Wi-Fi in the Sky

mindless4210 writes "In an attempt to have the greatest warflying run to date, members from Daily Wireless, Tom's Hardware, SoCalWUG, and Highlands Highspeed teamed up for an amazing two-plane mission around Southern California. They picked up over 3000 access points and 900 clients, established a point to point link between the two planes, and successfully video conferenced in real time over the connection. This is also the first time that the wireless network detection tool Kismet has been taken up in the air, reporting over twice as many APs as NetStumbler. There is some footage of the flight in divx format available here."

How much info?

[GaussianInteger]

How much information can they REALLY gather from flying overhead? I assume that those planes travel as speeds > 85mph. Given the range of most APs, and the altitude of the plane, wouldn't they only be in range for a couple of seconds?

Re:How much info?

[T0t0r0_fan]

I think they only gather a couple of packets, then figure out some basic info from them(AP model, WEP-encrypted or not, etc). And those are sent out a couple of times per second, aren't they? So I don't think high speed is much of an issue, either. Gotta RTFA now, though :)

Re:How much info?

[transient]

You can slow a 172 down to about 60 MPH if you're careful. Dunno about the Piper though.

Re:How much info?

[Texas+Rose+on+Lava+L]

Actually, if it's a windy enough day, you can get your ground speed down to zero MPH. Just fly 60mph into a 60mph headwind. For that matter, if it's a really windy day, you can fly backwards.

Re:How much info?

[transient]

True airspeed most certainly does not take wind into account. You're thinking of ground speed. True airspeed is calibrated airspeed corrected for altitude and non-standard temperature.

Wi-Fi in the Sky...

[UniverseIsADoughnut]

... With Dimonds?

Re:Wi-Fi in the Sky...

[mattjb0010]

Or "Lucy in the sky with Wi-Fi". Puts a whole new twist on the mile high club.

Re:Wi-Fi in the Sky...

[rlangis]

~prays to the gods that be that Shatner doesn't decide to sing this one~

Roadtrip soon, which GPS?

[Jon+Howard]

I'm going to go on a roadtrip from the East Bay heading north. My friends will be taking a second car, and we've already decided to set up a link between us for the trip (can you say deathmatch?) - but I need to pick up a pair of GPS units on the cheap. Does anyone have a recommendation for a cheap, gpsd compatible unit?

Re:Roadtrip soon, which GPS?

[PatJensen]

Jon, Units just need to support the open GPS NMEA protocol. USB is preferred because it can be powered by your laptop without a bulky adapter or take a lighter port. I'd recommend some of the GPS "mouse" devices that are imported from Japanese manufacturers and are on eBay for $60-$80. No display but they are great for navigating with Streets and Trips or Netstumbler, etc. They will probe as a standard serial device at 9600 baud which you can feed to your navigation software. I'm in the East Bay about every 2 weeks and I frequently run kismet there quite successfully. Using an external antenna helps a lot too! Pat

Warning...!

Our access point is protected with the Patriot Missle Defense System. Offenders are liable to be shot down.

Your Friend,

D. McBride.

Re:Warning...!

[Jardine]

Anyone know the unit cost of a missile?

I'm not sure about the hardware, but I think the software is $699

Don't bother with the video dl...

[tvh2k]

...it's just of some cherokee flying around, nothing special.

Kismet Superiority

[WwWonka]

This is also the first time that the wireless network detection tool Kismet has been taken up in the air, reporting over twice as many APs as NetStumbler.

This week I realized how much better (like we needed proof) Kismet is over Netstumbler, even the newly released version

Had to fly to our San Francisco office and do some "networking stuff". Stayed in the Hyatt on Embarcadaro, where ironically they were hosting SecureIT 2004...make sure you use ' or ''=' to login to the Hyatts wi-fi service as admin for free. ;-)

Anywho, did some wireless sniffing with my "Cantenna" and on average picked up two to three times as many APs/Peers with Kismet than Netstumbler. Same equip on a dual booting laptop.

Re:Kismet Superiority

[necro2607]

Netstumbler won't report APs which aren't broadcasting their SSID in the beacon frame, whereas Kismet will. This makes a huge difference as many users are going to choose the option to make their AP "stealth" since they think it'll keep their AP hidden from "hackers" and war-drivers and the likes.

