A Locked Door

WEP is neither equivalent nor private. Discuss.Sometimes, where the information is found is more important than the content. It isn't difficult to find examples of legal problems resulting from the use of wireless networks; the most recent publicized event resulted in felony charges for a Michigan man who used a coffee shop's unsecured Wi-Fi access point from his car. Not that it's a new problem, but increased public awareness resulting from news items such as this means some people are beginning to wonder just how much trouble their wireless routers might invite, should the wrong people gain access.

Really, it's exactly the access issue that's so problematic. A significant number of wireless routers—particularly those purchased for home use—are pressed into service with their default settings, or are otherwise operated with little or no concern for who might be able to use them. Sometimes this is deliberate; there's a share the bandwidth school of thought that doesn't mind if others make use of that wireless Internet connection. In other cases, it's less a matter of deliberate intent than a lack of knowledge that allows others to use—and perhaps exploit—the signals radiating from homes and businesses across the land.

Where the intent seems to be to provide open, public access, any legal problems that might arise are likely to affect everyone in the loop, although the owner of the wireless router will be much easier to locate than the unknown guy with the laptop who downloaded the child pornography while parked half a block away, and who is somewhere far, far away by the time the FBI arrives to investigate the crime. On the other hand, if it seems there was no intent to provide access—if the system was, in effect, broken into—the owner of that wireless router is in a far different situation, notably one that lacks the apparent intent to grant the world unfettered access.

At this point, you may be rolling your eyes at the insinuation of FBI involvement in such matters, but this is where the original idea of where information is found comes into play. In this case, the information in question appeared not only on a page on a law-related site, but in the context of Internet law. A link on this page delivers the reader to an FBI press release, which is where things begin to get a bit chilly. Dramatic emphasis is mine.

You might not even know if these hackers have gained access to your connection. They may be a couple houses over or on the next street. But if they're doing something illegal with your Internet connection, it's going to come back to you.

If you read the entire press release, you know it has to do with locking up your wireless system, and in particular the weaknesses of the ridiculous Wired Equivalent Privacy scheme, or WEP. This, of course, isn't news to anyone who's bothered to examine how WEP is implemented; that isn't—or at least shouldn't be—the most important point of the press release. A quick look at one of Cisco's white papers on wireless security will tell you everything you ever wanted to know about WEP, among other things.

WEP encryption is done by performing an exclusive OR (XOR) function on the plain-text with the key stream to produce the cipher-text.

While using an XOR function for anything much beyond traffic signals might be humorous in itself, the sad fact is that WEP was already shown to be an unusually weak security measure nearly six years ago, and so was never really taken seriously in the first place.

In August 2001, cryptanalysts Fluhrer, Mantin, and Shamir determined that a WEP key could be derived by passively collecting particular frames from a wireless LAN.

So, the point of this whole thing isn't simply an admonition to beef up the security on your wireless system, although that's obviously an excellent idea in any case. I think the more important point is that locking your front door won't really keep someone out, but it does indicate your intent. In other words, selecting the WEP option for your wireless router shouldn't be mistaken for an actual security measure, but it may help insulate you from legal trouble should someone decide to use your wireless Internet connection for less than honorable purposes.


No comments:

Post a Comment