To most, wardriving sounds like something out of the world of monster trucks. In reality, you don’t need a tank or Hummer to drive war. In a wireless world, all you need to successfully launch a cellular wardriving attack is a mobile phone, the right apps installed on it, and a bit of technical know-how.
As more and more enterprises and industries turn to cellular connectivity for mission-critical applications, keeping private cellular networks secure is becoming increasingly important. This is especially true when it comes to critical infrastructure, smart cities, and physical security.
What is wardriving? How is it done? And most importantly, what can you do to protect your private cellular networks from an attack vector that has plagued WiFi networks for close to two decades now?
What Are Wardriving Attacks?
Wardriving is the act of searching for open or vulnerable wireless networks by scanning the airwaves while moving in a motorized vehicle, often using GPS to mark the locations of vulnerable networks to exploit.
Wardriving is one in a category of attacks known as WarXing, and its name is derived from war dialing, a technique employed by Matthew Broderick in the film “WarGames”. In the movie, he would dial up numbers in an area looking for computer modems that would “answer.” Today, you can wardrive, warfly (with a drone), warcycle (on a bicycle) or wartransit across town equipped with nothing but your mobile phone to scan for open networks. Heck, you can even have your cat do it for you.
Though many are familiar with wardriving in the context of WiFi networks, it’s important to remember that private cellular networks are not very different when it comes to wardriving attacks. Since private cellular networks are often employed for mission-critical connectivity by enterprises, smart cities, and critical infrastructure applications, there is added risk to the exposure or compromise of those networks and the devices on them.
Who Wardrives and Why?
The motives for wardriving can be innocent, such as mapping out public cellular network signal strength in an area before moving to it or running a kind of “digital census” of WiFi networks in a specific geographic area. However, it’s quite easy to see how a collection of vulnerable networks can be useful to malefactors for nefarious purposes of all kinds.
One example is piggy-backing on open wireless networks to commit criminal and terrorist activities on the move. Such was the case with a militant group in India that roamed around Mumbai with WiFi detectors and programmed e-mail messages to be sent from hacked wireless networks prior to a series of bomb blasts.
Whitehat hackers and cybersecurity researchers often employ wardriving to uncover shady activities. For example, a group of Washington University researchers discovered stingrays (IMSI catchers) supposedly used by authorities in Seattle and Milwaukee. In this case, instead of wardriving themselves, they installed devices in ride-sharing cars to gather information faster.
When it comes to private cellular networks, wardriving attacks can expose the physical location of the network infrastructure as well as its frequency, cellular standards employed, and more. This opens the private cellular network to an array of attack vectors, both physical and cyber-based, including frequency jamming and MiTM attacks.
A Quick Guide to a Cellular Wardriving Attack
You don’t need very sophisticated equipment or extensive knowledge of cellular networking protocols to get started wardriving. Of course, if you’re a whitehat hacker with an Arduino and a desire to get adventurous, there are guides out there for you.
For a simple wardriving experiment, however, you only need to follow these steps:
1. Get an Android Smartphone
Though it is possible to conduct cellular wardriving using an iOS device, there are fewer apps available and the process is not as user-friendly.
2. Install a SIM card
To map the cellular access points and towers around you and along your path, you will need a SIM card that is permitted access onto the network. That said, it might very well be possible for you to detect and record the locations and some properties of towers on other cellular networks you may not be permitted to connect to.
3. Download a cellular tower scanning app (or three)
There is no shortage of applications you can install and use to wardrive. Some are more user-friendly than others, but in most cases, you will get the same information. At the time of writing, there were dozens of such apps with millions of downloads available for all. Among the popular ones, you will find Network Cell Info Lite, LTE Discovery (5G NR), and G-MoN.
It’s worth noting that you may want to try multiple apps to compare and complete data as results may vary.
4. Get wardriving!
The next step is as simple as running the app and going for a walk or a drive. In some cases, you will need to define the parameters of your search and whether you’d like the results to be shared with other users as part of a crowdsourcing effort.
You may discover badly concealed private cellular networks and suspicious-looking towers. Or you might simply learn where in your neighborhood you will get the best download speed on your cellular carrier.
It goes without saying that you should avoid using your own personal device and SIM card for such an experiment.
Protecting Private Cellular Networks from Wardriving
In some countries and jurisdictions, cellular network operators are obliged by law to report the location and technical properties of their cellular networks. However, as more mission-critical services and applications depend on private cellular network connectivity, it is becoming clear that wardriving can pose a risk to the reliability, capacity, and security of those networks.
While in itself an innocent scan of the airwaves for cellular networks broadcasting their identifiers, wardriving can aid malefactors in discovering vulnerable networks, the locations of towers, and access points they may want to attack using a different vector or technique.
For cellular network operators, being aware of wardriving attacks and being able to mitigate them should be part of a security strategy when it comes to mission-critical private cellular networks.
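An operator can run the same kind of survey against its own site to measure how far beyond the perimeter the private network is still detectable. The sketch below is an added example, not part of the original article or any app's export format; the CSV layout, PLMN values, coordinates, perimeter radius and the -120 dBm detection threshold are all constructed assumptions.

```python
import csv, io, math

# Constructed survey samples from a walk around the operator's own site.
# Columns: lat, lon, plmn (MCC+MNC), cell_id, rsrp_dbm
SAMPLE_SURVEY = """lat,lon,plmn,cell_id,rsrp_dbm
52.00000,4.00000,99970,101,-70
52.00100,4.00000,99970,101,-85
52.00300,4.00000,99970,101,-104
52.00600,4.00000,99970,101,-118
52.00300,4.00100,00101,5501,-90
52.00900,4.00000,99970,101,-127
"""

OWN_PLMN = "99970"     # assumption: placeholder PLMN of the private network
SITE = (52.0, 4.0)     # assumption: site centre (lat, lon)
PERIMETER_M = 200.0    # assumption: radius of the physical perimeter
DETECT_DBM = -120.0    # assumption: weakest RSRP a handset would still list

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def exposure(csv_text, own_plmn=OWN_PLMN, site=SITE,
             perimeter_m=PERIMETER_M, detect_dbm=DETECT_DBM):
    """Summarise where our own cells are detectable outside the perimeter."""
    outside = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["plmn"] != own_plmn:
            continue  # another network's cell, not our exposure
        rsrp = float(row["rsrp_dbm"])
        dist = haversine_m(site, (float(row["lat"]), float(row["lon"])))
        if dist > perimeter_m and rsrp >= detect_dbm:
            outside.append((round(dist), row["cell_id"], rsrp))
    outside.sort(reverse=True)
    return {
        "leak_points": len(outside),
        "max_range_m": outside[0][0] if outside else 0,
        "cells": sorted({cell for _, cell, _ in outside}),
    }

if __name__ == "__main__":
    print(exposure(SAMPLE_SURVEY))
```

A large `max_range_m` relative to the perimeter indicates that the network's identifiers and approximate location can be recorded from public space, which is the exposure the article describes.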