Re:Kismet Superiority

[Necr0maN]

also, netstumbler is an active scanning tool, meaning that it needs to get associated with an accesspoint first before reporting it, so it needs to talk to the accesspoint for that, and if your card can't transmit that far it won't pick it up. Kismet works in RFmon mode, so it listens in on the airwaves and just reports what it gets from the beacon frames flying around, thus , because it doesn't have to transmit anything, having a much higher range if you use a sensitive NIC (like the cisco 350, or those 200mW prism's). Also, kismet is undetectable. The only pro for the netstumbler way of handling things is that is works with 99% of all cards, since it uses high-level methods of speaking to them.

Re:How much info? - Plenty

[necro2607]

To quote the book "Maximum Wireless Security" from Sams Publishing:

Many Access Points have the ability to be configured in a stealth mode, thus "disabling the beacon" as one of their options. In reality, the beacon frame is still sent every 100 milliseconds--only the SSID has been removed.

Information made available by a single beacon frame, one of which is sent 10 times a second:

• 
  
• Basic Service Set ID (BSSID)
  
• WEP-enabled or not
  
• Type of device: AP or peer
  
• MAC address of wireless device
  
• Channel device was heard on
  
• Signal strength of device
  
• Longitude and latitude (if using a GPS)
  

Video?!

[theparanoidcynic]

Will they ever learn? Anything but plain text fed to ./ will turn your server into a heap of molten destruction. . . . .

Re:Video?!

[tvh2k]

nah, anything put into ./ will lead to error 404 :-P

Kismet got more because

[Pranjal]

..the Dailywireless team had a higher powered antennas.

So the the article is little biased when it says kismet picked up more. Sure it has the ability to catch cloaked SSID's but having a high powered antenna is definite boost towards gathering more info about access points.

Re:Kismet got more because

The antennas are receiving data, not sending it. The strength (output) of their antenna is irrelevant to scan for networks, as it does not need to transmit to them. The antenna design does however, a whole hell of a lot, but not its output capabilities.

WEP (in)security assumptions

[David+Jao]

The article incorrectly assumes that WEP enabled networks are more secure than non-WEP enabled networks. You can tell by the red/green color choices and the choice imprecations that the authors think poorly of un-WEPd networks. Unfortunately, in reality the best way to secure a wireless network is one that does not involve WEP. It is well known that WEP is insecure and thus one must resort to other means in order to secure a wireless network against known attacks.

As a starting point, the WaveSEC homepage describes a way to secure a wireless network entirely using IPsec, without relying on WEP. In addition, for a small home network you can get away with static IP addressing instead of using DHCP, and in this way you can gain all the benefits of WaveSEC security without needing any software patches (since if you look closely all the software patches are DHCP related).

IPsec is supported in Windows 2000 and up, Linux 2.6 (natively) or 2.0 and up (with Free S/WAN patches), and FreeBSD; unfortunately I have no firsthand knowledge of MacOS support. The main drawback of IPsec is that it is a very complicated protocol and takes a lot of effort to set up. Making different systems interoperate with each other is especially challenging -- for this task, I recommend the Free S/WAN interop page which links to an eclectic pile of guides covering most of the possible combinations.

My own home wireless network is a mix of Linux and Windows XP clients all connected via IPsec, and I have much more confidence in its security than I would otherwise have with WEP.

Re:WEP (in)security assumptions

[necro2607]

I was waiting for someone to mention this...

The ONLY security WEP provides is merely delaying any would-be 'hacker'.

Simply sit within the range of a wireless network with your laptop, collect enough packets with Ethereal or a similar tool, and you'll have the AP's WEP key.

Proof of concept: WEPCrack, open source program for cracking WEP keys from tcpdump, prismdump or ethereal captures.

For detailed info on why WEP is insecure, go here. Plenty of info on various types of Wifi attacks and vulnerabilities.

