title for Warchalking note
home | about | site use | resources | publications | timeline   spacer graphic   blaw


law & ethics

related pages icon


Security &



related pages icon



Aust & NZ

dot-com &
telco bubble

section heading icon     overview

This note considers warchalking and wardriving, ie mapping wireless access to the internet and intranets.

It covers -

It supplements the broader discussion elsewhere on this site regarding internet security, network governance and matters such as cybercafes and wireless access in Australasia.

The following page of this note discusses the legal status and ethics of warchalking and wardriving before offering pointers to primers and studies.

section marker     introduction

Despite the name, warchalking and wardriving have little to do with war - of the traditional or cyber varieties - or terrorism. Instead, they relate to identifying and mapping wireless access points (AP), in particular individual devices or intranets that are inadequately protected and are thus open to unauthorised users.

That activity encompasses a cultural phenomenon - the 21st century equivalent of train spotting or bird watching - and a minor industry that involves hackers and crackers in defence or unauthorised access to devices and networks.

The term 'wardriving' supposedly derives from phone phreak era 'war dialing', ie hacker exploits in dialing phone number after number to identify and then access modems. The emergence of wireless networks - discussed here and here - following development of the Institute of Electrical & Electronics Engineers (IEEE) 802.11 standard was reflected in recognition that

  • the existence of secure and non-secure networks could be readily ascertained by observers with little equipment and without extensive training or expertise
  • the protection of many networks was inadequate or indeed non-existent.

One US observer thus wrote

Suddenly, people all over the country realized that their wireless devices could be set to scan for AP's, then throw 'em into their backpacks and walk around the financial district until they had several dozen free internet connections.

Wardriving took that identification from the backpacks and footpaths onto the road, with people engaging in 'drive-by' discovery of open and closed wireless access points.

It is a phenomenon that has continued, with some enthusiasts reporting their discoveries in lists and maps of considerable sophistication (including interactive online mapping that features GIS data and details about individual APs).

Warchalking - hyped by the mass media - appears to have been as evanescent as the chalk markings on some pavements to indicate an adjacent open AP. It is of interest as a digital culture fad that didn't last the distance.

section marker     driving

APs are identifiable because they signal their presence at specific intervals (typically 100 milliseconds) by broadcasting a packet that features an individual service set identifier (SSID) and other data elements. That signal is of low intensity, generally restricted to a radius of 100 metres and affected by attenuation such as water, architectural features or security shielding.

Wireless-equipped laptops, personal computers and other devices (such as personal digital assistants) are able to detect the signal. That is necessary if they are to join a network and allow the user to exchange information with an individual device or a network of devices (including devices that provide a bridge to the internet).

As we have noted in discussing networking and the GII, a wireless capacity is now a standard feature on much new equipment. Devices can also be augmented with tools to detect and process AP signals and external antennae, particularly when using a motor vehicle. A range of free and commercial 'stumbling utility' software can be used for example to record data transmitted by an AP; some products incorporate global positioning system coordinates that provide the basis for producing electronic maps.

Wardriving was initially conducted manually - some reports featured tales of ballpoint pens and Pringles can antennae - but came of age in 2001 with development by Marius Milner and Peter Shipley of dedicated AP software that readily integrated GPS location data with databases of detected APs.

Wardriving has flourished since that time, through word of mouth, media coverage, industry claims of varying accuracy and newsgroups or specialist sites such as wardriving.com, some of which feature lists and maps. Examples of maps are here and here.

Much wardriving does not actually involve automobiles. We are aware of two enthusiasts who use a bicycle in wardriving; one contact in Australia has used a helicopter and - more scarily, at least for people in his flight path - a light plane. In major urban centres it is arguably easier to engage in 'warwalking', roam the strrets with a PDA running a stumbling utility like MiniStumbler. Fans have also referred to 'warcabbing' - nothing more elaborate than watching a laptop in the back seat of a taxi.

Wartrapping, promoted by security consultants, comprises a 'honeypot' AP - one that features monitoring software aimed at determining the level of wardriving and attempted intrusions.

section marker     chalking

Wardriving first attracted attention in the mass media because of warchalking, which became a fashion - arguably now past - among undergraduates, high school geeks and the post-secondary tech community. Having identified a wireless AP those tech savvy users would 'mark the spot' with a chalk symbol on the pavement, bin or building. In December 2002 warchalking was named one of the "100 most significant ideas of the year" by zeitgeist sniffers at the New York Times Magazine.

Chalking supposedly originated with blog entry by London-based information architect Matt Jones, with the expectation that warchalk symbols would provide a sufficient visual cue for attempting a connection from a laptop or PDA. Such marks would supposedly "encourage newcomers and initiate conversations between Wi-Fi users, network operators and others". The chalking was spun as "runes" or "a modern version of the hobo sign language used by low-tech kings of the road to alert each other to shelter, food and potential trouble".

That led John Hiler to rosily characterise chalking as the "
perfect storm" confluence of "three favorite tech themes" -

It's got Wi-Fi. It's got the tie-in to hobo language, which is really cool from a linguistics point of view. And it ties into the spirit of democracy, which was the original intention of the Web. It's the subversive idea of giving the finger to the local land-line monopoly.

