HazDat
4Sep/09

Wi-Fi security — gone in 60 seconds, AGAIN.

You're not one of those people who leave their wi-fi network open to anyone who passes by, are you? You realize, of course, that--besides the obvious security risks to your computers, your network, your passwords, email, accounting files, your bank account, private identity, maybe even sensitive medical information--anything someone else does on your network will be traced back to you--the resident and ISP subscriber? Say, for example, the kid next door decides to use your "lightning fast DSL" to download, or worse--share--his music collection via BitTorrent. The RIAA subpoena will be addressed to you. Or, suppose someone driving by decides to stop and explore his sexual curiosities where they can't be traced back to his network. The search warrant will be addressed to you.

But, that's not your problem, right? Because your wi-fi network is encrypted, right? I remember, back in the day, I used to brag that it would be easier to poach my cable connection from the street than hack my wi-fi, because I was using WEP encryption (cracked in 2001), a MAC filter (easily spoofed), AND I cloaked my SSID (worthless). Since then, came WPA, and more recently WPA2.

Linksys settings for WPA2 wireless security.

If I lost you at "lightning fast DSL", then the following probably is your problem: Computer scientists in Japan have developed a way to break the WPA encryption system used in wireless routers in just one minute. For those keeping up, presumably you upgraded your router firmware some time back, or purchased and configured a new router to utilize WPA2--which is, so far, considered to be secure.

While the availability of the hack certainly makes for a very reasonable and plausible deniability and is bound to be tested in the courts by way of a defense--especially for the purposes of challenging a search warrant--my recommendation would be to lock your wireless router, and make certain that you're using the latest Wi-Fi security protocols. If that means hiring a professional--trust me, they're cheaper than legal fees. Remember, no wireless router comes secure out-of-the-box.


About Jeff M. Fischbach

http://www.twitter.com/FischTech Jeff Michael Fischbach is founder and President of SecondWave Information Systems (SecondWave.com), a consulting firm specializing in Forensic Technology. Since 1994, he has served as a board member and technology adviser to numerous professional organizations and corporations. Mr. Fischbach has been engaged as a litigation consultant and Forensic Examiner, offering expert advice and oversight on matters involving intellectual property, computers, information systems, satellite, tracking and wireless communications technologies. He has advised law enforcement, foreign government representatives, judges, lawyers and the press.
Comments (11) Trackbacks (0)
  1. I disagree wholeheartedly. My home network is unencrypted and password free. My neighbor's kid routinely sits on the curb in front of her house to use her iPhone, “because it works better out here.” There are open wireless networks all over the place here, and I am but one of many.

    Any of my traffic that gets sniffed would likely bore them to death–they would see my Mario Kart scores fly by, but I'm OK with that. I don't do online banking. I only shop over SSL. If I do harden my network, and then the Japanese 1-minute crack is used to beat it–where's my plausible deniability now? Isn't it much easier to show that if the network is wide open?

    Yep, the police might come and take my stuff. That is a hassle. The RIAA might subpoena me based upon the IP address–and that's a hassle. A power outage could fry my computer. I could get a speeding ticket. Those latter items are FAR more likely to occur given the numbers. RIAA has sued, what–20,000 people? There are about 20,000,000 people sharing music, and I'm not even one of them–I'll take my chances that someone isn't going to set their laptop up in the street and get me in trouble over their sharing of T-Pain.

    Open networks provide a service to others that I take advantage of when I visit coffeeshops, airports, hotels, and so forth. I -like- that the neighbor kid uses my network–it's like she's borrowing a cup of sugar. It's a nice thing that I do for folks.

    Mind you, I'm not stupid. I don't do online banking or billpay. I don't run as admin except for updates. I shop only over SSL. The contraband on my computer is limited to abandonware and ROMs that I don't have chipsets for. I don't think the makers of Radiant Silvergun are going to come after me anytime soon.

    In sum, an open wireless network is “less safe” than a full blown WPA2 encrypted with password rotation, but it's about a million times easier to use (I set my Wii and Roku up in about ten seconds), it makes me a friendly neighbor, and it's easier to defend in the asteroid-hitting-me-long odds that someone nefarious pulled up to my house and downloaded something inappropriate. I'll take my chances.

    -Jeb

  2. I hear what you're saying. As a matter of fact, I was very much involved with some of the early efforts to establish public metropolitan Wi-Fi networks, and even took early-adopter interest in private efforts like Fon (http://www.fon.com/en/info/aboutUs). I'm a licensed Ham Radio operator (KC6ZCF), so I have enjoyed the fruits of a shared, open, cooperative network. In an ideal world, I'm with you. I think your probability model is probably solid, but I think you vastly underestimate the implications of ending up on the losing end of the statistic.

    I'd be lying if I said that I didn't have a stake in the outcome either way. Part of my job is to educate and advise, based on the trends that I'm seeing. They don't support the ideal. Service provider subpoenas, and warrant requests are increasing year-over-year. It's become about as easy a prosecution as they come, which would support the trend.

    I think that the sugar analogy is flawed. First, no one actually “borrows” a cup of sugar, like no one borrows a cigarette. They ask. You give. It's consumed. The end-product goes through another shared network. If the neighbor's kid came by and ASKED to use your Wi-Fi, and you allowed it, that might be more analogous to the sugar scenario. After all, your neighbors aren't returning the bandwidth they consume. But, that's presuming that the Wi-Fi was yours to give. You paid for a certain amount of sugar. It's yours to give away. Chances are that the Terms of Service that you have agreed to with your ISP don't allow you to give away their bandwidth to your neighbors.

    I only bring that up because it's your ISP that will be cooperating with law enforcement. It's hard to imagine that, after they find out that you were cutting into their profits by serving your neighbors broadband, that they're going to be incentivized to provide aid to your defense. In fact, having worked for the defense, I can tell you that they will do everything, short of violating the same TOS to aid in your prosecution–even if you didn't intentionally open your network.

    But, let's assume, for the sake of argument, that your ISP is one that welcomes the spirit of sharing–explicitly. Returning to the sugar analogy: What you're really doing is leaving the front door open so that your neighbors, or anyone else passing by, can come in and take some sugar. Moreover, you're putting out a neon sign that invites them to do so. Then, when a crime occurs on your property, you show law enforcement the neon sign, and the open door, and ask that they, and a jury of your peers, understand and accept the likelihood (plausible deniability) that it was someone else.

    I get those cases from time to time. A jury is typically apt to accept the government's assertion that you were running a crack house. I also get the open-wi-fi cases. The jury is typically apt to accept the government's assertion that you were directly, knowingly involved, or aiding in any crime that occurs on your network–if for no other reason than, there's no one else to investigate and charge. (Not that the kid next door wouldn't make a great character witness in a sex crimes case.)

    There are, after all, almost 200 million drivers in the U.S., and only around 6 million accidents a year. Those are good odds. With only 20,000 people sued by–and a 100% success rate for–the RIAA, and less than 700,000 Americans on sex offender registries (many for images that traversed their computer networks), I suppose you could take your chances–for the betterment of your neighborhood.

  3. Ah, the “open door” metaphor. We'll get back to that. The sugar analogy works very well, in fact, because I don't expect to get my sugar back anymore than I expect to get my bandwidth back. No one does. The expectation is that I am neighborly, and here's a cup of sugar. If you want to use my bandwidth–it's not like they're joining “LINKSYS”–they are joining “Adams pple”–there is a tacit if not explicit understanding that this is mine and they are using it without “asking.” The question is, would I care? No, so go ahead. The kids use my basketball hoop without asking–do I care? No, so go ahead. Say they want to come in my garage and use my washing machine–would I care about that? Yeah, I probably would. A reasonable person would conclude the same.

    Here's the metaphor you -should- be using: Suppose they want to water their lawn from my hose–would I care about that? Yes, I would. Here's why even THAT metaphor is flawed. I don't pay LVMWD a fixed fee for my monthly allotment of water whether it is used or not–that's how my bandwidth works.

    Your thoughts about the ToS are interesting. Technically, it is -illegal- for the neighbor kid to steal my bandwidth, which there is much circumstantial evidence to conclude she is. It's not -illegal- for me to run an unsecured network, and so far, it's not -illegal- for me to not pay attention to my router logs and determine how many hop-ons I may have. Are train operators breaking the law if they don't check for hobos? By your own statement, even if my network was locked the ISP is going to help the prosecution–why should I care what they think?

    I think your “open door” analogy is weak. The last time I checked, even if the door was open and a neon sign was on my lawn saying come get some sugar, it is still illegal to come in my house and look at child porn or steal something. Every week people report items stolen from their unlocked cars, and the police still write up the reports, because a crime was committed. What you're saying is that some third party will say, “Someone in that house STOLE SOME MUSIC.” And the investigators will walk up and see my door open and my neon sign, and conclude that I stole the music, despite the fact that there's no music in my house (viz, that song and very likely that sharing client, as I'm using a Mac), and convince the jury of this with their “preponderance of evidence.” (That's the civil court language, yes?) Yeah, I'll take my chances.

    Schneier points out ( http://www.schneier.com/blog/archives/2008/01/m… ) that there are 15M people sharing music on the Internet. That's a 0.13% chance of getting caught–and that's for people that are ACTUALLY SHARING MUSIC, which I'm not. For me, the cost-benefit analysis is clear. I'll keep my network open.

    -jeb

  4. OK, I want to live on your planet. It sounds nice, and civil (and probably filled with Macs). A place where everyone gives you the benefit of the doubt, and takes logic into consideration before litigation. Sounds a little bit like Sesame St.

    I think the discrepancy between our positions is actually a small one–because, what you propose is an ideal to which I ascribe. Here's the minor chasm, as I see it: I believe you're coming from the standpoint of, will I ever ACTUALLY be convicted? The irony of this position is that, it is one that seems to be common among both the most, and least, educated defendants I've met over the last 15-odd-years.

    The problem is, most of the defendants I've met lost everything they had–jobs, savings, friends, spouses–long before they were ever acquitted or convicted. Even the wealthy ones. Many, long before the investigation was completed. Most people have to mortgage their houses to pay for a defense. I'm talking about well before any kind of trial. Which, by the way, can take years to get to.

    Actually, (and I know this because I examine the evidence,) more often, these days, people get investigated for the theft of their own cars–especially if they're found unlocked. And, your insurance company won't usually pay, if they're found without evidence of forced entry.

    Yes, you can be indicted, even if your computer is clean. The network traffic is enough to indict. Not because I say so, but because I've had plenty of cases where the computers weren't even seized. And, some of those defendants did prison time. Some pre-conviction and some post.

    That time you spend “convincing the jury” will cost you tens-of-thousands-of-dollars. And, remember, the time to “lawyer-up” is when they start asking questions, not later. Plenty of my cases involve “Just tell us your side of the story” statements. Not good.

    Bottom line, you play the lottery. If your number doesn't get pulled, you're in good shape. As long as you don't live near a place that gets traffic, like a major street, or public park, your chances are lessened, I suppose. I love my neighbors. Maybe, even enough to risk the wrath of my cable company's TOS. I've handed out my house key to a neighbor before. I'd likely hand out my WPA shared key (password) to the same ones, if they needed it.

    If I WERE a gambler, I'd bet on the house. But, I wouldn't use my house as collateral. I think you're taking a small statistical risk with a huge potential loss, and little upside.

  5. But how can I ever win? The whole point of your post is that even the state of the art WiFi network can be cracked in a minute. I don't live my life in that kind of fear. The odds an asteroid will hit me are low, but the cost is very high. I still manage to make it through the day.

    Insightful discussion, Jeff!

    -Jeb

  6. I agree, it is a fascinating discussion. Especially for me, in that–if there was a “win”–I'd rather it supported “openness”. In other areas of technology, that's a concept I evangelize.

    Unfortunately, I can't do anything to prevent an asteroid strike. I'm helpless. If you can–no matter how small the probability–I wish you would. If not for your sake, then for mine.

    Living in fear sucks. And, it makes no statistical sense. For instance, I've had one car accident in the last 22 years. I don't put on my seat belt every time I get in the car–before I start the engine–because it's the law, or because I have a statistical probability of getting in an accident. My good driver discount says otherwise. (Though, one might argue that, statistically, I'm due.) I put one on because I'm afraid of what might happen if I don't. Murphy's Law would suggest, the DAY I don't. Likewise, safety was my number one concern when purchasing a family car. Though, one might argue–given my driving record–my money might have been better spent elsewhere.

    I suppose, if the odds favored an accident, no one would even sell me insurance. The bet favors the house. Yet, I have more-than-adequate coverage–not because the law says I have to, or because it's paid off in the past, but because, IF something happened, I could lose my house. So far, I've lost money on the investment–and I'm glad it has worked out that way.

    The good news is, the “state-of-the-art” wireless security, WPA2–has not yet been cracked. At least, not that anyone is bragging about. So, for now, those who want to live in fear, can, with relative confidence.

    Though I would never advise leaving a Wi-Fi router “open”, I will tell you what I would do IF I was hell-bent on providing service to the neighborhood (or, say, my customers in a small retail establishment). Mind you, this is just a theory. I would lock-down my own router, assign “keys” to my own computers, and enable logging. Then, I would attach an unsecured, “open” router to the DMZ (an isolated port on the router that should not intermingle with the other computers inside the network). I would also enable logging, and name the router something like “Guest”. Then, should there be a problem, I would volunteer those logs to law enforcement (AFTER CONSULTING AN ATTORNEY), and advise investigators, in writing, VIA MY ATTORNEY, of the configuration.

    Minus the “open” part, it's something I've done when I have guests on my network, just to prevent any cross-contamination. I like my friends, but I don't know where their laptops have been. It not only allows you to play Robin Hood with your broadband, but also provides plausible deniability with your ISP because of the hot-spot's name (SSID). As far as the ISP is concerned, you forgot to disconnect when your guests left. It's not a half-bad insurance policy, if you want to live on the edge.
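
The guest-network layout described in the comment above, as an added example that is not part of the original discussion: a Python sketch that checks a forwarding rule list for any path from the guest segment to the trusted one, and groups connection-log records by the segment they came from. The subnets, the rule format and the log format are assumptions made for illustration, and the sample rules and log lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed addressing for illustration (not from the original discussion).
TRUSTED = ipaddress.ip_network("192.168.1.0/24")   # locked-down home LAN
GUEST = ipaddress.ip_network("192.168.50.0/24")    # clients of the open "Guest" router
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str  # "accept" or "drop"
    src: str     # source CIDR
    dst: str     # destination CIDR


def audit(rules, src_zone, dst_zone, default="drop"):
    """Return the accept rules that let src_zone reach dst_zone.

    Rules are evaluated first-match, top to bottom. The check is
    conservative: an overlapping accept is reported unless an earlier
    drop covers the whole src_zone -> dst_zone block.
    """
    leaks = []
    for rule in rules:
        rs = ipaddress.ip_network(rule.src)
        rd = ipaddress.ip_network(rule.dst)
        if rule.action == "drop" and src_zone.subnet_of(rs) and dst_zone.subnet_of(rd):
            return leaks  # everything below is shadowed for this zone pair
        if rule.action == "accept" and rs.overlaps(src_zone) and rd.overlaps(dst_zone):
            leaks.append(rule)
    if default == "accept":
        leaks.append(Rule("accept", ANY, ANY))  # implicit default policy
    return leaks


# Hypothetical log format: "<timestamp> SRC=<ip> DST=<ip> DPT=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$")


def attribute(lines):
    """Group outbound connection records by the segment they originated from."""
    by_zone = {"trusted": [], "guest": [], "unknown": []}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not connection records
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address field
        zone = "trusted" if src in TRUSTED else "guest" if src in GUEST else "unknown"
        by_zone[zone].append((m["ts"], m["src"], m["dst"], int(m["dpt"])))
    return by_zone


# Constructed rule sets: one flat network, one with the guest segment fenced off.
FLAT = [Rule("accept", "192.168.0.0/16", ANY)]
SEGMENTED = [
    Rule("drop", "192.168.50.0/24", "192.168.1.0/24"),  # guest may not reach the LAN
    Rule("accept", "192.168.50.0/24", ANY),             # guest may reach the Internet
    Rule("accept", "192.168.1.0/24", ANY),
]

# Constructed log lines (documentation address ranges as destinations).
SAMPLE_LOG = [
    "2009-09-04T21:14:03 SRC=192.168.50.23 DST=203.0.113.9 DPT=443",
    "2009-09-04T21:14:10 SRC=192.168.1.10 DST=198.51.100.7 DPT=80",
    "2009-09-04T21:15:42 SRC=192.168.50.23 DST=198.51.100.44 DPT=6881",
    "router: link up on port 4",
]

if __name__ == "__main__":
    print("flat leaks:     ", audit(FLAT, GUEST, TRUSTED))
    print("segmented leaks:", audit(SEGMENTED, GUEST, TRUSTED))
    for zone, records in attribute(SAMPLE_LOG).items():
        print(zone, len(records))
```

The audit only proves anything if the rule list reflects what the router actually enforces, so it is worth confirming from a guest client that the trusted subnet is unreachable.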

