X

Wi-Fi arrest highlights security dangers

A man in Canada who stands accused of downloading child pornography over a hijacked Wi-Fi connection has the industry pondering liability and fixes.

Richard Shim Staff Writer, CNET News.com
Richard Shim
writes about gadgets big and small.
Richard Shim
6 min read
Wireless security for home networks is in the spotlight following an unusual arrest in Canada, where a man stands accused of downloading child pornography over a hijacked Wi-Fi connection.

Toronto police said they stopped a car last week for a traffic infraction when they found the driver naked from the waist down with a laptop computer on the front seat, playing a pornographic video that had apparently been streamed over a residential wireless hot spot. The driver was charged with possession, distribution and creation of child pornography, as well as theft of telecommunications--a first in Canada, according to local authorities.

News.context

What's new:
The arrest of a man accused of downloading child pornography over a hijacked Wi-Fi connection raises more questions about security in the consumer market and has the industry looking for a fix.

Bottom line:
Running an insecure Wi-Fi hub from a home or office is risky business that can leave a person or company open to a host of legal and technical problems. As wireless networking gear becomes more popular, more criminal activity is expected.

For more info:
Track the players

Prosecutors have not sought to charge the owner of the Wi-Fi connection used to download the images. Still, the Nov. 19 incident offers a dramatic illustration of the dangers of running an insecure Wi-Fi hub from a home or office.

Although Wi-Fi law is still largely unsettled in the United States and Canada, people who run open Wi-Fi hubs could conceivably be held accountable for activities carried out on their networks by unauthorized users, according to Joseph Burton, an attorney with law firm Duane Morris.

"Is it possible a home owner can be liable for a lack of security on a wireless network? Yes, if they are negligent in setting up security," Burton said.

Security experts have long known that unauthorized users could hijack open wireless Internet connections in order to mask their online activities, with some offering dire warnings that open Wi-Fi hot spots could abet terrorism. So far, there's little evidence to show how much and what kind of abuse is taking place. But security experts say a surprisingly high number of consumers choose not to activate security protocols on their wireless networks, meaning the opportunity clearly exists.

That could pose a legal risk if someone were to suffer damages as a result of activities conducted on an open Wi-Fi hub, Burton said. Individuals that gain unauthorized access to a wireless network that's providing a broadband connection can not only download illegal material, but they could also use a hijacked network to launch spam, distribute a virus or steal data from resources on the network. In all these case, it would look like the owner of the connection had performed the acts.

That may not be enough to trigger liability, counter other legal experts, who note that the law is still largely unformed. Internet service providers in the United States have long enjoyed some protection from lawsuits related to the activities of their customers, and courts might extend that same principle to cover Wi-Fi providers. Still, the providers might find themselves on the wrong side of the law in some cases--for example, if they refuse to secure their network after repeated attacks.

A growing problem
Experts agree on one point: As the popularity of wireless local-area networking gear grows for small businesses and consumers, break-ins on unsecured networks are likely to become more common and increasingly involve criminal activity, experts said. Wi-Fi shipments are expected to nearly quadruple from a projected 9.8 million units this year to 47.4 million units by 2007, according to research firm Synergy Research Group.

Tracking down open Wi-Fi ports while in a car, a practice known as "war driving," is a simple task with the proper radio scanning equipment. Once a wireless network is identified, war drivers may mark the spot, such as a building, with symbols in chalk to indicate to others what type of network is accessible and its security features.

According to research by the WorldWide WarDrive, more than two-thirds of the roughly 88,100 access points found by war drivers around the globe this year did not have basic security settings activated.

Wi-Fi users need to do more than simply turn on their security settings to protect themselves. Wi-Fi uses Wired Equivalent Privacy as its default security protocol. WEP is widely recognized as being easily broken, leading industry groups to develop alternatives. A new security standard known as 802.11i is expected to be finalized around the middle of next year, bringing stronger encryption to keep eavesdroppers from snagging passwords and other sensitive data exchanged between a remote computer and a Wi-Fi base station.

In the meantime, standards groups are backing an interim security protocol known as Wi-Fi Protected Access to replace WEP, offering improved encryption and authentication. Since September, products certified by the Wi-Fi Alliance for interoperability must include WPA, and so far 80 products have been certified. Upgrades for products already in homes are available from most manufacturers' Web sites.

Who's liable?
Beefing up Wi-Fi security is a top priority for the industry. Wi-Fi case law is not developed enough to clearly support negligence claims, according to Burton, but businesses are already bracing for a day when they might be found liable for Wi-Fi security breaches.

The issue sparked up earlier this year, when three men were arrested and charged with stealing credit card information from a Lowe's store in Southfield, Mich., after allegedly accessing the home improvement store's wireless network from a parking lot.

Lowe's said the men were apprehended before they were able to use the credit card data. Since no customers suffered damages as a result of the alleged break-in, Lowe's couldn't be held liable in the incident. But that wouldn't preclude customers and insurers from seeking redress in other cases, particularly if they were found to have suffered financial or other losses as a result of negligence, attorneys said.

Security and the prevention of access by unauthorized individuals have been among the thorniest issues surrounding the use of wireless networks. The attraction for consumers and businesses has been that the wireless networks are easy to set up because they don't require laying cables in an office.

The easiest networks for consumers to install are wireless networks using Wi-Fi standards that have been created and developed by technology industry groups. Wi-Fi networks create an area of up to 300 feet in radius from a distribution device called an access point allowing a consumer to wirelessly access resources on the network. The most common resource used with Wi-Fi networks now is a broadband connection.

Many businesses have shied away from allowing wireless networking within their offices due to security concerns, although Wi-Fi has made in-roads in some areas such as warehouses, health care, education and government.

Consumers have been less concerned with security and have readily purchased Wi-Fi gear to set up networks. Security specifications are included in most consumer gear, but for whatever reason they aren't being used.

One solution would be to make security easier to turn on, according to Bruce Sunstein, an attorney with Boston-based Bromberg and Sunstein, which would also make it more clear when negligence has occurred. If security were already enabled when networking gear was sold or were self-configuring, consumers would have to actively disable the security, making them responsible for their act, Sunstein said.

But out-of-the-box security is not likely to happen soon, according to Dennis Eaton, chairman of the Wi-Fi Alliance, an industry group that certifies Wi-Fi products for interoperability.

"Networking can still be a complicated process, and what we're trying to do first is make it as easy as possible for consumers to set up the networking," Eaton said. "Then they can work on enabling security.

Eaton added that while the group discusses making security easier to enable, there is no formal plan for making that happen.

Mike Wagner, a director of marketing at Linksys, a division of Cisco, added that there could be a larger problem if security were enabled before gear got to consumers.

"Most people don't change default settings, so if we enabled security out-of-the-box with preset passwords, and consumers didn't change their passwords, there could be a potential for a larger problem if a hacker found out that default password--something that would be easy to do," he said.