Piggybacking
From Computing and Software Wiki
m |
|||
(5 intermediate revisions not shown) | |||
Line 7: | Line 7: | ||
The recent explosive growth of wireless technology found in the market can be attributed to the many benefits wireless telecommunications provide. From the casual Internet surfer to the technological inclined power user, wireless networks provide the convenience of mobility, keeping up with today’s trends in increasing portability and decreasing size of our devices. Unfortunately, wireless networks also suffer from more attacks and abuse because of how easy it is to locate and connect to wireless networks in comparison to traditional wired ones. In combination with the lack of strong default security counter measures, the controversial practice of piggybacking has increasingly become more common. | The recent explosive growth of wireless technology found in the market can be attributed to the many benefits wireless telecommunications provide. From the casual Internet surfer to the technological inclined power user, wireless networks provide the convenience of mobility, keeping up with today’s trends in increasing portability and decreasing size of our devices. Unfortunately, wireless networks also suffer from more attacks and abuse because of how easy it is to locate and connect to wireless networks in comparison to traditional wired ones. In combination with the lack of strong default security counter measures, the controversial practice of piggybacking has increasingly become more common. | ||
- | Piggybacking should not be confused with wardriving which involves only the mapping of the insecure access points. In addition, people connecting to a hotspot service provided by businesses is generally not considered as piggybacking. | + | Piggybacking should not be confused with [http://en.wikipedia.org/wiki/Wardriving wardriving] which involves only the mapping of the insecure access points. In addition, people connecting to a hotspot service provided by businesses is generally not considered as piggybacking. |
== Statistics == | == Statistics == | ||
Line 27: | Line 27: | ||
Of all the student’s surveyed, only about 20% expressed concerned about security issues when using somebody’s wireless network and said they would not send passwords or do any other information sensitive actions. | Of all the student’s surveyed, only about 20% expressed concerned about security issues when using somebody’s wireless network and said they would not send passwords or do any other information sensitive actions. | ||
<br style="clear:both;"/> | <br style="clear:both;"/> | ||
+ | |||
== Views and Ethics == | == Views and Ethics == | ||
- | + | Views on piggybacking vary widely amongst people because of the controversial nature of the practice. On one side, advocates believe the practice does not harm anyone while benefiting the piggybacker. On the other side, advocates describe the practice to "freeloading" as bandwidth costs money and the piggybacker essentially gets it for free. The table below summarizes some of these arguments with analogies. | |
- | + | ||
+ | {| border="5" cellspacing="5" cellpadding="2" align="center" | ||
+ | |+ '''Analogies to Piggybacking Wireless Internet''' | ||
+ | ! Advocates For !! Advocates Against | ||
+ | |- | ||
+ | | | ||
+ | * Drinking from a public water fountain | ||
+ | * Reading over someone's shoulder | ||
+ | * Eating leftovers a restaurant has thrown away | ||
+ | * Borrowing a cup of sugar | ||
+ | * Enjoying music playing from a neighbor's backyard | ||
+ | | | ||
+ | * Entering a home just because the door is unlocked | ||
+ | * Stealing cable from a neighbor with a splitter | ||
+ | * Hanging on the outside of a bus to get a free ride | ||
+ | |} | ||
+ | |||
+ | About 30% of the students surveyed in the McMaster University survey who said they have piggybacked in the past or present believe it is the network owner's responsibility to enable security. Responses such as "It is their fault for not enabling security in the first place" and "It's fair game" are some of the more cynical reasons students said in favor for piggybacking. One writes, “Leaving a network open is just being a good neighbor”. | ||
