13
Wireless and Privacy
ITS 351: Privacy in the Information Age
16 November 2009
James Craig
Andrew Hillard
Martin Kovach
William Payne
As wireless technologies have expanded exponentially over the past several years, problems associated with security and privacy have surfaced over and over again. Whether it is a 802.11x, or Wi-Fi, connection, a wireless cell phone signal, communication involving technologies like Bluetooth, or a GPS-enabled device that allows for signal tracking, the technology that has kept us in contact with each other is now becoming a large liability for its users.
The number homes and businesses with broadband connections have rapidly increased over the last decade. Most airports, coffee shops, and other businesses have joined the trend of offering Wi-Fi to their customers. With the millions of Wireless networks popping up around the country there are some precautions that need to be taken to ensure your privacy is secure. Many people setting up wireless home networks speed through the setup process to get their connection to work as quickly as possible. This can be dangerous as various security problems can result in compromised privacy. It’s not always easy for the average individual to be thinking about their privacy when they barely understand the technology they are about to use. Most hardware adds to this confusion by making security features inaccessible to the average user. Despite this there are a few precautions a Wi-Fi user should take to secure themselves and their network.
The central point of access for a small wireless network is often a router. Hardware manufacturers generally provide a web address where the owner of the network can customize their settings. People just moving to Wi-Fi will unwittingly overlook these options. People with the technical expertise will easily be able to identify factory settings and be able to compromise a network without much setback. The network administrator needs to change these factory settings in favor of more secure ones. Changing the networks SSID or name is the first step. Just by changing a networks name, you can deter would be criminals who prey on the ill informed. Next a strong, unique password should be created. Adding a good password will effectively reduce most brute force attacks to zero. To fully secure the password some form of encryption should be used. Although a password will reduce brute force attempts to access a network, there are still programs that can find other was to compromise the security. These are the basic steps that everyone who has a Wi-Fi network should take to secure the network they own and use. There are more methods to ensure greater security but these basic step with prevent most people who wish to do you harm.
Next we will focus on liability issues dealing with secured and unsecured wireless networks. As stated earlier many people neglect to take the proper precautions to secure their wireless network. Many people choose to or unknowingly leave their Wi-Fi networks open. This allows any random person access to the network if they seek it. While most people who would use an unsecured network wish no harm to the owner, there is a real chance that they are someone who does. In this country it is not unlikely to be presented with an open network where ever we go. In the coffee shop, airport, and library there are networks purposefully left open for patrons to use. This can pose some problems when it comes to users privacy, and could also present legal issues.
Open Wi-Fi networks are a potential risk; they allow people to access data without any form of authentication. A person could view, alter, or otherwise affect this data through the open network. A person could also utilize the Wi-Fi network to access the Internet and engage in malicious activities. Current U.S. law states that those who provide open access to networks are not liable for the actions of third parties while on these networks. This law is mainly there to protect businesses and public facilities that provide access to many individuals.
Wi-Fi has been effective in penetrating the market; networks can be seen in homes across the country. In these environments a user has the likelihood of seeing dozens of networks within their range. Does a person need to ask permission to access these networks or are they available for anyone within range to use? Most people wouldn’t use their neighbor’s property without asking, but what about their wireless network? There are no federal laws that clearly say using other people’s networks is theft. You may not be criminally charged for having or using an open network, but it is in best for people to protect themselves. It is possible for anyone on the open network to see the actions of others. This can be a huge compromise to your privacy. With the right tools someone could gather information such as passwords, names, and files. It is really in the best interest to protect yourself and use and maintain closed secure networks.
Within the realm of wireless security and privacy, 802.11x networks, also known as Wi-Fi networks have always presented themselves as a challenge. Created to give computer users the freedom to move within range of an access point, Wi-Fi technologies have now entered mainstream society to allow people with mobile computers to have access to the Internet. With every application, two ideals are often conflicting with each other: the ability to have open, easy-access with the ability to allow only wanted users on the network. Over the past couple years, several court cases have been brought forth against people either using another’s unencrypted wireless network without their knowledge or permission or using the network beyond what was originally planned for by the business owner.
As wireless networks have increased in number with commercially available wireless routers and 802.11x equipment, a number of people have been tried and convicted of crimes using laws originally designed for hacking crimes. Instead, the ethically-questionable act of “leeching” another’s open wireless network has now been categorized as crimes in many parts of the United States. In early 2005, Benjamin Smith of Florida gained national attention after being arrested for using another person’s home wireless network to check email sporadically over the course of several weeks. Charged with the Florida crime of “unauthorized access to a computer network,” a 3rd degree felony in Florida (Leary). Within the next year, several others were arrested in similar crimes. In early 2006, David Kauchak was spotted using his laptop in his car outside of a local not-for-profit agency. Again, he was charged with a 3rd degree felony in Illinoise for using an unprotected and unsecured wireless access point. Eventually, Kauchak plead guilty and was given a $250 fine and given a one-year probation (Green). In 2007, the case that gained the most media attention was of Sam Peterson of Michigan. After previously having bought a coffee from the local coffee shop, he returned over the course of the next few days and used the wireless network from his car. After an officer approached him, he explained what he was doing, without knowledge that it was a crime. After a few days of investigating, the police charged Peterson with Michigan’s "Fraudulent access to computers, computer systems, and computer networks" law, a felony that could have resulted in up to a 5 year sentence and a $10,000 fine. Originally written for hacking, it was used against Peterson who had been using the coffee shop’s open wireless network for patrons. He was eventually sentenced with a $400 fine and 40 hours of community service because the prosecutor did not want to “throw the book at him” for a law he was unknowingly breaking (Bonisteel).
