Will Wi-fi Make Your Private Network Public?
| Citation | Vol. 1 No. 3 |
| Publication year | 2005 |
Cite as: Anita Ramasastry, Jane K. Winn and Peter Winn,
(c) 2005 Anita Ramasastry, Jane K. Winn and Peter Winn
Wireless networking is growing in popularity because it is often cheaper and more convenient than other computer networking systems. Wireless networks, however, are also very hard to secure. Locating insecure wireless networks and advertising their locations is an activity known as "wardriving." Exploiting the vulnerability of a wireless network to hack into the computer system or to monitor the wireless transmissions can give rise to liability under federal felony and misdemeanor statutes, as well as federal civil liability and liability under state law private causes of action. When introducing wireless networking into business information systems, system administrators should use all possible care to secure the network, and IT policies and practices should be updated to make sure that wireless networking risks that cannot be eliminated through technology are managed prudently.
[1] Wireless networking is growing in popularity because it can be cheaper and more convenient than other systems for networking computers. But replacing old-fashioned wires with new wireless connections may undermine whatever security once protected a network. The security problems of wireless networks are so widespread that finding unprotected networks and publicizing their vulnerability has now become a sport among computer geeks and hackers known as "wardriving." (fn2)
[2] Some forms of wardriving may be perfectly legal. Some wireless networks, such as community networks, are deliberately left open and so welcome detection by members of the public. Other networks, even though not left open to the public, may be inadvertently left unsecured and subsequently discovered quite by accident. While the inadvertent accessing of an unsecured network does not constitute a crime, so-called war drivers do not "accidentally" access wireless networks. They actively seek them out, and they do not ask or obtain permission to publicize network locations or to access the networks.(fn3) Under these circumstances, wardriving has criminal implications.
[3] Wi-Fi (or wireless fidelity) is currently the most popular form of wireless networking technology and is based on a standard developed by the Institute of Electrical and Electronics Engineers (IEEE) known as 802.11b. Mobile computing devices such as laptop computers or personal digital assistants (PDAs) can gain access to a local area network using radio signals to share data in lieu of a fixed wire connection.
[4] In recent years, wireless local area networks (WLANs) connecting personal computers have grown in popularity because prices for wireless technology have fallen sharply. Wireless networking has become a cost effective alternative to more traditional wired networks. The true cost of using wireless technology may not be apparent, however, unless the costs of securing the network are considered. Unprotected wireless networks can be accessed at will by unauthorized users who may be interested in free Internet access or may have more nefarious objectives.
[5] The 802.11b standard includes a security protocol known as Wired Equivalent Privacy (WEP) that if used, makes it more difficult to gain unauthorized access to a network. Although WEP provides only limited security for a Wi-Fi network, if used in connection with other security measures such as passwords and firewalls, it can reduce the likelihood that casual passersby will gain access to a network.
[6] The sudden popularity of wireless networks, combined with a popular misperception that no additional steps to secure those networks are necessary, has caused a marked increase in the number of insecure computer networks that can be accessed without authorization. This in turn has given rise to the sport of wardriving - detecting and reporting the existence of insecure wireless networks, ostensibly without actually accessing the network. Wardriving may also involve illegally accessing and monitoring the networks once so discovered. The sport of discovering connections to wireless computer networks can be done while driving in a car ("wardriving") or while strolling on foot with a PDA ("war strolling"). When a network is identified, the "hotspot" or "access point" (AP) can be marked with a coded symbol in chalk on a wall or sidewalk, or "war chalked". This will alert others to the presence of an open or insecure wireless network in a given location - which they might choose to access themselves. Other variations include "war stumbling" (accidental discovery of an open access point).
[7] Most hackers or wardriving hobbyists use freeware tools such as NetStumbler,(fn4) or Kismet.(fn5) These software programs can be used for the wholly legitimate purpose of helping network administrators make their systems more secure. They work by detecting the "service set identifier" (SSID) number that wireless networks continuously broadcast to identify themselves to their authorized users. Unfortunately, unless steps are taken by the wireless network operator to restrict what and to whom the network broadcasts as part of this process of signaling to users, then unauthorized users can also discover the existence of the network. In that event, drive-by snoopers and casual passersby alike will not only be able to detect the network, but will be able to access network resources unless some system is in place to restrict network access, such as requiring a user ID and password to log on to the system.
[8] Information gathered in this manner can be correlated with geographical information provided by the Global Positioning System (GPS) and uploaded to maps posted on the Internet showing the location of access points (AP) for Wi-Fi networks.(fn6) Commercial services such as Wi-Finder provide maps of wireless networks that provide free or paid public Internet access.
[9] Wardriving may violate several different computer crime statutes. These include the Wiretap Act(fn7) which covers interceptions and disclosures of electronic communications, the Electronic Communications Privacy Act (ECPA)(fn8) which addresses unauthorized access and disclosures of stored electronic communications such as e-mail, and the Computer Fraud and Abuse Act (CFAA)(fn9) which addresses unauthorized access and misuse of computers and computer networks, in general.
[10] Interceptions of electronic communications in "real time" come under the federal Wiretap Act. That Act provides that any person who intentionally intercepts an electronic communication is guilty of a felony and subject to a fine of up to $250,000 and imprisonment for up to five years.(fn10)...
To continue reading
Request your trial