War flying: wireless LAN sniffers scour sky for access

Hobbyist wireless LAN sniffers are now taking their war-driving skills to the air, detecting hundreds of WLAN access points during short trips in private planes cruising at altitudes between 1,500 and 2,500 feet. A Perth, Australia-based “war flier” recently managed to pick up e-mails and Internet Relay Chat (IRC) conversations from an altitude of 1,500 feet.

WLAN war drivers routinely cruise their immediate areas in cars equipped with laptops loaded with a wireless LAN card, an external high-gain antenna and a Global Positioning System (GPS) receiver. The wireless LAN card and GPS receiver feed signals into freeware, such as NetStumbler or Kismet, which detects access points and their identifiers along with their GPS-derived locations.

The term war driving is derived from the “war-dialing” exploits of the teenage hacker character in the ’80s movie War Games who has his computer randomly dial hundreds of numbers and eventually winds up tapping into a nuclear command and control system.

On Aug. 25, a hobbyist WLAN sniffer who goes by the name Delta Farce, and Tracy Reed from the San Diego Wireless Users Group, conducted a war-flying tour of much of San Diego County, Calif., in a private plane at altitudes between 1,500 and 2,500 feet. They detected 437 access points, according to a post describing their aerial sniffing expedition on the Ars Technica Web site.

Delta Farce said NetStumbler indicated that only 23 per cent of the access points detected on the war-flying trip had the simplest form of WLAN security – Wired Equivalent Privacy (WEP) – enabled. The trip also showed that the range of 802.11b WLAN signals, which radiate in the 2.4-GHz unlicensed frequency band, is far greater than what manufacturers tell users they can expect.

Delta Farce said he was able to detect access points at a height of 2,500 feet, or about five to eight times the 300- to 500-foot range of WLANs used in a warehouse or offices. Delta Farce said he assumed that the increased range was due the lack of obstructions between the aircraft and the access points.

Jason Jordan, a self-described war driver in Perth, Australia, claimed the first war-flying exploit in an Aug. 18 post to the E3 war-driving blog in Australia. In his flight around Perth, Jordan said he detected 92 access points with Kismet and another 95 with NetStumbler. While NetStumbler software can only monitor access points, Kismet can actually intercept network traffic. Jordan said that at an altitude of 1,500 feet, Kismet picked up “IRC conversations, e-mails and clear NetBIOS traffic for local Perth users.”

Jordan added that he didn’t post this traffic to the blog for security reasons and that he intended to follow up his flight with calls to users on the needs to improve their security.

Brian Grimm, a spokesman for the Mountain View, Calif.-based Wireless Ethernet Compatibility Alliance, said these early war-flying reports once again illustrate the need for WLAN users to encrypt their signals. But, he noted, “war-flying is self-limiting,” since a hacker needs to remain stationary in order to intercept network traffic.

Grimm expressed no surprise at the distance from which war fliers were able to detect access points but added that “2,500 feet is about the limit.”

Craig Mathias, an analyst at Farpoint Group in Ashland, Mass., agreed that war flying serves as yet another WLAN security heads-up. But he doubts that it will proliferate to the extent of war driving, because of the expense involved and the close monitoring of private aircraft in North America in the post-Sept. 11 security environment.

Mathias added that he wouldn’t be surprised if a number of organizations, such as operators of public-access WLAN networks, have used war flying as a “legitimate technique” to detect WLAN network traffic in a given area as part of a site survey.