http://arstechnica.com/wankerdesk/3q02/warflying-1.html

[Those that either live in San Diego or have spent any time there won't be surprised with the map of APs listed on there. Check out the above URL for hyperlinks to other sites and the map. - WK]

War Flying
by Delta Farce
8/28/2002

War driving is passé. Pete Shipley of the Bay Area Wireless Users Group (BAWUG) was the early big name in war driving. He and others popularized cruising the highways and local streets with laptops and 802.11b NICs that would detect Wireless Access Points (APs), and GPS units to record the latitude and longitude at which they were noted. Last year at DefCon he delivered a presentation at the same time that NetStumbler, a Windows-based war driving tool, was rapidly gaining in popularity. Anyone who's done any war driving knows that about 60% - 80% of the wireless LANs out there haven't had the most basic steps taken to secure them, making them as difficult to "break" into as buying a wireless NIC and downloading free software. For a technical overview of Wireless security, check out this Blackpaper.

Like many people, I spent more than my share of hours and dollars war driving last year. However, since I do not access the open networks I see, it quickly got boring. Early this year I retired NetStumbler, except for the occasional wireless audit at work.

Then Tracy Reed posted an invitation to go war flying on the San Diego Wireless Users Group (SDWUG) mailing list. Now that was a cool idea, and something I just had to do! In all fairness, while we weren't the first to do this (some blokes in Oz beat us to it), Tracy made the suggestion at least a month before those Aussies posted their results.

This past Sunday (8/25) I met Tracy at Montgomery Field in San Diego at noon. He did the pre-flight while I prepped the stumbling gear.
We hoped to rack up as many APs as we could so we planned to fly over or near high tech businesses, UCSD, Encinitas, Oceanside, Vista, Escondido, SDSU, Mission Valley, Pacific Beach, Mission Beach, Ocean Beach, Pt Loma, Chula Vista and then head to the airport to land. Tracy kept the airspeed low (about 120 knots) so we could maximize the time we would spend in range of APs, hoping this would increase the likelihood of detecting them.

Almost immediately after take off we passed over a business district and the APs started popping up, and fast. I thought they would taper off as we got higher. They didn't. After we leveled off at 1500' they just kept coming. As long as we were passing over areas with businesses or homes, we were getting APs. (Except for when XP and NetStumbler were fighting for control of the NIC and I had to reboot. Insert your Linux/Kismet plug here.) At one point we had to ascend to 2500', and yet the APs still kept rolling in. I guess the lack of intervening metal, wood, and concrete made a big difference. I didn't see a drop off in the home use (Linksys, etc.) or the commercial (Cisco, etc.) APs.

Here you can see a flight plan dotted with the SSIDs. The 437 blue diamonds represent our location when we detected an AP, and not the true location of the AP. Therefore, they are a pretty good representation of our flight path. As they are not the true locations of the APs, and they don't indicate whether or not they have WEP enabled (and it's really hard to read almost all of the SSIDs) I am willing to post this image.

Here are the SSIDs and the manufacturers that were most represented in the data we collected. First up we have the SSID names, which as you'll see largely match the manufacturers:

SSIDs
  linksys       189
  default        38
  Wireless       14
  Carroll         4
  tsunami         4
  UCS001          3
  WLAN            3
  Zoom033551      3

As you can see, along with not bothering to enable WEP, most people don't bother to change the name that their wireless access point comes set up with.
'linksys' is obviously Linksys, 'default' is D-Link, 'Wireless' is Netgear, and 'tsunami' is Cisco. Those four manufacturers' APs configured with default SSIDs account for 60% of the APs we saw.

Manufacturers
  Linksys           257
  Agere              33
  Apple              33
  Cisco              33
  D-Link             28
  Delta (Netgear)    18
  Acer               12
  Zoom033551          3

It really looks like Linksys has the lion's share of the market, at least in San Diego.

Keeping in the same range as what I have seen while war driving, about 23% (102) of the APs had WEP enabled. Folks still don't get it.

We are planning to place a couple of APs in a house that we can spend some time flying over. We'd like to see how far away, and at what altitude, we can fly and still detect the AP. I'm also hoping to get some web and perhaps IRC time in.

Don't forget to read Tracy's write-up of our adventure.

-
ISN is currently hosted by Attrition.org