Re:WEP (in)security assumptions

This is true; WEP is known to be insecure. However, for the average joe, it is good enough - its the whole target of oppurtunity thing - would you as a hacker, spend a night in your car outside some dudes house in the hopes that they might compplete an online transaction with a CC?
It also prevents bandwidth leeching from all but the most determined.
For companies etc, the solution you mention is of course the better one; they stand to lose much more to a hacker, and can afford to pay someone to set up your solution.
Most people though neither have the time nor the skills, nor, for that matter, the need of such an elaborate solution.

Re:WEP (in)security assumptions

[necro2607]

One thing is, though, that you can actually try dictionary or brute-force password cracking on individual packets, so you could just capture a few packets and do a dictionary or brute-force crack in the comfort of your own home, or even just leave it to your 2ghz home desktop to do the cracking while you're at work or whatever.

You can see an explanation of this here, with a detailed explanation of how you could potentially crack a WEP key in half a minute...

Of course, brute-forcing a 104-bit key is going to take a long time, but the point is that you can do it without sitting outside some business' office overnight. ;)

Re:WEP (in)security assumptions

[David+Jao]

WEP is known to be insecure. However, for the average joe, it is good enough ... would you as a hacker, spend a night in your car outside some dudes house in the hopes that they might compplete an online transaction with a CC?

I agree that for most people (and maybe even for me), WEP is good enough. However I should point out that I did actually spend a night cracking my own access point's WEP encryption and my success in that effort is what motivated me to seek a better solution.

My bigger objection is with the article's premise that the unWEP'd networks are automatically insecure. WEP is neither necessary nor (fully) sufficient for really good security. People who really know what they're doing don't actually use WEP. The writers of this article (and many other writers) present a very simple "TURN ON WEP" message that does not adequately convey the subtleties of what is in fact a very complicated security situation.

I don't necessarily expect a sermon in every article, but I would appreciate a more moderated message and at least some kind of acknowledgement that there is more going on behind the scenes.

Re:WEP (in)security assumptions

[canon006]

At my school, in order to get internet access we have to authenticate against the school's proxy server. All the wifi access points have the same SSID (the ingenious 12345). So a few bright individuals create ad hoc wifi networks with their laptops with an SSID of 12345, then build a simple page with a prompt like the one the proxy gives and they harvest school id/password combos.

Luckily, my own laptop(iBook) differentiates between normal and ad hoc wifi networks and prompts me before connecting to an ad hoc system but the ones distributed by the school don't as far as I can tell. So how does one verify that they're connected to a real AP and not some kid's laptop?

Re:WEP (in)security assumptions

[Beryllium+Sphere(tm)]

Umm, it's not hard to spoof a MAC address.

Re:WEP (in)security assumptions

[bbdd]

with kismet, you will be able to see the valid mac addresses being used on the network, without being connected to it. from their homepage:

"Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and infering the presence of nonbeaconing networks via data traffic."

then use something like macchanger, and you're in!

Re:./ is repeating itself

[not5150]

NOT5150 = Humphrey Cheung My previous Warfly was in December 2003 with one plane.

I'm still amazed...

[LqqkOut]

I'm still amazed at the number of unsecured WAP's! Who are these people!?

Wait, nevermind! All of the unsecured AP's must just be Mom & Pop coffee shops offering free nodes. Right, must be it.

While sitting at my coffee table, Kismet shows 4 wireless networks available (without an external antenna) and each of these networks has WEP enabled, the message must be getting through to some people!

I know absolutely nothing about Microsoft's WI/FI API, but imagine a virus that spreads throughout the mess (er, mesh) created by the unsecured wireless networks. Hmm... and if the virus is smart enough to determine the WAP's manufacturer, it could even use the default admin password to blow massive holes in the router's firewall as well. While it's not very likely in my geographic location, it could definately be feasible in more densely populated areas.

Oh, and kudos to Kismet for blowing NetStumbler out of the water!

Too Bad DailyWireless.com is a STOLEN Domain

dailywireless.org is the real daily wireless, after they had sucess in gaining ad $$ dailywireless.com snagged the .com name and wont release it, dailywireless cant afford to persue the issue because now its ad dollars are being stolen

Re:Too Bad DailyWireless.com is a STOLEN Domain

[not5150]

Ok, so you are saying dailywireless.com of stealing the domain name???? Good webmasters will register all the .net/.org/.com addresses for the domain names. Seems dailywireless.org needs to hire another webmaster. not5150

Mirror of movie

[paulproteus]

I have made a mirror of the movie so you can spare Tom's the bandwidth.

