In the pre-internet days, crackers programmed their modems to dial up banks of phone numbers in an attempt to find open computer networks; this was called wardialing.

Today, with the advent of wireless networks, especially 802.11b, this practice has evolved into driving around downtown office buildings with a wireless NIC-equipped laptop to sniff out corporate networks and attempt to penetrate them.

Wardriving is simply driving around cities trying to find wireless access points. It's up to the person doing the driving to decide how to use this information. It might be merely for fun or for malicious intent. The term wardriving is a play on wardialing, and was coined by Peter Shipley (one of the first wardrivers to document his findings). It's disturbingly easy to do, and I'm constantly amazed to see how insecure most places are.

Why?
I began wardriving out of curiosity. I was interested to see how widespread the use of wireless networks was, and to see how secure those networks were. This is the main reason I wardrive without GPS. I'm not too interested in where the networks are exactly, as I have no intention to come back to that area. (Besides the fact that a good GPS unit is out of my price range.) Sure, there are some memorable spots, but I remember them as examples of how to secure a network instead of the insecure ones. Also, it's hands-on learning. When you see and experiment with wireless networking in action, you tend to pick up the technology faster.

It's also kind of fun. You get to play with tech, there's some sneaking around, and you get to say stuff like this: "Holy Crap! Bank of X doesn't even use WEP!" (Yes, this does happen all too often.) On a road trip, it can even be a group activity. I still get giddy whenever I hit a big patch of networks. Some wardrivers even play vigilante and will e-mail or even walk into a business that has a very insecure network.

What you need.

  1. A laptop.
  2. A wireless NIC.
  3. An omnidirectional antenna.
  4. The software. Most people use NetStumbler for Windows, and there are numerous Linux tools available.
  5. A car.
  6. A friend.
  7. A GPS unit. (optional, used to map where your "hits" are)
  8. A cigarette lighter DC inverter. (optional, but then you're relying on your laptop's battery)

Hitting the Streets.
First, make sure all your equipment is operational before you leave your house. It's up to you to decide when to wardrive, but if you drive at night remember that the glare from a laptop's LCD looks mighty suspicious. You're trying to look as unsuspicious as possible, so you might want to disguise your antenna. I had my original Lucent range extender in my rear windows, with a styrofoam cup over it. Of course, I wouldn't suggest doing that, because it can create interference. There are companies out there that make low-profile magnet mounted antennas, but they can range from 100-200 dollars.

Now that all your equipment is set up and working, start driving. Drive around office buildings, complexes, schools, or just about anywhere. When you get within range of a wireless access point, your software will catalog the manufacturer, channel, AP Name, any other relevant info, and if you're using a GPS unit, your lat and long. That's pretty much it. (Trust me, it's not that complicated.)

Tips & Tricks
The first thing is don't worry about looking shady. That may sound weird, but trust me when I say nobody will know what you're up to. I've had some weird looks, but I've also had police give me a polite wave. (This is in cities throughout the U.S.) If you're going to drive at night, try to drive "naturally". Don't loop excessively, swerve, or slam on your brakes every time you pick up a network. Also, you'll need to find a good position for your antenna. The best possible position is mounted to the roof of your car, but if that's not possible just try to make it fairly unobstructed. Finally, you might want to cover an area more than once if at all possible. It could have been that you were in a building's shadow the first time or the conditions just weren't right, and that might have caused you to miss a few access points.

Legality
Word of warning: I am not a lawyer, nor do I play one on TV. While there is no definite ruling on whether the act of wardriving is or is not legal, you certainly can be prosecuted under the standing computer crime laws. Of course, what really makes the difference is what you do with the collected list of networks. If you attempt to penetrate the networks, that is illegal (without a doubt). However, if you are using the data to show business owners that their networks are insecure, it's probably still illegal (though a little gray). Ultimately, it's illegal, so don't run around telling anyone I told you to do this.

How it all Adds Up
This is how my results usually come out in every single town I've driven in:

  • 1/3 of all networks are WEP enabled. Good for them, but WEP's been cracked. I hope there's some kind of tunneling behind that as well.
  • 1/3 of the networks are nice enough to give me an IP address. (This is a Bad Thing.)
  • The rest don't assign an IP or are WEP-ed. (Still not secure.)

Don't be a Victim
Please, please secure your wireless network. There are numerous resources on the internet to help, but here's a list of ways to help secure your network.

  1. Use WEP. Always. (Unless of course you intend for your wireless network to be public.) WEP isn't fool-proof, but at least it's a deterrent.
  2. Enable MAC address filtering. This will allow only cards with a MAC Address on your list to connect.
  3. Use a VPN. There are numerous VPN solutions out there, and many of them are free.
  4. Close your network. That way the AP will only communicate with cards that have the exact network name. This stops cards set to "any" from being able to connect.

However, it's not just about getting free, anonymous internet access. Once connected to your wireless network, a wardriver will be inside whatever firewall you have set up. It's just as if he/she had walked in and plugged into your switch. The wardriver can now browse your internal network at his/her leisure. Prepare!

  1. All wireless access points should be put outside any firewalls and viewed as insecure.
  2. All connections coming FROM the access points should be authenticated.
  3. This is just good practice: your internal network security should be just as strong as your external.

My experience shows I could get a high-bandwidth, anonymous, and untraceable internet connection in just about any decent sized town in America, not to mention access to internal networks. It's shocking, and a little depressing. To a cracker, wireless networks are a goldmine.
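
The segmentation advice in the writeup above (access points outside the firewall, every connection from them authenticated, a VPN in front of the internal network), sketched as an nftables ruleset. This is an added example, not part of the original writeup; the interface names, the gateway address 192.0.2.10 and the choice of an IPsec VPN are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed names: "wlan0seg" = NIC facing the access points,
# "lan0" = internal network, "wan0" = internet uplink,
# 192.0.2.10 = IPsec VPN gateway (documentation address).

table inet wireless_untrusted {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Management of the firewall itself only from the internal LAN.
        iifname "lan0" tcp dport 22 accept
        # Wireless clients get nothing from the firewall host.
        iifname "wlan0seg" log prefix "wlan-to-fw: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Wireless segment: the only permitted destination is the VPN
        # gateway, and only the IPsec protocols (IKE, NAT-T, ESP).
        iifname "wlan0seg" ip daddr 192.0.2.10 udp dport { 500, 4500 } accept
        iifname "wlan0seg" ip daddr 192.0.2.10 meta l4proto esp accept

        # Anything else arriving from an access point is unauthenticated:
        # log it for review, then drop it.
        iifname "wlan0seg" log prefix "wlan-unauth: " drop

        # Internal hosts reach the internet as before.
        iifname "lan0" oifname "wan0" accept
    }
}
```

With this layout a client that associates with an access point reaches nothing until it has authenticated to the VPN gateway, and the `wlan-unauth:` log lines show who tried. Check the syntax with `nft -c -f <file>` before loading it.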

All right, so you can wardrive. And, as long as none of the sniffed systems you find are actually accessed, it should be completely fine. A lot of people choose to wardrive this way, making it out to be a hobby not unlike trainspotting, birdwatching, or using a police-band scanner. These signals are being sent into the public airspace, after all. Some wardrivers even put on a white hat, and inform businesses and residences of the security risk they're running by having unsecured wireless nodes.

But the big question is, should you make any use of the access points you find? There are those wardrivers who feel that latching onto the bandwidth of an unprotected network to check email, chat, or websurf is perfectly all right...but is it?

Let's take a look at what people from both sides of the fence might say.

Digital Trespassing, Bandwidth Burglary?

If I forget and leave my front door unlocked, or even wide open, does that give you the right to come into my house uninvited? No...my house is my property, and if you enter without invitation, it may not be burglary, but it is at least trespassing. And who knows what you might do in my house if I don't know you're there? I might come home to find my bookshelves rifled through, my music out of order, my silverware gone.

It doesn't matter whether or not I've secured my wireless access point, you have no right to be using it even if I haven't.

If It's Not Forbidden, It Must Be Permitted

It is trivially simple to secure a wireless router in such a manner that, while still not impossible to crack, it requires enough effort that most would-be whackers won't bother. Therefore, if someone hasn't bothered to put in the minimal amount of effort necessary to secure the access point against unauthorized use, he must have intended for me to be able to use it.

Or, if he was too stupid to secure it against unauthorized use, he deserves to have me use it.

First of all, this noder does not condone hacking (in the sense of gaining unauthorized access to private information). If you use someone's wireless access point without authorization, you are inside their firewall. You can access all the boxes on their network. For crying out loud, leave them alone! Pilfering a little bit of bandwidth to surf the net is at least defensible: the network was wide open, and as many people are intentionally sharing wireless bandwidth these days, how could you know that this wasn't one of those community access points? But if you start rummaging through confidential information, you could open yourself to hacking charges.

When you make unauthorized use of wireless networks, you are using some of the bandwidth that the owner of that network pays for—thus, less bandwidth is available to that network's legitimate users. Now, unless you're running a peer-to-peer node or a webserver, uploading or downloading lots of files, the actual amount of bandwidth you use is probably so trivial that the network owner in question would never notice or care. Some writers even suggest that part of the reason for 802.11b's rapid adoption is the great number of insecure access points so that prospective buyers can use their Wi-Fi-equipped laptops almost anywhere. Still, as the Doonesbury strip at http://karlo.org/archives/images/db020721.php suggests, it is freeloading.

It is very easy to secure a wireless point such that it would not return a signal to every computer that requests it. Enable WEP (preferably with a 128-bit key), restrict access by MAC address, and turn off public broadcasting of the network ID. This can often be done in under five minutes using the wireless router's administrative software. It doesn't make it impossible (or even necessarily very hard) for hackers to access, but makes it difficult enough that most wardrivers won't bother. It also serves as a sort of digital "no trespassing" sign: if the company has tried to secure its network, that must mean it doesn't want unauthorized people using it.

That being said, many companies with insecure wireless access points may not even realize that they have them—as a result of impatient employees plugging in their own wireless routers in the office, not realizing they should secure them, and leaving their whole corporate network open to anyone who drives by. That a bank or other business probably doesn't intend for just anyone off the street to be able to use its network should be a matter of common sense.

However, sometimes it can be hard for a wardriver to tell whether an access point is intended to be public or not—or even if he is on the public network he intends to be using. Consider the point raised in http://www.newsfactor.com/perl/story/21529.html of two unsecured wireless networks located within a few hundred feet of each other: one public-access (an Internet coffeehouse), one not intended to be (a library). Because wireless-equipped computers will hook onto whichever signal is strongest, it is possible for someone to be located in the coffeehouse but accidentally browsing via the library network.

In the end, whether or not to borrow bandwidth from possibly-unintentionally-open access points will be up to the individual wireless user. But this noder would suggest keeping a "caveat browser" mindset. It is not impossible for unauthorized access to be discovered and traced...so be certain that you are not doing something you shouldn't.
