Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

WiFi High Crimes
SecurityFocus ^ | May 3, 2004 | Mark Rasch

Posted on 05/04/2004 4:55:14 PM PDT by FourPeas

A local Washington DC television news station wanted to do a WiFi "hack." Their plan was to sit in a local coffee shop (named after the Pequod's first mate) and try to read their neighbors' e-mail or Web browsing. They had a simple question for me: "Is it legal?"


This raises a series of questions about how people are -- deliberately or accidentally -- breaking the law with WiFi. In fact, using someone else's wireless signal -- even if only to get Web access -- might constitute a felony. So could reading other people's cleartext communication, or even just putting an 802.11 wireless hub in your house.


Let's say you are sitting in Bryant Park behind the Astor Library (the one with the famous lions) with your Centrino-powered laptop -- just like in the advertisement. Forgetting the irony of accessing information from outside one of the best libraries in the world, you power up and your computer tells you that it has found a wireless connection. Are you now permitted to use this connection to access the Internet? We'll say there is no security on it. No userid, no password, no WEP key; just free Internet.


The answer has profound consequences for the ability of law enforcement to prosecute computer crime and trespass cases.


There is little doubt that when you "piggyback" the WiFi signal you are "accessing" -- or "using the resources of" -- the device that is providing the Internet connection. There's also little doubt that routers, access points and gateways are all computers within the meaning of federal law.

The U.S. federal computer crime statute, Title 18 U.S.C. 1030, makes it a crime to knowingly access a computer used in interstate or foreign communication "without authorization" and obtain any information from the computer. A separate provision makes it a crime to access a computer without authorization with "intent to defraud" to obtain "anything of value." Fortunately, this provision also specifies that it doesn't apply if "the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $ 5,000 in any 1-year period."


So if the government wanted to throw you in jail, it could argue that, by getting free Internet, you were accessing the provider's computer without authorization (and that you knew or should have known it was without authorization or in excess of authorization) and you thereby obtained some information from the computer. Sure, that statute was intended to go after data thieves. But the access necessarily shares some data -- IP, routing, etc -- between the computers, and the statute does not specify exactly what information must be obtained. That means you've potentially committed a felony.


But wait, you say, I didn't knowingly access the computer without authorization -- there was no security on it. How was I supposed to know that I wasn't allowed to access the WiFi connection? Here is the troublesome part: If you accept this argument -- that by broadcasting a connection you are inviting others to share it -- you end up on a slippery slope. How much security must you have on a system in order to be able to prosecute someone for accessing it without authorization?


From Access to Interception
In fact, the companion New York State computer crime law, NY Penal Code Section 156 (6), requires that, before you can be prosecuted for using a computer service without authorization, the government has to prove that the owner has given actual notice to potential hackers or trespassers, either in writing or orally. In the absence of such notice in New York, the hacker can presume that he or she has authorization to proceed, under state law.


This demonstrates that a lack of security not only can act as an invitation to access, but also may preclude a later prosecution for unauthorized access. If the access is "wide open" -- as in the WiFi connection in Bryant Park -- then how do you prove that the access is unauthorized?


So, we effectively blame the victim for not having enough security. If the door is open, I can come in. But what if it's not open, but is unlocked? Or if it is locked, but locked poorly? Can I still come in? The answer right now is simply that we do not know.


So simply getting the wireless connection may be a crime. But what about reading what is sent in the clear: your neighbor's browsing, e-mail, or even just IP information being "broadcast" throughout the coffee shop.


Both the Electronic Communications Privacy Act and the federal Wiretap Law make it a crime to "intercept" communications "in transmission." Although it has an exception for capturing broadcast communications, this only applies to the interception of a satellite transmission that is not encrypted or scrambled and that is transmitted to a broadcasting station for purposes of retransmission to the general public. Thus, by reading e-mail, or even just DHCP or ARP packets, you are potentially violating that law.


