[LINK] The Degree of Peril in an Insecure Wifi Network

Roger Clarke Roger.Clarke at xamax.com.au
Sat Jul 16 11:16:41 AEST 2011


[Comments at end]

Wi-Fi hijackers cause download of trouble
Aaron Cook July 16, 2011
SMH
http://m.smh.com.au/technology/security/wifi-hijackers-cause-download-of-trouble-20110715-1hhrm.html

THOUSANDS of Sydney households are placing their personal information 
at risk and inadvertently protecting fraudsters and users of child 
pornography by not securing their home Wi-Fi networks, a Herald 
investigation has shown.

NSW Police have prosecuted individuals for crimes involving fraud and 
child exploitation material who were using unsecured wireless 
internet networks to commit offences, said Bruce Van Der Graaf from 
the NSW Police fraud squad.

''This results in the innocent user being asked to explain why their 
internet service was used,'' he said.

[... asked how it was possible for their Internet connection to be 
used by someone else, maybe?  How would they know *why* it was used??]

An internet security expert from RMIT University in Melbourne, Mark 
Gregory, said unsecured Wi-Fi could attract attacks on any devices on 
the same network, leading to the loss of personal data, such as bank 
statements and credit card numbers. ''The likelihood that the Wi-Fi 
will be used by someone else is high,'' he said. Hackers can turn 
home computers into robots, using them to send spam and attack other 
computers.

''All of the detrimental effects of being hacked will then follow, 
except the hacker has been given an easy and exploitable way into the 
network,'' Dr Gregory said.

[Isn't Gregory confusing rather separate things here?  Is it 
significantly easier to break into a device via a wifi network than 
over the Internet connection?  And even if it is, does that approach 
scale sufficiently to make it worth a miscreant's while using this 
approach rather than mounting the attack over the Internet?]

Wi-Fi is a technology used to make an internet or computer connection 
available to wireless devices such as laptops and smartphones within 
a range of about 100 metres from a transmitting device.

The Herald discovered unsecured Wi-Fi networks in 10 out of 20 
residential locations visited during a test across Sydney. In total, 
382 networks were detected with 2.6 per cent operating without 
password protection.

[That's 10 out of 382.  That strikes me as a remarkably low 
percentage!  And I do hope that the white-hat they used took 
precautions to ensure that they only captured beacon-data!]

Dr Gregory estimates 20 to 30 per cent of homes are operating Wi-Fi 
networks. Extrapolating the Herald's results, there could be more 
than 10,000 unsecured networks across Sydney.

The arrest in March of a man in Buffalo, New York, by armed 
Immigration and Customs Enforcement agents, who threw him down some 
stairs and called him a paedophile and pornographer, highlighted the 
danger of leaving a network unsecured.

[As distinct from the danger of employing thugs as law enforcement 
employees, encouraging them to exercise their thuggery, and failing 
to control their thuggery?]

The man's Wi-Fi router was used to download thousands of images of 
child exploitation and it took three days for investigators to 
establish his innocence. His neighbour was later charged with 
distributing child pornography.

Nicolas Suzor, a law lecturer at Queensland University of Technology, 
said that if an unauthorised user illegally downloaded copyrighted 
material, it could be traced back to the network owner. ''It could be 
quite difficult to prove that it wasn't in fact you,'' Dr Suzor said.


[Nic, I assume you were selectively quoted.

[The norm in the criminal law is for guilt to be proven by the 
prosecutor, not innocence by the prosecutee.  The combination of:
-   absence of any evidence on the devices in question
-   sworn testimony by the individual(s) concerned
-   evidence that the wifi network was not password-protected
must surely lead even the police, let alone a court, to conclude that 
there is (a great deal more than) a reasonable doubt about the 
person's guilt.

[I've had a go at this a couple of times, including twice in expert 
evidence.  See, for example: 
http://www.rogerclarke.com/II/OffIm0511.html

[I couldn't quickly locate any sources on the extent to which legal 
compulsion exists to secure a wifi network.  Does anyone know the 
story?

[Leaving your front door unlocked probably compromises your 
insurance, at least on the basis of contributory negligence alone 
(leaving aside the probability that there's a relevant clause 
somewhere in the insurance policy);  but it doesn't justify a 
criminal charge of aiding and abetting the committing of a criminal 
offence.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
