The RDV Group InfoSec Blog

Thursday, March 09, 2006

The Danger of Wireless Piggybacking

Michel Marriott had an excellent article in the NY Times on Sunday (03/05) about the growing phenomenon of "wireless piggybacking", using someone else's wireless router to jump on the Internet: "... Piggybacking, the usually unauthorized tapping into someone else's wireless Internet connection, is no longer the exclusive domain of pilfering computer geeks or shady hackers cruising for unguarded networks. Ordinarily upstanding people are tapping in. As they do, new sets of Internet behaviors are creeping into America's popular culture"

The hacker magazine 2600 frequently has pieces about wireless hacking, and one writer says that he often changes the default admin password after attaching to the router to prevent the real owner from disconnecting him later. Although this is easy to remedy by resetting the router to its default state and applying MAC address filtering, it shows how the proliferation of these devices has outstripped the ability of the common owner to control them. The default admin password is easily found on the web, say by downloading a PDF of the router's manual, and it is the first thing the owner should change when installing the router.

I admit I'll jump on my neighbor's Linksys when I'm having trouble with my router; the signal is weak but usable (remind me to tell him how to configure filtering on it some day). And there is a movement to allow free wireless access, not just in coffee shops, but in whole cities, like Cambridge and Philadelphia (I'll have a post about how to protect yourself while using public Wi-Fi later). even provides a directory of free wireless "hot spots": " ...The Wi-Fi-FreeSpot Directory is a listing of Wi-Fi enabled locations that offer Free Wireless High Speed Internet Access. USA State-by-State listings come first with Europe and other regions of the World listed further down the page.."

But a larger, more problematic issue arises from wireless piggybacking. Mr. Marriott briefly touches upon the issue in one paragraph: " ... savvy users could piggyback into unprotected computers to peer into files containing sensitive financial and personal information, release malicious viruses and worms that could do irreparable damage, or use the computer as a launching pad for identity theft or the uploading and downloading of child pornography."

But this really needs to be emphasized, because here's the rub: there is no way to convince the government that it wasn't you who accessed the pornography or terrorist site. Or the RIAA that it wasn't you downloading the latest hit music or video.

And especially now that the Justice Department wants to know what you're Googling, you really can't legally afford to let unknown parties surf the web through your router.

If determined hackers want to use your router, they will be able to no matter what you do. An $89 Wi-Fi router from CompUSA is not going to have strong security, but please at least change the admin password and set up MAC filtering.
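
An added example, not part of the original post: one way an owner can spot piggybackers is to compare the router's DHCP client list against the MAC addresses entered in the filter. It assumes the client list can be exported in the dnsmasq lease layout; the lease lines, the allowlist and the function names are all constructed for illustration.

```python
import re

# Constructed sample: lease lines in the dnsmasq layout
# "<expiry> <mac> <ip> <hostname> <client-id>" (assumed router export).
SAMPLE_LEASES = """\
1141948800 00:16:B6:12:34:56 192.168.1.100 den-desktop 01:00:16:b6:12:34:56
1141948920 00-0F-66-AA-BB-CC 192.168.1.101 laptop *
1141949100 00:13:ce:9f:00:01 192.168.1.102 * *
garbage line that is not a lease
"""

# Constructed allowlist: the MAC addresses the owner put in the router's filter.
KNOWN_DEVICES = {"00:16:b6:12:34:56": "den desktop", "00:0f:66:aa:bb:cc": "laptop"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def normalize_mac(raw):
    """Lower-case a MAC and use ':' separators; return None if malformed."""
    mac = raw.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None

def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # too short to be a lease entry
        mac = normalize_mac(fields[1])
        if mac:
            yield mac, fields[2], fields[3]

def unknown_clients(lease_text, allowlist):
    """Return the leases whose MAC is not on the owner's allowlist."""
    allowed = {normalize_mac(m) for m in allowlist}
    return [lease for lease in parse_leases(lease_text) if lease[0] not in allowed]

if __name__ == "__main__":
    for mac, ip, host in unknown_clients(SAMPLE_LEASES, KNOWN_DEVICES):
        print(f"unrecognised device {mac} at {ip} (hostname {host!r})")
```

Any device the check reports is one the owner never added to the filter, which is the cue to reset the admin password and review the filter list.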

