Monday, 19 November 2007

UK WiFi Theft is Rife

A recent UK survey by Sophos revealed that 54% of those surveyed had used someone else’s wireless Internet access without permission. Many within the media are calling this practice “WiFi Piggybacking”, and I’ve even seen quotes from liberal academics backing the practice. In my view this is plain and simple WiFi Theft; it’s wrong and it’s completely illegal in the UK.

The offence is under section 125 of the Communications Act 2003, which states that “a person who (a) dishonestly obtains an electronic communication service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence”. The maximum penalty is six months in jail and/or a fine of up to £5,000. There have been several prosecutions under this act. In fact, I’m aware of the arrest of a 39-year-old man in August, who was spotted using his laptop in the street, accessing an unsecured WiFi connection within someone’s home in Chiswick, London.

I have heard some people say they don’t care if their neighbours use their WiFi for Internet access. Well, first of all, every UK ISP I have encountered has a clause within the contract which clearly states you aren’t allowed to share your WiFi Internet connection with your neighbours. Secondly, if you leave your WiFi broadband open, it gives anyone (even your neighbours) the ability to browse illegal and unsavoury websites, commit online fraud, download illegal movies, and even host illegal movies and unsavoury material. All of this activity is done in the name of the WiFi owner. Some people still don’t realise that Internet usage is far from anonymous; everything can be easily traced back via your ISP to you. So if someone uses your Internet bandwidth illegally, it will be your doorstep the authorities will darken. Thirdly, someone connecting to your WiFi connection can eavesdrop on your Internet activity, reading your emails, building up a profile for identity theft and gathering any non-encrypted website usernames and passwords. Fourthly, many ISPs impose bandwidth limits, especially on the cheaper deals out there, so your Internet usage is quite literally a limited resource, and you certainly shouldn’t want others stealing and using it.

How many unsecured home WiFi connections are there in the UK? Well, the answer is that about 1 in 4 residential wireless routers are unsecured, according to Moneysupermarket.com, who commissioned an amateur hacker to test the quality of wireless security in the streets of Liverpool, Manchester and Chester earlier this year. About 88% of people secure their home PCs from the Internet with anti-virus and firewalls, but it seems significant numbers are neglecting to secure their WiFi routers. It’s possible for bad guys to compromise an unsecured WiFi router and bypass the security on the home PC, particularly if you think about the consequences of changing the DNS settings and routing on the WiFi router. So keeping the default WiFi router name and password and leaving your WiFi unsecured isn’t such a great idea.

7 comments:

Anonymous said...

I'd certainly like to know your thoughts on the following article.

http://thebigretort.blogspot.com/2007/11/scandal-of-high-street-banks.html

It was uncovered in 1998, and it still goes on I'm sure.

Dave Whitelegg CISSP said...

Thanks for your post.

Well actually our high street banks now lead the way when it comes to information/data security, sure there are always going to be minor issues here and there with them, but rest assured banks are light years ahead of any government department. I doubt if we would ever see a breach by a bank on the scale of TK Maxx or the HMRC in this day and age. Why? Because the banks are protecting their own money. So if a bad guy obtains money from your bank account and it's solely down to bank systems and processes, it's the bank's fault and the bank has to refund you, not to mention all the costs of investigating and administrating the incident, which often cost more than the amount stolen. So it really isn’t in any bank's interest or business plan to have any holes in their security; there is no such driver at government agencies and departments like the HMRC.

For many years now banks have been attacked from all angles imaginable, some of these attacks are very clever indeed. However these attacks have never been disclosed by any bank and none of their customers suffered any losses. So banks have learnt many lessons since that 1998 report and all invest heavily in information security and so have become a very hard target for the bad guys. The bad guys always go after the lowest hanging fruit, so target us and our bank accounts as an indirect way of accessing the bank’s money, which I suppose is the weakest part of any bank’s security. The HMRC missing data is just the stuff the bad guys are after to do this.

So I do have confidence in banks, but I should stress no organisation or system can ever be 100% secure, especially if there are humans involved!

Anonymous said...

I'm no legal genius, but if I, as the hotspot operator, don't ask someone to pay to connect through me, how can someone be guilty of "(b) does so with intent to avoid payment of a charge applicable to the provision of that service"??

Dave Whitelegg CISSP said...

If you are providing WiFi to customers for free, then there is no payment to be avoided, so the law doesn't apply in that instance.

Also you should double check your broadband contract, as the majority of domestic broadband connections have a clause in the contract that says you cannot share your broadband outside your household.

Here's the one for Sky Broadband for instance...

"a) Sky Broadband is for private use by you and members of your household only. It must not be used for any commercial or business purpose."

If one of the customers were to do something "dodgy" through your provided WiFi it could all turn pretty sour.

I'd make sure you have a commercial broadband contract, isolate the WiFi from any other networks used by the business, and use good web filtering.

Anonymous said...

As far as I know, there have been no successful prosecutions, only cautions. Why? Where is the loophole?

Brett Patterson said...

I leave a WiFi access point open and I want people to use it. People connecting to it are not doing anything illegal under UK law. I also access open networks, and have no intent to access the service dishonestly. I am assuming they have also deliberately left their access point open. It's allowed under UK law.

Re stopping people doing evil things, it's not my job to control access to the internet or try to police UK laws.

The ISP terms and conditions have nothing to do with the legality of accessing an open network. That's a totally separate issue and not relevant to the question of legality of accessing an open network.

Allowing access to your network doesn't necessarily mean allowing access to computers on your network. I secure my LAN both at the router and individual computer level, while giving access to the internet for others.

MrPringle said...

Unless you know what you are doing, open WiFi usually does mean your PC/internal network is vulnerable. Once connected to the WiFi network, all I need to do is run a packet sniffer like Wireshark, I can intercept data packets over a period of time, doing stuff like reading all your email, and obtaining all sorts of information, like the websites you visit, and even your webmail user name and passwords...tis dead easy, and it doesn't matter what you "secure" on your router or computer, unless you DMZ your internal network.

If you are giving access to all this for free and knowingly, does this mean it can't be illegal to do these things?

Oh, open WiFi is great for downloading - errh let's say not so legit movies, games and music, cos it can't be traced back, only the owner of the WiFi internet is prosecuted and fined, as that's where it's registered.