How Ruling On WiFi Snooping Means Security Researchers May Face Criminal Liability
from the not-a-good-thing dept
We wrote last week about an appeals court’s technologically illiterate ruling that WiFi isn’t a radio communication, and therefore picking up unencrypted WiFi data, even though it’s broadcast for anyone to access, could be a violation of wiretapping laws. This seemed ridiculous for a variety of reasons, including the fact that part of the reasoning is that radio is supposedly mostly “auditory” (even though it’s not).
Over at the EFF, Hanni Fakhoury explains how this ruling could be a disaster for security researchers:
If you’re a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can help you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don’t read the actual communications—may be found in violation of the law. Given the concerns about over-criminalization and overcharging, prosecutors now have another felony charge in their arsenal.
There’s a fairly big risk here that this interpretation of the law is going to create tremendous chilling effects on research.
Of course, there is a flip side. In theory, this might also mean that police can’t scoop up WiFi signals either:
On the other hand, the decision also provides a strong argument that the feds and other law enforcement agencies that want to spy on data transmitted over unencrypted Wi-Fi will need to get a wiretap order to do so. We’ve seen the government use a device called a “moocherhunter” without a search warrant to read Wi-Fi signals to figure out who’s connecting to a particular wireless router. This decision suggests that to the extent the government uses a device like this (or even a “stingray” to the extent it can capture Wi-Fi signals) to capture payload data—even if just to determine a person’s location—they’ll need a wiretap order to do so. That’s good news since wiretap orders are harder to get than a search warrant.
Still, we’ve seen courts give much greater leverage to law enforcement scooping up communications, so this benefit might not actually be real. The risk and the chilling effects to security researchers, however, are very real. Having seen how often security researchers have been threatened and/or arrested for their research, giving law enforcement another bogus thing to use against them is a huge problem.
Filed Under: encryption, liability, research, security, vulnerabilities, wifi, wifi sniffing
Comments on “How Ruling On WiFi Snooping Means Security Researchers May Face Criminal Liability”
So does that mean the next time I open my laptop or smartphone to check for any nearby wifi networks to connect to, that I’m violating wire tapping laws?
Because in order to first connect to a network you need to scan it, to find out the SSID, and what encryption you need to use.
Re: Re:
Maybe. The law isn’t clear.
This is why it’s a bad law.
Re: Re:
It’s worse than that. Every time you are in range of a network your wireless receiver is receiving every single packet all the time. It then chooses to discard the stuff based on looking at it to see the network name on each packet.
So if you carry this ruling to its logical conclusion, you’re a felon every time you use WiFi in a built up area.
Re: Re: Re:
Re: Re: Re: Re:
All true if, as you say, a little pedantic. Doesn’t change the fact that all WiFi receivers in range receive all packets though, does it?
Re: Re: Re:2 Re:
All true if, as you say, a little pedantic. Doesn’t change the fact that all WiFi receivers in range receive all packets though, does it?
Many access points, and most client software, capture data based on this traffic to show you what is in the air around you.
Many access points label this information as “site survey” so that they can allow the administrator to choose the least populated channel (which of course, very few administrators realize that there are only three channels which do not interfere with each other: 1, 6, 11, and that choosing 2,3,4,5,7,8,9, or 10 makes you a dick,) and thus allow the administrator to choose channel 3 (because nobody else is on it.)
Most clients will display, as a matter of course, the list of SSIDs they see so that the user can connect to the one they think is theirs. Which is often a lot of fun when you set up an identical SSID as the one they usually use, and then they end up connecting to your access point without authorization! Me loves me some hot “linksys” or “default” SSID action!
So, very narrow risk so far only in Mike's FUD...
“If you’re a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets” versus fairly obvious benefits of not every yahoo or Google invading through gadgetry that is NOT put up for public use — gee, I see only benefits.
Mike Masnick on Techdirt: “its typical approach to these things: take something totally out of context, put some hysterical and inaccurate phrasing around it, dump an attention-grabbing headline on it and send it off to the press.”
