It is fun. Many geeks find hacking that involves tweaking both software (sniffing / penetration tools) and hardware (PCMCIA cards, USB adapters, connectors, antennas, amplifiers) more exciting than more traditional cracking over wired links. The same applies to being able to hack outdoors, while driving, while drinking beer in a pub that happened to be in some unlucky network's coverage zone, and so on.

It gives (nearly) anonymous access and an attacker is difficult to trace. Any time the attacker logs in from his or her ISP account, he or she is within a single whois command and a legally authorized phone call from being caught. The "traditional" way of avoiding being traced back is hopping through a chain of "owned" hosts that then get rm -rfed (or, in case of a more experienced attacker, shredded, defiled, decimated, or bcwiped) after a serious attack is completed and the time for an escape sequence has arrived. There are few significant disadvantages (from a cracker's viewpoint) of such a method. A cracker still needs an ISP account, for which he or she has to supply credentials. He or she also needs enough "rooted" hosts to hop through; ideally these hosts must belong to different networks in different countries. If one of the targeted hosts implements log storage on a nonerasable medium (e.g., CD-R, logs sent to a printer), a cracker is in deep trouble. The same applies to secure centralized logging if a cracker cannot get into the log server. LIDS installed on the attacked host can bring additional trouble; suddenly getting "w00t" is not really getting anywhere. Finally, one of the used hosts can be a trap. Thanks to Lance Spitzner's work, honeypots and even honeynets are growing exceedingly popular among the security community.The bottom line is this: Hiding one's tracks this way is a complex process that includes many steps. Each one of these steps can suddenly become a point of failure. With wireless cracking, things are different. There is no ISP involved (save for the target's ISP) and the trace would lead to the attacked and abused wireless network, where it would literally dissolve in the air. Even if a person with a laptop or car with a mounted antenna was spotted near the wireless network from which the attack originated, authorities would have a very hard time finding the cracker and proving he or she is guilty. If before and after the attack the cracker has changed his or her wireless client card MAC address, and removed all the tools and data relevant to the attack from the laptop or PDA, then proving the attacker's guilt becomes frankly impossible. Even if you or the company guards approach the cracker during an attack, as long as the cracker is not on the premises, he or she can simply refuse to cooperate and leave. What are you going to do? Take a laptop by force from a stranger on a street?

Some might view illicit wireless access as a way of preserving one's online privacy. Recent legislation in the United Kingdom (the infamous RIP or The Regulation of Investigatory Powers Bill) makes online privacy practically impossible, with ISP logs required to be kept for up to seven years. This legislation is primarily a response to September 11 and the U.S. Patriot Act, which many other countries have followed in terms of introducing somewhat similar regulations. An unintended result of this is to encourage users, keen on privacy, to view the Internet connection via someone's WLAN as a good way of remaining anonymous. Of course, at the same time they will violate the privacy of the abused wireless network's owners, but most people are generally selfish. In addition, because they might not trade pirated software or pornography, send SPAM, or crack local or remote hosts, they will not view their action as something explicitly illegal: It's just "borrowing the bandwidth" for "self-defense" reasons.

In addition, there are purely technical reasons (apart from the vague network perimeter) that make wireless networks very attractive for crackers. An access point is not a switch; it's a hub with a radio transceiver. When was the last time you saw a shared wired Ethernet network? Putting a network interface into promiscuous mode and sniffing out all the Telnet / POP3 / SMTP passwords and NTLM hashes on a LAN looked like a thing of the past until 802.11 networks came into broad existence. At the same time, due to improper network design, an attacker associated with a wireless network will often find himself or herself connected straight to a wired LAN behind the corporate firewall with many insecure and unpatched services exposed to an unexpected attack. Security-illiterate system administrators might ignore the security of the "inner LAN" altogether, equating network security with the settings of the perimeter firewall. It is a very common mistake and because of it, once the perimeter firewall is bypassed, you can still find old Winsock Windows 95 machines, unpatched wu-ftpd 2.6.0 daemons, passwordless shares, flowing LM hashes, and similar awful security blunders. Another technical point to be made is that due to the high anonymity of wireless access, crackers can play dirty to achieve maximum break-in efficiency. By that we primarily mean that powerful but very "noisy" vulnerability discovery tools, initially aimed at system administrators auditing their own networks without a need to hide, can be run by wireless attackers without a fear of reprisal. Such tools include Nessus, Satan/Saint/Sara, ISS and RETINA, and so forth.

A cracker can install a PCMCIA / PCI card / USB adapter / rogue access point as an out-of-band backdoor to the network. All the pages of sophisticated egress filtering rules on the corporate firewall suddenly become useless and a sensitive information leak occurs where no one expects it. On the other hand, unruly users can install wireless devices, from PCMCIA cards in an ad-hoc mode to access points, without company system administrators even knowing about it. When they do find out, it could be too late. It is simply an evolution of the infamous case of users connecting a modem and opening a hole in an otherwise secure network by creating a new insecure point of external entry. When a frontal attack against the corporate gateway fails, a desperate Black Hat might attempt to scan the company premises for insecure wireless access points or ad-hoc networks and succeed.

There is always "opportunistic cracking." If you had the chance to read your neighbors' e-mails and check which Web sites they were surfing, would you resist it? If a neighbor has an insecure wireless network, chances are an opportunistic attack will occur. What if the network in question is a corporate WLAN that opens future access into a large, impressive wired network, with the possibility of sensitive data flow and a very high-speed connection to the Internet? Opportunistic cracking of this kind is the victim's nightmare: The attacker does not have to go anywhere, is not limited by battery power, can involve a more powerful desktop machine in executing the attack, and is likely to have some form of Internet access at hand to get the necessary tools and manuals to carry out an intrusion. Besides, a stationary attacker can sell illegally obtained bandwidth to neighbors and friends, basically operating a small do-it-yourself wireless ISP at the unsuspecting company's expense.