Wardrivers charged with hacking Lowe’s and stealing credit card details
Read the article if your interested, but the basic gist of this article is that two gentlemen were apparently wardriving in thier hometown and came across a number of Lowe’s stores with wireless access and decided to hack the networks. If what the article is saying is true, than these guys deserve whatever the federal government has to throw at them. But the article leaves so much unsaid that I’m not even sure what they really did. And that has me concerned.
Why am I concerned? This story is very vague on exactly what the two culprits did to the network, which could be anything from passively finding open 802.11x access points to using those access points for Internet access to actively hacking the Lowe’s network. Wardriving is the act of driving around in your car with a laptop, a wireless card, an antenna, and a GPS. Every so often, usually several times a second, the laptop sends out a signal that basically says, “If your an Access Point, please respond”. If an Access Point is set up to respond, the laptop gets back information about the Access Point, if it is using encryption and the signal strength of the Access Point. Additionally, the software on the laptop uses the signal from the GPS to mark down the physical location where the signal was recieved.
Wardriving is in kind of a legal limbo at this time. In the strictest sense, you have made a connection to the network, but at such a low level as to be unusable. A very rough analogy to the physical world would be to drive around a building to see if it has doors and looking if the door has a lock. At this point, you haven’t even jiggled the lock. Like most loitering, this is frowned upon, but wardriving is equally hard to detect and stop. I have yet to hear of anyone being charged with anything for wardriving, and I’m more than a little afraid that this may be one of the first examples. If it is, I’ll be very interested in seeing how the courts treat it.
A second scenario concerning this incident might be passive sniffing of the network at Lowe’s. Setting up wireless Access Points isn’t that hard to do correctly and securely, but it’s even easier to do incorrectly and insecurely. If these guys were just sitting in the parking lot watching the Lowe’s network traffic as it flowed by, then they deserve a slap on the wrist. Lowe’s, on the other hand, deserves a big, fat lawsuit. I can imagine that the basic logic would be, ‘You didn’t secure your network, my credit card information was stolen and you have to pay up!’. When are companies going to start having to pay for ignoring basic security practices?
Finally, if, as this story suggests, the gentlemen in question were actively exploring the Lowe’s network and trying to get credit card information, I hope the Fed’s throw the book at them. When your using a wireless connection, it’s pretty easy to feel like you’ll never be caught. Except for the fact that the radio communication flows in two ways and the budget the Fed’s have for catching hackers allows them to buy the sort of equipment you need to follow the signal back to a car. Not to mention a little footwork will allow you to find two guys who have been sitting in front of your store for hours staring at a computer screen.
I hope more details come out about this case. I really want to know what happens. If wardriving is ruled as illegal, I want to make sure that I don’t get caught doing it. Nothing like a hacking charge to ruin a network security career.