Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Legality of WEP Cracking
From: Nick Selby <nick.selby () the451group com>
Date: Sun, 27 May 2007 14:06:13 +0200

Sorry to pick this up late in the game, but some of my research prior to joining my current firm agrees with Richard's, below (a friend and I detected WEP-'protected' or wide open access points whose ESSIDs indicated that they belonged to lawyers, doctors, banks and a state senator's offices after a four mile drive in Albany, NY - makes one wonder about compliance with things like, say, HIPAA and SOX).

Also regarding the legality issue, if it has not been done to death, the issue - when I researched this last year - might not be as simple as Craig suggested. He speaks accurately about prior permission. But I am not sure the 'your state my state' issue should be dismissed out of hand for that very reason: one problem seems to be that states seem to control how such authorization itself is expressed, and lawyers and legislators are unclear about how one can reasonably assume authorization.

The problem of successfully prosecuting someone who accesses an AP without permission - even though arrests have been made - seems fairly tough.

From a report I wrote on the problem of protecting AP's at the offices of lawyers in New York State:

   * *You cannot rely on existing laws to prosecute "unauthorized" WAP
     access. It is difficult to determine how a user becomes authorized
     to access a WAP, and there's no common mechanism by which to post
     a notice that he is not. *

In early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III for accessing a residential WAP and connecting to the Internet - from his car. Smith was charged with unauthorized access to a computer network.

He might get off. Who's to say it was unreasonable for Smith to assume what he did was Kosher? The WAP he used was wide open. With the proliferation of public Hotspots, who can say whether a person can reasonably infer an Open WAP is /intended/ for public use?

Under current New York law, it is illegal to intentionally access someone else's computer, computer network or equipment without authorization to do so where such computer or equipment, "...is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system.

The New York Penal Law also attempts to define "authorization" by providing that to establish authorization, one must be either

(i) give actual notice in writing or orally to the user;

(ii) prominently post written notice adjacent to the computer being utilized; or

(iii) a notice that is displayed on, printed out on or announced by the computer being utilized by the user

Significantly, the Penal Law also provides for a presumption that notice of such authorization is given where, "the computer is programmed to automatically display, print or announce such notice ...."

Scott R. Almas, who was instrumental in developing the business and technology model to implement many of the Hotspots throughout downtown Albany, New York, is a technology attorney at the law firm of Lemery Greisler LLC. While Almas does not endorse the unauthorized use of open WAPs, he points out significant problems with New York's law when viewed against the practical reality of the proliferation of Open WAPs.

"I am particularly troubled," Almas said, "by how a user is supposed to know whether or not the owner of the Open WAP is authorizing use of the access point where the owner broadcasts to the world the presence of the access point and takes no steps to secure it. By the very nature of WAPs, there is no reasonable way to post or provide oral notice, and it can be difficult to interpret from the broadcasted name of the access point whether authorization is intended."

"In light of the fact that protecting the WAP is free, simple to do, and strongly recommended by the access point manufacturers during the set up process," Almas said, "I believe anyone who sets up a WAP and does not follow the advice to install even the most basic, minimal safeguards should be presumed to be providing authorization to access the Open AP for otherwise lawful Internet use."

"The presumption should not," adds Almas "extend to authority to access information on the WAP owner's LAN, or other illegal or harmful activities."

(whole thing: http://www.nickselby.com/articles/technology/?a=1805)

In trying to determine an interpretation of NY law, I came up with the analogy that an AP was like a hallway leading to the internet. Walking into the hallway and out to the internet on the other side was cool. Walking through and jiggling the handles of all the doors you passed in the hallway, and walking in to rooms that were unlocked along the way TO the internet was not cool.

For fun, let me introduce the unknown and probably unknowable impact of the USA PATRIOT act on the matter: we determined in talking the legal scholars and looking at case study (I am not a lawyer but worked with several in this research) that there could be a case for the USA PATRIOT act applying to those who leave their APs unprotected. Imagine, if you would, an open access point being detected by, say, Danish terrorists, who later use the AP to access an email account and send each other banned cookie recipes. Or other, perhaps worse, contraband. I can see that the label of having supplied 'material aid' to a terrorist organization could thereby be applied to a person failing to tighten access to the AP!

There's my two cents. I have absolutely no idea what it's like in other countries.


Richard Brinson wrote:
That's a good idea about the war chalking Paul, although I haven't seen much
evidence of it locally. As for the use of WEP, it is most definitely still
in use by organisations of all sizes. Whilst parked up in a high street
recently trying to connect to a hot spot, I picked up approx 20 wireless
networks - only 2 were using WPA, the rest (including the council
headquarters and 2 firms of solicitors!) were on WEP. This lack of education
is obviously a huge problem.



This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]