- | + | A person can commit some serious crimes with the Internet services he or she gains through piggybacking, such as hacking into sensitive information, downloading child pornography, etc while remaining pretty much anonymous without a trail leading back them. Especially if many people piggyback on a single network, bandwidth can become an issue. Users on the network may experience major slow down if many people are using the network simultaneously or if there are a lot of downloads. | |
== Prevention == | == Prevention == | ||
Line 38: | Line 56: | ||
It is very ineffective against people with a little computer knowledge and the will to gain access to the network since WEP is cryptographically weak and takes only a few minutes to crack. There have been attempts to enhance the security such as: | It is very ineffective against people with a little computer knowledge and the will to gain access to the network since WEP is cryptographically weak and takes only a few minutes to crack. There have been attempts to enhance the security such as: | ||
*WEP2 | *WEP2 | ||
+ | ** Enforces the minimum size of encryption to 128 bits | ||
*WEP+ | *WEP+ | ||
- | * | + | ** Proprietary enhancement by Agere Systems which strengthens initialization vectors |
+ | *Dynamic WEP | ||
+ | ** Changes the key periodically | ||
None are substantially more effective. | None are substantially more effective. | ||
=== MAC Address Authentication === | === MAC Address Authentication === | ||
A computer trying to connect to the network will be allowed to do so if and only if their MAC address conforms the list of allowed MAC addresses. This is cumbersome to setup for the administrator as he or she will have to add everyone’s MAC address to the list. This method does not prevent data from being stolen since there is no encryption. And even then, an attacker can observe network traffic and obtain valid MAC addresses and then spoof their MAC address to gain access. | A computer trying to connect to the network will be allowed to do so if and only if their MAC address conforms the list of allowed MAC addresses. This is cumbersome to setup for the administrator as he or she will have to add everyone’s MAC address to the list. This method does not prevent data from being stolen since there is no encryption. And even then, an attacker can observe network traffic and obtain valid MAC addresses and then spoof their MAC address to gain access. | ||
- | + | === Honeypot === | |
+ | One can set up a fake network for would-be piggybackers to connect to and see what they do. After they connect and their MAC address is logged, one can ban their MAC address from connecting to their network. | ||
=== IPSec === | === IPSec === | ||
Ip security or IPSec is used to encrypt traffic, reducing or possibly eliminating all plain text information sent across the network. It is composed of a suite of protocols such as authentication, encrypting IP packets, or cryptographic key establishment as we have read about in Chapter 9 Key Management of the textbook. | Ip security or IPSec is used to encrypt traffic, reducing or possibly eliminating all plain text information sent across the network. It is composed of a suite of protocols such as authentication, encrypting IP packets, or cryptographic key establishment as we have read about in Chapter 9 Key Management of the textbook. | ||
Line 50: | Line 72: | ||
WPA also boasts a more secure message integrity code or MIC with the Michael algorithm. | WPA also boasts a more secure message integrity code or MIC with the Michael algorithm. | ||
Later, they introduced WPA2 which strengthens the security with new algorithms such as CCMP which stands for Counter Mode with Cipher Block Chaining Message Authentication Protocol. | Later, they introduced WPA2 which strengthens the security with new algorithms such as CCMP which stands for Counter Mode with Cipher Block Chaining Message Authentication Protocol. | ||
+ | While generally strong, an exploit to WPA's flaw can crack the encryption. This method relies on obtaining the Pre-Shared Key (PSK) by monitoring network traffic packets when a valid computer logs into the network. Some tools that facilitate this are kisMAC or coWPATTY. | ||
== Legalities == | == Legalities == | ||
=== Canada === | === Canada === | ||
