The Case of the Stolen Wi-Fi
— -- Benjamin Smith III and Gregory Straszkiewicz both were arrested for allegedly stealing something no one could see, hear, or feel. That thing was valuable enough for victims to press charges in both cases. But the arrests were over something many consumers throw out their windows every day: a Wi-Fi signal.
The idea of a police car roaring down the street to catch a roving "Doom" junkie using someone else's wireless LAN may seem silly, but there are real dangers if your network plays host to strangers. The hazards you might face include eavesdropping, theft of data, painful legal hassles or even a conviction for computer-related crimes. And if you casually tap into your neighbor's Wi-Fi sometimes, these arrests--Smith's in Florida and Straszkiewicz's in Isleworth, U.K.--signal that it's at least possible you might run afoul of a law and an irritated fellow citizen.
On April 21, Richard Dinon of St. Petersburg, Florida, called police after he saw Smith in a car on the street outside his house using a notebook computer. Smith, 40, was arrested and charged with a felony under a Florida law that prohibits unauthorized access to a computer or network, according to police. A pretrial hearing is set for September 8. In July, a court in Isleworth convicted Straszkiewicz of using a laptop to access the Internet over unprotected residential wireless LANs on several occasions. He was fined $874 and got a 12-month conditional discharge.
A typical home Wi-Fi signal can transmit about 150 feet from an access point or router. Walls and windows will slow it down, but if it reaches the edge of your property, it won't stop there. In densely populated areas, it's common for a Wi-Fi device such as a notebook to detect multiple residential networks from one place.
It's not hard for even an innocent user to tap into a broadband Internet connection via an unprotected wireless LAN: As soon as the Wi-Fi client detects the network, the user can click on it and join. Some broadband subscribers even like opening their networks. But Internet access may not be the only thing being shared.
"People who steal bandwidth aren't necessarily going to stop there; they might steal data as well," said Gartner analyst Richard Hunter. Most consumers wouldn't even know if a stranger was using the network, he added.
"If you've got an unprotected Wi-Fi network and you are in any kind of populated area, then you really should do something to protect that," Hunter said.
Specifically, on a Windows PC, a intruder on your wireless LAN could get into any folder that is set with file sharing enabled, Hunter said. Whatever is in the file could be modified, copied, or posted on the Internet. So whatever you do, file sharing should be disabled, or restricted to certain trusted people on every folder, he said. That would at least prevent "a very casual hacker" from snooping in your files, Hunter said. File sharing is enabled by default in Windows XP Home Edition, according to Microsoft.
Likewise, it wouldn't be hard for someone to monitor data being sent from that unprotected LAN out to the Internet, said Kevin Bankston, an attorney at the Electronic Frontier Foundation. That could include e-mail messages and passwords. Even a low-priority password such as one for a free news site could pose a hazard for a user who sets up the same password on high-priority sites, Bankston pointed out. For users of unprotected Wi-Fi networks, he recommends encrypting e-mail and passwords with a tool such as Pretty Good Privacy (PGP), also available as freeware.
Having an open wireless LAN also could make you more vulnerable to viruses and other malicious code, according to security experts. The biggest danger in that respect comes from users who just want to share an Internet connection, said Gartner security analyst John Girard. Many home Wi-Fi routers are equipped with firewalls, which can provide protections such as deflecting attempts to scan your PC for vulnerabilities. Anyone who gets on your wireless LAN is behind the firewall, so if their systems are laden with viruses or other malicious code it can spread over the LAN. This includes tools that search for systems to turn into "bots" controlled by hackers.
One area where wireless LAN users have less to worry about is interception of online passwords, said Martin Herfurt, founder of Trifinite Group, a group of European wireless security experts. Internet commerce sites that secure customer transactions will encrypt passwords and other information all the way from the user's browser to the store's server, so the same protections are there on the LAN as on the Internet, he said. However, if you instruct your browser to save your passwords, an intruder might be able to steal them from your PC, he added. In addition, some kinds of Internet-borne attacks let hackers record your keystrokes, according to Gartner's Girard. For the best protection, he recommends having firewalls in both the router and PC.
Though it's less likely, an intruder could cause serious problems even without getting into your computer. Whatever that person did over your Internet connection--which could include downloading child porn, sharing copyrighted content, or executing a denial-of-service attack--could be linked to you, observers said.
When crimes are suspected on the Internet, usually the first piece of evidence investigators look for is the IP address from which the activity was carried out, the EFF's Bankston said. Organizations such as the FBI or the Recording Industry Association of America can subpoena your ISP to find out who you are.
Though there aren't many precedents from which to judge, lacking any other evidence, it's unlikely someone with an unprotected Wi-Fi network would be convicted just because a crime was committed from that network, both Hunter and Bankston said. But along the way, investigators could seize your computer to look for evidence and discover something else that could get you in trouble, such as your own illegally downloaded music, he said.
For that matter, arrests for "stealing" Wi-Fi are still rare and if someone taps into your network, in some places it may be hard to prosecute them, Bankston said. It's hard to prove an intruder was deliberately snooping rather than just taking advantage of signal that was intentionally made public. The flip side is that if you're the one looking for a signal and you happen to find your neighbor's wireless LAN, the odds seem fairly slim that you'll be punished for it.
Estimates vary on the percentage of unprotected wireless LANs, but many observers agree on the main reason: It's too complicated for the average consumer to set up.
All certified Wi-Fi gear made since late 2003 are equipped with Wi-Fi Protected Access (WPA), an encryption system strong enough for business use, and earlier approved products have at least Wired Equivalent Privacy (WEP), a weaker system. Even WEP will force a would-be intruder to do some work, and most snoopers will just move on to the next unprotected LAN, Girard said.
However, consumers often don't use either because they aren't aware of the problem or can't figure out the startup process. For example, setting up WPA requires the new Wi-Fi user to come up with a good "pass phrase," type it into the computer, and then enter it on the router via the network, said David Cohen, senior product marketing manager at Wi-Fi chip maker Broadcom.
Broadcom recently moved to simplify the process with Secure Easy Setup, a system that automatically creates a pass phrase and lets the user set up WPA just by clicking on a software button on the PC and then pushing a hardware button on the router. Secure Easy Setup is now shipping with products from Cisco Systems Inc.'s Linksys division, the biggest seller of home Wi-Fi gear, and will be adopted by other vendors that use Broadcom chips, Cohen said.
The Wi-Fi Alliance, the industry group that certifies Wi-Fi gear, wants to ensure easier setup for all consumers. In the first half of next year, it plans to create a standard that vendors can build in and have certified as a check-off item on their products, said Frank Hanzlik, the organization's managing director. The standard won't be required on all Wi-Fi products because it wouldn't be appropriate for complex enterprise gear installed by IT professionals, he added.
Some consumers will still choose to leave their networks open as a public service, the EFF's Bankston said. In addition to possibly violating the terms of your broadband contract, that move calls for all the safeguards mentioned above.
"If you don't know how to control network permissions, you should not run open Wi-Fi," Bankston said. "Even if you know what you're doing, opening up your network to the public will increase your risk."