In each of these cases, the alleged activity has been nothing more than leeching another’s open Internet access. The problem comes to light when many novices with this equipment do not understand or know how to secure the wireless access point. While many choose to leave their networks open, a significant portion wants to have their Internet access secured. Unfortunately, many nefarious people have used open wireless networks to gain credit card numbers, passwords, or to commit crimes on the Internet using another’s open network. As the criminal has often left by the time the authorities arrive, the network owner is often liable for activity. While many see an open network as an invitation for others to use it, giving the example that the access itself is permission, others point to the default settings on wireless equipment as open, indicating that the network owner might not be giving permission.
As the decade of Wi-Fi comes to a close, the issue of network access and permission will be at the forefront of debate. Often cited as a defense in RIAA music infringement trials, people point to their open networks as proof that another might have gained access to the network without permission. Unfortunately, there is not, as of yet, a clear distinction on liability with wireless networks. Who is ultimately responsible for crimes committed on open wireless networks and on whose onus is it to make sure that networks are secured?
As we use more and more wireless devices privacy become a great concern. Many times the information transmitted using these devices is easily intercepted by other parties. One example of this is cellular and cordless phones. Today the technology is these devices do a much better job ensuring the privacy of the communication, but it is still possible for other to intercept these transmission given the sophisticated enough equipment.
The website privacyrights.org states that "The Federal Communications Commission ruled that as of April 1994 no radio scanners may be manufactured or imported into the U.S. that can pick up frequencies used by cellular telephones, or that can be readily altered to receive such frequencies. (47 CFR Part 15.37(f))." This is also evident on any radio scanning device you purchase, as it states that modifying that device to receiver cellular radio telephone communications is a violation of federal law.
This, however, has stopped very few people from doing exactly that. Visitinghttp://www.snapshield.com/www_problems/Inter/All_you.htmwill give you a good start on what it takes to modify a radio scanner to intercept cell phone transmissions, and tips on how to best do it. While today cell phone communications are encrypted, they once were not. I remember being able to once use a basic radio scanner purchased at Wal-Mart to listen in on one side of my family's first cellphone, which used a 400 Mhz frequency and the voice was transmitted using no encryption. The newer digital cell phones aren't as easy to intercept with equipment available to consumers, but law enforcement grade scanners are capable of intercepting the transmission.
We do see that there is legislation that makes doing this illegal, but unless you talk about listening to a conversation or you are caught in the act of listening to a conversation, it is highly unlikely anyone would know that the act had occurred. A shortcoming in the technology, and especially in the early days of the technology, provide no means outside of it being illegal to stop criminals from intercepting a transmission. It is likely the people who would abuse the information they hear when intercepting a transmission most likely would not care that is against the law to intercept that transmission, therefore making the legislation useless.
Possibly the bigger issue is wireless phone communications is the interception of household cordless phones. Household cordless phone often use a frequency spectrum is shared among other devices, including other cordless phones. Traditionally cordless phones have also been much easier to intercept on radio scanners. I remember hearing from a friend one time about someone asking him a question while he was talking on his cordless phone, and then someone that was listening to the conversation called him and answered the question he was asked! This person has listened to the entire conversation. In fact most of these phones made it much easier to listen in on the conversation because the both sides were often transmitted back to the person talking so they could hear themselves in there handset (http://www.howstuffworks.com/cordless-telephone).
If we look back at privacyrights.org they stress how easy it is for someone to listen in on your conversation. They also stress that consumers look for features like digital spread spectrum technology (DSST) or digital enhanced cordless technology (DECT) as provide better security against people listening in on you're conversation. However, this doesn't ensure that your conversations will be totally private.
Lastly we can see that another source for monitoring is pagers. Privacyrights.org points out that pagers use unencrypted communication on frequencies easily received my radio scanners. While these messages can’t be easily decoded, equipment is available that does exactly that.
On the upside of all this, the technologies we use today are much more secure. Cell phones and cordless phone encrypt communications making them much harder to intercept. What we can take from this is a technological means of making these communications private because policy alone could not stop criminals from stealing the information transmitted.
Wireless technology provides a convenient way to access the Internet, as well as other devices without the use of cables, or while someone is on the go. However the use of this technology comes at the price of ones personal privacy. One issue in particular is the fact that people can have the information they access, and even their location tracked when using wireless. Bluetooth, Internet browsers, cell phones, and other applications can make ones location accessible to others. This raises some serious issues about privacy if ones location can be determined by surfing the Internet or using ones phone.