Re: So, very narrow risk so far only in Mike's FUD...
Point of order: Grammar, sentence structure, and your full chain of logic would be needed if I were to even begin to take that statement seriously. Without foreknowledge of how you have previously responded, I wouldn’t even be able to guess what you were trying to say.
Even guessing here I really don’t see how commentary on the risk posed to researchers attempting to determine, A) how effective wifi encryption is, or B) how effective a new algorithm is at acquiring wireless signal, or C) any other legitimate, necessary research into security and/or innovation in the wireless industry has “very little risk” because somehow it brings down Google?
Re: So, very narrow risk so far only in Mike's FUD...
Have a drive-by DMCA!
Re: So, very narrow risk so far only in Mike's FUD...
You are a moron and everyone here hates you. Mental illness is sad…
Re: Re: So, very narrow risk so far only in Mike's FUD...
ouch
hee hee hee
ho ho ho
ha ha ha
ak ak ak
Re: So, very narrow risk so far only in Mike's FUD...
OOTB on Techdirt: “its typical approach to these things: take something totally out of context, put some hysterical and inaccurate phrasing around it, dump an attention-grabbing headline on it and send it off to the press.”
Re: So, very narrow risk so far only in Mike's FUD...
Hope you don’t go to Starbucks then.
You could be charged for a felony for using their wifi.
Re: So, very narrow risk so far only in Mike's FUD...
“gee, I see only benefits.”
Of course you do. That you cannot see or understand the benefits of security research only highlights your extraordinary ignorance of the topic.
Someday soon, I hope, I’m going to wake up, and people in elected/appointed office will be mostly normal again.
Sooo yeah…. this sucks… aspiring white or black hats that could help the country progress in the future, would have to be a criminal to learn the tricks of the trade.
No wonder some of the best come from China and other parts of the world.
Mike, a white background makes your website difficult to read (my eyes burn after a while). You should include the option for a dimmer more friendly color. Unfortunately my phone doesn’t seem to have such an option.
Re: Re:
Imagine if it was a black background with white letters.
Re: Re: Re:
http://www.eveonline.com/
http://community.eveonline.com/news/dev-blogs/
You’re welcome.
This is a multi-million dollar business too.
Re: Re: Re:
Imagine if it was a black background with white letters.
That would be great, that’s what I have AO3 set to. Or what about black on dusky light blue like my copy of Cool Reader?
Re: Re:
I agree, of often Ctrl-A the page to make it white text on blue. It’s like putting on a pair of shades on a sunny day. 🙂
Re: Re: Re:
Oops, I often…
translation
To translate the EFF statement:
Because we think this might actually make some forms of hacking illegal, and because we wish that all wi-fi was free and no net users could ever be held accountable for their action, we therefore bring up this incredible scare story that has little basis in fact.
Valid security researchers, working on approved target networks or against networks they create for testing would not have an issue.
People who randomly door knock servers and networks looking for problems would – as they should.
Thanks to the EFF for this horribly transparent attempt to further their own agendas.
(and my posts are STILL being held for moderation… don’t you get bored of censoring people Mike?)
Re: translation
Wow, you’re just a big glutton for punishment aren’t you? Right here, we’ve got another post where you whine “censor censor censor” – and post within minutes of the previous poster.
Congratulations, fucktard, you earned yourself a DMCA vote, plus the following observation – which I’m going to keep making until you get it through your penis-embedded skull.
horse with no name just hates it when due process is enforced.
Re: translation
And my posts are STILL being held for moderation… don’t you get bored of censoring people Mike?
Actually, censorship would be if your posts were deleted altogether, not simply held to check they’re not anything like the following: Cheap kobe Shoes I looked at the size and realized it was not going t
New Football Boots Their alertness, agility, and strength make them formidable guard dogs and used as service dogs, guide dogs for the blind, therapy dogs, police dogs in K9 units, and occasionally herding cattle or sheep. After all, censorship is suppression of speech, not waste disposal.