All in all, electronically examining packets traveling through the air is probably a crime, just as intentionally listening to someone's cell phone or cordless phone calls is a crime -- even if unencrypted and broadcast in the air.


The Access Point Felony
Even putting up an unencrypted, unprotected wireless access point might conceivably get you in trouble. Let's say that it's a nice day out, and you want to sit in Riverside park on the Upper West Side and enjoy the day. So you plug your Linksys 802.11(g) access point into your cable modem, and sit outside.


You're busted! You see, when you "broadcast" the cable connection, you are opening it up for anyone to potentially use it. So other people can potentially get Internet access from Comcast without paying for it. In Maryland, for example, it is illegal to use an "unlawful telecommunication device" which is a "device, technology, [or] product . . used to provide the unauthorized . . . transmission of . . access to, or acquisition of a telecommunication service provided by a telecommunication service provider." Delaware, Florida, Illinois, Michigan, Virginia and Wyoming all have laws on the books that may do the same thing.


These laws generally treat "sharing" of Internet connections the same way it would treat "sharing" of Cable TV or Satellite TV services. Thus, while you could invite your neighbors in to watch the latest episode of The Sopranos, you probably couldn't hook a coax into apartment 3B so they could watch from home -- at least without getting the permission of the cable TV company.


You can see this in, for example, Verizon's personal DSL agreement, which states that "[y]ou may not resell the DSL Service, use it for high-volume purposes, or engage in similar activities that constitute resale (commercial or non-commercial), as determined solely by Verizon." So, if Verizon determines that your 802.11 connection constitutes a non-commercial resale (and is unauthorized) not only can it cut you off, but it can make you a felon.


All of this means that the simple act of driving around and getting WiFi connections as needed, something we hope to be able to do (isn't that why we bought the Centrino in the first place?), is fraught with legal risk. One way to counter this is to establish more universal wireless access agreements (like we did with the first cell communications) so we can pay a single fee and move from WAP to WAP freely.


But ultimately if we want to move to ubiquitous wireless computing, where you can use the WiFi protocols for cheap, mobile VOIP communications, or have near universal wireless Internet access, we are going to have to persuade the law to get the hell out of the way.





SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.


TOPICS: Constitution/Conservatism; Crime/Corruption; Culture/Society; Government; Technical
KEYWORDS: warchalking; wardriving; warflying; wifi

1 posted on 05/04/2004 4:55:14 PM PDT by FourPeas
[ Post Reply | Private Reply | View Replies]

To: FourPeas
Both the Electronic Communications Privacy Act and the federal Wiretap Law make it a crime to "intercept" communications "in transmission."

...unless you are a little old couple from Florida that 'just happens' to intercept a cell phone call between the Republican Speaker of the House and another Republican House member....then it's OK.

2 posted on 05/04/2004 5:26:26 PM PDT by Tallguy (John F. Kerry: just taking another Purple Heart out of petty cash...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FourPeas
interesting
3 posted on 05/04/2004 6:05:09 PM PDT by NonValueAdded (Not Fonda Kerry)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FourPeas
The internet is not some proprietary device that I get permission to share. I sign up with an ISP and they provide service from my coax to some hub, but after that they connect to an amorphous cloud of worldwide networked computers. Who's to say which computer an internet user has legal access to and which ones they don't? Not my ISP, right? I'm not required to get permission from every computer on the internet that I intend to browse if it doesn't challenge me with an ID first, right? Permission is implied by virtue of being accessible on the internet, right? Why else would they exist on the internet?

One presumes that, by connecting your computer to the internet you are intending users of the internet to access your computer, as well as your intent to access the internet from your computer. That is what the internet is, a global chain of networked computers, right?