Paul Boutin in the usually starry-eyed Wired News commented in 2002 that "Warchalking, it seems, is so cool it doesn't even matter if anyone is really doing it or not".

Christian Sandvig more incisively commented that warchalking is entirely a media phenomenon

it is a beautiful idea, but it doesn't make any sense as a directory service to find Wi-Fi. It is too easy to miss a warchalk mark, and the chalk wears away (or washes away in the rain) too quickly. Warchalking symbols were heavily promoted in the New York Times just *48 hours* after they were first made public on the Web. There was a subsequent wave of media stories about warchalking, giving everyone ideas. Every single occurrence of chalk I've found can be attributed to chalkers who want to self-promote their own mark. So I believe that people *do* rarely make warchalking marks for various reasons (to be cool, to advertise for their own network) but I *don't* believe that people use warchalking marks in a meaningful way to find Wi-Fi.

Two years later, although APs continue to proliferate, there's little sign of ongoing warchalk activity on the ground or in the mass media. Among the young digerati with whom we are in contact the idea of chalking is at best regarded as 'quaint'.

section marker     statistics and mapping

In discussing Australian and New Zealand wireless access we have noted that figures about the number of open and closed APs are contentious. There are few authoritative industry or government accounts, although it is clear from equipment sales figures and from anecdotal reporting that the number of APs is continuing to grow rapidly - particularly as many organisations seek to contain network deployment and maintenance costs by using wireless rather than wired LANs in their premises.

The immaturity of the industry means that an indeterminate number of sites appear to be open to unauthorised access, whether deliberately or through poor design and maintenance. Within a few kilometres of the Canberra CBD for example there are approximately 180 access points, of which as many as 100 are unsecured as of August 2004. A December 2003 wardrive in Auckland identified around 700 wireless APs, of which around 60% were unsecured. Some overseas statistics from the annual 'Official WorldWide WarDrive' are here.

There have been no major studies of wardriving and chalking as avocations. It is unclear how many people engage in driving, mapping and chalking on a short term or ongoing basis. Examination of participation in online fora suggests that numbers are not particularly large.

Vendors of network protection solutions have, however, argued that a "significant" number engage in casual or sustained driving at any one time and that much of the activity extends beyond identifying APs to unauthorised grazing of private information and offences such as release of viruses or spam.

Driving as a mechanism for legitimate acqusition of geospatial data has attracted some commercial attention, given the muddiness of much hotspot mapping and industry analysis.

US specialist Quarterscope for example, in building a commercial AP database to deploy location based applications, has announced that it is

willing to pay wardrivers for past and future GPS located scans. We will pay between $0.01-$0.05 per access point depending on the priority of the area (NYC versus Topeka) and the quality of the data (number of GPS locations per access point).

A somewhat different approach has been taken by the 'open infrastructure' Herecast project.

section marker     demographics and industry

Detailed statistics on the size and shape of the wardriving population are unavailable.

That is unsurprising, given that wardriving is a 'fringe' activity (consistent both with concerns regarding legality and, more importantly, the frisson associated with the mixture of expertise and naughtiness).

Anecdotal indications suggest that in Australia and other western nations most non-professional wardriving is what one observer unkindly characterised as "black t-shirt homosocial" - predominantly white, male, under 25, tech literate and involving two or more friends in a car. Much of it is presumably undertaken "because it's there" and doesn't involve the pizza-deprivation experienced by mountaineers.

One US driver thus commented in 2004 that

For those of us that do wardrive, we're not interested in how many systems we can hack, or trading warez, or any of that -- we just want to see where and how many.

Proponents such as John Duntemann argue that

wardriving provides a unique opportunity to gauge the growth of a technology market segment by direct inspection . In other words, we don't have to take a vendor's or research firm's word for how many wireless networks are out there. We can go out and look for ourselves. This isn't possible for things like digital cameras and DVD burners. In conjunction with some understanding of the demographics of an area, it's possible to use wardriving data to get a sense for how "connected" or "tech savvy" a neighborhood or region is.

The number and severity of wi-fi based offences is unknown. Its flipside, as with other cracking, is the market for defensive services. Konstantin Gavrilenko commented in 2004 that

The market for wireless security is really huge, mainly due to the fact that despite all the media buzz, majority of companies still do not fully understand the potential vulnerabilities that wireless networks can bring into their existing IT infrastructure. We do wardrive often, for the purpose of collecting statistical data of the overall protection level of wireless networks, obviously staying within the legal limits, and we have to say that the picture is worrying. We have seen quite a few rather large multinationals employing unprotected wireless access to their internal network. Some of them have improved over the time, turning on basic WEP. However, the biggest challenge in our business, is that you do know that the company is vulnerable, however, you can not go and inform them. The initiative has to come from the client itself, who should realize the severity of the problem and come to us for advice and complete solution.

In May 2010 Google attracted criticism in Europe, Australia and other locations after disclosure that the vehicles used for its global street photography exercise had been collecting wireless internet information along with the images. Both data sets of course are tied to GPS information.

icon for link to next page   next part (wardriving law and ethics)

this site
the web


version of May 2010
© Bruce Arnold
caslon.com.au | caslon analytics