theft
This page considers wireless internet theft (aka piggybacking
or LANjacking). It supplements the broader discussion elsewhere
on this site regarding internet security and warchalking.
introduction
Concerns about 'wireless theft' (unauthorised use of a
wireless internet connection) have centred on two areas.
The first is that unauthorised use may impose costs on
a residential subscriber or corporate network operator,
which potentially face -
- a higher ISP bill because of increased traffic (ie they
pay for downloading and/or uploading by the unauthorised
user, particularly if that unauthorised use involves
lots of traffic such as downloading videos or software)
- caps on the performance of their account, given that some
ISPs 'shape' (ie restrict) an account once traffic reaches
a specific limit.
In principle that unauthorised use and consequent injury
to the owner of the wireless account is an offence under
common and/or statute law in most jurisdictions.
The second area of concern is that unauthorised access via
wireless may be the basis for other offences. Those offences
are not restricted to wireless access; they are evident
in misuse of 'wired' networks. They include -
- unauthorised use of a credit card, cheque account or other
information held on a computer (ie identity offences)
- breach of privacy and secrecy regimes
- destruction or amendment of information on the network
- unauthorised use of supervisory control & data acquisition
(SCADA) mechanisms, such as causing damage by 'hijacking'
computer controlled factory equipment, public utilities and
other devices
- covert access to or dissemination of offensive material,
including child pornography and defamatory content (with the
offender aiming to disguise his/her involvement by hiding
behind someone else's wireless account)
- covert distribution of spam, with some spammers for example
aiming both to reduce their costs and reduce the likelihood
of detection (and hence prosecution) by using someone else's
account to send their junk mail.
incidence
How much wireless internet theft takes place in Australia?
Is it serious? Is it increasing? Who are the offenders
and victims?
The answers to those questions are contested: there is
little solid information, much extrapolation or guesswork
(intelligent or otherwise) and major disagreement among
the 'e-security community'.
One reason for uncertainty is the small number of prosecutions,
variously interpreted as indicating that there's not much
theft, that the theft is not discovered or taken seriously,
or that corporate network operators - as with much data
loss, discussed elsewhere on this site - prefer to
keep their misadventures out of the public spotlight.
There are anecdotal indications within Australia and overseas
that -
1 leeching
there is a substantial number of wifi theft incidents
involving unsecured residential and small business networks,
for example because householders have created a wireless
LAN but not bothered to set up basic security such as
changing the default password on their wireless router.
That theft may have a tangible impact on the individual
victim (whose monthly ISP bill for example blows out
because the neighbouring kids have been leeching the
network 24/7).
Responsibility for the theft typically is not conclusively
identified (eg the victim belatedly realises that someone
has been using the account but does not identify who
that user - or users - is).
2 thrill-seeking
there appear to be a substantial but smaller number
of incidents where people gain wireless access to the
network of an individual/family or organisation, typically
"poking around" on servers and personal computers
(and sometimes adding, deleting or altering data to
"show them I waz ere"). Most of that access
appears to be transitory but may be recurrent.
3 espionage or commercial exploitation
a smaller number of (but more commercially significant)
incidents, in which offenders seek and use wireless
access to send spam, disrupt an organisation's operation,
access sensitive information or engage in credit card
fraud and other financial offences.
legal frameworks
Is unauthorised access to a wireless network legal? What
about piggybacking on someone's network to gain access
to the net? A US journalist huffed that people have been
arrested for allegedly stealing something no one could see, hear,
or feel. That thing was valuable enough for victims
to press charges in both cases. But the arrests were
over something many consumers throw out their windows
every day: a Wi-Fi signal.
As noted in discussion elsewhere on this site regarding
wardriving and warchalking, observers have often argued
that merely identifying that a wireless network is unsecured
is not illegal. Some use the 'front door' analogy, where
it is not an offence to identify that a door exists but unauthorised
entry breaches the law and facilitating wrongdoing by
alerting offenders that the door is unlocked may also
be a breach.
Most regimes regard unauthorised connection to and use
of a network as illegal.
