USC CSCI 530 - Berghel04a


COMMUNICATIONS OF THE ACM September 2004/Vol. 47, No. 9 21

Digital Village

Wireless Infidelity I: War Driving

PETER HOEY

Hal Berghel

Although WiFi technology security vulnerabilities are well known, the extent of these vulnerabilities may be surprising: War driving experiences identify many potential points of entry.

The concept of wireless networking dates back at least as far as ALOHANET in 1970. While this project is now of primarily historical interest, the online overview is still worth reading (see en.wikipedia.org/wiki/ALOHA_network). The concept of ALOHANET spanned many of the core network protocols in use today, including Ethernet and Wireless Fidelity (aka WiFi). ALOHANET was the precursor of the first generation of wireless networks.

Wireless technologies may be categorized in a variety of ways depending on their function, frequencies, bandwidth, communication protocols involved, and level of sophistication (ranging from first- through third-generation wireless systems). For our purposes, we’ll lump them into four basic categories: Wireless Data Networks (WDNs), Personal Area Networks (PANs), Wireless Local Area Networks (WLANs), of which the newer Wireless Metropolitan Area Networks (WMANs) and Wireless Wide Area Networks (WWANs) are offshoots, and satellite networks.

WDN is a cluster of technologies primarily related to, developed for, and marketed by vendors in the telephony and handheld market. This market covers a lot of ground from basic digital cellular phones to relatively sophisticated PDAs and tablet PCs that may rival notebook computers in capabilities. WDN includes protocols such as the Cellular Digital Packet Data (CDPD), an older 19.2Kbps wireless technology that is still in use in some police departments for network communication with patrol cars; General Packet Radio Service (GPRS) and Code Division Multiple Access 2000 (CDMA2000), which are multi-user, combined voice and data 2.5-generation technologies that exceed 100Kbps; and Wireless Application Protocol (WAP), which provides wireless support of the TCP/IP protocol suite and now provides native support of HTTP and HTML. If you’re using a cellular phone with text messaging and Web support, you’re likely using some form of WAP.

PANs began as “workspace networks.” Bluetooth, for example, is a desktop mobility PAN that was designed to support cable-free communication between computers and peripherals. Blackberry (www.blackberry.com) is like Bluetooth on steroids. It integrates telephony, Web browsing, email, and messaging services with PDA productivity applications. As such it blurs the distinction between PAN and WLAN.

WLAN is what most of us think of as wireless technology. It includes the now-ubiquitous 802.11 family of protocols, as well as a few others. Table 1 provides a quick overview of some of the 802.11 protocol space. Note that all but the first are derivative from the original 802.11 protocol introduced in 1997. In Table 1, “Year” denotes the approximate year of introduction as a standard (for example, 802.11a and 802.11b were introduced at the same time, though 802.11a came to market later). The two bands used for WiFi are Industrial, Scientific, and Medical (ISM) and Unlicensed National Information Infrastructure (UNII). Bandwidth is advertised maximum. Encoding, aka “spectrum spreading” techniques appear at the physical or link layer and include frequency-hopping spread-spectrum (FHSS), direct-sequence spread-spectrum (DSSS), and orthogonal frequency division multiplexing (OFDM).

Table 1. The 802.11 protocol family.

Standard  Year  Frequency  Band  Bandwidth  Encoding Techniques
802.11    1997  2.4GHz     ISM   2Mbps      DSSS/FHSS
802.11a   1999  5GHz       UNII  54Mbps     OFDM
802.11b   1999  2.4GHz     ISM   11Mbps     DSSS
802.11g   2003  2.4GHz     ISM   54Mbps     OFDM
802.11n   2005  5GHz?      ?     100+Mbps   ?

Both the 802 and 802.11 landscapes are somewhat more cluttered than the table suggests. For example, 802 also allows for infrared support at the physical layer. In addition, proprietary standards for 802.11 have been proposed. In 2001, Texas Instruments proposed a 22Mbps variation of 802.11b called “b+”, and Atheros proposed a 108Mbps variant of 802.11g called “Super G”. Further, there are standards for enhanced QoS (802.11e) and enhanced security (802.11i) that are actually orthogonal to the traditional 802.11 family in the sense that they deal with limitations rather than the characteristics of the protocol suite. To make comparisons even more confusing, there are 802.1x protocols like 802.16 (2001) and 802.16a (2003) that are designed for wider area coverage: the so-called Metropolitan Area Networks or MANs. The 802.11n specifications are meager as of this writing, although the current attention is on increasing throughput at the MAC interface rather than the physical layer.

The Origins of War Driving

The first formalization of the concept of war driving, circa 1999, is attributed to Peter Shipley. His early war driving experimentation was subsequently introduced to the hacker community at DEFCON 9 in Las Vegas in July 2001; Figure 1 is derived from this experiment.

Figure 1. An early WAP map, circa 2001 (source: Peter Shipley, “Open WLANs—The Early Results of WarDriving”; www.dis.org/filez/openlans.pdf).

The basic idea behind war driving is to “sniff” 802.11 traffic with a wireless card set to monitor mode so that it accepts all traffic on a frequency irrespective of intended target. War driving is an extension of the concept of war dialing that deserves some explanation.

War dialing is the technique used by the main character in the 1983 movie WarGames to gain access to computer systems. One might recall that in an effort to access computers of a computer game company, the film’s main character launched a countdown to a nuclear war. Though modem banks are technological dinosaurs, they remain in use and are one of the easiest network appliances to compromise.

War dialing is the art of scanning lists of phone numbers for the carrier tones that indicate modem lines. The target lists are derived from sundry public-domain sources such as telephone directories (for example, 411.com), WHOIS domain registration Web sites such as Internic (www.internic.net/whois.html), contact information on organizational Web sites, and so forth. The principle is relatively simple: find an organizational telephone number, and then sweep through the range of numbers that includes it for the presence of a modem. A modem’s carrier tone signifies a receptive appliance, so the war dialer records a “hit.”