Another interpretation that would make it difficult for the people who actually do good works with Wi-Fi.
So are they telling us that all the miscreants who war drive and invade Wi-Fi will stop dead in their tracks because of this ruling? I doubt that.
The government can’t even seem to follow its own law and those who are there to enforce them and seem to have a broad interpretation of how the law applies to them.
Well this will certainly clear that up.
Re: Re:
No, but arguably you could be arrested for detecting them since you will be “wire tapping” their WiFi signal to do it.
Great theory...
That’s sarcasm… right?
Another useful feature shot down in flames
Just thought of another effect of this ruling even assuming you aren’t a criminal now just for using WiFi in the first place…
Most enterprise level WiFi controllers allow the detection and quashing of “rogue” WiFi signals in range, including detecting APs impersonating your own network. This often includes the ability to impersonate the rogue AP to “steal back” any clients that have attached to it. To do that of course, it has to “wire tap” the rogue.
Looks like that feature will have to be disabled, huh? Way to make corporate networks less secure.
Torn Sympathies
So hard to know for which to root, Amish judge’s opinion or reality. On the AJ tip, we’re all at risk for running wireless networks at all, since our machines listen to everything, but, hypothetically, we now have a defense against cops who snoop sans wiretapping orders. Got ‘o hope EFF, ACLU, et al. are standing in the wings, waiting to jump on the first case brought by ANY cop organization, operating in the 9th circuit’s demesne, that is based on one of these newly illegal wiretaps.
Not just security researchers
I have personally used Wireshark (a common and powerful sniffer) to capture all the wifi traffic in the area, to help me choose the best wifi channel for the access point I was configuring. This is a good idea since there is some traffic you will not see just by looking at the list of nearby networks like most people do.
Every wifi network in the area was encrypted, so I did not capture any plaintext payload, and I discarded the capture when closing Wireshark. But I could not know that every wifi network in the area was encrypted until after I did the capture. Not only are there kinds of wifi networks which do not beacon normally (like some kinds of mesh network), but also if I am close to the client but far enough from the access point, the network could be invisible to me but I could see the client (the hidden node problem, with the access point being the hidden node).
That ruling is pathetic anyway. “Sophisticated hardware”? Really? Every single wireless network card I have seen on common laptops can capture wireless packets. If every average laptop user has it, calling it “sophisticated hardware” as if it was something special you had to buy is a stretch. “Fail to travel far beyond the walls of the home or office where the access point is located”? Have they ever heard of high-gain antennas? I have heard of people being able to connect to unmodified access points kilometers away by simply using a high-gain antenna on a laptop. And not all high-gain antennas are “sophisticated hardware” too; have they ever heard of the cantenna and of the wok-fi?
Keep your security out of our criminal’s way. Understood?
But I’ll bet you anything you like that any company collecting data on behalf of the entertainment industries will be given a carte blanche to do what they like, where they like, how they like!!
Government
In what world does anyone believe the government won’t completely disregard any laws they put into place and sniff the data anyways?
“an appeals court’s technologically illiterate ruling that WiFi isn’t a radio communication, and therefore picking up unencrypted WiFi data, even though it’s broadcast for anyone to access, could be a violation of wiretapping laws”
Unless you are exempt from the law, which apparently allows you to do whatever you want. No holds barred. Two sets of rules.
“All animals are equal, but some animals are more equal than others”
Police wardriving
So, the police who were wardriving for unsecured wifi and warning owners are now at risk for wiretapping charges, right?
So let me get this straight. If the NSA collects communications but doesn’t read them, they haven’t actually collected anything. But if you’re a researcher, then it’s a felony?
Re: Re:
Double standards are always the government standard.
Judges are imbeciles
Somehow our political process has appointed judges with the IQ of a gnat.
NSA can spy on every internet user but internet users cannot snoop on (public) WiFi?