Wardriving - Building A Yagi Pringles Antenna

Spyridon Antakis, Mark van Cuijk, Joël Stemmer

13 October 2008

Abstract
Wireless networks bring mobility to the business user and consumer and introduce networking in places where networking could not be brought before. With the current mass usage of wireless networking, hardware prices are falling and bandwidth is rising. The scanning and logging of these networks is called wardriving. Some locations might be impossible to reach without the adversary attracting unnecessary attention. By using a better antenna than the ones used in standard Wi-Fi hardware, this problem could be avoided. In this paper we describe a custom directional antenna, made using basic everyday parts and a Pringles can. Experiments will be performed to compare the antenna with a regular Wi-Fi equipped laptop in signal quality and reception range.

1 Introduction

The first operational wireless network was ALOHAnet [9], developed at the University of Hawaii and deployed in 1970 throughout the US state of Hawaii. In the decades that followed, several new technologies were developed, leading to the First IEEE Workshop on Wireless LANs [4], where the process started that would eventually lead to the IEEE 802.11 standards set [2], which specifies communication for wireless LANs from the physical layer up to encryption and authentication standards for security.

Since the start of the twenty-first century, most notebooks sold include hardware to communicate with wireless networks using one or several of the IEEE 802.11 standards, and broadband internet connection providers distribute modems with built-in wireless networking capabilities; this led to a mass adoption of the technology. Most of these networks are connected to the internet and carry sensitive information, such as internet banking transactions, personal photographs and private email.

To provide confidentiality on the transmission channel, the original IEEE 802.11 standard, dating from 1999, included the Wired Equivalent Privacy (WEP) algorithm. Because several serious weaknesses were identified in 2001 [5], and with the introduction of Wi-Fi Protected Access (WPA) as part of IEEE 802.11i [8], WEP is now considered deprecated. For authentication purposes, the Extensible Authentication Protocol (EAP) [6] has been adopted, which had previously been used in point-to-point topologies, like phone lines.

Despite the availability of several security-enhancing technologies, a large share of the deployed wireless networks are badly secured or not secured at all. Consumers are often not aware of the security implications or do not have the required knowledge to determine what steps must be taken to secure a wireless network. Wireless devices are often left in their factory default settings (using default passwords) or with WEP and WPA completely turned off.

1.1 Wardriving

Wardriving is literally driving around scanning for wireless networks using a portable computer or PDA. Variations on the name exist, like warbiking and warwalking. In this paper we will use wardriving as a collective name for all these activities. Although the word "war" is part of the name, wardriving has nothing to do with warfare. The name was derived from the term wardialing, the technique of calling a list of consecutive phone numbers to find modems and fax machines.

In wardriving, the only intent is to scan for the availability of wireless networks and collect various security-related information about these networks. An entirely different activity is that of actually connecting to unprotected wireless networks or breaking into protected networks to gain access to the internet, possibly for malicious purposes like sending large amounts of spam email or downloading excessive amounts of data. In the wardriving community it is considered unethical to actually connect to a wireless network without permission of the owner. The Stumbler Code of Ethics [11], which proposes "a collection of suggestions for safe, ethical, and legal
stumbling", is often referenced in discussion boards on the topic.

2 Problem statement

In this paper we will research how we can improve the reception of Wi-Fi signals by building an external, directional antenna. The reasons for using an external antenna are: a) improving signal quality and b) increasing the scanning distance. This allows you to scan a larger area while wardriving and gives you the ability to connect to networks that are otherwise unreachable. The Wi-Fi antenna will be constructed using basic parts available in most (web)shops for computer equipment and electronics, and a Pringles¹ can. We will then perform several experiments to compare the performance of this external antenna to a regular Wi-Fi equipped laptop in terms of signal quality and reception range.

The following research questions will be answered in this paper:

1. How do you build a simple directional antenna, suitable for reception of Wi-Fi signals?

2. How does this antenna perform compared to an antenna in a standard Wi-Fi capable laptop when scanning for networks?

3. Is a larger communication distance possible with a directional antenna at only one end?

To answer the first question, section 3 will give a basic introduction to signal theory to understand the workings of the antenna and explain the steps necessary to build the antenna. For the other two questions, section 4 will give an outline of the experiments we have performed. The results of these experiments are provided in section 5, followed by the conclusions in section 6.

¹ Pringles are a type of potato chips and are packaged in a cylinder-shaped can with a foil-coated interior.

3 Building an antenna

3.1 Antenna types

Antennas generally fall into one of the following two categories: omni-directional and directional. Although there are many different antennas, most of them are variations of these two basic types. Presenting all the different varieties of antennas is out of the scope of this paper; we will therefore only introduce the basic antenna types.

Omni-directional antennas (omnis) radiate a pattern in all directions. Omnis are useful in large open areas without any significant obstructions. Depending on the gain, most omnis are just black or white sticks of varying lengths. Others look somewhat like smoke detectors or small, flattened hockey pucks. In general, a low gain omni will have a relatively small coverage area, but it will be very broad vertically. In comparison, high gain omnis radiate a signal further in a narrower form.

Directional antennas exist in many varieties, such as Yagi, Sector Patch Panel and Parabolic [12]. Although these are all directional antennas, an important difference exists concerning their coverage patterns.

3.1.1 Yagi antennas

Yagi antennas are the most well known. The Yagi looks a lot like an older television antenna. Most common Yagi antennas for 2.4 GHz, the band in which 802.11(b/g) signals are emitted, look like a long cylinder. The cylinder is just a weatherproof cover. Yagi antennas work by focusing signals in one direction like a mirror behind a light bulb. The higher the gain of the antenna, the narrower the radiated signal will be. In many cases a Yagi antenna may be able to cover up to 4 or more kilometers when used at both ends.

3.2 Signal theory for a Yagi antenna

We are using the following basic definitions in our calculations:

Frequency is a measure of the number of occurrences of a repeating event per unit time. Denoted as f (Hz).

Speed of light is the speed of all electromagnetic radiation, including visible light, in free space. Denoted as c, equal to 3 × 10^8 m/s.

Wavelength is the distance between repeating units of a propagating wave of a given frequency. Denoted as λ, with λ = c/f (m).

3.2.1 Calculations

Considering the signal theory, equation 1 calculates the wavelength at the lowest end and equation 2 the wavelength at the highest end of the frequency range for Wi-Fi signals (2.412 GHz, channel 1, to 2.472 GHz, channel 13).
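As an added example (not code from the paper), the following Python script carries the λ = c/f calculation of section 3.2.1 through for all thirteen 802.11b/g channels rather than only the two end channels, and derives from the shortest and longest wavelength the collector range and the λ/4 washer spacing used in section 3.3.2. The channel frequencies (2.412 GHz for channel 1, rising in 5 MHz steps to 2.472 GHz for channel 13) and the value c = 3 × 10^8 m/s are the paper's; the channel table in between is standard 802.11b/g channel numbering, assumed here. One thing the script makes visible: with these inputs, c/f for 2.412 GHz evaluates to 12.44 cm, not the 12.78 cm printed in equation 1, while the 12.14 cm for 2.472 GHz matches. Since the paper's pipe length and washer spacing are derived from 12.78 cm, the spacing function accepts the paper's own bounds as well, so both sets of numbers can be reproduced.

```python
# Added example (not from the paper): lambda = c / f for the 2.4 GHz Wi-Fi band,
# using the paper's constant c = 3e8 m/s and its channel 1 / channel 13 end frequencies.
C = 3.0e8  # speed of light in free space, m/s (value used in section 3.2)

# 802.11b/g channel centre frequencies in Hz: channel 1 = 2.412 GHz, then 5 MHz per
# channel up to channel 13 = 2.472 GHz (standard numbering, assumed). Channel 14 is
# left out, as in the paper.
CHANNELS = {ch: 2.412e9 + (ch - 1) * 5e6 for ch in range(1, 14)}


def wavelength_cm(freq_hz):
    """Wavelength lambda = c / f, returned in centimetres."""
    return C / freq_hz * 100.0


def collector_bounds_cm(channels=CHANNELS):
    """(shortest, longest) wavelength over the channel set: the range the paper
    wants the collector pipe length to fall in (section 3.2.1)."""
    lengths = [wavelength_cm(f) for f in channels.values()]
    return round(min(lengths), 2), round(max(lengths), 2)


def washer_spacing_cm(bounds=None):
    """lambda / 4 for both ends of a wavelength range: the spacing of the washers
    on the all-thread (section 3.3.2, step 1). Defaults to the computed bounds;
    pass the paper's own (12.14, 12.78) to reproduce its 3.035 .. 3.195 cm."""
    lo, hi = bounds if bounds is not None else collector_bounds_cm()
    return round(lo / 4, 3), round(hi / 4, 3)


def channel_table():
    """Per-channel table {channel: (frequency_GHz, wavelength_cm)}."""
    return {ch: (round(f / 1e9, 3), round(wavelength_cm(f), 2)) for ch, f in CHANNELS.items()}


if __name__ == "__main__":
    for ch, (ghz, lam) in channel_table().items():
        print(f"channel {ch:2d}: {ghz:.3f} GHz  lambda = {lam:.2f} cm  lambda/4 = {lam / 4:.3f} cm")
    print("computed collector bounds (cm):", collector_bounds_cm())
    print("washer spacing from computed bounds (cm):", washer_spacing_cm())
    print("washer spacing from the paper's bounds (cm):", washer_spacing_cm((12.14, 12.78)))
```

Running it prints one line per channel plus the two spacing ranges; the gap between the computed 12.44 cm and the paper's 12.78 cm is worth keeping in mind when reading the dimensions in section 3.3, since every later length is derived from the printed value.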
$$\lambda_{min} = \frac{c}{f_{min}} = \frac{3.000 \times 10^8}{2.412 \times 10^9} = 12.78\ \text{cm} \qquad (1)$$

$$\lambda_{max} = \frac{c}{f_{max}} = \frac{3.000 \times 10^8}{2.472 \times 10^9} = 12.14\ \text{cm} \qquad (2)$$

The size of the pipe, which is part of the collector, should be between 12.14 cm and 12.78 cm. In practice, the actual size of the pipe would be about 14.2 cm, because we also have to include the lengths of the nuts at both ends. [7] [1]

3.3 Building a Yagi Pringles antenna

3.3.1 Components used

• A Pringles can with a length of 25.5 cm and a diameter of 7 cm.

• A metallic pipe

• Ten nuts and five washers

• Two Pringles lids

• A low signal loss coax cable (an LMR 400 with N-type male connector to RPSMA male connector)

• A Flens N-type female connector

• A solid 12-gauge pin

Note: There are many different ways to build a Yagi antenna; you can use different components (Wi-Fi card, connectors, cables, can). However, the theoretical part will always be the same, only the calculations are going to change a bit. [10]

3.3.2 Combining the components

Step 1: The collector. This is the most important part of the antenna. Here we apply the measurements based on the signal theory calculations in section 3.2.1. We take the 14.2 cm pipe, the 5 washers, the 10 nuts and the 2 Pringles can lids. A hole is pierced in the center of both can lids, big enough for the all-thread to pass through. The outer ridge of one can lid is trimmed off to fit inside the can. Finally we assemble the pipe. The pipe is a sandwich that goes on the all-thread, as can be seen in Figure 1. The washers are fixed at the chosen spacing 3.035 cm ≤ λ/4 ≤ 3.195 cm.

Figure 1: The collector

Step 2: Attaching the pin. We solder the 12-gauge pin onto the Flens N-type female connector. Based on the Pringles can diameter (7 cm), the ideal length of this pin is about 2.7 cm [7]. It is always just shy of the middle of the can you are using.

Step 3: Building the antenna. We make a hole about 8.6 cm from the bottom of the can (a distance based on performance testing [7]). We then insert and stabilize the N-type female connector with the attached solid pin in that hole and place it next to the collector. The Yagi Pringles antenna is connected to the Wi-Fi card using the LMR 400 cable. The completely assembled antenna is shown in Figure 2.

Figure 2: The Yagi Pringles antenna

4 Experiments

After building the antenna, there are a lot of interesting experiments that can be performed with it. We picked two basic experiments that allow us to say something about the performance of the antenna. The first experiment is a passive one; we shall only receive signals to detect what wireless networks can be received.
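The passive scan just described is what Kismet performs in experiment A, and section 5.1 shows what its output needed afterwards: entries with no SSID whose packet count stays at exactly 1 had to be pushed down by sorting on packet count, the network lists of the two notebooks had to be compared, and the last digit of each BSSID turned out to follow the SSID's id in Table 1. As an added example, not code from the paper or from Kismet, the script below implements that processing over a constructed, simplified CSV export (bssid,ssid,channel,packets). The CSV layout, the BSSIDs and the packet counts are made up for the example; only the SSIDs and the 16-versus-12 network counts follow the paper.

```python
# Added example (not from the paper or from Kismet): post-processing two passive
# scans the way section 5.1 describes. The CSV layout and all BSSIDs/packet counts
# below are constructed for the example; they are not Kismet's log format.
import csv
from collections import defaultdict
from io import StringIO

TABLE_1 = {0: "eduroam", 1: "guest", 2: "tue", 3: "tue-wpa2"}  # ids and SSIDs from Table 1


def constructed_scan(ssids, bogus=0, packets=200):
    """Build a constructed scan: four access points per SSID, each BSSID ending in the
    Table 1 id (the pattern noted in 5.1), plus `bogus` one-packet entries with no SSID
    (the noise the Pringles antenna produced)."""
    rows = ["bssid,ssid,channel,packets"]
    for ap in range(4):
        for sid, ssid in ssids.items():
            bssid = f"00:1b:2f:{ap:02x}:{10 + sid:02x}:{ap}{sid}"  # last hex digit == id
            rows.append(f"{bssid},{ssid},{(1, 6, 11, 6)[ap]},{packets - 7 * ap - sid}")
    for n in range(bogus):
        rows.append(f"de:ad:be:ef:{n:02x}:ff,,{1 + n % 13},1")
    return "\n".join(rows)


def parse_scan(text):
    """Parse the CSV text into a list of dicts with an integer packet count."""
    return [dict(row, packets=int(row["packets"])) for row in csv.DictReader(StringIO(text))]


def is_bogus(rec):
    """Heuristic from section 5.1: no SSID and a packet count stuck at exactly 1."""
    return rec["ssid"] == "" and rec["packets"] == 1


def ranked(records):
    """Sort by descending packet count ('reversed packet count') so one-packet noise
    sinks to the bottom of the list instead of flooding it."""
    return sorted(records, key=lambda r: r["packets"], reverse=True)


def clean(records):
    """Drop the entries the heuristic flags as bogus."""
    return [r for r in records if not is_bogus(r)]


def compare(scan_a, scan_b):
    """BSSIDs seen by one notebook but not the other, after dropping bogus entries."""
    seen_a = {r["bssid"] for r in clean(scan_a)}
    seen_b = {r["bssid"] for r in clean(scan_b)}
    return sorted(seen_a - seen_b), sorted(seen_b - seen_a)


def missing_ssids(scan_a, scan_b):
    """SSIDs of networks notebook A saw that notebook B did not."""
    only_a, _ = compare(scan_a, scan_b)
    ssid_of = {r["bssid"]: r["ssid"] for r in scan_a}
    return sorted({ssid_of[b] for b in only_a})


def last_digit_by_ssid(records):
    """Last hex digit of each BSSID, grouped by SSID; the paper saw one digit per SSID."""
    digits = defaultdict(set)
    for r in clean(records):
        digits[r["ssid"]].add(int(r["bssid"][-1], 16))
    return dict(digits)


# Constructed inputs: notebook A (built-in antenna) sees all 16 access points cleanly;
# notebook B (Pringles antenna) misses the four tue-wpa2 ones and adds 25 bogus entries.
SCAN_A = parse_scan(constructed_scan(TABLE_1))
SCAN_B = parse_scan(constructed_scan({i: s for i, s in TABLE_1.items() if s != "tue-wpa2"}, bogus=25))

if __name__ == "__main__":
    print("B raw entries:", len(SCAN_B), "after bogus filter:", len(clean(SCAN_B)))
    print("top of B ranked list:", ranked(SCAN_B)[0]["ssid"], "bottom packets:", ranked(SCAN_B)[-1]["packets"])
    print("seen by A only:", compare(SCAN_A, SCAN_B)[0], "->", missing_ssids(SCAN_A, SCAN_B))
    print("BSSID last digit per SSID (A):", last_digit_by_ssid(SCAN_A))
```

The bogus filter is deliberately narrow (empty SSID and exactly one packet): a hidden network that is slow to decloak also starts with an empty SSID, so the sort keeps such entries visible rather than deleting them, and only the set comparison uses the filtered lists.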
The same will be done using standard Wi-Fi equipment in a notebook to create a comparison. In the second experiment we shall create a connection to another wireless device to get a hint of the maximum distance that still allows communication.

4.1 Hardware and software

Notebook A: The first notebook is an Acer Aspire 1500LMi, which includes a Broadcom Corporation BCM4306 802.11b/g Wireless LAN Controller (rev 03). This notebook runs a Linux 2.6.25-2-amd64 SMP kernel with the b43 driver module loaded. The BCM4306 is loaded with firmware version 410.2160.

Notebook B: The second notebook is a MacBook 4.1, with a Zydas USB Wireless LAN Controller attached to the USB bus. The notebook runs a Linux 2.6.24-19-i686 SMP kernel with the zd1211b driver module loaded. The device is loaded with firmware version 4725.

Access Point: A Thomson SpeedTouch 580 ADSL modem with built-in wireless access point is used as the base station in the second experiment. This device was supplied for free with an ADSL subscription from a large national provider in The Netherlands.

Software: Kismet is a well known 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It will work with any wireless card which supports raw monitoring (rfmon) mode. Kismet identifies networks by passively collecting packets, detecting (and given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic. [3]

4.2 Experiment A

To compare the reception performance of our antenna with standard Wi-Fi equipment, we will use two notebooks and perform a passive scan with both of them at the same time. Two notebooks are positioned next to each other and use Kismet to process the received packets. Our main goal is to actually compare and spot the differences between the scanning results of our Yagi Pringles antenna and a common notebook antenna. The intention is to focus mostly on a possible difference in the sensitivity and the detection performance that these two antennas are going to give us in a real life situation.

Both notebooks will be placed on a table in the Auditorium of the Technical University of Eindhoven (TU/e). At the start, the directional antenna will be placed in a fixed position. After setting this up, Kismet will be started on both notebooks at the same time and the program will be instructed to sort the available networks by SSID. After this, the notebooks and the antenna will not be touched for a period of two minutes to allow them to capture enough packets. After two minutes, the full list of networks is noted and for all networks that appear on both notebooks, the signal strength will be noted. After the information is noted, Kismet will be closed on both notebooks. The directional antenna will be rotated 120 degrees and the experiment will be repeated.

4.3 Experiment B

Ethics prohibit a wardriver from actually connecting to a wireless network, but a criminal might have different intentions after finding an interesting network. To use the network without attracting any attention, he might want to connect to it from a larger distance than regular Wi-Fi equipment is capable of. In this experiment, we will try to determine what the maximum distance between a regular wireless access point and a notebook with the Yagi Pringles antenna is. For the sake of simplicity, encryption is disabled on the SpeedTouch access point and it is configured to accept connections from any client. Notebook B will be used in this experiment.

The devices are placed next to each other and a wireless network connection is set up to verify the devices are compatible. After this has been verified, the SpeedTouch device is placed on the eleventh floor of the staircase in the main building of the TU/e. The notebook is moved just outside of the building and the antenna is pointed towards the SpeedTouch to verify a connection is still possible, given the thick layer of glass in between. Now, the notebook is moved to the top of the Twinning Center, which is located approximately 800 meters from the main building, where again a connection will be created.

The outcome of this test will determine how the experiment will continue. If no connection is created, the notebook will be moved closer to the main building to find the point where a connection is possible. Otherwise, the notebook and Yagi Pringles antenna will be placed in a car and will drive along the
J.F. Kennedylaan, away from the TU/e campus. We will continue until a point is found where no signal from the TU/e wireless network is received.

5 Results

5.1 Experiment A

The first thing to notice after starting up Kismet is that notebook B detects 10 to 20 new networks every second, without being able to detect the SSID of these networks. The packet count of all these networks stays at exactly 1. We assume that they are the result of distant networks that are too far away to be picked up with standard equipment, but whose signals get mixed and are received by the Yagi antenna. Kismet is known to process packets that are almost valid 802.11 packets. We decided to sort the results by reversed packet count, to push these bogus results down and ignore them during the scanning.

Notebook A picked up 16 different wireless networks, all of which belonged to the TU/e. Many of these networks shared the same SSID, but were uniquely identifiable through their MAC address. Table 1 lists all the different SSIDs that were found. Each of these SSIDs had four different access points, and we noticed that in all cases the last digit of their MAC address corresponded with the id in the table. Notebook B only picked up 12 different wireless networks, all of which were also detected by notebook A. The four networks that were not detected by the Pringles antenna were always the same (tue-wpa2). We suspect the reason for not detecting those four networks is limitations in the drivers, but this has not been verified. We were unable to connect to any of the available wireless networks because the drivers of the Wi-Fi card in notebook B did not support the necessary security protocols. These drivers were also unable to report the signal quality of the detected networks.

id  SSID
0   eduroam
1   guest
2   tue
3   tue-wpa2

Table 1: The SSIDs detected in experiment A

5.2 Experiment B

The first part of the experiment was conducted on September 26th, 2008 between 9:00 AM and 10:00 AM. The SpeedTouch device is set up and placed in the main building of the TU/e as described in section 4.3. The notebook is moved to the parking lot next to the W-hoog building, where the antenna is directed at the staircase of the main building. Kismet detects the signal and the GUI allows us to establish a connection. After this, we moved the notebook to the top of the Twinning Center and again directed the antenna at the main building. Again the signal is picked up by Kismet. Establishing the connection using the GUI took longer than normal, but it succeeded. To test the connection, we opened up the configuration webpage of the SpeedTouch device. We succeeded in loading the page, although at a much lower speed than in normal conditions.

An interesting thing we noticed on top of the Twinning Center is that Kismet detected packets with SSID stadhuisplein. Assuming this network is located at the Stadhuisplein in Eindhoven, the approximate distance those packets traveled is an exciting two kilometers.

The follow-up experiment was conducted on the same day between 3:30 PM and 4:30 PM. The notebook and antenna were placed in a car. During the ride, the antenna was directed towards the TU/e campus. We left the TU/e campus using the exit at the J.F. Kennedylaan. At this point, Kismet showed the tue SSID in the results. When driving away from the campus, the network disappeared very soon. Because of this, we decided to stop at the first bridge over the J.F. Kennedylaan (Viaduct Orpheuslaan) and perform the test outside. The tue network showed up on Kismet again.

After this, we moved on to the next bridge (Viaduct Sterrenlaan) and performed the same test, but the tue SSID did not show up anymore. From this bridge, we had a line of sight towards the Vertigo building on the campus, but the rest of the campus was invisible because of trees. About 300 meters east of the bridge is a building of the ROC. We requested access to the highest window with a view of the TU/e campus to perform the test with a better line of sight. From this position the tue SSID did not show up either.

Afterwards we looked up the exact positions where we stopped. The Viaduct Orpheuslaan is approximately 1000 meters from the campus. The Viaduct Sterrenlaan and the ROC building are approximately 2300 meters from the campus.

6 Conclusions

We have shown how to build a Yagi antenna with some basic parts and a Pringles can. Assuming you already own a wireless network card, the total
cost to build this antenna will be about 20 euros, depending on the type of cable used. This is very reasonable considering the results we were able to achieve.

The first experiment was designed to test if the Pringles antenna was able to pick up Wi-Fi signals. The results indicate the Pringles antenna was able to successfully detect most networks, but it did uncover a problem we had not anticipated. The antenna picked up a lot of noise and interfering signals. These were incorrectly registered as new networks and flooded the list of valid networks. We have not been able to determine if this is a software problem only affecting Kismet or if it is a result of the increased sensitivity of the new antenna. Because of a limitation in the hardware drivers we were unable to determine the signal quality of these networks.

In the second experiment we were able to detect a network about 800 meters away. Using an unencrypted access point we were also able to successfully establish a connection. Even though there was an unobstructed line-of-sight view between the access point and the antenna, the signal quality was poor, which resulted in a significant loss of bandwidth. Based on these results we continued experimenting to find the maximum distance achievable. Our antenna was able to detect wireless networks up to about one kilometer. During these experiments we observed some strange behaviour. The best results were sometimes achieved by pointing the antenna slightly away from the intended target. This could be explained by the fact that we did not have the proper equipment and environment to calibrate the antenna.

7 Future work

A controlled testing environment is necessary to properly calibrate the antenna and perform experiments. This controlled environment should block any sources of interference. It can then be used to test various configurations of the antenna. The effects of using cans with different lengths and diameters can be measured. It will be interesting to see the differences when using other numbers of washers, with various sizes, spread differently on the collector. The exact placement of the pin inside the can could also influence the reception and should be tested. This will result in a design with carefully chosen components, assembled and calibrated for maximum performance.

To reach more reliable results, identical hardware and software will also be required. In our experiments we compared the results acquired with laptops using different hardware configurations and software versions. To address the issue of detection of invalid wireless networks, multiple software packages should also be considered.

Once these problems have been dealt with, several other interesting ideas can be further explored. Stepping away from the strictly wardriving point of view, actual connection tests can be performed. What is the amount of packet loss and the available bandwidth, and how exactly does increasing the distance affect it? A point-to-point link could be set up, one where both parties are using an external directional antenna. What will this mean for the overall signal quality and what kind of distances can we expect to reach?

References

[1] Build your own wireless signal booster with Pringles, [Online; accessed 26-September-2008] http://www.truveo.com/Build-Your-Own-Wireless-Signal-Booster-with/id/3600436257.

[2] IEEE 802.11, the working group setting the standards for wireless LANs, [Online; accessed 25-September-2008] http://www.ieee802.org/11/index.shtml.

[3] Kismet, a wireless network scan tool, [Online; accessed 30-September-2008] http://www.kismetwireless.net/.

[4] The first IEEE workshop on wireless LANs, 1991, [Online; accessed 24-September-2008] http://www.cwins.wpi.edu/wlans91.

[5] Nikita Borisov, Ian Goldberg, and David Wagner, Intercepting mobile communications: the insecurity of 802.11, MobiCom '01: Proceedings of the 7th annual international conference on Mobile computing and networking (New York, NY, USA), ACM, 2001, pp. 180–189.

[6] B. Aboba et al., Extensible authentication protocol (EAP) key management framework, [Online; accessed 24-September-2008] http://tools.ietf.org/html/rfc5247.

[7] Rob Flickenger, Antenna on the cheap (er, chip), [Online; accessed 28-September-2008] http://www.oreillynet.com/cs/weblog/view/wlg/448.

[8] Sheila Frankel, Bernard Eydt, Les Owens, and Karen Scarfone, Establishing wireless robust security networks: A guide to IEEE 802.11i, Tech. Report SP 800-97, National Institute of Standards and Technology, February 2007, [Online; accessed 25-September-2008] http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf.

[9] F. F. Kuo, The ALOHA system, SIGCOMM Comput. Commun. Rev. 25 (1995), no. 1, 41–44.

[10] Gregory Rehm, How to build a tin can waveguide WiFi antenna, [Online; accessed 27-September-2008] http://www.turnpoint.net/wireless/cantennahowto.html.

[11] Renderman, Stumbler code of ethics v0.2, [Online; accessed 26-September-2008] http://www.renderlab.net/projects/wardrive/ethics.html.

[12] Terry Schmidt and Ben Serebin, Antennas 101; basic antenna concepts for 802.11, [Online; accessed 12-October-2008] http://poitiers.sansfil.free.fr/doc/Antennas101.pdf.