- | While there are many differences in the laws between one country and another, in Canada the law could be interpreted in such a way that makes piggybacking illegal. A Toronto lawyer Gil Zvulony commented on CBC’s Spark Radio recently and says that if the police ever showed up because you were piggybacking, the only way you can be charged was if the crown could | + | While there are many differences in the laws between one country and another, in Canada the law could be interpreted in such a way that makes piggybacking illegal. A Toronto lawyer Gil Zvulony commented on CBC’s Spark Radio recently and says that if the police ever showed up because you were piggybacking, the only way you can be charged was if the crown could prove you knew it was wrong to piggyback. |
The closest thing someone being charged with piggybacking was where a Toronto man was caught literally with his pants down downloading child pornography using someone's wireless network. Ultimately, he was charged for the pornography and not the piggybacking. | The closest thing someone being charged with piggybacking was where a Toronto man was caught literally with his pants down downloading child pornography using someone's wireless network. Ultimately, he was charged for the pornography and not the piggybacking. | ||
Line 59: | Line 82: | ||
=== Singapore === | === Singapore === | ||
- | + | Garyl Tan Jia Luo became the first man to be convicted of piggybacking on January 16th, 2007 and was sentenced for 18 months probation with 80 hours of community service. | |
+ | Lin Zhenghuang was convicted and sentenced to 3 months jail time and a $4000 fine when he used his neighbor's internet to post a fake bombing report on forums managed by HardwareZone. The judge clarified the jail time would not be sentenced for piggybacking alone but for piggybacking "committed in order to facilitate the commission of or to avoid detection for some more serious offense" as with Mr. Zhenguang's case. | ||
== References == | == References == | ||
+ | |||
+ | # Michel Marriott. "Hey Neighbor, Stop Piggybacking on My Wireless", The New York Times, 2006-03-05. Retrieved on 2007-11-27. <http://www.nytimes.com/2006/03/05/technology/05wireless.html?_r=1&oref=slogin> | ||
+ | # Bradley Mitchell. "Wireless / Networking", About. Retrieved on 2007-11-27. <http://compnetworking.about.com/od/wirelessfaqs/f/legal_free_wifi.htm> | ||
+ | # Wikipedia. "Piggybacking (internet access)", Wikipedia, 2007-11-14. Retrieved on 2007-11-27. <http://en.wikipedia.org/wiki/Piggybacking_(internet_access)> | ||
+ | # Adam Pash. "Reader Poll: Do you piggyback wireless internet?", lifehacker. Retrieved on 2007-11-27. <http://lifehacker.com/software/poll/reader-poll-do-you-piggyback-wireless-internet-158613.php> | ||
+ | # News Report. "Research Shows Wi-Fi Piggybacking Widespread", digital communities. Retrieved on 2007-11-27. <http://www.govtech.com/dc/articles/186157> | ||
+ | # bwilds. "WPA Encryption Cracking", ITtoolbox Blogs. Retrieved on 2007-11-27. <http://blogs.ittoolbox.com/wireless/networks/archives/wpa-encryption-cracking-7419> | ||
+ | # Byran Rite. "Cracking WEP and WPA Wireless Networks", Alkaloid Docupedia. Retrieved on 2007-11-27. <http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks> | ||
+ | # Glenn Fleishman. "WPA Cracking Proof Concept Available", Wi-fi Net News. Retrieved on 2007-11-27. <http://www.wifinetnews.com/archives/004428.html> | ||
+ | # Wikipedia. "Wired Equivalent Privacy", Wikipedia, 2007-11-26. Retrieved on 2007-11-27. <http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy> | ||
+ | # Michael Ossmann. "WEP: Dead Again, Part 1", 2004-12-14. Retrieved on 2007-11-27. <http://www.securityfocus.com/infocus/1814> | ||
+ | # CBC Spark Radio Podcast: <http://podcast.cbc.ca/mp3/spark_20071107_3820.mp3>. Retrieved on 2007-11-27. | ||
+ | |||
== See Also == | == See Also == | ||
+ | [[Social engineering]]<BR> | ||
+ | [[Honeypot]]<BR> | ||
== External Links == | == External Links == | ||
- | --[[User:Chenc8|Chenc8]] 13:53, 1 December 2007 (EST) Christopher Chen | + | * [http://www.zvulony.com/ Zvuloney & Co] |
+ | * [http://en.wikipedia.org/wiki/Wireless_community_network Wireless Community Networks] | ||
+ | |||
+ | --[[User:Chenc8|Chenc8]] 13:53, 1 December 2007 (EST) Jinn Tarng Christopher Chen |
Current revision as of 05:23, 2 December 2007
Piggybacking internet access is the practice of gaining network services by moving their computer into range a broadcasting access point of someone’s wireless connection without the owner’s explicit permission or knowledge.