That encompasses activities such as identifying what files
are held on particular servers or desktop machines, identifying
the topology of a LAN, copying (or modifying or deleting)
files and using the network for unauthorised communications
(including spam and stalking).
It is consistent with prohibitions on unauthorised physical
access to content, devices and networks, with legislation
for example identifying crimes such as theft of services.
In Australia there has been no definitive case law about
'theft of service' through unauthorised use of a network.
Observers note that there are specific prohibitions in
federal law.
The federal Cybercrime Act 2001 (CA)
for example amended the Criminal Code Act 1995
by identifying computer offences that "impair the
security, integrity and reliability of computer data and
electronic communications". The three major computer
offences are -
1) Unauthorised access, modification or impairment with
intent to commit a serious offence (with a maximum penalty
equal to the maximum penalty for that serious offence).
2) Unauthorised modification of data where the offender
is reckless as to whether the modification will impair
data (maximum penalty of 10 years in prison), covering
situations such as where a hacker unintentionally impairs
data in the course of unauthorised access to a computer
system.
3) Unauthorised impairment of electronic communications
(maximum penalty of 10 years in prison), including 'denial
of service' attacks.
The first offence centres on activity such as hacking a financial
institution's database to access credit card details with
the intention of using them to obtain money (ie intending
to commit a fraud offence).
The Act includes other computer offences -
1 Unauthorised access to, or modification of, restricted
data (maximum penalty of two years imprisonment)
2 Unauthorised impairment of data held on a computer
storage device, including removable storage (maximum
two years imprisonment)
3 Possession or control of data with intent to commit
a computer offence (maximum penalty three years imprisonment)
4 Producing, supplying or obtaining data with intent
to commit a computer offence (maximum penalty three
years imprisonment)
More broadly, theft of service (unauthorised use of a consumer's
wireless connection, thereby blowing out the money owed
by that consumer to the ISP) would arguably be both a
civil and criminal offence in Australian law ... akin
to unauthorised use of the consumer's credit card or debit
card.
prosecutions
The 2004 conviction (in the US District Court for the
Western District of North Carolina) of Paul Timmins on
a single count of fraudulent and unauthorized Wi-Fi access
to a private corporate network is believed to be the first
wardriving conviction in the US. Legal specialists have
argued that there is potential liability under the US
federal Computer Fraud & Abuse Act, the Wiretap
Act and some state legislation.
The same year saw action under the US federal CAN-SPAM
Act against Nicholas Tombros,
who allegedly sent spam via insecure residential wireless
APs in Los Angeles.
Other jurisdictions have successfully prosecuted individuals/groups
for 'theft of service' or unauthorised access.
Canadian police for example prosecuted a man in November
2003 after checking his car for a traffic infraction and
discovering that he was naked from the waist down and
was viewing child pornography accessed via a residential
wireless hot spot. He was charged with theft of telecommunications
and possession, distribution and creation of child porn.
In March 2006 Ontario Provincial Police charged a man
under Section 326 of the Ontario Criminal Code (Theft
of Communications), alleging the man was "using his
lap top computer to steal a wireless Internet connection"
in Morrisburg.
In the UK Gregory Straszkiewicz is believed to be the
first person to be convicted, in 2005, of wireless 'piggybacking'
in breach of sections 125 and 126 of the Communications
Act 2003 (dishonestly obtaining an electronic communications
service). He was fined £500 and given a 12-month
conditional discharge, with confiscation of his laptop.
The prosecution in R v Straszkiewicz does not
appear to have relied on eavesdropping provisions in the
Computer Misuse Act, the basis of his initial
arrest.
In 2006 Singapore teenage 'bandwidth bandit' Garyl Tan
Jia Luo pleaded guilty under the Computer Misuse Act
to tapping into a neighbour's wireless network, in what
is claimed to be Singapore's first prosecution for the offence.
What of warchalking? As far as we are aware there have been
no successful Australian prosecutions for chalking, although
presumably there is some scope for action under damage
to public/private property (don't use waterproof paint
or carve a symbol on someone's fence or front door) or
even aiding a crime.