April 21st, 2005

Potential Legal Risks with Unauthorized Wi-Fi Access

Heath Stewart
Principal Software Engineer

Bruce Schneier pointed out an interesting article that got me thinking and even made me laugh a little. From the article:

Suppose you turn on your laptop while sitting at the kitchen table at home and respond “OK” to a prompt about accessing a nearby wireless Internet access point owned and operated by a neighbor. What potential liability may ensue from accessing someone else’s wireless access point? How about intercepting wireless connection signals? What about setting up an open or unsecured wireless access point in your house or business? Attorneys can expect to grapple with these issues and other related questions as the popularity of wireless technology continues to increase.

One doesn’t always have to consciously connect to another WAP, however. Many times has my Linksys Wireless-G Game Adapter will decide that my signal isn’t optimal and will jump to someone else’s unsecured WAP. Fortunately unintentional access seem to (currently) be protected:

The Computer Fraud and Abuse Act (“CFAA”) makes punishable whoever “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains — . . . information from any protected computer if the conduct involves interstate or foreign communication.”

I do typically notice such a jump right away, as many of my neighbors have only an 11 Mbps WAP. I still have yet to figure out why the jump even happens. I have changed the channel on my WAP while all my neighbors seem to be using the default channel Linksys configures: 6. This leads me to the somewhat funny part of the article:

In a residential area, the WAP name may refer to a neighbor’s last name, such as in “Jones Family Access Point.” The act of choosing an access point in this context could provide evidence of intentional access.

In all residential areas where WAPs have appeared they’re almost always set to “linksys” or “default” or whatever the manufacturer set. In this plug-and-play world, most people probably don’t even use the installation CD which is typically just a wizard to set up the WAP. I certainly didn’t. This along with using the default channel and not using WEP, WPA, or even setting up a white list of MAC addresses – which is what I do on my WAP – causes a real problem when considering how the CFAA reads. Hopefully any additional legislation regarding wireless access considers this issue and a legal precedence is set to carefully weigh these problems.

Topics
Security

Author

Heath Stewart
Principal Software Engineer

Heath is an application architect and developer, looking to help educate others to learn professional development. Besides designing and developing applications he enjoys writing about intermediate and advanced topics. Heath also consults for deployment packages and scenarios within Microsoft and for external customers.

0 comments

Discussion are closed.