The preceding discussion has focused on groups who actively represent their networks either in public databases or through reports that satisfy the necessities of public accountability. However one of the prominent features of IT industry sales in the last 3 years has been WLAN systems or WiFi. You couldn’t read a company report without being pointed to the meteoric rise of WiFi sales in an otherwise flat market, and 2003 was the best year yet.
While we have been unable to find accurate figures for sales of WLAN equipment in London or even the UK or Europe, we can point to the fact that a huge amount of WLAN equipment has been sold in the last year, with the following circumstantial evidence.
Worldwide 2003 WiFi sales $7 billion
Hardware $5 billion
Services $2 billion
“The home WiFi– hardware market will achieve staggering growth in 2003, with 22.7 million NIC and AP units expected to roll out in 2003, a 214% increase from 2002’s 7.2 million unit shipments. Revenues are expected to reach $1.7 billion, an increase of 140% from 2002 total revenues of $700 million.” _
Intel alone received $1,8 billion in revenue from its wireless and mobile computing sector, and with 24% of its total revenue from Europe. This points to healthy wireless sales. _
“European sales of Wi-Fi interface cards for PCs are expected to soar 66%, to 4.6 million units” _
“The most notable geographic movement in 2003 was Europe’s growth, as it moved from 9% of total Wi-Fi home shipments in 2002, to 15%. Much of this growth in Wi-Fi is tied to Europe’s dramatic increase in home broadband subscribers in late 2002 and throughout 2003.” _
In 2003 Intel also launched a $350 million marketing campaign for their Centrino chip set which is now bundled as standard with many laptops. They appear to have done well from the campaign in terms of sales:
“Wi-Fi is in danger of being over-hyped, and to some degree we may be guilty of that by spending hundreds of millions of dollars on our Centrino advertising campaign,” Intel President – Paul Otellini _
Whatever the exact figures, the uptake of WLAN technology has been impressive, but with only 829 publicly displayed nodes from both commercial and freenetwork providers, and the few emerging in public sector pilots, where is it all being installed?
Air Stumbling London
.. image:: img/air-stumble.png
:alt: London air stumble results
In order to get a picture of how much installed wireless equipment actually exists in London, we needed a way of direct measurement. Luckily, wireless networks are like light bulbs and broadcast signal into the space around them, not just in areas of intended use but also in other directions. Depending on the antenna used these signals can be visible up to 40 km away in line of sight. Signal spills out of windows into streets, into other buildings, and up into the air.
This means that there is a wireless network cloud across the city, and using a standard laptop WLAN card and GPS it is possible to ‘see’ the networks in your vicinity, and if they are open, you can connect and get access to the network. This practice normally termed ‘war driving’ has been popular since wireless networks started appearing, and in the last years has been the bugbear of a recurring media story that highlights the inherent insecurity of wireless networks.
Contrary to popular belief, looking for the existence of wireless networks is probably legal, no more problematic than looking at doorways or signposts. Accessing networks that are intentionally secured is probably not legal, though accessing networks that offer a connection is a grey area as there is no way of telling whether a network is or is not intentionally open. (NB. This is the author’s opinion. If you need a legal opinion please consult a lawyer.)
While 802.11b has a built in security mechanism WEP, it doesn’t work well and is easily circumvented. Additionally, a large number of networks are installed without any security enabled at all, either intentionally or not.
For freenetworkers open networks are not a problem but a benefit. An open wireless cloud is precisely what they are trying to achieve. In common with other public networks such as the Internet, one must not assume that the network is secure, and security must be implemented at a machine or service level.
– Don’t connect a wireless device to a network that you want to be secure.
– Make sure your wireless (or Internet) connected laptop is secured perhaps with a firewall.
– If you want to engage in secure communications across the network use a secure method such as SSH or a virtual private network.
– Open you network for public use!
In March 2002 a security survey _ in London by Digilog in association with the Cybercrime unit and the ICC, the commercial crime unit of the chamber of commerce, war drove central London in smart cars. They found 5000 WLANs 94% of them open.
In order to get a current snapshot of the whole of London we contacted Capital Radio, who offered the use of their traffic spotter plane ‘The Flying Eye’ as a platform from which to get an aerial overview. Tired of the incessant war related media chatter of the last few years, we’ve taken the opportunity to steer clear of the ‘warflying’ moniker and use instead the term ‘Air Stumbling’. After some examination of previous Air Stumbles _, on 22nd Feb 2003 James Stevens hitched a ride in the 4 seater plane. Using a directional antenna, a GPS and a laptop running network discovery program Netstumbler _, he found 1525 nodes along the flight path, 50 % of which were open.
Total Distance flown 348.4 km
Total nodes seen 1525
Radius of view ~0.5 km
Flight height ~0.4 km
Ground area covered ~0.3 km -2
Total area covered ~98 km -2
Node density ~15.5 nkm -2
Estimate of nodes within the M25 ~19451
This is a very rough order of magnitude calculation and only takes into account those nodes visible to the air and with a sufficient signal strength to reach the plane at its cruising altitude. Normal access points with standard antennas are unlikely to show up on this survey as the flight altitude was at the limit of their range, normally taken to be 250m.
However the main point of the study was to show that there is a large installed base of nodes that cover London with a fairly complete wireless cloud, far in excess of the publicly displayed node maps of either the commercial operators or freenetworkers.
