Schneier on Security
A blog covering security and security technology.
August 4, 2006
Stealing Free Wireless
What do you do when you find someone else stealing bandwidth from your wireless network? I don't care, but this person does. So he "runs squid with a trivial redirector that downloads images, uses mogrify to turn them upside down and serves them out of its local webserver." The images are hysterical. He also tries modifying all the images so they are blurry.
Posted on August 4, 2006 at 5:21 AM
It seems that some of us really have too much time. If he is so bothered, why does he not close his wireless.
That's hilarious! A far more amusing deterrent than simply closing the hole.
It's nice to see some good old-fashioned fun amongst all these 'heavy' security stories.
"It seems that some of us really have too much time. If he is so bothered, why does he not close his wireless."
As pranks go, it's a pretty good one. You have to imagine the poor schlub -- who probably doesn't have much computer savvy -- dealing with the problem. "Hello, tech support. My Internet is upside down." "No, really." "What do you mean what do you mean? It's upside down." "I'm not playing games with you. I promise." "I don't care if it isn't possible, my Internet is upside down." "Yes it is!" "Don't hang up. Please help me!"
I redirect unknowns to a webpage explaining they're on the wrong network and what to do about it. I think that everyone should at least provide a webpage so the owner can be identified and problems with interference or other network problems can be resolved.
I'd like to share my network, in particular with the passing traveller who just needs to check his mail or read the news. I'd like to be able to do that when I travel, but with respect that if I don't pay then I should consume minimally.
So, I want to share in an ordered manner. I want to know who people are and I want to limit the bandwidth they can use for free.
I want to enable strangers to register to obtain access to web and jabber. But I haven't figured out a good way to check the details before granting access - how can I send an e-mail requiring confirmation if they can't access their mail?
Maybe some day I'll go further and say - OK, pay to this paypal account and you get more bandwidth.
I bet a lot of people just buy a machine that happens to have wireless and it connects and they just think it's supposed to work that way. PCs finally becoming as user friendly as Macs (claim)!
But yes, this is funny. You could even swap the ads inherent in web pages with your own.
That guy needs to get a life.
I could first do ARP poisoning, then DNS faking, and later make my own SSL certificate and build my own paypal.com (say, or gmail.com...). Of course the client shouldn't trust that certificate, but who really cares?
I bet that would work.
Did anyone else notice how surprisingly readable the web pages with upside down images still are? I think after ten minutes, most of us could probably surf that way without too many problems. For me the blurry one is a lot worse.
I don't know all the details of how Squid interfaces to redirection scripts, but I see that that redirection script passes the URL to wget via a command line parameter without using "--" to terminate option processing. It first parses out what's supposed to be the URL using a regular expression, but not a very cautious one. I wonder if it might be possible to request a carefully-designed URL that would cause wget to misbehave by interpreting the URL as an option instead of a URL. I also see that it's recognizing images solely by filename, so I wonder if requesting a URL named like an image but that *wasn't* an image, could cause interesting results. Furthermore, it writes the images to disk before flipping them - and I don't even see any provision for clearing out the cache of flipped images - so requesting a lot of very large images, or images someone wouldn't want to be caught possessing, might be interesting.
This, presumably, is your Friday squid blog.
Hmm. It seems an autodisemvowler is called for here. That, and replacing every image with goatse.
It's a good point about the option passing, but in this case, I don't _think_ there's an exploitable bug. Since perl is calling wget with system(), the command line isn't processed by a shell: this means that words on the "command line" are sent directly to the kernel as program arguments as is; if you send a url that looks like:
wget won't parse that as an argument and a URL, but instead as all one big argument, just like if you put it in single-quotes on a command line.
For basically the same reason, we can't send a url that looks like:
"http://www.google.com/ && rm -rf / && mail root@localhost -s pwned.jpg"
and expect it to work.
But if we were using a less good-natured program than wget, or if it has an especially tricky option I don't know about, then it is possible. The other common solution would be to more carefully check the form of the URL, but writing a regex is amazingly difficult:
On the second point, yeah, you could probably break something, but we're not really going for excellent service here, right? :-)
Your third point is a good one too. It'd be pretty easy to fix this to a "good enough" state even just by turning on a quota. An LRU caching algorithm would be more effort, but a little better.
I often read upside down (architectural drawings in meetings across a table) -- once you get used to how the words are shaped, it's a pretty quick translation, but the image maps would kill you unless the proxy was remapping =)
BLP: It's worth noting that although this is described as "turning the images upside down", it's apparent from the screen shots that it's actually mirroring them along a horizontal line, so they're not just upside down, but upside down and backwards. That may be easier or harder to read depending on how your brain is wired.
There appears to be another reason to run with an open wireless connection:
Now...combine this story and the above link for some serious fun.
A datapoint on "upside down and backwards". I recall from my youth that actual hot-metal type is/was often proof-read upside down. The printer who showed me this trick explained it as breaking the word-form pattern associations to better allow the recognition of letterforms. Wistfully, I notice that "printer" used to mean a person, as did "computer".
In what sense can a neighbor be stealing wireless?
If you broadcast openly, you are implicitly allowing users to go through your AP and get on the internet. Unless the ssid is explicitly something to the effect of "don't use me".
Then again, the owner still reserves the right to be obnoxious!
I don't consider using my neighbours wireless access point to be theft - after all, my neighbour is "pushing" the signal through my windows, and it would be difficult to send it back.
Local laws may vary, but listening to your neighbor's wifi is definitely not illegal. Sending packets back through their windows might be.
Open wireless points are a bit of a bad idea if your neighbor happens to be, say, downloading kiddie porn and then the police happen to come knocking on your door about it.
Jurisdictions do vary, but it's more likely that sniffing or using an unsecured access point would get you in trouble if it ever came to court. In Minnesota, for example, statute 609.89 makes it a crime punishable by up to 10 years in prison and $50,000 to "intentionally and without authorization...[access] any computer, computer system, computer network or any part thereof for the purpose of obtaining services or property." "Access" includes passive monitoring.
IANAL, but I read this as saying that if you hop on a neighbor's wireless without permission and they don't like it, you're technically in violation.
In a more general sense, it's been well established that the "it was wide open, so it must have been okay for me to saunter in" defense doesn't wash.
This issue is becoming an increasingly active arena in both criminal and tort law. There's already a criminal conviction for stealing bandwidth in Florida, I believe, and I wouldn't be surprised if a tort action has already been brought or will be soon.
I wonder how this would work with the proposed net neutrality laws. Are you required to provide unfiltered Internet access to unauthorized third parties who are going through your network?
The interesting part about accessing WIFI is that the owner of the access point is essentially "inviting" the guest to use the service if there is no additional authentication security (i.e. WEP/WPA). Therefore, one using the services of an "open" WAP is not "stealing" anything.
Anytime someone successfully connects to an "open", unsecured, WAP, they are explicitly being given permission to use that service by the WAP owner.
Regardless of the actual WIFI signal that is broadcast over the airwaves (for any and all in range), in order to use the Internet service "behind" the access point, the client has to be granted access. The first level of access is provided when the WAP issues the client an IP address, and provides Internet routing and DNS information (typically via DHCP).
To use an analogy, this is like knocking on your neighbor's door and saying "can I come in", and the neighbor says "yes, please come in, and here are some things to make your stay more comfortable".
At that point, it would be difficult for that neighbor providing the WAP to complain about someone using that service which they just gave explicit permission to use. Therefore, it is not "stealing" to use that which one is given explicit permission to use.
"this is like knocking on your neighbor's door and saying "can I come in", and the neighbor says "yes, please come in, and here are some things to make your stay more comfortable"."
Hmmm...slight distinction...neighbor isn't home to invite you in but the door is unlocked. You enter and make yourself at home, watching the TV and napping on the couch. Then you leave before owner knows anyone has been there.
Just because you can, doesn't mean you should.
Please, not with the 'knock on the door' analogies PLEASE. We're only one step from the conversation degrading into using the name of a famous Austrian who used to run Germany (as all Usenet conv. must eventually degrade to).
Analogies to open or closed doors are not valid. Analogies to radio listening might be.
And techno people who use the 'dhcp request, offer, ack' argument can find that the courts do not care about the computer agreement to work together, so that has not been proven valid. Yet.
But no, let's not go into the whole doors, neighbors, stealing, burglary thing... please... Dear $DEITY no...
Again, lack of security is not a valid defense for unauthorized access. "It wasn't secured, so they must have wanted me to use their system" will NOT work. This has already been established for many years.
The DHCP argument would no more fly than would an argument suggesting that the TCP three-way handshake means that the "SYN ACK" packet received from the other end is an agreement to connect.
"...neighbor isn't home to invite you in but the door is unlocked. You enter and make yourself at home..."
Not an accurate analogy.
While the "open" WIFI signal might be analogous to the "door is unlocked", the fact that DHCP is granting an IP address and providing Internet routing and DNS is the same as having a big sign on that unlocked door that says "come on in and make yourself at home".
I agree that just having access to an "open" WIFI signal doesn't "invite" anyone or grant permission to use their Internet service.
The fact that the WAP owner has Internet access "behind" the WAP and is then offering that service via DHCP, _is_ an invitation granting explicit use of the service.
I think it is important not to confuse the presence of a WIFI signal with access to the Internet. They are two different things.
There are security holes a mile wide in the suggested perl script, which fails to do any sanity checking on the URL, which is referenced in interpolated context. Passing a URL of something like `rm -rf /` would be a very un-neighborly thing to do. It'd be a lot better to turn on taint-checking and then make sure that there are no shell escape characters or anything in the user-supplied data. Even if it means that some images aren't flipped upside down. Actually, it might be more annoying to have random images *not* flipped. "Hello, tech support, half my internet is upside down. Hello? Hello???"
I hate the door analogy to WiFi too, Jak. The web server analogy is *much* better, but no one seems to use it.
My computer requests a web page, and the server either gives it to me, or doesn't (depending on how it is configured).
Same with WiFi. My computer requests access and the router either gives it to me or doesn't (depending on configuration).
Anyone know of any court cases regarding using a public web server without express permission? That is legal, as far as I know, and I'd be curious to know if the similarity could be used to defend using open WiFi.
Huh. I don't so much notice the people using my open base station if what they're doing is web browsing. I notice them when they're doing P2P sharing over it. And that's when their MAC gets blocked in the base station. (Well, actually, since the old one blew up and the "temporary" replacement is... less featureful, they get handed a non-routed IP address via DHCP, and I just figure they're too dumb to set a static one that'd work.)
Jim: "Again, lack of security is not a valid defense for unauthorized access. "It wasn't secured, so they must have wanted me to use their system" will NOT work. This has already been established for many years."
Since when? What is special about DHCP that does not apply to HTTP or anonymous FTP? If you go to a website that does not have any authentication/authorization on it, which is, oh, 99% of them, ask for a web page, and the server says "Sure, have this web page" without asking for even "basic authentication" - are you saying that's hacking?
If you connect to a computer on port 21 and it says "ftp ready", so you try logging in as "anonymous" with your email address as password and ask for a file and the server says everything's OK and gives it to you, are you saying *that's* hacking?
So, if you connect to a DHCP server, ask for an IP address and routing information and the server gives it to you, and you use it, how exactly is that hacking?
Adam: Remember the case of Daniel Cuthbert in England? According to the judge there, asking for a URL from an Internet accessible http server is "hacking" if the site's owners didn't intend for you to request it.
From the first article: "Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee."
Directory Traversal Attack: requesting a URL of the form "http://www.foo.com/bar" given a known-good URL of the form "http://www.foo.com/bar/baz"
From the second: "District Judge Mr Quentin Purdy said: 'For whatever reason Mr Cuthbert intended to secure access, in an unauthorised way, to that computer...it is with some considerable regret...I find the case proved against Mr Cuthbert.'"
There's precedent here, and it goes 180 degrees against what almost any knowledgeable computer-inclined person would expect: the sequence of actions explicitly encoded in a network protocol between two parties' computers does not reflect the intent of those parties. Access to networked resources may be unauthorized regardless of the fact that the server authorized the access to a legitimate client.
We can only hope that this interpretation of network protocols doesn't become common law.
From my wife...
"That's mean. What if the poor guy happens to be smoking something at the time?"
I like the net neutrality point. Flip it on its head: my neighbours and I could each subscribe to a different provider and share all our connections, routing through whichever had the best connection for a given service.
We have a funny site over here in Germany, where decisions of judges are collected, and presented as 'Judges explain the internet'.
Only one section is English ('international'):
The rest is in German.
Example: "The internet isn't a big data ocean, but a big data storage, where Compuserve saves its data, and therefore may control it." ((poor) translation by myself).
And you are supposed to know which resources the site's administrator *intended* you to access by ... telepathy?
Makes one think about methods whereby an open wap could be used to phish for gullible neighbors.
On another note, I use an ssid of "IcanCU". One neighbor, after seeing it on his list of available connections, immediately pulled the plug out of his machine.
Craig: it's not that easy to exploit because the entire URL is passed as a single argument to wget. So "rm -rf /" won't work; wget is not the shell and would not execute rm. However, there might be some possibility (as I suggested) of cooking a URL to look like a wget option. It would have to look enough like a legitimate URL to get Squid to pass it to the script, and I'm not sure how much scope for imagination that leaves.
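The thread above argues two points about the redirector: that a URL handed to wget as one argv element (no shell involved) cannot smuggle in `&& rm -rf /`, but that a URL beginning with `-` could still be read by wget as an option because the script never uses `--`, and that matching images by filename alone is weak. The following is an added example written for this page, not the redirector's code or anything from its author; the function and file names are hypothetical, and the "image" bytes are constructed inline. It rebuilds the argv both ways and checks what actually reaches the child process.

```python
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Hypothetical copy of the script's filename test: an image is anything whose
# path ends in a familiar extension. Case-insensitive, like most such checks.
IMAGE_EXT_RE = re.compile(r"\.(?:jpe?g|gif|png)$", re.IGNORECASE)

# Magic bytes that real JPEG/PNG/GIF files start with. Checking these is the
# fix for "recognizing images solely by filename".
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def build_wget_argv_naive(url, out_path):
    """What the thread describes: URL is the last argv element, no '--'.
    Safe against shell metacharacters, but a URL starting with '-' is
    parsed by wget's option parser instead of being fetched."""
    return ["wget", "-q", "-O", out_path, url]


def validate_image_url(url):
    """Strict shape check: absolute http(s) URL, a host, an image-looking
    path, and never something wget could mistake for an option."""
    if url.startswith("-"):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return IMAGE_EXT_RE.search(parts.path) is not None


def build_wget_argv_hardened(url, out_path):
    """Validate first, then terminate option processing with '--' so that
    wget can only ever treat the final element as a URL. Returns None
    when the URL is rejected (the script would then pass it through
    unmodified rather than fetch it)."""
    if not validate_image_url(url):
        return None
    return ["wget", "-q", "-O", out_path, "--", url]


def looks_like_image(data):
    """Content check to run on the downloaded bytes before handing them to
    mogrify: does the file actually begin like an image?"""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)


def echo_argv(payload):
    """Spawn a child without a shell (list form, like perl's list system())
    and return exactly what it received as argv[1]. Demonstrates that '&&'
    and friends survive untouched: there is nothing to interpret them."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", payload],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    shell_payload = "http://www.google.com/ && rm -rf / && mail root@localhost -s pwned.jpg"
    option_payload = "--post-file=/etc/passwd"  # hypothetical option-injection attempt
    print("child saw :", repr(echo_argv(shell_payload)))
    print("naive argv:", build_wget_argv_naive(option_payload, "/tmp/flip.jpg"))
    print("hardened  :", build_wget_argv_hardened(option_payload, "/tmp/flip.jpg"))
    print("hardened  :", build_wget_argv_hardened("http://example.com/cat.jpg", "/tmp/flip.jpg"))
    print("magic ok  :", looks_like_image(b"\xff\xd8\xff\xe0" + b"\x00" * 16))  # constructed JPEG header
```

The `echo_argv` call confirms the point made above: with no shell in the path, the whole `&& rm -rf /` string arrives as a single argument, and `rm` never runs. The naive builder shows the remaining exposure: `--post-file=/etc/passwd` sits exactly where wget's option parser will read it. The hardened builder rejects it on shape and, for URLs that pass, adds `--` so even a future regex slip cannot turn the URL into an option. `looks_like_image` is the cheap content check the filename test lacks.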
If it flipped and rotated the images at random, it'd be much more difficult to read, as your brain would have to analyze every picture individually to determine how to read it, rather than just applying the same rule to every picture.
One more thing. In the US, plenty of ISPs (verizon, comcast, I'm sure others) do not allow subscribers to allow connections outside their homes. While the consequences of an unauthorised grabbing may be small (for the provider), they may not be zero.
Now back to the dreaded trespassing analogy...
Forgive me for asking this OT here - maybe someone can help and it might be also of interest to others, too:
@ home I can receive some (closed) wifi networks and I want to get in contact with the owner of these to propose a participation in exchange to paying part of the bill. But how to manage this? any ideas how to find out the owner of a hotspot? Thanks and sorry again...
Effective range of a wireless hot spot is (in most cases) under 200 feet. Without buying some expensive RF gear, the fastest way to find out who manages the hot spot is to walk around and knock on doors.
Oddly enough, most people will talk to their neighbors ;)