Contents |
Background
The recent explosive growth of wireless technology found in the market can be attributed to the many benefits wireless telecommunications provide. From the casual Internet surfer to the technological inclined power user, wireless networks provide the convenience of mobility, keeping up with today’s trends in increasing portability and decreasing size of our devices. Unfortunately, wireless networks also suffer from more attacks and abuse because of how easy it is to locate and connect to wireless networks in comparison to traditional wired ones. In combination with the lack of strong default security counter measures, the controversial practice of piggybacking has increasingly become more common.
Piggybacking should not be confused with wardriving which involves only the mapping of the insecure access points. In addition, people connecting to a hotspot service provided by businesses is generally not considered as piggybacking.
Statistics
Concerns of piggybacking is a cultural state of mind. In the past, piggybacking has not been a major cause for concern and only recently has begun to work its way into our laws. Taking a look at people's opinion through surveys can help depict society's overall thoughts on piggybacking.
Online Poll
From an online poll taken from lifehacker.com since March 2006
- ~60% of voters said they would gladly hop onto someone’s wireless network if they didn’t have access to their own at the moment.
- ~25% of voters said they piggybacking is their main source of internet.
Combined that’s 85% of voters admitting to the practice.
- ~7% said they sometimes piggyback but only in an emergency.
- ~8% said their morals would never allow them to do such a thing.
McMaster University Poll
Just as a comparison, I conducted a small survey sampling our fellow students at McMaster. I attempted to cover a broad range of students from different faculties so I only asked a few students in this class as I did not want to contaminate the data with biased answers. About 55% of the students I surveyed admitted to have piggybacked before and 45% said they have not. Mind you, I was patiently waiting for them to finish filling out the survey so I suspect some may have not been telling the truth in fear of embarrassment.
Of all the student’s surveyed, only about 20% expressed concerned about security issues when using somebody’s wireless network and said they would not send passwords or do any other information sensitive actions.
Views and Ethics
Views on piggybacking vary widely amongst people because of the controversial nature of the practice. On one side, advocates believe the practice does not harm anyone while benefiting the piggybacker. On the other side, advocates describe the practice to "freeloading" as bandwidth costs money and the piggybacker essentially gets it for free. The table below summarizes some of these arguments with analogies.
Advocates For | Advocates Against |
---|---|
|
|
About 30% of the students surveyed in the McMaster University survey who said they have piggybacked in the past or present believe it is the network owner's responsibility to enable security. Responses such as "It is their fault for not enabling security in the first place" and "It's fair game" are some of the more cynical reasons students said in favor for piggybacking. One writes, “Leaving a network open is just being a good neighbor”.
A person can commit some serious crimes with the Internet services he or she gains through piggybacking, such as hacking into sensitive information, downloading child pornography, etc while remaining pretty much anonymous without a trail leading back them. Especially if many people piggyback on a single network, bandwidth can become an issue. Users on the network may experience major slow down if many people are using the network simultaneously or if there are a lot of downloads.
Prevention
There are several ways to prevent piggybacking however some are more effective than others.
WEP
It is very ineffective against people with a little computer knowledge and the will to gain access to the network since WEP is cryptographically weak and takes only a few minutes to crack. There have been attempts to enhance the security such as:
- WEP2
- Enforces the minimum size of encryption to 128 bits
- WEP+
- Proprietary enhancement by Agere Systems which strengthens initialization vectors
- Dynamic WEP
- Changes the key periodically
None are substantially more effective.
MAC Address Authentication
A computer trying to connect to the network will be allowed to do so if and only if their MAC address conforms the list of allowed MAC addresses. This is cumbersome to setup for the administrator as he or she will have to add everyone’s MAC address to the list. This method does not prevent data from being stolen since there is no encryption. And even then, an attacker can observe network traffic and obtain valid MAC addresses and then spoof their MAC address to gain access.
Honeypot
One can set up a fake network for would-be piggybackers to connect to and see what they do. After they connect and their MAC address is logged, one can ban their MAC address from connecting to their network.
IPSec
Ip security or IPSec is used to encrypt traffic, reducing or possibly eliminating all plain text information sent across the network. It is composed of a suite of protocols such as authentication, encrypting IP packets, or cryptographic key establishment as we have read about in Chapter 9 Key Management of the textbook.