-PJ

4 posted on 05/04/2004 6:16:33 PM PDT by Political Junkie Too (It's not safe yet to vote Democrat.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FourPeas
Bump for later reading
5 posted on 05/04/2004 8:29:06 PM PDT by mattdono (Big Arnie: "Crush the democrats, drive them before you, and hear the lamentations of the scumbags.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: FourPeas
Bump for later reading
6 posted on 05/04/2004 8:29:07 PM PDT by mattdono (Big Arnie: "Crush the democrats, drive them before you, and hear the lamentations of the scumbags.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: BellStar
WiFi ping
7 posted on 05/04/2004 8:57:02 PM PDT by anymouse
[ Post Reply | Private Reply | To 1 | View Replies]

To: Political Junkie Too
Who's to say which computer an internet user has legal access to and which ones they don't? Not my ISP, right? I'm not required to get permission from every computer on the internet that I intend to browse if it doesn't challenge me with an ID first, right?

Right. It's reasonable to assume that the owner of a computer with an httpd service listening on port 80 expects to have that computer accessed by the general public using that particular service.

Permission is implied by virtue of being accessible on the internet, right?

Wrong. Just because I allow the public to have access to my web server doesn't mean they're allowed to access any other service, like FTP or Icecast, which runs on that box or at that IP address.

There are measures that an owner can take to close and lock the doors, like authorization controls (passwords) and encryption. But if someone decides not to protect a service, is that an implied permission for general access, or is it simply ignorance? You don't know.

Some guy in my neighborhood runs an open WAP; I know it, because I discovered it while using NetStumbler to check my own stuff -- he doesn't. Should I tell him, and run the risk of being labeled the Neighborhood Hacker? Should I keep quiet about it, let him get exploited and learn the hard way?

What about the folks hitting my web server, trying to hack it? Does the fact that it's available imply an invitation to explore areas where they're not supposed to be?

8 posted on 05/05/2004 6:08:46 AM PDT by TechJunkYard
[ Post Reply | Private Reply | To 4 | View Replies]

To: FourPeas
Your house and your computer system are not public places; consequently, there is a presumption of a right to privacy. As such, unless you get the owner's authorization, you're trespassing.
9 posted on 05/05/2004 9:24:37 PM PDT by Bush2000
[ Post Reply | Private Reply | To 1 | View Replies]

To: FourPeas
When computer hacking first became "fashionable", my company security department immediately required all UNIX sysadmins to fix the "greeting" message associated with the login process. It was changed into a stern warning that unauthorized access will be prosecuted to the maximum limits permitted by law. Company legal opined that a "welcome" message was a free pass to login and do as you please.

Apparently broadcasting an SSID beacon, not employing a WEP key and permitting any MAC address to be issued an IP address is the current equivalent of a "welcome" message.

10 posted on 05/05/2004 9:37:17 PM PDT by Myrddin
[ Post Reply | Private Reply | To 1 | View Replies]

To: Myrddin
Apparently broadcasting an SSID beacon, not employing a WEP key and permitting any MAC address to be issued an IP address is the current equivalent of a "welcome" message.

Nah. The courts will find that unauthorized access is unauthorized access. But admittedly, anyone accused of using someone else's network without proper authority could reasonably claim that it was inadvertent -- and that the owner of the network could have taken reasonable precautions to secure the resource. However, that's sort of like arguing that you wouldn't have trespassed into someone's house if only they'd locked the front door. Doesn't wash.
11 posted on 05/06/2004 9:10:36 AM PDT by Bush2000
[ Post Reply | Private Reply | To 10 | View Replies]

To: TechJunkYard
Some guy in my neighborhood runs an open WAP; I know it, because I discovered it while using NetStumbler to check my own stuff -- he doesn't. Should I tell him, and run the risk of being labeled the Neighborhood Hacker? Should I keep quiet about it, let him get exploited and learn the hard way?

There's an easy answer: Leave him an anonymous note in his mailbox describing what you found and how to correct it. That way, you don't get labeled the neighborhood hacker and he gets to decide if/how to address his problem. Everybody wins.
12 posted on 05/06/2004 9:13:07 AM PDT by Bush2000
[ Post Reply | Private Reply | To 8 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson