Thursday, September 12, 2013

Wi-Fi isn't radio!?

So, this happened.  #$&^@#.


http://arstechnica.com/tech-policy/2013/09/appeals-court-rules-google-must-stand-trial-for-wi-fi-data-scandal/

The 9th Circuit Court of Appeals has ruled that Google can be prosecuted for the capturing of wireless data by Street View cars.  (Disclaimer: Reports indicate that this software was Kismet; having never been a Google employee I have no position on that; it's open source software, and I expect it to show up all over the place).

There are some very odd aspects to the ruling - the full text of which can be found here:

http://cdn.ca9.uscourts.gov/datastore/opinions/2013/09/10/11-17483.pdf

The most controversial aspect of the ruling is the declaration that Wi-Fi isn't radio.

Data Transmitted over a Wi-Fi Network Is Not a “Radio Communication” under the Wiretap Act.

From a technical standpoint this is obviously, blatantly, wrong - of course Wi-Fi is radio.  From a legal standpoint, this appears to be drawn from previous interpretations by Congress and exact terminology:

Congress does not use “radio” or “radio communication” to reference all of the myriad forms of communication that use the radio spectrum. Rather, it uses “radio” to refer to traditional radio technologies, and then separately describes other modes of communication that are not ordinarily thought of as radio, but that nevertheless use the radio spectrum.

One of the cited examples is the specification of "radio" as a separate concept from "television" or "communications".  So how did they decide this?  It's tied to the phrase "common meaning", in other words, the non-technical belief that "radio" is for AM and FM audio, and not a whole lot else.  Specifically, the ruling references previous statements, in utterly unrelated cases:

"...Not surprisingly, Congress has not typically assumed that the term “radio” encompasses the term “television.” See, e.g., 18 U.S.C. § 1343 (imposing liability for “[f]raud by wire, radio, or television”) (emphasis added); 18 U.S.C. § 2101 (imposing liability for inciting a riot by means of “mail, telegraph, radio, or television”) (emphasis added); 7 U.S.C. § 2156 (defining an “instrumentality of interstate commerce” as “any written, wire, radio, television or other form of communication);

Which leads to the surprisingly clear statement:

2. A “radio communication” is a predominantly auditory broadcast, which excludes payload data transmitted over Wi-Fi networks

and:

The payload data transmitted over unencrypted Wi-Fi networks that was captured by Google included emails, usernames, passwords, images, and documents that cannot be classified as predominantly auditory. They therefore fall outside of the definition of a “radio communication” as the phrase is used in 18 U.S.C. § 2510(16).

So under this ruling, Wi-Fi isn't broadcast - but what about when it is?  For example, literally, broadcast packets, which are transmitted indiscriminately and define the actual presence of the network?

Technical impacts - This is bad.  Absurdly bad.


It all depends how this ruling is interpreted and enforced.  For law enforcement agencies, there are two types of snooping on data. [* more info here]

  1. Pen/Tap registers and Tap and Trace.  On phone lines, these are essentially the metadata of the call - when a call takes place, the source and destination, duration of the call, etc.  For email, this type of trace can capture header data, sender and recipient emails, and subject lines, but not the content of emails.  These are simpler to get.
  2. Traditional wiretaps, which can contain the content of messages, full packet logs, the content of emails, etc.  These are harder to get and require (in theory) more oversight.
This gets extremely sticky because the statutes interpret a wiretap as anything which receives the information - for a packet-based capture system, this means the copy stored in RAM in the system buffers prior to filtering.  Even if you filter based on headers and discard the data, it counts as a wiretap.

A researcher, pen-tester, or someone running a WIDS system, or anyone running an access point in Linux (which uses a monitor-mode interface), is going to be capturing all packets on the channel.  Despite the ruling explicitly stating:

But “radio hobbyists” do not mistakenly use packet sniffers to intercept payload data transmitted on Wi-Fi networks. Lending “radio communication” a broad definition that encompasses data transmitted on Wi-Fi networks would obliterate Congress’s compromise and create absurd applications of the exemption for intercepting unencrypted radio communications.

Under the actual limitations of wiretap law, this is exactly what happens under every WIDS system - even if packets which are not part of the target network, or all data packets, are immediately discarded (such as Kismet running in "don't be evil" mode, with "hidedata=true" set in the config), a copy is still made and kept in RAM as part of the kernel packet buffers or in the Kismet (or whatever) buffers.

This seems to be a fundamental failure to understand the nature of shared media:  If you're transmitting on a channel, ALL users of that channel will see your transmissions.  They might ignore them, but they're going to see them.  That's how it works.

By not taking any precaution to encrypt data, a user on an unencrypted network is voluntarily transmitting their traffic for anyone to monitor.

Is this a particularly desirable situation for a user to be in?  No - but the last time I checked, being foolish wasn't against the law.  People do things all the time that aren't particularly safe, secure, or smart.

Critically, the ruling seems to think it's difficult to monitor Wi-Fi:

First, Wi-Fi transmissions are not “readily” available because they are geographically limited and fail to travel far beyond the walls of the home or office where the access point is located.
...
Second, the payload data transmitted over unencrypted Wi-Fi networks is only “accessible” with some difficulty. Unlike traditional radio broadcasts, a Wi-Fi access point cannot associate or communicate with a wireless device until it has been authenticated.

Considering that the vast majority of Wi-Fi signals reach far beyond the property lines of their owners (which causes problems in urban settings, and which many users deliberately encourage by boosting the power or adding after-market antennas), I'm not too confident about that assertion.  Plus, Google only monitored from the street - that means the networks were broadcasting beyond private property into public space.  Seems like that's a pretty clear-cut broadcast.

The second assertion is a major misunderstanding of how Wi-Fi, and Wi-Fi monitoring, operates.  Unencrypted networks are received by everyone in range of them, they're just deliberately discarded if they're not originating from a network a client is connected to.  Broadcast management packets are specifically designed to be received by every device in the area, as are the traffic flow control packets.  Wi-Fi has been specifically designed to co-exist with additional Wi-Fi networks in the same space because it's impossible to not receive packets from other networks!

While Google did take deliberate action to record all the packets seen, it's definitely not difficult to receive them in the first place.  Just because a user may choose to not be aware of how things work under the covers doesn't mean it's not trivial.

But what about the FCC?


What indeed!  The FCC - the regulatory body concerned with radio communications.  Like Wi-Fi.  Which uses radio - already examined this case and declared that Google was not infringing:


In it the FCC specifically addresses the fact that Wi-Fi networks have broadcast transmissions to all receivers, and that Wi-Fi networks can have extended coverage reaching into public areas.

Additionally, Wi-Fi networks fall under Part 15 of the FCC rules.  The extremely exciting (by which I mean not exciting at all) rules by which all devices in the frequency ranges used by Wi-Fi must abide can be found here:


The two relevant aspects of the document that I could find are the statement that cordless phones operating under Part 15 must carry a sticker explicitly notifying the user that privacy is not guaranteed when using the device, and the following admonition about monitoring:

Except for the operations of law enforcement officers conducted under lawful authority, no person shall use, either directly or indirectly, a device operated pursuant to the provisions of this part for the purpose of overhearing or recording the private conversations.

What constitutes a "private conversation"?  Surely using encryption should fit that - it demonstrates an explicit desire to obfuscate.  Conversely, shouting into the street would not constitute a private conversation.  Person-to-person email might be assumed to be a private conversation - except the US government has already made it clear that it doesn't consider any email on a remote server to be protected by any expectation of privacy.

So it's all the users' fault, right?


I wouldn't be comfortable saying it's all the users' fault that they're engaged in insecure behavior - while huge inroads have been made into educating users about Wi-Fi security (and in the past decade I've seen adoption of some form of encryption jump from around 10% of networks to around 70%), responsibility also lies with the manufacturers to ship more devices with secure default settings.  This is slowly becoming more common, but the trend needs to continue.


What happens now


Taken at its most literal, this ruling effectively makes standard modes of Wi-Fi operation illegal:  By failing to recognize the broadcast nature of Wi-Fi control packets, it makes it impossible to perform normal CSMA/CA collision avoidance (detecting flow control packets from any network overlapping the current channel), or even to build lists of networks in the area (receiving and processing all packets until a beacon is seen).

This will also impact all WIDS systems - which by design capture all the packets in the channel and look for unauthorized networks, while ignoring or discarding packets from other networks - after capturing them and discarding them.
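The point made above about monitor-mode capture and WIDS systems (every frame on the channel is received and copied before any filter can discard it, and the network list itself is built from everyone's beacons) can be shown in code.  This is an added example, not Kismet's code: a toy single-channel monitor that parses constructed 802.11 beacon and data frames, records every network whose beacon it sees, and only then applies a keep/discard policy modelled on the "hidedata" option; all addresses, SSIDs and payloads are constructed.

```python
def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> dict:
    """Parse a raw 802.11 MAC header (no radiotap/FCS); returns type, BSSID, SSID, body."""
    fc, flags = raw[0], raw[1]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4          # 0 mgmt, 1 control, 2 data
    a1, a2, a3 = mac(raw[4:10]), mac(raw[10:16]), mac(raw[16:22])
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    # In data frames the BSSID field moves with the To-DS / From-DS flags (WDS not handled)
    bssid = a1 if (ftype == 2 and to_ds) else a2 if (ftype == 2 and from_ds) else a3
    body, ssid = raw[24:], None
    if ftype == 0 and subtype == 8:                     # beacon: 12 fixed bytes, then IEs
        i, ies = 0, body[12:]
        while i + 2 <= len(ies) and ssid is None:
            tag, ln = ies[i], ies[i + 1]
            if tag == 0:                                # IE 0 = SSID
                ssid = ies[i + 2:i + 2 + ln].decode("utf-8", "replace")
            i += 2 + ln
    return {"type": ftype, "bssid": bssid, "ssid": ssid, "body": body}

def beacon(bssid: bytes, ssid: bytes) -> bytes:
    """Constructed beacon: fc=0x80, broadcast receiver address, BSSID in addr2/addr3."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid * 2 + b"\x00\x00"
    return hdr + b"\x00" * 12 + bytes([0, len(ssid)]) + ssid

def data(client: bytes, bssid: bytes, payload: bytes) -> bytes:
    """Constructed client-to-AP data frame: fc=0x08, To-DS flag set, BSSID in addr1."""
    return b"\x08\x01\x00\x00" + bssid + client + b"\x00" * 8 + payload

def monitor(frames, own_bssid: str, hidedata: bool):
    """Model a WIDS on one channel: every frame is parsed (i.e. received and copied)
    before policy decides what to keep; nothing can be filtered before reception."""
    networks, kept = {}, []
    for raw in frames:
        f = parse_frame(raw)
        if f["ssid"] is not None:                       # network list needs everyone's beacons
            networks[f["bssid"]] = f["ssid"]
        if f["type"] == 2 and f["bssid"] == own_bssid:  # foreign data: discarded after receipt
            kept.append(b"" if hidedata else f["body"]) # hidedata: keep header facts, drop body
    return networks, kept

# Constructed traffic: two networks sharing a channel, one client frame to each
OWN, OTHER = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
CLIENT = bytes.fromhex("0c0000000001")
CHANNEL = [beacon(OWN, b"HomeNet"), beacon(OTHER, b"Neighbor"),
           data(CLIENT, OWN, b"home payload"), data(CLIENT, OTHER, b"neighbor payload")]

if __name__ == "__main__":
    print(monitor(CHANNEL, mac(OWN), hidedata=True))
```

Even with hidedata set, the neighbour's beacon and data frame both pass through parse_frame before the policy sees them, which is the copy-in-RAM the post describes.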

Would they prosecute basic operational methods?  Probably not.  Could they?  Probably yes.  Would it be tacked on as another 100 charges to inflate public outrage, force a plea bargain, or push for excessive sentencing?  I'd certainly expect so.

Security through Legislation


What's worse than security through obscurity: I won't tell you how it works so of course you could never figure it out?  Security through legislation:  It's secure because I say you can't look at it.

Security by Legislation has been applied to several wireless communications standards already - analog cell phones and digital pagers offer no security and no protection, but are considered "secure" because it's illegal to look at them being insecure.  This sort of "protection" provides two things:  A club to beat offenders with, should they ever be caught, and a limit on the above-board products which might otherwise violate ("see all pages in your neighborhood!").  What it does not prevent is any behavior by individuals already inclined to break the law, nor does it offer any incentive for manufacturers to develop more secure devices.  Pager networks are still heavily used today.  By hospitals, EMS, fire departments, alarm networks, and traditional alert systems like email forwarders for company network monitoring.  They're still unencrypted, and they still offer no protection against message spoofing.

By contrast, Wi-Fi is barely over a decade old (in any modern implementation with widespread adoption).  In that timeframe, extensive work has been done by security researchers, many many tools exist for testing and protecting networks, and major improvements have been made to providing users with actual, working security.  If they can be bothered to turn it on.




Thanks to Amanda, Renderman, Mister X, and folks who know who they are, for reviewing, fact checking, and telling me I needed to get this written.


Feel free to post in the comments or @KismetWireless on Twitter


5 comments:

  1. Yes. NIC "radios" need to listen for the probe responses and CSA or the 802.11 protocol would be a mess. Absolute mess. Because of this, then we are all criminals just for using the protocol and shared medium. The judge should have left this to the IEEE/FCC and those who have been making and breaking it all this time. How can they not see that it *is* electro-magnetism that is oscillated and alternated - just as radio frequency? Bless our poor, poor, livers...

  2. Great post. Just FYI, my think tank the Information Technology and Innovation Foundation filed an amicus brief arguing many of these same points. You can find that here: http://cdn.ca9.uscourts.gov/datastore/general/2013/10/04/11-17483_amicus_on_pfr.pdf

  3. I just read on the Hide My Ass blog very recently that Li-Fi, a new wireless technology, has been in experiments to be introduced next year. A technology that's going to use lighting power for internet sharing. I was wondering, if WiFi is not using radio frequency, then what type of frequency is it using?
    Kayla

  4. It is radio: That's the point. This ruling is flawed and shows the bizarre legal double-speak.