Re:why bother with the video?

[John+Hering]

Sorry about the bum video clip, we had our hands full operating all the equipment! Check out the piece on CNN next sat at 12:00PM PST/ 3:00PM EST for some great footage and complete video coverage of the flight.

A few months ago I did this over San Francisco

[ConsumedByTV]

It was a single plane flying over the San Francisco bay area. I used Kismet as well... I think I wasn't the first but I did beat these guys by a long shot.

Two photos here:

kismet photo, San Francisco.

We had an ibook scanning as well, it picked up about 1/10th of the networks. All in all without very good equipment (knoppix, old kismet, nothing special) we got about 190 networks.

It's possible with a good antenna to circle and get online, it's also possible to make cell phone calls if you should feel like it (not that we did that). We were flying at about 2000 feet for most of the time.

It wasn't the last time we did it either. War flying can be fun with a GPS that records the altitude as well as the lat+long.

Nevermind that...

[uberdave]

Nevermind how much info they can gather, but rather, how are they going to mark the sidewalk?

Dumb idea

[johnthorensen]

OK, well here's a list of things I see wrong with this article:

• Using uncertified transmitters in a GA aircraft
• Unexperienced pilots flying formation
• DOOR POPPING OPEN AT TAKEOFF

As a pilot myself, I've got to say that these guys didn't exactly have their heads screwed on straight the day they went to do this. You couldn't PAY me enough to fly formation with another pilot whom I didn't know well, and someone obviously wasn't being too careful if doors are popping open. The wi-fi transmitters probably aren't that big of a deal, but I believe it may still be illegal, and I'd hate to do have all that gear running without a decent idea of what it was going to do to my avionics. Overall, a stunt like this does little to advance any sort of "science", and probably wasn't worth the risk to the 4 lives involved

-JT

Re:Dumb idea

[not5150]

"Overall, a stunt like this does little to advance any sort of "science", and probably wasn't worth the risk to the 4 lives involved"

Hmmm.... Wasn't this said to the Wright Brothers?? Of course, we all know what failures they turned into /sarcasm off.

Doors pop open all the time. During flight training, flight instructors tell students what to do in the case that a door pops open. It's actually not a big deal, if you have the proper training. The air pressure keeps the door almost closed.

Inexperienced pilots flying formation?? Do you know what kind of formation we were flying? Did you know that both pilots have hundreds of hours? The pilot of the Cherokee has a private airstrip with 5 planes and a helicopter.

The closest we ever got to each other was about 100 feet. Most of the time we were at least 300 feet away.

As far as the wifi messing with the avionics. Yeah there is a chance... but I did a previous warfly in December, 2003. We didn't experience any problems. Also, it doesn't really matter if the wifi messes with avionics, as we flew VFR. We followed visual landmarks, and used a moving map GPS.

Accidents happen... you can't stop that. People get hurt/killed in the name of science every day. Some people take the risks, other people just talk about them.

not5150

Re:Dumb idea

[kfg]

. . .probably wasn't worth the risk to the 4 lives involved

Personally I'd say making this assessment is strictly the business of the 4 lives. If someone wants to attempt a free climb of the north face of the Eiger it really makes no nevermind to me.

Risks to others are another story.

Of course, you risk other people's lives every time you take a drive to the mall as well, in tight formation with God knows who doing God knows what. There's no clean ethical cutoff.

Of course, on a typical day cars don't just drop out of the sky onto your head either, although it's been known to happen.

KFG

Re:Dumb idea

[kfg]

Actually, no. We don't have flying cars because there's no way to make a flying car that doesn't suck. The requirements of the two vehicles are just too different and I canna change the laws of physics.

Levitating cars would be a different issue.

