Wireless Camouflage?

Anonymous Coward writes "Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables. Fake AP is a proof of concept released under the GPL."
  • Perhaps the author of this tool forgot to read this:
    • No.. it won't.
      It's not about using up bandwidth.. it's simply the data packets that announce other APs as present.
      A very small amount of traffic, actually.
    • "Security through obscurity doesn't work" is an aphorism, not a law of thermodynamics. It's foolish to rely on obscurity, but there's no reason why it can't add an extra layer of protection.

      Same for Brooks' law, for all the people who love to invoke that one. It's not a formal proof that adding a developer will necessarily delay a project.

      • It's foolish to rely on obscurity, but there's no reason why it can't add an extra layer of protection.

        If you can't rely on it, why are you wasting your time doing it in the first place?

        Security through obscurity is never "protection" because you're not really doing anything - because people who believe it's useful do rely on it.

        That being said, I disagree that this is obscurity - like a honeypot, nothing is being hidden; I see it more as a way to waste a potential hacker's time.. if they try a few that are bogus, they'll give up and go elsewhere.
        • If you can't rely on it, why are you wasting your time doing it in the first place?
          Because security isn't binary, good security is about lowering the odds of a break-in. Obscurity achieves this, and it can often be a very quick way of lowering the odds of intrusion.
        • I would never rely on just a single system for security anyway. And something like this that is relatively inexpensive, and can get rid of a good amount of the undesirables is worth doing. Good example is leaving a radio on and lights on when you aren't at home - anyone that watches the house for more than a few hours will realize you aren't home anyway, but for a good percentage of (would-be) thieves, that is something that is just too close to work so they move on and hit your neighbor.
    • Would you consider passwords to be security through obscurity? Security through obscurity isn't a bad thing- it just shouldn't be what your security relies on.
    • I don't think this has anything to do with Security through Obscurity. StO means you keep the flaws secret, while a fake AP flooding is an entirely different matter.

      Not saying it's bulletproof, but if it makes it harder to get in and the cost is small then there's no reason not to do it.

    • This is security by obscurity in the same way that chaff released to confuse a radar system is. You obscure a target so that attacking it with your primary mode of attack is no longer profitable.

      In other words, as many others have said, it's another layer of protection. I certainly wouldn't leave my network unsecured behind such a fuzz curtain.

      Just think of this as a form of radar jammer. It doesn't stop you from looking for the target. It just makes one of the easier ways of doing so hard.

  • by Anonymous Coward
    Won't this kill available bandwidth?
  • by WIAKywbfatw ( 307557 ) on Tuesday September 03, 2002 @06:11PM (#4191759) Journal
    Fake breasts?
  • Cacophony! (Score:1, Funny)

    by utdpenguin ( 413984 )
    I always admire a man who can use that word in a sentence.

    * bows to anonymous coward *

  • So you set up one of these things... How do your devices know what's real?
    • You take the red pill!
    • They have the correct SSID entered in their settings.
      • Which makes this whole thing pretty pointless. If you don't want people to 'netstumble' you, don't beacon and pick some obscure (non dictionary) name for your ssid. Sheesh.
      • At which point you start loving some of the wireless vendors who do not have this setting easily available. You love the older linux Prism drivers even more. The only love that shines greater is the love to driver authors who always scan for all APs before offering you a choice and overflow a fixed limit in the dialogs (there is one like that out there).

        To be continued ad nauseam... Grghh....
    • You configure it to talk to your WAP.

      This product works a lot like a flare that is used to distract missiles or other military ECM. It's meant more as a distraction. I am surprised someone didn't come up with this idea before now.

      I think the point is that it will waste the potential intruder's time - not that it will totally secure your network. If the potential intruder WANTS to get in, he/she will get in eventually. This is to confuse someone trying to just do a drive by hit.

      Then again, there is no stopping luck - what if the person hits on the right access point the first time?

      I haven't seen any studies on wireless where people are finding Wireless AP's with the "Broadcast SSID" turned off (NetStumbler can't find WAP's if you have the "Broadcast SSID" turned off) and MAC security enabled (you can clone a MAC address but you have to have a card that can do this function). If you are going to run a Wireless AP, why would you let any MAC hook into your system and why would you broadcast your wireless AP? Ok, you might have some clueless users who don't know how to configure their laptops and yes, it is a pain in the ass to have to distribute the SSID and the encryption Network key to everyone but why would you make it that much easier for an intruder?

      If you have a WAP that doesn't let you turn off the broadcasting of the SSID, why don't you research into either flashing the firmware to enable this feature or buying one that does let you do that? They aren't that expensive anymore.
  • DOS application? (Score:2, Insightful)

    by eander315 ( 448340 )
    Couldn't this software also be used to confuse actual end-users' wireless cards that try to find the legitimate AP? Seems like most wireless cards/software would have a hard time finding the real AP if there are 53,000 fake ones to choose from.
    • Not if you know the correct SSID, which was given to you via a secure channel (e.g., paper).
    • Re:DOS application? (Score:1, Informative)

      by Anonymous Coward
      No, since you are manually setting your card to a specific network name you and your AP will be able to talk. If you are trying to passively sniff a network for available network names you will have a hard time since lots of phoney ones are received (or at least that seems to be the idea behind this).
    • Well, only if they don't already know the SSID.

      It'll probably stop Steve and Bill from stealing your service, though :-)

  • by Anonymous Coward
    A Beowulf cluster of these!

    hehehehe. THat joke never gets old.

    well not to me anyway.

  • Correct me if I'm wrong, but a quick scan through the README doesn't seem to imply it'll do anything more than scream at the top of its digital lungs with ever-changing AP SSID's.

    Isn't that going to completely slaughter your actual AP?
    • Because you *should* know what your SSID is. Your correctly configured device will have no problem making a connection, but some 3viL Hax0r will have a hell of a time connecting.
      • Sure, but there's still going to be assloads of superfluous chatter on the channels in the area. That can't be impact-free.
        • Well, it certainly isn't impact-free. I'd call it impact-lite. It is just that the packets that announce APs are a small fraction of the outgoing packets.
    • This is still trivial to see past - look at the number of data packets, and you have your real network. End of problem.

      As for bandwidth usage - 802.11 is collision-based shared media just like unswitched wired ethernet. If you keep flooding the airwaves with junk packets you increase the chances of there being a collision and decrease the available bandwidth. Actually securing the network is a better course of action.

  • how long before the DMCA starts saying that "counterfeit 802.11b hot spots" is like DoS attacks on the WiFi community? I'm sure they'll find something wrong with this - even though I think it would be great considering I use an 802.11b wireless connection that sometimes seems to drop its speed when a lot of people are nearby - hhmmm.....
  • to port it to Windows?

    I'm not being a prick... But there are a lot of users out there who use WinDoze and this would be another tool in protecting us from those crazy script kiddies...

    Oh to be young and under 18 again...
    • Or you could just secure your system(s). There are better ways to protect yourself than this. This is just obscurity. It is like trying to avoid sexually transmitted diseases by dressing as a transvestite. Sure, it may work, but there are much better solutions.

      • Re:So who's going (Score:4, Insightful)

        by analog_line ( 465182 ) on Tuesday September 03, 2002 @07:18PM (#4192062)
        It's not security through obscurity, it's creating a forest around your tree. While I may be able to secure the machines on my network, use a VPN for all transactions over the wireless network, there's no real way to secure my access point. WEP is a joke, plain and simple. If someone gets on my wireless network unauthorized by me, I'm liable for whatever shit they might pull through my internet connection, so I don't see the supposed stupidity in making it a lot harder for someone to find the real access point. I have my doubts that this software is as effective at what it's trying to do as its author(s) claim, but even so, it narrows the potential abusers of my network down to the determined, patient, and lucky. No security is perfect. You just have to run faster than the slowest guy to avoid getting eaten by the lion, you know?

        And a better analogy would be trying to avoid venereal disease by dumping condoms all over the place so it's a veritable certainty that you'll be within reach of one wherever you happen to find yourself doing the nasty.

        A better
        • or... having sex with thousands of people and saying that makes each instance of sex have a lower likeliness to cause an STD.
        • ...Would be trying to avoid venereal disease by dumping condoms all over the place hoping that one of them will land on your penis. ...Or maybe not. I don't think STDs and wireless networking can be directly compared... -_-
        • You can use IPSec on your gateway to prevent random people from using your gateway. Real security also has all kinds of side benefits, such as actually having reasonable assurances of security.
          • You can use IPSec on your gateway to prevent random people from using your gateway.

            The above is a content-free statement that wishes it was a rebuttal. What gateway? My gateway to the internet? What, do you actually think I've got a Cisco with an IPSec module lying around that I can use merely for authenticating outbound web browsing? Are you clinically thick? Do you mean the wireless access point? How many consumer 802.11b access points do you think have an integrated VPN server built into them? None that I've found. Sure if you're an enterprise and have the cash to spend, and the need for wireless networking on a large and secure scale, you can get a Colubris Access Controller, but I, and most of the other people fielding wireless access points for their homes, can't afford it. And even if they could, setting up a VPN securely is not a trivial task that just anyone can do. Neither is using a spare Intel box to run a xBSD or Linux-based VPN server, not to mention the issues involved in securing the VPN server itself, that many well paid system administrators and security professionals can't seem to do correctly.

            Real security also has all kinds of side benefits, such as actually having reasonable assurances of security.

            I dare you to find the right access point out of 53000 others WITHOUT having to come up with a story behind why you're inching around with a Pringles can trying to figure out which access point my computers are using. ANY security measure can be socially engineered into uselessness. All your "reasonable assurance of security" buys you is a false sense of invulnerability, and the good feeling you get from spouting industry buzzwords.

  • by westfirst ( 222247 ) on Tuesday September 03, 2002 @06:19PM (#4191798)
    So I get a list of hundreds of access points. My trusty computer can be programmed to check them all one by one. Only the legit one will respond. I realize this is a bit slower, but I think the number of fake APs needs to be huge to hurt the war drivers.

    In fact, I think that the problem with this solution is the amount of effort expended in defense is equal to the amount of effort for the war driver. You've got to have a PC pumping out fake APs constantly. Both radio modems are putting out the same bandwidth. This isn't a good equation for most of us.

    Good encryption, on the other hand, takes only a few cycles to do but a gazillion cycles to undo. That's a great ratio of defense to offense.

    Plus, don't the fake APs still end up jamming the channel? If you're faking an AP, someone else can't use the channel on that microsecond. Given that wardrivers come only occasionally, but the jamming goes on constantly, I think that the legitimate users will pay a big price in network access for something that would only slow war drivers down a bit.

    But I may be wrong.

    • The packets that announce an AP consume a tiny fraction of your available bandwidth. There should not be a noticeable drop in bandwidth.
    • This sounds more interesting to me. I have not closely looked at the exploitation of WEP to see if introducing a low level (~1%) of improperly encrypted packets would cause problems or not. My guess is that it would, although you would have to be careful that the false encryptions were subtly wrong. What I do not know is how much harder it would make it. Perhaps more important, I do not know how possible it is to do with commercial cards.

      Of course, the much better solution would be if encryption was used properly by wireless networks. If you add a good key management system, it might even be usable (a globally shared key is just not a good idea). Many people are working on these, of course. Of course, it does not matter how good your encryption is if people do not use it.
  • Dumb. (Score:4, Informative)

    by Fat Casper ( 260409 ) on Tuesday September 03, 2002 @06:20PM (#4191799) Homepage
    Um... Why not secure the damn network instead?

    • Agreed..

      Security through obscurity is not the best solution.

      It seems to me that if this solution is commonly used, the tools will also rapidly adapt.
    • ...every time somebody goes on a silly hackers witch hunt. Been asking for a long time!
    • Yeah, this sounds an AWFUL LOT like STO. There's really no substitute for good security practices...

      I mean, you wouldn't dream of hiding the door to your home with bushes and leaving it unlocked because after all nobody can see the door for all the bushes. If I suggested that was a good idea, you'd probably laugh at me.

      (Hell, you probably already are. :-P)

    • Um... Why not secure the damn network instead?

      Heh, this sounds like the best way to secure a network. Along with the usual firewalls and other gems of obscurity, this is like a minefield that stands to catch 99.99% of the wannabe intruders. If you place lucrative triggers of deception everywhere, a newbie to your network is guaranteed to set off an alarm.

      This is just the final touch for security. It's more beautiful than the Venus flytrap. Imagine an intruder blindly walking off the edge of a cliff. The death penalty won't protect you from pests, but this will!
  • Uhm, huh? (Score:2, Interesting)

    by Qwerpafw ( 315600 )
    I really don't understand how this works. I perused their website for a bit, and even downloaded the binary, but it still bewilders me.

    So this program creates a whole host of fictional access points? Well, a few points I don't get

    How do *you* the correct user, find out which AP is correct?

    What keeps the wardriver from doing that?

    How does this affect performance?

    how does this affect range?

    If it doesn't affect either of the two above, then how does it work? It requires, apparently, only one 802.11b card...

    Of course, I only run a small wireless network, and I am really not the most technically skilled of people. However, I use whatever security I have (the relatively weak WEP, with a well generated key), and would love having a bit more assurance of network safety.

    Anyone who understands this willing to come forwards?
    (And not just understanding in principle, I understand their whole spiel about hiding in plain sight, like an apple in a barrel of apples.)

    • Re:Uhm, huh? (Score:2, Informative)

      How do *you* the correct user, find out which AP is correct?
      You should know what your SSID is. That is how your device knows which AP it should use.

      What keeps the wardriver from doing that?
      Don't tell the wardrivers your SSID. :)

      How does this affect performance? how does this affect range?
      Minimal. The packets that announce APs are a small fraction of your outgoing packets.

    • The software basically turns your WLAN card into a compulsive liar. It keeps saying it is different access points but it will only respond to its real name. You as a legit user know the real name because the person who set it up told you the real name. In that way it kinda works like a password, but the AP is broadcasting possible passwords all the time. It seems to me the person who wrote the software doesn't quite get the concept of "just because we can, doesn't mean we should"
    • >>How do *you* the correct user, find out which AP is correct?

      Just check the warchalk on the sidewalk outside. ;-)
  • Is there really such a problem with people mooching off wireless networks?

    I mean come on. Is the big problem in today's work environment really that before all the staff can play Quake III on the company LAN someone has to go out and scatter all the hooligans with laptops?

    This is cool, don't get me wrong. But if encryption isn't enough, go with the cat5 cable.
  • Pretty much everything on the site is included in the submission. Fairly amusing... anyone tried this? How about a full report on its usage in a heavy wardriven area like downtown Chicago or San Francisco?
  • That has got to be one of the coolest things I've seen. The article is a lil short on details but this reminds me of the article on LaBrea, the software to mire the MS worms....

    This is pretty innovative.....sorry just my 2 cents.

    • Innovative? not really...

      The idea of hiding a gold nugget in a sea of crap is nothing new.

      Except here you can just erase all that crap by just sniffing for TCP on 80-
      Well gee- now what you gonna do?
      Fake a slew of web requests so someone sniffing can't see the real ones?

  • It won't work! Of the 50,000 AP's you just need to find the one called tsunami.
  • by ihowson ( 601821 ) on Tuesday September 03, 2002 @06:25PM (#4191826) Homepage
    that doesn't eat up bandwidth on your network, is to simply disable beacons on your AP. Having thousands of beacons sent makes it fairly obvious that there's an actual AP somewhere in the area, and there are other ways to determine the real network name.

    Admittedly, not all AP's allow beacons to be disabled. But then, Kismet doesn't need them at all to detect networks.
  • by trentfoley ( 226635 ) on Tuesday September 03, 2002 @06:27PM (#4191837) Homepage Journal
    Let's hope that this concept is never applied to physical security. Imagine working in an office/cubicle with 32 keyboards and 64 mice, rj45 and rj11 jacks everywhere, throw in some extra pc cases to fill every inch under your desk -- with only one of each that actually works
  • by Dannon ( 142147 ) on Tuesday September 03, 2002 @06:28PM (#4191843) Journal
    First, uncloaking networks. Then, invisible cloaks. Now, cloaking networks.

    Next thing you know, we'll see a post about the invention of visible cloaks.
  • by funky womble ( 518255 ) on Tuesday September 03, 2002 @06:32PM (#4191857)
    This won't do anything to hide an active network, people will just look at the data traffic instead of the beacons.
    • by Anonymous Coward on Tuesday September 03, 2002 @07:32PM (#4192152)
      This won't do anything to hide an active network, people will just look at the data traffic instead of the beacons.

      No, I'm a hacker, and I can tell you, this has us beat. Trust me on this one: this will work. I promise.

      Also, run your telnet daemon on port 123. That will stump us as well.

    • This won't do anything to hide an active network, people will just look at the data traffic instead of the beacons.

      I'd say the effectiveness of this is not to hide a real AP amongst bogus AP's, but to hide real networks amongst bogus networks. So don't set this up in your office building... set it up in places there aren't currently wireless networks so wardrivers waste their time trying to break into something that can't be broken into. This isn't security through obscurity, it's a honeypot designed to lure people away from the real target.

  • So, we have a story submitted by an AC, linking to a site with very little information on it. Mayhaps the AC was the site operator?

    Now, how does this generate all the frames? Does it require the 802.11 interface to be on the Linux box, or does it manage to send the data to the interface as normal packets. In other words, if I am using one of the Linksys router/802.11 boxes, can I run this on my normal Linux box, or do I need to hack the Linksys to run Linux?

    And what is the effect on throughput? Any time the system is sending a fake frame, that is time it cannot be sending real data.

  • This is like painting your house the same color as the hill behind it, or better yet, using mirrors to create a bunch of fake reflections of houses. Not using encryption over wireless is akin to having no key-lock on the front door. Obscuring your house does little to keep someone from taking your precious collection of Atari 2600 cartridges.
  • by Anonymous Coward
    party line for all of us was to mock security-through-obscurity. Did I miss a memo?

    Oh, I see. It runs on Linux. Never mind. Carry on and sing praises to it.
  • by Render_Man ( 181666 ) on Tuesday September 03, 2002 @06:37PM (#4191879) Homepage
    As a wardriver, I think that this would definitely confuse and annoy anyone driving around.

    However I've noticed that companies with wireless AP's tend to be in clusters in close vicinity to each other. I'm just wondering what the effects on the person's neighbor would be. I could just see someone running this and just confusing the hell out of his neighbors. It would be even worse if the fake broadcasts were on different channels, then there would be real chaos with legit users.

    Fun to play with, but not practical for production since a determined attacker would wade through the data to get your real SSID

    Just my $0.02
  • by nowt ( 230214 ) on Tuesday September 03, 2002 @06:40PM (#4191894)
    I have a 3com Airconnect AP (one of the earliest AP's available). It has MAC filtering for nics. For the odd time I have a new nic I want to use, I need to add the MAC addr to it to even get a signal.

    It seems to work very well and would foil would-be wardrivers.

    • You can change the MAC address on wireless cards easily now. MAC filters are about useless these days.
    • Why would this foil them exactly?

      You're most likely right, since they are likely doing this for sport, not hacking. If you are using this simply as a deterrent, not security, then you are correct.

      However, any hacker who actually wanted in your network could do so in seconds:

      1. Listen for a unicast frame to determine a valid MAC address on the network.
      2. Change MAC address on his/her card to be one of the MAC addresses.
      3. Pillage the network of the person sitting dumb, fat, and happy on their unsecured net.

      The short and sweet of this is that it is not hard to spoof MAC addresses. Therefore, Access Control Lists (ACL) can not be the only level of security.
        • However, any hacker who actually wanted in your network could do so in seconds: 1. Listen for a unicast frame to determine a valid MAC address on the network. ...exactly, are they going to do this without being on the network? MAC filtering will keep them off the network unless they are an incredibly lucky guesser or have a lot of spare time on their hands.

  • Contaminated Coffee. (Score:4, Interesting)

    by perlyking ( 198166 ) on Tuesday September 03, 2002 @06:47PM (#4191922) Homepage
    Am I the only one who saw this and thought of Starbucks?
  • The messaging of WEP security associations within the 802.11 MAC spec is performed in the clear by passing challenge texts and responses around.

    So just compile a list of all the APs you see and listen out for a good security association. From this you can divine the real AP.

    With the proposed enhanced security mechanisms (TKIP & AES) the encryption similarly is not turned on until a security association (based on 802.1x) is completed. You can see this happen on the air and you can see which AP is being communicated with.

    For this to work well you might need to also fake lots of good security associations to all the fake APs that are beaconing.

    I see this as a poor mechanism. It is security through obscurity. It can be circumvented and the beacons suck away bandwidth.

    TKIP is the way to go.

  • Very effective @ DCX (Score:2, Interesting)

    by kwj8fty1 ( 225360 )
    While I was at defconX, I fired up kismet at one point, and started to see lots of APs. It turns out that the folks sitting behind me had been from Black Alchemy, playing with this neato tool. I personally saw about 600 APs/minute with this tool under kismet, and they had lots of dumb windows clients trying to associate with them. With some tuning, I'm sure they could get the number of APs per second to increase (They may have done this by the time of release).

    It was good stuff, and I ended up getting my name in the credits. :)
    • by BeBoxer ( 14448 )
      and they had lots of dumb windows clients trying to associate with them

      Which is exactly why this is a bad idea. The software doesn't just send beacons. It requires you to install a driver which contains full AP functionality, and then starts configuring it with random MAC address and common, well known SSID's, every quarter second. Which means that anybody within range who happens to have "linksys", or "tsunami", or any of a handful of common SSID's is going to be out of luck when their laptop connects to whomever is running this Alchemy "tool". People who set up broken AP's with liberal (i.e. wide open) security are assholes. And that's exactly what this software does.
  • It made me think, say you have an "evil enemy" company, or wait.. a corporation (it sounds more evil somehow) which is stealing all your hard earned profits. All you have to do is get a car with a couple of nice antennas (if you want to do it nice, but perhaps you won't even need it) and a couple of laptops and park it close to their office. Then you intercept the channel and ssid of their wlan, and you start to flood it with a lot of random packets using their channel and ssid. That's going to be more than a little annoying then, perhaps to the point that some people would even call it a DOS attack right?

    Now, I don't think such a thing is illegal or is it?
    • But the fun thing would be that if they had set up their system to be wireless only and had used VoIP, then they wouldn't be able to call the cops on ya.
      • Why, I mean the 2.4 GHz band is a public one, they can't force you to change ssid or channel?
        What if they had a default network, ssid 101 or airport on channel 1 or something like that, if you're not on their territory and having a lan party with a couple of laptops sitting in your car with the same default settings, they can't accuse you of dos'ing right?
  • Why not spray paint on the side of the building "Hey there's an 802.11 access point in here!"

    Come on! The idea is for them not to notice, and set up a barrier if they do. Not for you to set up a red light district.

  • Fine, We will sniff for probe packets then.

  • If you're smart enough and technically inclined enough to have a Red Hat Linux box to run this program on why not just run FreeRadius instead? It would seem to me that it would be better just to have a good authentication protocol and real security rather than just splatter crap all over the radio instead.
  • If you actually download it and look at it, you'll realize it's just a Perl script. Basically what it does is configure your laptop to be a real, functioning, access point. Every quarter second it reconfigures the card with a random MAC address and one of a handful of well-known SSID's such as "tsunami" and "linksys". Which means if you run this near any poor sap who happened to leave his card in its default configuration, they'll be screwed as they continuously associate with your non-functioning access point.

    Basically, I can't imagine this being effective at all against war-driving. But I can imagine it being quite effective as a DoS tool. Imagine setting it up with the SSID that Starbucks uses and walking into one of their shops with this. You could have half the customers futilely trying to connect to the legitimate service but getting your non-connected and continuously resetting "AP" instead. It would be easy enough for this "tool" to configure the card so that clients couldn't accidentally connect to it, by enabling WEP or MAC filtering or whatever. But it doesn't do that, or even try to. I understand it's version 0.2, but at this point I think it should be filed under "trojan horse" or "skript kiddie" given that it'll easily screw up legitimate users while doing basically nothing to protect you from any crackers around.
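An added example (my own, not code from this thread or from Black Alchemy's Fake AP) showing what several comments argue: a beacon-only decoy never carries data frames, so a BSSID with data frames is the real AP, while a burst of new beaconing BSSIDs is itself a signature a wireless IDS can alert on; it also puts numbers on the bandwidth debate above. The frame records, addresses and field names are constructed for the example, and the airtime estimate assumes 802.11b's 1 Mbps basic rate and 192 µs long preamble with an assumed 100-byte beacon.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Frame:
    """One captured 802.11 frame, reduced to the fields this analysis needs.
    Field names are assumptions for this example, not a real capture format."""
    t: float      # capture time in seconds
    bssid: str    # transmitter / BSSID
    ssid: str     # SSID carried by a beacon, "" for data frames
    kind: str     # "beacon" or "data"


def constructed_capture():
    """Constructed sample: one real AP (beacons plus client data) and a
    Fake AP style flood that brings up a new MAC with a common SSID every 0.25 s."""
    frames = []
    real = "00:11:22:33:44:55"             # constructed address
    for i in range(100):                    # 10 s of the real AP
        t = i * 0.1
        frames.append(Frame(t, real, "homenet", "beacon"))
        if i % 2 == 0:                      # some client traffic in between
            frames.append(Frame(t + 0.05, real, "", "data"))
    for i in range(30):                     # 30 decoys; no data ever follows
        bssid = f"02:00:00:00:00:{i:02x}"   # locally administered, constructed
        ssid = ("linksys", "tsunami", "default")[i % 3]
        frames.append(Frame(i * 0.25, bssid, ssid, "beacon"))
    return frames


def summarize(frames):
    """Per-BSSID beacon count, data count, SSIDs seen and first-seen time."""
    stats = defaultdict(lambda: {"beacons": 0, "data": 0, "ssids": set(), "first": inf})
    for f in frames:
        s = stats[f.bssid]
        s["first"] = min(s["first"], f.t)
        if f.kind == "beacon":
            s["beacons"] += 1
            s["ssids"].add(f.ssid)
        elif f.kind == "data":
            s["data"] += 1
    return stats


def real_bssids(frames, min_data=1):
    """BSSIDs carrying at least min_data data frames; a beacon-only decoy never does."""
    return sorted(b for b, s in summarize(frames).items() if s["data"] >= min_data)


def decoy_bssids(frames):
    """BSSIDs that only ever beacon."""
    return sorted(b for b, s in summarize(frames).items() if s["beacons"] and not s["data"])


def beacon_flood_peak(frames, window=10.0):
    """Largest number of distinct beaconing BSSIDs whose first beacon fell
    inside any `window` seconds. Alert when this exceeds what the site
    normally has; four new MACs per second trips it almost immediately."""
    times = sorted(s["first"] for s in summarize(frames).values() if s["beacons"])
    peak, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def beacon_airtime_fraction(beacons_per_sec, frame_bytes=100, rate_mbps=1.0, preamble_us=192.0):
    """Share of channel time spent on beacons. Assumes the 802.11b long
    PLCP preamble (192 us) and the 1 Mbps basic rate at which beacons are
    normally sent; frame_bytes is an assumed typical beacon length."""
    per_frame_s = (preamble_us + frame_bytes * 8 / rate_mbps) / 1e6
    return beacons_per_sec * per_frame_s


if __name__ == "__main__":
    cap = constructed_capture()
    print("real AP(s):", real_bssids(cap))
    print("beacon-only decoys:", len(decoy_bssids(cap)))
    print("peak new beaconing BSSIDs per 10 s:", beacon_flood_peak(cap))
    print("airtime at 4 beacons/s: %.2f%%" % (100 * beacon_airtime_fraction(4.0)))
```

With these assumptions four decoy beacons per second cost well under one percent of airtime, which matches the "impact-lite" replies, while the data-frame test still picks the real AP out of the crowd.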
  • I thought 802.11b was covered under Part 15 of the FCC rules. Doesn't this violate them by purposely generating interference?
  • Ok, a flamebait subject, but get off your horse. It is a tool for FUN. Personally, I plan on using it to cause wardrivers to drive off 128 as their laptop goes bonkers in the front seat (128 is a main commuter parking lot around Boston for those not lucky enough to live there). Should be FUN!
  • As has been pointed out in other replies to this story:

    it's easy to sniff for data traffic and thus ignore the fake access points,

    this is a useful DoS tool more than a way of securing networks.

    Seems to me that as long as network admins, users or Jo-average-computer-at-home-user keep thinking of 802.11 kit as an "alternative to wires", we'll be stuck with all the security problems. Wireless = broadcast. That will inevitably involve sending your data out to anyone who cares to set up an antenna and kit to receive it. You trade the convenience of not having to run wires for the insecurity of broadcasting your bits to the world. Anyway, given that this unpleasantly insecure technology is spreading worldwide, it's interesting to see this article at CNet about small, cheap 802.11 chipsets destined for set-top boxes. I contentedly predict that in a couple of years there'll be scares about wardrivers sniffing what people are watching on their wireless TVs :) Anna B

  • This might slow down wireless intruders, but not stop them ... ... Now if we were to come up with a package that makes a computer pretend it was an open relay we would be set.

    Imagine a Beowulf cluster of these ;-) A spammer finds what he thinks is an open relay and all it does is send his junk to /dev/null.

    If everyone did this, we would raise the cost of spamming. It will not stop spammers, but it will make them have to check if the relay is actually working by spamming themselves. Nice little breadcrumb trail, no more bulk sending blind ...

  • We should stop this attitude in its tracks, it is a selfish and irresponsible waste of bandwidth.

    1) WarChalking &| WarDriving are not crimes, the bands used by 802.11 are *public airspace* they belong to *everyone* not *anyone*.

    2) The vast majority of 802.11 access points are still experimental and like the early days of the Web are *supposed* to be *free* to use by responsible early adopters.

    3) If your AP is not intended for public use, it is its owner's responsibility to secure it.
    • 1) WarChalking &| WarDriving are not crimes, the bands used by 802.11 are *public airspace* they belong to *everyone* not *anyone*.

      Just because something is public does not mean that rules do not apply to this public space. A park is a public space but there are rules about how you can use it; the unlicensed spectrum used by 802.11b is available for anyone to use but you are still required to follow FCC regulations regarding how you operate within this spectrum. There are rules that dictate how your wireless card operates, how much power it can put into its signal, etc.

      In fact, it might be wise of you to consider this in terms of another user of this particular segment of the spectrum -- cordless phones operating at 2.4 GHz. The signal goes out over the same unlicensed spectrum band, but if you were to create a base station which prevented your neighbors from using their cordless phone handsets (even if it was accidental) you could be fined for violating the FCC rules regarding this slice of the spectrum. If you were to monitor and record a transmission between the base station and remote node you would be breaking the law. If you created a phone handset that masqueraded as your neighbors handset and used his phone base station (and phone line) for your calls you would be breaking the law. Both offenses can bring stiff fines and jail terms, something that aggressive wardrivers and 802.11b access point "borrowers" might want to keep in mind...

      • You seem to be misunderstanding my position. I am AGAINST this tool.

        You also seem to be making incorrect assumptions about what WarChalking &| WarDriving are about; it is no more about cracking than hacking is. The majority of people doing these are the very people trying to develop innovative uses of the technology.

        I suggest you peruse this site:

        spectrum used by 802.11b is available for anyone to use but you are still required to follow FCC regulations regarding how you operate within this spectrum

        I agree. Though the author of this tool clearly does not. It is essentially an area denial of service attack for 802.11, filling the spectrum with invalid SSIDs. This is akin to seeding local DNS servers with invalid domains, or worse, hijacking popular domains. I am sure that the FCC would consider that abuse. I know the UK's Radio Communication Agency would.

        but if you were to create a base station which prevented your neighbors from using [...]

        I am not doing that, though anybody using this tool would be.

    • This tool is essentially conducting an area DoS attack against peer 802.11 services.