Warflying Experiment 1
We fly over San Diego in a small plane with a laptop looking for unsecured 802.11b wireless access points.
In the 1983 movie "Wargames" starring Matthew Broderick, the hero is a young computer hacker who programs his modem-equipped computer to dial every possible phone number combination, looking for another computer to answer, in an early form of digital exploration. Wardialing was never all that productive as a means of discovering other computer systems: it took a very long time to cycle through enough numbers to find much, and if you did find something, the chances were relatively slim that you would be able to do anything interesting with the computer on the other end of the line.
But times have changed considerably, and new technology has allowed this old idea to be reincarnated as something analogous to wardialing. Wireless access points have become very popular in the last couple of years as they have gotten relatively inexpensive. These access points usually broadcast far beyond the confines of the small office or home office in which they are set up, and they are often set up by people with no knowledge of security or of how wireless networking actually works. They simply want the convenience of not having to be tethered by a wire all the time.
Much like the kid with the modem searching for other computers with modems, a person with a laptop and a wireless network card can simply power up their computer, and the wireless card will try to communicate with any nearby wireless access point. If they happen to be closer to someone else's access point than their own, they could end up talking to that one. You can drive around town with such a setup and your computer will detect any wireless access point it happens to come within signal range of. This is known as wardriving. If you do it from an airplane, it is warflying. The name might seem to connote some sort of violence, but it is purely derived from a movie title and is in no way physically threatening.
With this in mind, an associate and I decided to do a little survey of the wireless world from an airplane. Lots of people have done this from cars, but from an airplane we are above the ground clutter and within line of sight of a lot more wireless access points than we would be in a car. We can also cover a lot more ground in less time and can fly over areas of interest without being restrained to where the roads can take us. We were hoping to be the first people in the world to do this, but a group of people in Perth, Australia beat us to it by a week. However, we were probably the first in the US to do it. The goal of this exercise was to determine the extent of deployed wireless Internet access points around San Diego, whether they use hardware encryption, who might own them, where they are located, and then deduce some potential risks from the data collected.
We met at the airport at noon on August 25, 2002 and began devising our strategy. We wanted to cover as many areas of interest as possible. It was decided to overfly the major population centers, business parks, and universities, which were likely locations for lots of wireless Internet access. With aeronautical chart in hand we sketched out a good flight path which would take us up the I-5/805 corridor, which has many high tech businesses, over UCSD, all the way up to Encinitas, then inland over Oceanside, Vista, and Escondido, down the I-15 corridor to the I-8, I-8 west passing by San Diego State University and Mission Valley, all the way to the coast, and then down the coast past Pacific Beach, Mission Beach, Ocean Beach, etc. to the end of Pt Loma. We overflew Chula Vista and then headed back up north to the I-8 and back to the airport for landing.
The entire flight was conducted at least 1000 feet above congested areas which complies with regulations and common sense safety. We chose this relatively low altitude instead of higher because we felt that being too high might hinder reception. We also flew at a speed of 120kts (136mph) for most of the trip. We could have gone at least 155kts (177mph) but we were concerned about the computer not having enough time to acquire the signal at high speeds.
A large portion of the flight was conducted within the airspace of various controlling agencies so there was coordination over the radio to gain clearance into these areas. It is common for people to believe that the airspace of large airports, military installations, etc. is strictly off limits. In the vast majority of cases this is not true. You simply have to ask permission and if what you want is reasonable it is usually granted.
A laptop running Windows XP and Netstumbler was used to detect the wireless access points. The IP stack on the Windows XP system was not loaded, so there could be no possibility of accidentally communicating on the networks of the wireless access points we came into contact with. An omnidirectional antenna (Cisco AIR-ANT1728, 5.2 dB) was placed next to the passenger side window with the computer in the passenger's lap. A GPS unit was attached to the laptop to record the location where each signal was detected. The use of personal electronics aboard a small aircraft is not a problem: the airplane is entirely controlled by wires and pulleys, and the engine isn't much more complicated than a lawnmower engine, so there is nothing these consumer electronics could possibly interfere with.
The entire flight lasted about 1.5 hours, and during that time we detected 437 access points. Each device by default periodically broadcasts an SSID (Service Set IDentifier) beacon to let the world know it is there. The SSID contains a text string identifier which can be set to any arbitrary string, often the name of the person or organisation who owns the device. It is these broadcasts that Netstumbler picks up on. SSID broadcast can be turned off, in which case Netstumbler will not be able to detect the device, but other programs which actively transmit and query for devices will still be able to detect them. The geographic distribution of wireless access points is nearly impossible to determine from the data gathered because the software does not have the ability to triangulate where an access point is located. It can only record the point on the flight path where the access point was detected, so we cannot easily see clusters of access points or determine on whose property an access point might be located. And since we do not know exactly where these access points are located, we do not know how large an area around the aircraft we are able to detect signals in, so we do not know what area we really surveyed. This means it is not possible to estimate the number of access points actually deployed in any given area. We can only say that there are a minimum of 437. But the detected access points along the route of flight can be seen to roughly correlate with high population density areas.
A quick perusal of the captured SSIDs raises eyebrows as we see names of defense contractors, universities, and numerous businesses. Many of the SSIDs are set to things like "home" or a factory default. It was also noticed from data within the SSID beacon broadcasts that only 102 have WEP (Wired Equivalent Privacy) turned on. WEP encrypts the transmissions using a password to keep people who do not know the password from spying on network traffic or from accessing the network resources. Wired equivalent privacy is supposed to mean that you have the same privacy as if you were using a physical wire. As it turns out, WEP is vulnerable to decryption, and software is freely available to do this. But even if WEP were secure, this means that there are at least 335 wireless access points spread throughout the San Diego area with absolutely no security at all. Any person can come along and effortlessly access the network. What's worse is that wireless access points are usually deployed behind the network firewall, so anyone who accesses the network via wireless has probably also accidentally done an end-run around the network's first and usually only line of defense.
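The beacon-derived figures above (437 access points, 102 with WEP, the rest open, many with default or generic SSIDs) come from fields that every beacon carries: the SSID element and the 16-bit Capability Information field, whose Privacy bit (bit 4) is set when WEP is required. The following is an added example, not code from the article or from Netstumbler: it tallies a constructed, simplified observation log (not Netstumbler's export format) the way a defender auditing such a survey would, counting each BSSID once even when it was heard several times along the flight path, decoding the Privacy bit, and flagging default or generic SSIDs from an assumed list.

```python
"""Tally WEP vs. open access points from a constructed beacon log.

Each line is tab-separated: lat, lon, bssid, capability_hex, ssid.
The capability value is the 802.11 Capability Information field from
the beacon; bit 4 (0x0010) is Privacy (WEP required), bit 0 is ESS.
"""
from collections import Counter

PRIVACY_BIT = 0x0010  # 802.11 Capability Information: Privacy (WEP on)
ESS_BIT = 0x0001      # set for infrastructure (access point) beacons

# Assumed list of default/generic SSIDs worth flagging (hypothetical set).
GENERIC_SSIDS = {"default", "linksys", "tsunami", "wireless", "wlan", "home"}

# Constructed sample log: hypothetical coordinates, BSSIDs and SSIDs.
SAMPLE_LOG = """\
32.8328\t-117.1395\t00:40:96:aa:bb:01\t0x0011\tacme-defense
32.8330\t-117.1398\t00:40:96:aa:bb:01\t0x0011\tacme-defense
32.8801\t-117.2340\t00:02:2d:cc:dd:02\t0x0001\tlinksys
32.7755\t-117.0710\t00:90:4b:ee:ff:03\t0x0001\thome
32.7500\t-117.2500\t00:0c:41:11:22:04\t0x0011\t
32.7100\t-117.1600\t00:02:2d:33:44:05\t0x0002\tlaptop-adhoc
"""


def parse_log(text):
    """Return {bssid: (ssid, capability)}, first sighting per BSSID only."""
    aps = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        lat, lon, bssid, cap_hex, ssid = line.split("\t")
        cap = int(cap_hex, 16)
        if not cap & ESS_BIT:  # ad-hoc (IBSS) station, not an access point
            continue
        aps.setdefault(bssid.lower(), (ssid, cap))
    return aps


def summarize(aps):
    """Count WEP vs. open APs and how many use a blank or generic SSID."""
    counts = Counter(total=len(aps))
    for ssid, cap in aps.values():
        counts["wep" if cap & PRIVACY_BIT else "open"] += 1
        if ssid == "" or ssid.lower() in GENERIC_SSIDS:
            counts["generic_ssid"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))  # {'total': 4, 'wep': 2, 'open': 2, 'generic_ssid': 3}
```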
This presents two major problems. The first is that a company's internal network and computing resources, which they probably believe to be secure, have been exposed to attack from anyone who passes near the building (possibly within a mile or two) by a tiny little box the size of a paperback book which any employee can buy at Fry's and plug into a network port under their desk without the network administrator's knowledge or approval. The second is that a person who accesses the Internet through someone else's wireless access point is completely untraceable and therefore has zero accountability for their actions. They are free to attack anyone on the entire Internet without fear of being caught.
My recommendation is to NOT use wireless networking if you are dealing with any sort of sensitive data. Any business is going to be dealing with sensitive data. The military has a standing order not to deploy any wireless networking equipment, but that order is very difficult to enforce. Some of the access points we picked up could have been on military installations. Anyone else who decides wireless is worth it should at least use an additional layer of encryption on top of the hardware-provided WEP encryption. My recommendation would be something like ssh or IPsec.
Overall it was a very successful experiment with lots of valuable data gathered. Additional plans for the future include setting up an access point of our own in a known location and then flying over that location to identify the access point and then fly a widening search pattern around it to map the signal strengths at various distances and altitudes. This could give us a baseline idea of how far away from the airplane we can detect other access points assuming they have similar signal properties which would allow us to determine how much area we had really surveyed.
And here is an image with all of the locations recorded by the GPS overlaid on a map of San Diego. The image really isn't all that useful since the dots pretty much display our flight path and not the actual locations of the access points, but it is useful to know the flight path, and you can possibly derive the density of wireless access points from the density of the dots.
Also be sure to read my accomplice's write-up over on Ars Technica.