KFG

Re:Dumb idea

[tyler_larson]

* Using uncertified transmitters in a GA aircraft

What the hell is that supposed to mean? Even on a commercial scheduled flight, any electronic device at all that the pilot and/or carrier deems safe is allowed--and that's under IFR. For GA craft under VFR, there's nothing even remotely illegal or even discouraged about it. There's obviously nothing dangerous about it. Steam gauges, visual navigation. You could lose your whole electrical system in those conditions and still continue the flight safely and legally as planned (albeit not in LAX's airspace) The 2.5 GHz transmitters aren't going to interfere with the com radios, though--you could test that on the ground. Hardly the stuff that would put lives in danger. Did you read your FAR/AIM manual before you took your written test? I did. Yep, the whole damn thing. And let me tell you, there's nothing illegal about what they did.

* Unexperienced pilots flying formation

That would be dangerous if they were inexperienced. But how did you arrive at that conclusion? Certainly not by checking the FAA registry -- At least one of the two is an instructor.

* DOOR POPPING OPEN AT TAKEOFF

A bit out of the ordinary, sure, but certainly not the stuff of disaster. The Cessna is, after all, a 1973. Perhaps the door latch needs work. Still, an open door has never caused an accident on an unpressurized aircraft. Never? Never. Not even one. Sometimes the pilot forgets to fly the plane when he sees that the door is open. But that's just training.

No, I don't see anything inherently dangerous about the operations they were conducting. Actually, I think you just came up with a few objections to their procedures to find an excuse to let the slashdot world know that you're a pilot.

In fact, I was thinking it would be fun to do in my area, if I can get someone to man the laptop. :)

Just one more reason...

[vwjeff]

to put an anti-aircraft defense system on my roof.

Been there, done that

[jmoore2333]

I've personally taken my Powerbook 17' w/ integrated 802.11g up in a friend of mine's plane (Grumman American) and was able using kismac for 10.3 (OS X) to pick up some faint wireless base stations, nothing strong enough to actually forge a connection. We had to be flying reasonably slow, and low but it did work. I also had a 802.11 connection going to another laptop, but it was in the co-pilot's seat.

And......

[Nursie]

So there are a lot of WAP's open and unsecured. Big deal. Mine at home is open, by choice. I like the idea. If everyone had open WLAN's attached to ADSL/Similar, then I could go pretty much anywhere and access the net on my laptop. I would return the favour by paying fo a connection that other people could use in the same way. I like that world in my imagination where everyone allows access and so everyone has access. If it gets abused for spam I'll lock it down, yes I am a realist in a small way. Attack is not so much an isue as all the machines on th WLAN have firewall software.

Re:My one question...

[MarcQuadra]

The short answer is 'no', Radio/WiFi signals move at near-light speeds and planes do not. Any sort of 'trail' that you're thinking would be at MOST a few millimeters (if that!) and it would be only one-way, preventing any real communication.

oddly enough

[Keruo]

I did some research while ago, wether warwalking/wardriving is legal here in Finland. Surprisingly I found section from the radio law that states receiving transmissions that weren't intended to you directly are illegal to receive. Meaning if you don't own the accesspoint or have legal access to it, you can be sentenced with this law, and the sentence goes up to 2 years in prison. That makes warwalking pretty extreme sports if there's someone who wants to try if this law holds in court.

Freaking Awsome Idea!

[Jonathan+Hamilton]

I would like to say that un-like the other two
post I think that was freaking awsome and can't wait to get my commercial fixed wing liscence and do the same thing.

Anyone that post about the avaonics messing with equipment or "flying in formation" as being dangerous has not idea what they are talking about, and have probably never be in an Airplane besides a huge jet.

Flying in formation dosen't mean you have to fly 3-4 feet like the fucking blue angles. You can fly 100's of feet from each other as long as you are maintaining the same heading, speed, and distance away from the other airplane.

People also forget that Wireless equipment is line of sight, so by being in a airplane you can see more AP's then by driving alone, not to mention that is saves more time.

I think it all boils down to jelousy and ignorance. These people can't own or see owning a plane, so they think that any one that does is a moron, and that flying in a plane to find Wireless AP's is a waste of time..

If those out there have the money and the resources to fly a fucking plane for wireless access points let them do it. This is a free country (moslty) and economics will punish them if they can't afford to do these things. (I.E. they will go bankrupt because the money that went for place fuel was suppose to go to power.)

If they can do it, and want to do it.
More power to you!