Confidentiality at Risk from Wardriving in America
LACBA Update, February 2007
By James Ellis Arden, member, LACBA Professional Responsibility and Ethics Committee; member, Association of Professional Responsibility Lawyers. Arden’s practice focuses on legal malpractice litigation, appeals, and research for other lawyers. The opinions expressed are his own.
On September 30, 2006, Gov. Schwarzenegger signed into law AB 2415, the Wi-Fi User Protection Bill. Going into effect January 1, 2007, it requires wireless home networking equipment manufacturers to warn consumers about the dangers of unsecured Wi-Fi1 networks. It aims to better inform lawyers and others about the risks to personal information that can result from unsecured networks.
Lawyers nowadays use Wi-Fi connections in their laptops, cell phones, and BlackBerrys to connect to the Internet. Ethical rules bind all lawyers to keep client files and information confidential,2 and confidentiality is not lost by communicating electronically3 nor by failing to use encryption,4 but wireless communications are growing exponentially and by their nature pose particular risks to confidentiality.
Since Wi-Fi networks are susceptible to interception by unauthorized users,5 you should know about “wardriving.” Wardriving is the practice of driving around an area with a Wi-Fi equipped laptop or a PDA (personal digital assistant), looking for open Wi-Fi networks, or APs (access points). The equipment is so small, and so little is needed, that one also can detect APs by “warwalking” (walking) or “warbiking” (biking) nearly anywhere in populated areas.
The terms derive from “wardialing,” the practice of using a computer to dial phone numbers, looking for computer modems. Think of actor Matthew Broderick in the movie “War Games,” whose character programmed his computer to dial up other computers looking for games to play. A wardialer’s computer dials all numbers within certain area codes and prefixes, automatically accessing and recording basic information such as whether the call is answered by a person, a computer, or a fax machine. When a computer answers, the program records the answering computer’s identification information and often also attempts to automatically generate passwords.6
Even though state and federal laws, e.g., California Penal Code Section 502 and the federal Cybercrime Act 2001, protect against unauthorized access of computers, wardriving itself does not appear to be illegal.7 Ironically, a Houston computer security analyst demonstrating the insecurity of a county court’s wireless network appears to have been the first person ever indicted for breaking into a wireless system.8 The first wardriving conviction came in 2004 in North Carolina out of a scheme to steal credit card numbers from home improvement stores through an unsecured AP discovered during a wardrive six months earlier.9
Statistics from the 2003 “WorldWide WarDrives” showed that more than 67 percent of the 88,122 networks scanned—including some computer security firms—had not enabled security.10 That is one reason why wardrivers often blend in with normal users. Many businesses, such as coffee houses, offer free wireless access. When a coffee drinker opens a laptop, a variety of networks, some free, others subscription, likely will be available. It is often nearly impossible for a casual user or a wardriver to distinguish between open networks that are intended to be shared and networks that are only open due to the ignorance of the owner or because of faulty security configurations.
Wireless networks are becoming so pervasive that “warchalking” may become extinct. Warchalkers use chalk to write coded symbols on the sides of buildings, informing other wardrivers how to access open APs within those buildings.11 But with so many new wireless networks popping up all the time, warchalking is becoming superfluous.
Lastly, there is even something called “warspying,” the detection and viewing of wireless video. Warspying is usually done by riding around with an X10 receiver.12 Welcome to YouTube.
“Technology...is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other.”13 Lawyers who use but do not understand the rudiments of wireless technology are tempting fate, since no legislation will prevent the compromise of confidential client information, the consequent embarrassment, or the other possible costs.
1 Wi-Fi (also WiFi or WIFI,) short for wireless fidelity, refers to communicating without cords or cables, mainly using radio frequencies and/or infrared waves.
2 Bus. and Prof. Code §§6067, 6068(e); In re Atchley (1957) 48 Cal.2d 408, 418.
3 Evid. Code §952; 18 USCA §2517(4) (privileged transmissions intercepted in accordance with (or in violation of) federal wiretapping statute do not lose their privileged character); Orange County Bar Ass’n. Formal Op. No. 97-002.
4 A.B.A. Formal Op. No. 99-413 (unencrypted e-mail sent over the Internet “affords a reasonable expectation of privacy from a technological and legal standpoint.”) See also Orange County Bar Ass’n. Formal Op. No. 97-002, concluding that encryption is encouraged but not required.
5 Unless protected by encryption, firewalls, or a virtual private network (VPN.) (See Cronin and Weikers, Data Security and Privacy Law §1:25.50, 18 (Spr. 2006 Supp.). Note, though, that Windows XP’s built-in firewall is not sufficient. It protects inbound communications but does not protect outbound ones.
6 See Patrick Ryan, War, Peace, or Stalemate: Wargames, Wardialing, Wardriving, and the Emerging Market for Hacker Ethics, 9 Va. J. L. & Tech. 1, 11 (2004) . Because some password detection programs literally can try out every word in the dictionary, security experts advise against using real names or words as passwords.
7 Id. at 57; and see 3-4, differentiating wardriving from computer crimes.
8 http://www.theregister.co.uk/2002/07/26 /ethical_hacker_faces_war_driving/ (last visited November 6, 2006).
9 Kevin Poulsen, Wardriver pleads guilty in Lowe’s WiFi hacks, SecurityFocus (June 6, 2004); http://www.securityfocus.com/news/8835 (last visited November 6, 2006).
10 Ryan, supra note 6, at 52.
11 Cronin and Weikers, supra note 5.
12 X10 is a communications protocol for remote control of electrical devices, first patented in 1980. (You might remember the TV commercials from that time.) X10 makes remote control devices for lighting, appliances, music, and video as well as wireless surveillance and security. See http://www.X10.com (last visited November 6, 2006).
13 C. P. Snow, New York Times, March 15, 1971.