Comment: When WiFi WarDriving Turns into ‘WarDiving’

Chaskar says determined hackers will not just drive by, they will dive in
Chaskar says determined hackers will not just drive by, they will dive in
WarDrive in action (top), with resulting available network map (bottom)
WarDrive in action (top), with resulting available network map (bottom)

WarDriving has been around almost since the advent of WiFi. It involves driving around with a hi-gain antenna, a sniffing tool like Netstumbler, and location recorder such as GPS to look for WiFi access points (APs) detectable on streets and in other public areas.

WarDrivers also make their findings about the WiFi in different neighborhoods publicly available on the Internet. Many WarDrivers are hobbits who abide by the principle ‘see but do not enter’. What many WarDrivers may want to do is to gain free wireless internet access or inform others about how they may do the same. But that is not where the WarDriving may eventually stop.

Hidden underneath the WarDriving maps is a different kind of security threat, which sometimes is not so apparent. That is because determined hackers will not just drive by, but they will dive in. This is what I call ‘WarDiving’ – diving into enterprise networks through the WiFi security holes discovered by WarDriving.

Perils of WarDiving

A WarDiver’s goal is to enter the soft interior of an enterprise network, bypassing the wrapping security layers. At the heart of all enterprise LANs is the precious switching infrastructure. It is the interior core of the LAN, and it is common practice to rely on wrapping layers such as routers, firewalls and IDS/IPS for its security. This practice has been around for many years and it is acceptable as long as the only way from the outside into the switching infrastructure is through the wrapper layers.

However, when you throw WiFi into the mix, the WarDiver can reach the soft interior of the switching infrastructure through WiFi security holes, bypassing the wrapping security layers.

The most common security hole exploited in WarDiving is a rogue AP (i.e., an unmanaged AP connected in the wired network). It can be connected by an unassuming employee or by a malicious insider.

Another common security hole exploited in WarDiving is a misconfigured AP or an AP using weak encryption. Even properly configured APs that have implementation flaws in them provide a way for WarDivers to enter a network. Once the switching infrastructure becomes accessible through WiFi backdoors, many types of attacks are possible:

  1. Denial of service (DoS) attacks on switches in the wired LAN: There are many know DoS attacks for switches. Some examples are content addressable memory (CAM) table overflow, dynamic host configuration protocol (DHCP) address exhaustion, DoS attacks on the spanning tree protocol (STP) – which is the core of traffic forwarding in the switches – and attacks on the VLAN trunking protocol (VTP). In order to launch these DoS attacks, layer 2 access to the switches is needed, which was not possible to obtain from outside the network premises prior to the proliferation of WiFi. But when these WiFi security holes open up, access can be obtained by outsiders, and a DoS attack on the switches can lead to a blackout of the wired LAN.
  2. Man-in-the-middle (MIM) communication on the wired LAN: Again, there are many known MIM attacks on switches once layer 2 access to them is obtained. Examples include MIM by CAM table ‘fail-open’, address resolution protocol (ARP) poisoning, and reconfiguring the spanning tree structure used by the switches for traffic forwarding. MIM attacks enable the WarDiver to read, modify, and/or inject traffic in the communication sessions of LAN users.
  3. Active scanning of the hosts connected to wired LANs: Once access to the wired LAN is obtained, bypassing the wrapping security layers, it is possible to perform active scanning of the network to identify and exploit any vulnerabilities therein. This is pretty much what happened in the infamous TJX credit card breach.

Many ready-made software tools are easily available to launch the aforementioned attacks – dsniff, yersinia, cain, ettercap and nessus, to name a few. SECTOOLS.org has posted a compiled list of some available software. These software tools are often described as ‘penetration testing tools’, but a penetration testing tool in hands of a WarDiver becomes a hacking tool.

WarDiving Remedies

One way to combat the WarDivers is to ensure that the switching infrastructure is iron clad; that is, even without the wrapping security layers. For this, it is required to examine the defenses that the switches may have against the previously mentioned attacks.

These defenses should be enabled (many of them are off by default) and audited regularly. However, there are some practical challenges in this remedy. Enabling so many defenses may degrade the switch performance, because of the increased per-packet processing required at the switch ports to detect many attack signatures.

Also, some of the defenses may require configuring the anomaly detection thresholds – for example, defenses against active scanning and zero-day attacks. In practice, it is difficult to come up with the threshold values so that a real attack is never missed and false alarms are not raised during normal operation.

Finally, the switches are not designed to be directly exposed to hostile attackers. Hence, all types of attacks may not be addressed.

Another way to combat WarDivers is to provide a wrapping security layer on the network that is designed to block WiFi attacks – a wireless intrusion prevention system (WIPS). A WIPS is tailor made to detect WiFi vulnerabilities, such as insecure APs, and automatically block their wireless communications. This remedy requires installing the WiFi monitoring hardware within the network, but gets rid of the previously noted switch configuration management overhead.

One way or the other, the network and security administrators need to keep alert to WarDiving and deploy appropriate remedies in their networks. Ironically, even the non-WiFi networks (that is, enterprise networks that have not deployed managed WiFi of their own) are vulnerable to the WiFi WarDiving because a WiFi vulnerability such as rogue APs can appear on non-WiFi networks as well, and providing a way for WarDivers to enter your network.


Hemant Chaskar has been in the wireless networking and network security industry for more than a decade and currently the director of technology at AirTight Networks. Chaskar holds a PhD in electrical engineering from the University of Illinois at Urbana-Champaign.

What’s Hot on Infosecurity Magazine?