and is designed to make wireless transmission as secure as transmission over a
network cable. WEP encrypts your data by using either a 40-bit key or a 128-bit key. 40-bit encryption is faster than 128-
bit encryption and is adequate for most purposes. So I suggest that you enable 40-bit encryption unless you work for the
CIA.

Note that in order to use WEP, both the client and the server must know the encryption keys being used. So a client that
doesn’t know the access point’s encryption keys won’t be able to join the network.

You can specify encryption keys for WEP in two ways. The first is to create the 10-digit key manually by making up a
random number. The second method, which I prefer, is to use a passphrase, which can be any word or combination of
numerals and letters that you want. WEP automatically converts the passphrase to the numeric key used to encrypt
data. If the client knows the passphrase used to generate the keys on the access point, the client will be able to access
the network.

As it turns out, security experts have identified a number of flaws with WEP that compromise its effectiveness. As a
result, with the right tools, a sophisticated intruder can get past WEP. So although it’s a good idea to enable WEP, you
shouldn’t count on it for complete security.

Besides just enabling WEP, you should take two steps to increase its effectiveness:

Make WEP mandatory: Some access points have a configuration setting that enables WEP but makes it optional. This
may prevent eavesdroppers from viewing the data transmitted on WEP connections, but it doesn’t prevent clients that
don’t know your WEP keys from accessing your network.

Change the encryption keys: Most access points come preconfigured with default encryption keys that make it easy for
even casual hackers to defeat your WEP security. You should change the default keys either by using a passphrase or by
specifying your own keys. Figure 2-2 shows the WEP key configuration page for a typical access point (in this case, a
Linksys BEFW11).
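
How a passphrase becomes the four 10-digit keys, as an added example that is not from the original text: it implements the generator commonly found in access point firmware for 40-bit keys, which is a vendor convention rather than part of WEP itself, so treat the algorithm as an assumption about your own device. The function names are illustrative.

```python
import string

def wep40_keys_from_passphrase(passphrase):
    """Derive four 40-bit WEP keys (10 hex digits each) from a passphrase.

    Assumed algorithm: the de facto vendor generator, not part of WEP itself.
    Restricted to ASCII, where all implementations agree.
    """
    # Fold the passphrase into a 32-bit seed, XORing four bytes at a time.
    seed = 0
    for i, byte in enumerate(passphrase.encode("ascii")):
        seed ^= byte << ((i % 4) * 8)
    # Step a linear congruential generator; each step yields one key byte.
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)
        keys.append(key.hex().upper())
    return keys

def is_valid_wep_key(text):
    """True for a manually entered key: 10 hex digits (40-bit) or 26 (128-bit)."""
    return len(text) in (10, 26) and all(c in string.hexdigits for c in text)

def client_matches_ap(ap_passphrase, client_passphrase):
    """Both sides must end up with identical keys, or the client cannot join."""
    return (wep40_keys_from_passphrase(ap_passphrase)
            == wep40_keys_from_passphrase(client_passphrase))

if __name__ == "__main__":
    # Constructed passphrase, for illustration only.
    for number, key in enumerate(wep40_keys_from_passphrase("Sample-Phrase-1"), 1):
        print(f"Key {number}: {key}")
```

A client whose setup program has no passphrase field can be configured by typing in the derived keys directly.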

Using WPA
WPA, which stands for Wi-Fi Protected Access, is a new and improved form of security for wireless networks that’s
designed to plug some of the holes of WEP. WPA is similar in many ways to WEP. But the big difference is that when you
use WPA, the encryption key is automatically changed at regular intervals, thus thwarting all but the most sophisticated
efforts to break the key. Most newer wireless devices support WPA. If your equipment supports it, I suggest you use it.

Here are a few additional things to know about WPA:

✦ A small-office and home version of WPA, called WPA-PSK, bases its encryption keys on a passkey value that you
supply. However, true WPA devices rely on a special authentication server to generate the keys.
✦ Windows XP with Service Pack 2 has built-in support for WPA.

✦ The official IEEE standard for WPA is 802.11i. However, WPA devices were widely available before the 802.11i
standard was finalized. As a result, not all WPA devices implement every aspect of 802.11i. In Wi-Fi circles, the 802.11i
standard is sometimes called WPA2.

Using MAC address filtering


MAC address filtering allows you to specify a list of MAC addresses for the devices that are allowed to access the
network. If a computer with a different MAC address tries to join the network via the access point, the access point will
deny access.

MAC address filtering is a great idea for wireless networks with a fixed number of clients. For example, if you set up a
wireless network at your office so that a few workers can connect their notebook computers, you can specify the MAC
addresses of those computers in the MAC filtering table. Then, other computers won’t be able to access the network via
the access point.

Unfortunately, it isn’t difficult to configure a computer to lie about its MAC address. Thus, after a potential intruder
determines that MAC filtering is being used, he or she can just sniff packets to determine an authorized MAC address
and then configure his or her computer to use that address. (This is called MAC spoofing.) So you shouldn’t rely on MAC
address filtering as your only means of security.

Don’t neglect the basics


The security techniques described in this chapter are specific to wireless networks. They should be used alongside the
basic security techniques that are presented in Book III. In other words, don’t forget the basics, such as:

✦ Use strong passwords for your user accounts
✦ Apply security patches to your servers
✦ Change default server account information (especially the administrator password)
✦ Disable unnecessary services
✦ Regularly check your server logs
✦ Install virus protection
✦ Back up!

Placing your access points outside the firewall
The most effective security technique for wireless networking is to place all your wireless access points outside of your
firewall. That way, all network traffic from wireless users will have to travel through the firewall to access the network.

As you can imagine, doing this can significantly limit network access for wireless users. To get around those limitations,
you can enable a virtual private network (VPN) connection for your wireless users. The VPN will allow full network access
to authorized wireless users.

Obviously, this solution requires a bit of work to set up and can be a little inconvenient for your users. However, it’s the
only way to completely secure your wireless access points.
