Penetration Testing mailing list archives

Re: Legality of WEP Cracking
From: Larry Offley <lucullus () shaw ca>
Date: Sun, 20 May 2007 16:02:08 -0700

Since someone else brought this up, and the question on non-encrypted wifi has come up many times, how does the following apply, and has anyone seen any cases that it has been used as a defense for using an open wifi system?

18 USC 2511:

(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person—

(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;

Would not an open Wifi router BE "configured so that such electronic communications is readily accessible to the general public"?

Larry Offley

cwright () bdosyd com au wrote:
The situation is fairly simple and NOT as some people have deemed, unclear. The un-clarity comes from a lack of understanding of the law, not that the law is in any way unclear. There are in most common law western countries a variety of statutes that cover these acts at a federal level.
For clarification, the US, (most of CA), AU, UK, NZ and many other places are common law and not Romanic or civil law countries. France is civil law. Now that this is clear I will progress.

Wireless interception is covered as electronic interception. Wireless communications use electromagnetic waves for transmission. The dissemination of electromagnetic waves is legally considered electronic interception of electronic communications. This is clear. It is decided in case law in a variety of countries.
Mostly this is oldish law going back 20-30 years. The majority of cases at that point are due to the interception of Satellite transmissions or to pay television through electronic interception.

In § 2511 (Interception and disclosure of wire, oral, or electronic communications prohibited) of [1], parts 1.b.ii

        “such device transmits communications by radio, or interferes with the transmission of such communication”

So this is US Federal law. Forget all the “my state” bits etc. It is defined federally, and federal is all you need to be covered.

Section 2.d of the Act states:
        “It shall not be unlawful under this chapter for a person not acting under colour of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.”

The act even covers cases where a transmission is NOT “encrypted or scrambled”. It is still not legal to intercept it.

Now from the above in 2.d you should note that you can be given prior permission. This is from the site or system owner. As such, you can intercept a communication on your own site when you are an auditor or network administrator. You are exempted under the act as long as you remain acting within your authority. If you attack another network which crosses your site – you have no authority.

REMEMBER that this is PRIOR permission. That is BEFORE the act. There can not be any permission subsequent to the act.

In Au, we have the Telecommunications (Interception) Act 1979 and the TELECOMMUNICATIONS (INTERCEPTION) AMENDMENT BILL 2006. The UK has the equivalent as do the majority of other common law (and many civil law) countries.

Nothing is unclear about the law. Not knowing it does not make it unclear. These are VERY clear laws. The ONLY areas of un-clarity are in tortious actions. The un-clarity is how much of a civil penalty will you also get.

There is nothing to stop the owner of the network you intercepted taking tortious action. If you have been found guilty or charged with a criminal offence – this makes it easier.
So the uncertainty is not per se a legal one, but rather that when you go to gaol, will the aggrieved party also sue

So: Admin and your own network = ok
Admin and finding another network, but stopping = ok
Admin finding another network and just capturing = asking for trouble
Not admin and no permission = new friends with Bubba