The dangers of easy-access wireless LANs recently prompted government officials in New York and California to create new laws to prevent network “piggybacking” and exposure of sensitive data in both businesses and homes.
Last October, the local government in Westchester County, N.Y., began enforcing a countywide law requiring all commercial businesses to secure their WLAN access or face fines. It also requires any Westchester County businesses offering public Wi-Fi access to the Internet to post an official sign on the wall that advises the user to “install a firewall or other computer security measure.”
The law, which has the Westchester IT department periodically driving about the county with WLAN probes to test whether businesses have failed to adequately secure their WLANs, was enacted because “we saw piggybacking on Wi-Fi nets,” says county CIO Norm Jacknis. “On these networks, there’s unfettered access to confidential data, and we have a problem with that.”
Jacknis says a small number of businesses caught with unsecure Wi-Fi exposing sensitive data have been cited for violations under the law, but so far none has failed to correct the discovered problems. Under the new law, a second violation would lead to a US$250 fine and a third and succeeding violation a fine of $500.
Public Wi-Fi access is spreading, with not just Starbucks coffee houses, but many retail operations, such as garages, offering Wi-Fi for their customers’ convenience. Security experts say unprotected Wi-Fi poses dangers.
“I can sit in Starbucks and not even try to join the network, and see all the traffic passing around me,” said Al Potter, manager at testing outfit ICSA Labs, during a talk on WLAN security at the InfoSecurity Conference in New York in December. “It’s possible to capture credentials and then I’m you.”
Andrew Neuman, special assistant to the county executive, says the State of New York as a whole is considering adopting similar legislation.
However, while some applaud the effort to raise security awareness, they’re skeptical a Wi-Fi warning sign posted on a wall is the right approach for government to take.
“It’s silly, because wireless doesn’t stop at the wireless site,” says Mark Rasch, chief security counsel at Omaha, Neb.-based security services firm Solutionary. “If you’re sitting outside, you won’t see the sign.”
However, Rasch says the general idea of warning users about the potential security dangers of Wi-Fi access is great. “A better approach would be a screen shot when you log in at the start.”
Legal experts agree that existing law in the United States does not clearly forbid the practice of Wi-Fi “piggybacking.”
Piggybacking entails using a wireless-enabled computer to jump onto whatever Wi-Fi access happens to be available, whether its source is an unsuspecting business or home. When taking advantage of Wi-Fi access left open, a user may stumble across sensitive files.
“When it comes to piggybacking, it’s not clear it’s illegal, not clear it is legal,” Rasch says. “Is lack of security in this case an invitation to come in? We don’t know if what we’re doing is participating in a broad experiment or committing a felony.”
Rasch adds that a close reading of certain telecommunications-related laws in Delaware, Maryland, Florida, Michigan and Wyoming suggests a case can be made that unauthorized access to Wi-Fi would be illegal. But it’s simply not clear.
The new California law pertaining to Wi-Fi security, officially referred to as AB 2415 and sometimes called the “Wi-Fi User Protection Bill,” acknowledges that the legal status of piggybacking remains uncertain.
“The practice is becoming a serious issue for people who live in densely populated areas or live in apartment buildings where wireless transmission waves can travel easily through walls, floors and ceilings,” California’s AB 2415 points out, estimating that about 16.2 million households in the United States now have wireless access. “There is disagreement as to whether it is legal for someone to use another person’s Wi-Fi connection to browse the Internet if the owner of the Wi-Fi connection has not put a password on it.”
California’s “Wi-Fi User Protection Bill,” introduced by Assembly Speaker Fabian Nunez, doesn’t tackle this thorny issue of the legality of Wi-Fi piggybacking. But it does put pressure on manufacturers of wireless routers and bridges to provide security warnings and advice in products they sell in the state beginning this October.
AB 2415 offers WLAN vendors a choice of: putting a security warning sticker on the wireless router; presenting a screen message after the router is successfully installed that it’s time to secure the network; or securing the wireless LAN through a service. Users don’t have to apply security measures; they just have to be informed in some way about risks.
The legislation was originally introduced as a requirement for encryption in WLAN equipment, and then evolved to require security warnings on all WLAN equipment, including PCs. It then ended up as a requirement for warnings only on WLAN routers sold to small business and home offices.
The California law is supported by the Wi-Fi Alliance, the industry trade group establishing Wi-Fi interoperability standards; Apple, Cisco, the American Electronics Association, the Privacy Rights Clearinghouse and the American Civil Liberties Union.
“In the final analysis, the language was acceptable,” says Frank Hanzlik, managing director at the Wi-Fi Alliance. “The question is how do you build awareness? There is probably a lot of good security technology out there and we want to see it turned on.”
While the Wi-Fi Alliance hasn’t taken a position on whether it would want to see California’s WLAN security warnings extended to the rest of the country, some vendors affected by the new law say it’s a moot point.
“California is obviously so big, you need to make the change for all your products,” says David Henry, director of product marketing for consumer products at Netgear. “We’re already compliant with the California law.”
Netgear chose to add a step in the WLAN router installation process advising customers to activate the security protocols WPA-2 or WEP, which are Wi-Fi Alliance standards. “Our message says this will prevent unauthorized access from your neighbors,” Henry says.
The California law “is treating security as a product liability rather than the lack of security as a feature,” says Solutionary’s legal expert, Rasch. “The average consumer needs some hand-holding on this, and it’s not without cost to companies. The cost will be in the helpdesk and tech support for WEP or other means. Some people will return their Wi-Fi routers because of this.”
The California law will probably make lawyers pleased, says Rasch.
“If lawyers had their way, there would be nothing in the world but disclaimers and warnings,” he said. “Lawyers love warning labels. We don’t have to fix the problem, just warn about it.”