War driving

War driving is the act of moving through an area (often by car) to detect and map wireless networks by picking up their broadcast beacons and SSIDs, usually as reconnaissance before a wireless attack.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is war driving?

War driving is reconnaissance on wheels. An adversary drives or walks through a neighborhood with a device that listens for the beacons wireless networks constantly broadcast. Each beacon advertises a network's SSID (service set identifier), the human-readable name like 'CoffeeShop' or 'HomeNet99'. By collecting these, the adversary builds a map of which networks exist where, which ones are unencrypted, and which ones make easy targets.

War driving itself isn't the attack; it's the scouting step. Once an adversary knows a network's SSID and security setup, they can plan something nastier, like spinning up an evil twin access point with a matching name to trick you into connecting. Think of war driving as casing the block before a break-in. The adversary doesn't have to be highly skilled to do it, since the tools that scan for networks are freely available online.

Why war driving matters in AP Cybersecurity

War driving lives in Unit 1: Introduction to Security, specifically topic 1.3 Best Practices for Public Networks. It ties directly to learning objective AP Cybersecurity 1.3.B (identify types of wireless cyberattacks) and connects to AP Cybersecurity 1.3.A (identify the type of adversary). It also explains why the defensive advice in AP Cybersecurity 1.3.C matters: if an adversary is mapping SSIDs near you, verifying that a network name exactly matches the one you intend to join (EK 1.3.C.1) is your first line of defense. Understanding war driving helps you see how reconnaissance, attacks, and personal defenses all fit together in one wireless threat model.


How war driving connects across the course

Evil Twin Attack (Unit 1)

War driving is often the setup; the evil twin is the payoff. An adversary war drives to learn a real network's SSID, then stands up a fake access point using that same name so you connect to them instead. The recon makes the impersonation convincing.

SSID (Unit 1)

The SSID is exactly what war driving collects. When an adversary sees a beacon advertising 'CoffeeShop', the network name they're reading is the SSID. No SSID broadcast, nothing to harvest.

Adversary Skill Levels (Unit 1)

War driving is a low-skilled adversary move. The scanning tools are bought or downloaded, not custom-built, which fits the EK 1.3.A.1 definition of a low-skilled adversary using tools made by others.

VPN and Unencrypted Wi-Fi (Unit 1)

War driving flags which networks are open and exposed. Using a VPN encrypts your traffic to the VPN operator (EK 1.3.C.3), so even if an adversary maps and intercepts the network, your sensitive data stays unreadable.

Is war driving on the AP Cybersecurity exam?

On the multiple-choice section, expect a scenario stem describing an adversary moving through a neighborhood detecting wireless beacons, then asking which network component they're identifying. The answer is the SSID, since that's the network name the beacon advertises. You may also see war driving offered as a wrong-answer distractor against evil twin, jamming, or denial of service questions, so know that war driving is reconnaissance (finding networks) while those others are active attacks (impersonating or disrupting). No released FRQ has used this term verbatim, but it supports the kind of layered wireless-security reasoning that connects reconnaissance to attack to defense. Be ready to name what an adversary gains from war driving and what defense (verifying the exact SSID, using a VPN) counters it.

War driving vs evil twin attack

War driving is scouting; the evil twin is the strike. War driving just detects and maps networks by their SSIDs. An evil twin attack uses that information to create a rogue access point with a matching SSID so victims connect to the adversary by mistake. One gathers info; the other actively impersonates a network.

Key things to remember about war driving

  • War driving is reconnaissance, where an adversary moves through an area to detect and map wireless networks by their broadcast beacons.

  • The component an adversary reads during war driving is the SSID, the network's human-readable name.

  • War driving is a low-skilled adversary activity because the scanning tools are freely available rather than custom-built.

  • War driving often precedes an evil twin attack, since knowing a real SSID lets an adversary clone it convincingly.

  • Verifying that a network name exactly matches the one you intend to join (EK 1.3.C.1) is a direct defense against attacks that war driving enables.

Frequently asked questions about war driving

What is war driving in AP Cybersecurity?

War driving is when an adversary moves through an area, often by car, scanning for wireless networks by picking up the beacons they broadcast. It's a reconnaissance technique that maps which networks exist and which are unencrypted, usually before a real attack.

Is war driving itself an attack?

Not exactly. War driving is reconnaissance, the scouting step that gathers network names and security info. The actual attack, like an evil twin or jamming, comes afterward using what was discovered.

How is war driving different from an evil twin attack?

War driving collects information by detecting SSIDs in an area, while an evil twin attack uses that info to set up a fake access point with a matching SSID. War driving finds the target; the evil twin impersonates it.

What does an adversary actually see during war driving?

They see the SSID, the network's broadcast name like 'CoffeeShop' or 'HomeNet'. The beacon advertising that name is what the war driving device picks up, which is why exam questions point to the SSID as the component being identified.

How can you protect yourself from threats that start with war driving?

Verify that any network name exactly matches the one you mean to join (EK 1.3.C.1), avoid sending sensitive data over unencrypted Wi-Fi, and use a VPN to encrypt all your traffic so intercepted data stays unreadable.
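The exact-match check described above, applied to a list of nearby networks, as an added example that is not part of the original page. The `skeleton` helper, the lookalike character table, the `encrypted` field and the sample scan are assumptions constructed for illustration.

```python
import unicodedata

# Characters often swapped so a name looks the same at a glance (assumed, not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "5": "s", "_": "", "-": "", " ": ""})
# Invisible characters that can hide inside a network name.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\ufeff"))


def skeleton(ssid: str) -> str:
    """Reduce an SSID to a form where visually similar names collide."""
    s = unicodedata.normalize("NFKC", ssid).translate(ZERO_WIDTH)
    return s.casefold().translate(LOOKALIKES)


def classify_ssid(expected: str, observed: str) -> str:
    """Return 'exact', 'lookalike' or 'different' for an observed network name."""
    if observed == expected:
        return "exact"
    if skeleton(observed) == skeleton(expected):
        return "lookalike"
    return "different"


def review_scan(expected: str, expected_encrypted: bool, scan: list) -> list:
    """Return (ssid, reason) warnings for networks that should not be joined."""
    warnings = []
    for net in scan:
        verdict = classify_ssid(expected, net["ssid"])
        if verdict == "lookalike":
            warnings.append((net["ssid"], "name resembles but does not match the intended SSID"))
        elif verdict == "exact" and expected_encrypted and not net["encrypted"]:
            warnings.append((net["ssid"], "name matches but the network is unencrypted"))
    return warnings


# Constructed sample scan results (not captured from any real network).
SAMPLE_SCAN = [
    {"ssid": "CoffeeShop", "encrypted": True},
    {"ssid": "CoffeeShop ", "encrypted": False},   # trailing space
    {"ssid": "C0ffeeShop", "encrypted": False},    # zero instead of 'o'
    {"ssid": "CoffeeShop", "encrypted": False},    # same name, open network
    {"ssid": "HomeNet99", "encrypted": True},
]

if __name__ == "__main__":
    for ssid, reason in review_scan("CoffeeShop", True, SAMPLE_SCAN):
        print(f"{ssid!r}: {reason}")
```

A name that matches exactly can still belong to an evil twin, which is why the example also compares the security setting you expect against what the network advertises.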
