Science & the Environment
22/03/04 Wardriving, Warspying, Bluesnarfing by Edward Teague

    Clandestine listeners and watchers are on line. Naked in a wireless world.

150 years ago James Scott Maxwell imagined it, 100 years ago Marconi proved its use, and since then we have been filling the ether with wireless waves to contact, connect and communicate.

Since then, from the merely curious to the curious military, we've been listening in, snatching conversation, data and images. Signals intelligence, or SIGINT, by the "Coalition of the Willing" gobbles up the dollars and prostitutes the best mathematical brains, and judging by the gems that Colin Powell revealed to the UN last year, the careful study of chicken entrails may achieve better results.

At a lower level and at a much lower cost Wardrivers are matching the military in their surveillance of our unguarded digital data streams.

All the wardriver needs is a laptop, a wireless card and a Global Positioning System (GPS) receiver to locate Wireless Access Points (WAPs) within 300 metres on the dramatically expanding Wi-Fi networks out there in the world. The idle can consult the many web sites that list them: one lists 900,000 worldwide, and the Boston MA district wardrivers group, for example, has an incredibly detailed site covering the whole Boston metropolitan area.

What makes it easy is the worldwide acceptance (and convenience to the users) of the 802.11b standards, but users are usually oblivious to the privacy vulnerability, and vendors are neither anxious to address the issue nor to advise the buyer of any privacy problems.

Not only is it easy to clandestinely access Wi-Fi networks, it is rarely illegal. The FBI states that using an access point without explicit authorisation may be a federal crime (theft of services, interception of communications, misuse of computing resources, up to and including violations of the federal Computer Fraud and Abuse Statute). In California, the vanguard of Jeffersonian liberalism, the State amended penal code 13848-13848.6 to include wireless networks, "to provide law enforcement with the tools to interdict the promulgation of high technology crime". The State of New Hampshire is trying to set up HB 495 to make owners of networks responsible for security.

In the UK, access to fixed land lines is covered by wire-tapping legislation, but there appears to be no statutory control over accessing wireless data networks, and that includes the security services – no need for Home Office approvals. There do not appear to be any examples of attempts at prosecution anywhere, although of course use of any information obtained may well be covered by all sorts of laws.

Programs to enable easy Wi-Fi access are readily available across the net, frequently free or at low cost. Armed with AirSnort, which can decrypt access keys from the notoriously fallible WEP protocol for Wireless Local Area Networks (WLANs), NetStumbler, a Windows-based product which can actively detect and identify sites, or Kismet to pick up the Service Set Number (SSID), you can sit with your laptop in a hotel parking lot and watch the encrypted data stream out of the busy executives' rooms.

How do you know if that chap crouched over his latte and laptop in Starbucks is latched into your connection, reading your sales orders and e-mails, stealing your porn? You don't.

Why don't vendors tell you how easy it is to get access – even more so now that laptops are coming equipped with Wi-Fi access as a major feature?

Well would you buy a car where you had to leave the key in the ignition, the engine running and the doors and windows open when you parked it? Don't expect the salesman to tell you that is exactly what you are buying with a wireless network.

How can I protect myself?

With difficulty. The 802.11 standards were set up primarily to define the protocols for communication, not security. So you have to equip yourself not only with the tools to protect yourself, but also to continuously monitor rogue attempts at access.

  1. You can install software / hardware tools to protect your networks. A "Virtual Private Network" (VPN) will allow access to corporate networks. Minimum setup costs run to thousands of dollars, with extra renewable annual access costs per user, and they are not foolproof. A VPN also offers limited interoperability, i.e. you will not necessarily gain access to your office network through your hotel, coffee shop or airport lounge, because they will only allow WEP.
  2. Install extra encryption software. Airscanner is freeware, but there are many packages of variable quality available at various costs.
  3. Avoid WEP, which is crackable by most freeware sniffer programs such as AirSnort. Wireless access protection (WAP) is a new standard which will be available "real soon now". It uses the Temporal Key Integrity Protocol (TKIP), which, unlike WEP's static key, applies a complex mixing function to derive a different key for every packet.
  4. Physically secure your equipment whilst on the move.
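Item 3 is the crux of the list: WEP reuses one static key for every frame, differing only by a 24-bit initialisation vector, whereas TKIP mixes a fresh key per packet. The following Python example is added here to show why that matters; it is not code from the article. It implements plain RC4 (the cipher under WEP), a WEP-style keystream (IV || static key), the birthday bound on IV repeats in a 24-bit space, and a toy per-packet mixing stand-in (a SHA-256 hash of key, IV and a sequence counter; this is an assumption for illustration, not TKIP's actual mixing function). The shared key, IVs and frame contents are constructed sample values.

```python
import hashlib
import math

IV_BITS = 24  # WEP prepends a 24-bit initialisation vector (IV) to every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4, the stream cipher underneath WEP: key schedule, then PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_keystream(shared_key: bytes, iv: bytes, length: int) -> bytes:
    """WEP's per-frame RC4 key is just IV || static shared key (nothing else varies)."""
    assert len(iv) == IV_BITS // 8
    return rc4_keystream(iv + shared_key, length)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body encryption: plaintext XOR keystream."""
    return xor_bytes(plaintext, wep_keystream(shared_key, iv, len(plaintext)))


def mixed_keystream(shared_key: bytes, iv: bytes, seq: int, length: int) -> bytes:
    """Toy stand-in for per-packet key mixing (an assumption; NOT TKIP's real
    mixing function). Key, IV and a never-repeating sequence counter are hashed
    into a fresh RC4 key per frame, so a repeated IV no longer repeats keystream."""
    material = shared_key + iv + seq.to_bytes(6, "big")
    per_packet_key = hashlib.sha256(material).digest()[:16]
    return rc4_keystream(per_packet_key, length)


def iv_collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday bound: probability that at least two of `frames` random IVs coincide."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def keystream_reuse_leak(shared_key: bytes, iv: bytes, pt1: bytes, pt2: bytes) -> bool:
    """Two frames under the same static key AND the same IV share a keystream,
    so XOR of the ciphertexts equals XOR of the plaintexts: the key cancels out
    without ever being recovered. This is what per-packet mixing prevents."""
    ct1 = wep_encrypt(shared_key, iv, pt1)
    ct2 = wep_encrypt(shared_key, iv, pt2)
    return xor_bytes(ct1, ct2) == xor_bytes(pt1, pt2)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"        # constructed 40-bit WEP-style key
    iv = b"\x11\x22\x33"                 # constructed 24-bit IV
    a, b = b"attack at dawn!!", b"hold position!!!"  # constructed frame bodies
    print("static key, repeated IV leaks pt1^pt2:", keystream_reuse_leak(key, iv, a, b))
    print("toy per-packet mixing, same IV, seq 1 vs 2 differ:",
          mixed_keystream(key, iv, 1, 16) != mixed_keystream(key, iv, 2, 16))
    for n in (1000, 5000, 12000):
        print(f"P(IV repeat after {n} frames) = {iv_collision_probability(n):.3f}")
```

The birthday figures are the point for a defender sizing the risk: a busy access point sends thousands of frames a minute, so an IV repeat under a static key is a matter of minutes, not years, which is why the article's advice to move off WEP is not optional.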

Risk reduction bears a cost in terms of money and of users' time and convenience.

Air Magnet version 4.0 is available at a starting cost of $8,000 to provide WLAN security, with blocking and tracing of rogue access points and improved security.

Warspying?

This is a sub-set of the geek wardriver community, who roam the streets equipped with some $600 worth of equipment easily available online or from Radio Shack or RS, which readily picks up the signals from remote CCTV cameras and displays them on a local screen as they are received.

For £50 / $100 you can buy a remote camera to feed video links around your home or office to watch an elderly relative or child, or to protect an area, room, stairwell, whatever.

Commercially available systems have no security whatever.

Now who on earth would want to have access to the output from such devices? Well, one character in Ontario last fall was caught by the patrolling police alone in a car outside a home where the occupants had installed such a camera in their bedroom.

For some reason he was naked from the waist down.

Bluetooth is an open-access wireless technology developed by the Bluetooth group; the brand name alone is owned by Ericsson. It provides for transmissions on the unlicensed 2.4 gigahertz ISM band in three power classes with ranges up to 100 metres. Because Bluetooth devices are low power, they are harder to identify than Wi-Fi 802.11 devices; however, signal amplification, whilst controlled and banned by the FCC in the US, is, it appears, available elsewhere, extending the operating range and the likelihood of rogue access.

Bluetooth is now widely used in connecting all sorts of WLAN devices, such as printers to networks, mice and keyboards to PCs, but also remote hands-free transceiver headsets for mobile phones. That means your conversation is first transmitted from the headset to the telephone, and is therefore also available to anyone with a suitable device nearby, even if you have taken advantage of the "hide" facility.

Due to a weakness, again, in the design of the standard protocols, it is relatively straightforward, using any suitably enabled Bluetooth device, to identify a nearby device and gain access to the memory of a portable telephone (bluesnarfing), including call directory, identity, business cards, fax, etc. Because of the high-frequency channel hopping, snooping on the conversation itself would be difficult, but not impossible.

Security concerns are even greater because of the huge and growing range of devices currently enabled (in excess of 3 million), and because of the desire of manufacturers to speed products to market and to provide unique non-standard "features" regardless of the default security features within the standard Bluetooth protocols.

So, cruise controlling your way down the outside lane of life's superhighway, that dishy blond in the Beamer on the inside lane giving you the eye, raising your heart rate – he/she may also be downloading an electronic copy of your telephone's memory at 10 Megabits per second, numbers, calls, business cards – everything.

Want to know more about how vulnerable you are? Google any of the appropriate words above. Surprised? You will be. Alarmed? You should be.

Edward Teague