WPA
Wi-FI protected access, commonly referred to as WPA, was created by Wi-Fi Alliance and one of the major improvements over WEP is the Temporal Key Integrity Protocol which basically changes the key dynamically as the system is being used. WPA also boasts a more secure message integrity code or MIC with the Michael algorithm. Later, they introduced WPA2 which strengthens the security with new algorithms such as CCMP which stands for Counter Mode with Cipher Block Chaining Message Authentication Protocol. While generally strong, an exploit to WPA's flaw can crack the encryption. This method relies on obtaining the Pre-Shared Key (PSK) by monitoring network traffic packets when a valid computer logs into the network. Some tools that facilitate this are kisMAC or coWPATTY.
Legalities
Canada
While there are many differences in the laws between one country and another, in Canada the law could be interpreted in such a way that makes piggybacking illegal. A Toronto lawyer Gil Zvulony commented on CBC’s Spark Radio recently and says that if the police ever showed up because you were piggybacking, the only way you can be charged was if the crown could prove you knew it was wrong to piggyback.
The closest thing someone being charged with piggybacking was where a Toronto man was caught literally with his pants down downloading child pornography using someone's wireless network. Ultimately, he was charged for the pornography and not the piggybacking.
Singapore
Garyl Tan Jia Luo became the first man to be convicted of piggybacking on January 16th, 2007 and was sentenced for 18 months probation with 80 hours of community service. Lin Zhenghuang was convicted and sentenced to 3 months jail time and a $4000 fine when he used his neighbor's internet to post a fake bombing report on forums managed by HardwareZone. The judge clarified the jail time would not be sentenced for piggybacking alone but for piggybacking "committed in order to facilitate the commission of or to avoid detection for some more serious offense" as with Mr. Zhenguang's case.
References
- Michel Marriott. "Hey Neighbor, Stop Piggybacking on My Wireless", The New York Times, 2006-03-05. Retrieved on 2007-11-27. <http://www.nytimes.com/2006/03/05/technology/05wireless.html?_r=1&oref=slogin>
- Bradley Mitchell. "Wireless / Networking", About. Retrieved on 2007-11-27. <http://compnetworking.about.com/od/wirelessfaqs/f/legal_free_wifi.htm>
- Wikipedia. "Piggybacking (internet access)", Wikipedia, 2007-11-14. Retrieved on 2007-11-27. <http://en.wikipedia.org/wiki/Piggybacking_(internet_access)>
- Adam Pash. "Reader Poll: Do you piggyback wireless internet?", lifehacker. Retrieved on 2007-11-27. <http://lifehacker.com/software/poll/reader-poll-do-you-piggyback-wireless-internet-158613.php>
- News Report. "Research Shows Wi-Fi Piggybacking Widespread", digital communities. Retrieved on 2007-11-27. <http://www.govtech.com/dc/articles/186157>
- bwilds. "WPA Encryption Cracking", ITtoolbox Blogs. Retrieved on 2007-11-27. <http://blogs.ittoolbox.com/wireless/networks/archives/wpa-encryption-cracking-7419>
- Byran Rite. "Cracking WEP and WPA Wireless Networks", Alkaloid Docupedia. Retrieved on 2007-11-27. <http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks>
- Glenn Fleishman. "WPA Cracking Proof Concept Available", Wi-fi Net News. Retrieved on 2007-11-27. <http://www.wifinetnews.com/archives/004428.html>
- Wikipedia. "Wired Equivalent Privacy", Wikipedia, 2007-11-26. Retrieved on 2007-11-27. <http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy>
- Michael Ossmann. "WEP: Dead Again, Part 1", 2004-12-14. Retrieved on 2007-11-27. <http://www.securityfocus.com/infocus/1814>
- CBC Spark Radio Podcast: <http://podcast.cbc.ca/mp3/spark_20071107_3820.mp3>. Retrieved on 2007-11-27.
See Also
External Links
--Chenc8 13:53, 1 December 2007 (EST) Jinn Tarng Christopher Chen