The actual node density at 15.5 nkm^-2 is far in excess of the 0.11 geek activist node density mentioned in the previous section, and also far above the 1.25 node density required for a fully meshed metropolitan network. In fact the coverage is such that just considering the percentage of nodes either open intentionally or by default, there already exists a wireless freenetwork in much of the city.
Projects such as the Wigle initiative in the States _ have focused on this phenomenon and provide global coverage maps submitted by anonymous wireless cartographers and stumblers. Their database is growing fast and within the 2 days when I examined it, the node count rose from 700,000 nodes to 778,000 worldwide. London is as yet underrepresented in this database, with only one 428 node track compared to these tentative stumbles that we have made.
Stumbles of Interest
Wireless nodes broadcast more than just their whereabouts into the public spectrum. Among other things they show a unique identifier for each network interface which is called a MAC address and the network name which is called an SSID.
SSIDs are the names that a user is presented with when they choose between available networks and are set during configuration by the node owner. They can tell us something about who the owners are and we can cross reference them against what we can see in public databases.
=== ================= =========================
Top 20 SSIDs
=== ================= =========================
141 default <-default Netgear
135 Wireless <- default Netgear
111 Linksys <- Linkysys default
111 NETGEAR <- Netgear default
53 belkin54g <- Belkin default
39 WLAN <- Belkin, acer default
35 BTVOYAGER* <- BT voyager default
10 Conexant <- Conexant default
9 tsunami <- Cisco Aironet default
9 eurospot <- Swisscom Eurospot
9 USR8054 <- us robotics default
9 USR2249 <- us robotics
9 ACTIONTEC <- Actiontec default
9 3Com <- Actiontec default
8 BTopenzone <- BT openzone
7 tmobile <- T-mobile
=== ================= =========================
**default SSID's ~ 680/1525 45%**
In this stumble we find that approximately 40% of access points are running with the manufacturers factory default SSID. settings. This points to equipment being used straight out of the box with little or no configuration and suggests that many networks may be open because of a lack of configuration, creating freenetworks by default.
Top 20 manufacturers
321 Netgear, Inc.
209 The Linksys Group, Inc.
184 D-Link Corporation
81 BELKIN COMPONENTS
53 ANI COMMUNICATIONS INC.
52 Aironet Wireless Communication
50 DELTA NETWORKS, INC.
47 Agere Systems
38 Undefined Mac addresses
35 ASKEY COMPUTER CORP.
30 U.S. ROBOTICS, INC.
27 Melco Inc.
26 2Wire, Inc
25 Z-COM, INC.
24 Cisco Systems
23 Apple Computer, Inc,
19 Acer Incorporated
17 Global Sun Technology, Inc.
12 Senao International Co., Ltd.
The first 6 digits of a MAC address are termed an OUI. This is an identifier maintained at the IEEE _ which uniquely identifies the manufacturer. By tallying occurrences of different OUIs in the stumble we are able to get a good picture of the 802.11b equipment market. Here we see that, Netgear, Linksys and D-link are the market leaders in London.
Registered Nodes and Hotspots
By matching SSIDs with node names in public freenetwork node databases such as the consume database and commercial hotspot databases such as Jiwire _, we can get some kind of picture of freenetwork and commercial activity.
While it could be that the strong showing of commercial nodes is due to the fact that this flight concentrates on roads and city centre, where most of the density of activity for commercial operators occurs, it is worth looking at the measured densities.
Flight area covered ~ 98km2
Percentage of London ~ 8%
Commercial ~ 25
Extrapolated Commercial ~ 320
Percentage of Registered ~ 46%
Consume ~ 4
Extrapolated Consume ~ 50
Percentage of Registered ~ 35%
Registered commercial/consume ~ 4.8
Actual commercial/consume ~ 6.25
Here we see roughly 46% of the expected commercial registrations that we would expect to over-fly and 35% of the expected Consume registrations. This suggests that the over-fly sees around half of the nodes it over-flies, probably due to the altitude taking the plane out of range of nodes, etc. What it does show us is that the relationship between the numbers of Consume nodes and commercial hotspots detected largely mirrors the ratio of those measured - 4.8 vs 6.25.
The very small sample size here makes the uncertainty in these figures rather high. For example, one extra Consume node seen would have changed the ratio to 4.8 vs 5.
Also, there are some problems with the method of matching SSIDs with Consume database entries, which may skew results. Node names in the database are not necessarily SSIDs. 'Hampstead' occurs in the stumble log and 'Hampstead Heath' in the Consume database. As no definitive information such as MAC address is kept about nodes in the Consume Db this SSID. survey can only give a very rough indication.
Reading Between the Line
SSIDs can sometimes tell you something about the owners of the networks or other less formally coded information. At a US conference two years ago, sysadmins changed SSIDs during the keynote to make jokes about the speech. Here's a selection from the flyover.
Neil Hawes & Associates Ltd <- SME
5t3ntw1r3l355 <- l33t hax0r
)(arthur <- SSID containing the )( open network symbol from war chalking _ shows that the user is offering a freenetwork here.
Fuck Off and use your own <- aggressively closed network
pikefamilynetwork <- home networking
HARINGEY IT <- public sector
www.4gisp.com <- advertising?
FM-lon10 <- FM radio station uplink?
Cazs Wireless Network <- clink street diaspora?