CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Mobile

Insecure networks could lead to lawsuits

special report The dangers of not protecting wireless networks are well known, yet many fail to secure them--and may find themselves slapped with lawsuits as a result.

 

Wireless minefield
 
By Rob Lemos
Staff Writer, CNET News.com
July 1, 2002, 4:00 a.m. PT

The major Internet backbone networks for the Pacific Northwest converge at a single location: the Westin building in Seattle, a 32-story structure that houses dozens of major and minor Internet service providers.

It is also home to more than 50 wireless networks, most of which apparently have no security.

"The Westin building is the Northwest nexus for all the fiber. Everyone who is anyone is colocated there," said Josh Pennell, CEO and principal consultant for Seattle security firm IOActive, who recently visited his company's servers at the site. "You can think about the mayhem that people can cause by getting onto that. It's pretty scary stuff."

It's a story repeated all over the United States. Security researchers and wireless aficionados have found areas in cities and suburbia where hundreds of insecure networks can allow hackers to connect to the Internet and conduct nearly untraceable attacks.

Yet the potential for their networks to be subverted hasn't persuaded individuals and many companies to set up wireless access points with stronger safeguards. That's leading security professionals and many lawyers to warn companies that they may be liable for attacks launched from their corner of the Internet.

Future calls for liability may be louder because wireless intruders can easily disappear into thin air. With the right equipment, which typically costs less than a few hundred dollars, online vandals can connect from several miles away, while other techniques allow them to hide their tracks easily and completely.

"If an attacker in a van uses a wireless network to hack an employee's workstation and launch an attack, it looks like the employee did it," Pennell said. "They could use your wireless to do a reconnaissance on FBI.gov, and it comes back to your doorstep."

Making matters even worse, wireless hackers and enthusiasts have created a graffiti-like system to mark zones of wireless connectivity with designs drawn on streets and walls. So-called Wibo runes--or "warchalking," as first described--have spread like wildfire around the Internet since the concept was introduced just over a week ago, and could make wireless networks that much easier to find.

"It's useful, because it's a visual cue that something is there," said Matt Jones, a designer and information architect for the British TV station BBC and the creator of the original marks. "Someone leaves a clue for you on how to connect. It's a low-tech thing."

Perhaps, but one with decidedly high-tech consequences that have security consultants worried. Already, they say, vulnerable areas are simple enough to identify without the help of Wibo runes.

Michael Stokes, chief security officer for wireless technology company CD/Help, recently came across a Northern California health care provider that used wireless connections throughout its facility and, because of the lack of security, broadcast patients' medical data indiscriminately.

In another instance, when one client called Stokes to its San Francisco office because of wireless connectivity problems, he traced the interference to a network used by a Big Four financial firm that was wide open half a block away. In the short time it took to identify the network, Stokes observed that data for investors' portfolios were broadcast for anyone to see.

"You see tons of poorly engineered or open-access points out there," Stokes said. "I see a huge liability issue."

Residential neighborhoods are rife with unprotected networks as well. From the top of an office building in a mainly residential area of Seattle, several students learning hacking and security from IOActive's Pennell were able to find more than 30 wireless access points, most with no security.

David Pollino, managing security architect for digital security firm @Stake, is concerned that few people are taking the wireless problems seriously. "Too many people are buying access points, taking them out of the box, and plugging them in," he said.

Moreover, because those who use wireless networks at home typically don't keep access logs, the threat goes beyond legal responsibility for damages because they could easily be fingered as the perpetrator, Pollino warned.

When the notorious Melissa virus struck in March 1999, law enforcement officials quickly tracked its release to an America Online account that had been hacked. AOL's logs indicated that the person who released the virus dialed in with a telephone number that didn't belong to the account owner.

"Right now, the account owner has a good story to tell over a beer," Pollino said. "But what would have happened today if the person who released the virus got into AOL through a home (wireless) network? The trail would have gone cold at the victim's house, and they would likely be arrested."

In addition, if an attack does a great deal of damage, the individual or company whose account was used in the hacking could face enormous liability charges, said Joseph Burton, a lawyer with Duane Morris who focuses on information security issues.


Reader Resources
Three gateways to Wi-Fi
Wi-Fi routers for home or office

Until now, Burton said, companies have been afraid to sue others for their security problems. "Companies are reluctant to bring the cases, because it's like living in a glass house and throwing the stone. Everyone is at risk."

But that reluctance could be about to change. Because of heightened safety concerns since the Sept. 11 terrorist attacks, the courts will eventually establish certain levels of security as reasonable expectations.

"A company hurt because of another firm's weak security will say, 'They are idiots. They should have known better, and I'm out $22 million,'" Burton said.

Burton, who is representing Russian software company Elcomsoft against copyright infringement charges, believes that one or two cases will crop up in the next year, most likely brought by insurance companies trying to recoup losses.

"The minute it is open, it's open season on everybody," he said. "That's why you haven't seen it so far."

That same reason is why other lawyers believe that no such cases will be filed anytime soon. "I think at this point in time, it would be hard to say there is a professional duty of care to others to secure the network," said Jennifer Granick, clinical director for Stanford University's Center for Internet and Society.

In the meantime, while the issue is debated in academia and corporations, the chalk-marked message on the street is clear: Connect here. 

Four ways an attacker can hack the airwaves and get access to your network and beyond:

Method: Low-hanging fruit
Description: Hacker scans for open access points that allow anyone to connect. In some cases, such wireless networks are meant to be used by the public, but most of the time, the networks are just misconfigured.
Goal: Free Internet access, attack a third party using target as a blind, exploring someone else's network.

Method: Access point spoofing
Description: An attacker sets up his or her own access point, known as a rogue, near the target network or in a public place where the victim might believe that wireless Internet access is available. If the rogue access point's signal is stronger than the signal of the real access point, then in many cases, the victim's computer will connect to the rogue access point. Then, the attacker can wait for the victim to type in passwords or inject attack code into the information flow to compromise the victim's computer.
Goal: Snooping, password acquisition, identity theft, network access

Method: WEP attack
Description: By exploiting the flaws in the Wired Equivalent Privacy security protocol, an attacker can crack the encryption on the communications between an access point and a legitimate client. Passive attacks, when the attacker just listens, can take days. But at least one active attack has been discovered that requires merely hours.
Goal: Snooping, password acquisition, identity theft, network access

Method: Man-in-the-middle attack
Description: Similar to the access point spoofing, the attacker combines an access point with a virtual private network (VPN) server of the same type as the one on the target network (for example, Secure Shell or SSH). When the victim attempts to connect to the real server, the spoofed server sends a reply back, leading the victim to connect to the fake server.
Goal: Snooping, password acquisition, identity theft, network access

Related news

Want Wi-Fi? Learn the secret code

Is that Wi-Fi on your sleeve?

U.K. jumps into Wi-Fi networking

Wireless hits notes in 802.11a, b and g

Wi-Fi roams into standards battle

For two home devices, wireless is more

Wi-Fi's new job: Doing the dishes?

Wi-Fi on the rise

Microsoft boosts Wi-Fi security

Wi-Fi wants a few good "hot spots"

Editors: Mike Yamamoto Lara Wright, Desiree Everts
Design: Ellen Ng
Production: Mike Markovich