- Wardriving is the practice of searching for Wi-Fi networks from a moving vehicle - attackers use mobile devices to detect and map wireless access points
- Involves driving around neighborhoods, business districts, or target areas with wireless-enabled devices (laptops, smartphones, specialized equipment) to discover unsecured or poorly secured networks
- Primary goal is reconnaissance - mapping wireless infrastructure to identify vulnerable access points for potential exploitation
- Uses passive scanning techniques to detect beacon frames broadcast by access points without actively connecting to networks
- Often combined with GPS coordinates to create detailed maps of wireless network locations and security posture
Attack Methodology
- Discovery Phase: Attackers use wireless scanning tools (like Kismet, inSSIDer, or WiFi Analyzer) to detect all available networks in range
- Documentation: Records SSID names, MAC addresses, signal strength, encryption types, and GPS coordinates of discovered networks
- Target Selection: Identifies networks with weak security (open networks, WEP encryption, default credentials, or weak passwords)
- Return Visits: Attackers may return to promising locations later, while stationary, for actual penetration attempts
Common Tools and Equipment
| Tool Type | Examples | Purpose |
|---|---|---|
| Software | Kismet, inSSIDer, WiFi Explorer | Network discovery and analysis |
| Hardware | High-gain antennas, GPS devices | Extended range and location mapping |
| Mobile Platforms | Laptops, smartphones, tablets | Portable scanning platforms |
| Specialized Devices | WiFi Pineapple, dedicated wardriving rigs | Advanced wireless testing |
Security Implications
- Information Gathering: Provides attackers with detailed intelligence about wireless infrastructure and security implementations
- Network Mapping: Creates comprehensive maps showing wireless coverage areas and potential entry points
- Vulnerability Assessment: Identifies networks using outdated security protocols or misconfigurations
- Social Engineering: SSID names often reveal business names, locations, or other useful information for targeted attacks
Legal Considerations
- Passive scanning (listening only) exists in legal gray areas - laws vary by jurisdiction and specific activities performed
- Actually connecting to networks without authorization is illegal - constitutes unauthorized access in most jurisdictions
- Documentation and mapping activities may violate privacy laws depending on local regulations
- Professional penetration testers must obtain proper authorization before conducting wardriving activities
War chalking is the practice of marking or documenting the locations of wireless networks discovered during wardriving. The term comes from the old hobo practice of using chalk symbols to mark locations with useful information.
War chalkers would traditionally use chalk symbols on sidewalks or walls near discovered wireless access points to indicate:
- The presence of a wireless network
- Whether it’s open or secured
- The SSID
- Signal strength
- Bandwidth information
While physical chalk markings are less common today, the term still refers to the practice of documenting and mapping discovered wireless networks, often using GPS coordinates and digital databases or mapping applications.
Vocabulary
- SSID (Service Set Identifier): Network name broadcast by wireless access points to identify the network
- Beacon Frame: Management frame periodically transmitted by access points containing network information
- Passive Scanning: Monitoring wireless traffic without transmitting or connecting to networks
- GPS Coordinates: Global positioning data used to map exact locations of discovered wireless networks
Notes
- Modern wardriving has evolved beyond simple network discovery - attackers now focus on IoT devices, Bluetooth networks, and cellular infrastructure
- Enterprise networks should implement wireless intrusion detection systems - these can identify and alert on suspicious scanning activities
- Regular wireless security audits help organizations understand their wireless footprint from an attacker’s perspective
- Hidden SSIDs provide no real security - wardriving tools easily detect networks with broadcast disabled through probe response analysis
- Mobile device management (MDM) solutions should prevent corporate devices from automatically connecting to unknown wireless networks discovered during wardriving activities
- Consider that signal propagation extends beyond building boundaries - wireless networks may be detectable from parking lots, adjacent buildings, or public areas
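An added example (not part of the original notes) of the wireless audit described above, run from the defender's side: it reads an organization's own site-survey export and flags owned access points that use open or WEP encryption, whose SSID discloses the organization name, or that were heard beyond the property boundary. The CSV columns, the `AcmeCorp` names, the MAC addresses, the coordinates, and the 50 m perimeter are constructed assumptions.

```python
import csv, io, math

# Constructed sample: rows an auditor's own site survey might export
# (column names are assumptions, not a specific tool's format).
SURVEY_CSV = """ssid,bssid,encryption,rssi_dbm,lat,lon
AcmeCorp-Staff,02:00:00:00:00:01,WPA2,-48,40.00000,-75.00000
AcmeCorp-Guest,02:00:00:00:00:02,OPEN,-71,40.00090,-75.00000
warehouse,02:00:00:00:00:03,WEP,-60,40.00005,-75.00000
warehouse,02:00:00:00:00:03,WEP,-88,40.00200,-75.00000
"""
SITE = (40.0, -75.0)        # building centre (constructed)
PERIMETER_M = 50            # assumed property boundary radius in metres
ORG_KEYWORDS = ("acme",)    # names the SSID should not disclose (constructed)
WEAK = {"OPEN", "WEP"}      # weak settings named in the notes

def distance_m(a, b):
    """Haversine great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def audit(csv_text, owned_bssids):
    """Return {bssid: sorted findings} for the organization's own APs only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].lower()
        if bssid not in owned_bssids:
            continue  # only assess infrastructure we are authorized to audit
        f = findings.setdefault(bssid, set())
        if row["encryption"].upper() in WEAK:
            f.add("weak-encryption:" + row["encryption"].upper())
        if any(k in row["ssid"].lower() for k in ORG_KEYWORDS):
            f.add("ssid-discloses-org")
        # A sighting outside the boundary means the AP is audible from public areas.
        if distance_m(SITE, (float(row["lat"]), float(row["lon"]))) > PERIMETER_M:
            f.add("heard-outside-perimeter")
    return {b: sorted(f) for b, f in findings.items()}

OWNED = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}

if __name__ == "__main__":
    for bssid, items in audit(SURVEY_CSV, OWNED).items():
        print(bssid, ", ".join(items) or "no findings")
```

Findings such as `heard-outside-perimeter` are inputs for transmit-power and antenna-placement review; they do not by themselves indicate a compromise.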