7

I received a mail about illegally sharing copyright-protected material on the Internet; I never did it. I checked my router's configuration and noticed that the MAC address of one of the connected devices doesn't match any of my devices. I'm afraid that somebody somehow hacked my wireless network and used my Internet connection to illegally download something.

About the legal questions: I'm living in Germany. However I guess it would be interesting to know how things are in the different jurisdictions.

  1. Is there any way for me to track this guy? I have his MAC address and can sniff his packets. Couldn't find any interesting detail in the packets since most of the packets are encrypted.
  2. Should I contact the police?
    1. Would the police be able to find out who bought a device with the given MAC address? Otherwise would they be able to get the packets decrypted to find out this guy's identity?
    2. Do you believe the police will actually do anything? In case they will, how long do you think it would take?
  3. I could change the router password right now to lock out this guy. I'm afraid, though, that if I do, it will be more difficult to prove that it was somebody else, rather than me, downloading the protected material. Is this fear founded?
Tom
    Not an answer, but: if you are correct, and someone has accessed your wireless router even with a password set up, that person is probably also smart enough to spoof his MAC (so item 2.1.a is an overwhelming "no" -- even if it *were* possible to trace a MAC back to a purchaser somehow, you likely are not seeing the device's real MAC). In the event I'm wrong, see http://www.coffer.com/mac_find/ to look up the MAC's vendor. – apsillers Jul 15 '13 at 15:24
  • http://security.stackexchange.com/questions/23247/repudiation-in-copyright-infringement-bittorrent A similar question I had before – sudhacker Jul 15 '13 at 18:12
  • 1
    Either you are using WEP or you are using default / common passwords. Switch security to WPA2 and use a decent password – The Illusive Man Jul 15 '13 at 21:19
  • 3
    @Tom You have not provided details on the e-mail you got, but have you considered the possibility that the e-mail might be a phishing attempt from the intruder him/herself? If he is within your network, he might well have found out your e-mail address by gathering smaller details that go unencrypted. – Lex Jul 16 '13 at 11:35

2 Answers

5

I have to say the usual 'I am not a lawyer' here, and don't know the current law in Germany (I believe this is changing a lot in recent times, as it is in all countries).

You should probably lock the other guy out and choose a more secure protocol such as WPA2. Not a good idea to let an attacker keep access to your network.

Any lawyers for the copyright holders will be holding you responsible as the packets went through your connection. You can keep a log of the traffic for the intruder on your system. It won't be that much proof, as you could easily spoof a MAC address yourself and become your own 'intruder'.

There's really no way to prove your innocence, which is what you will be asked to do, since the copyright holders will argue that all they have to prove is that the offending traffic went through your connection, making it your responsibility to secure your connection properly. You can claim that the manufacturer of the router or your ISP made the protection trivial to break, and that you assumed that since there was a password, you were secure.

You could try some kind of man-in-the-middle attack on the intruder, since you are the man-in-the-middle. This might allow you to decrypt enough traffic to identify him/her, though I doubt it. If the traffic is mostly encrypted, it will be hard to spoof SSL certificates at this stage. This also raises the question that if the traffic is encrypted, how do the copyright holders know what data was in the offending traffic going to your connection.

Beware that a lot of these type of letters by copyright holders are scare-tactics, sometimes not even from the real copyright holders, to extort some money from you to make the problem go away.

Some MAC addresses you might not have thought of might also be on your network, such as smartphones / tablets / smart TVs / gaming consoles ... these might be your 'intruder'.

Loopo
  • 1
    Assuming the copyright infringement was done via Bittorrent, encryption doesn't help in that regard. Copyright owners sometimes hire companies to join Bittorrent swarms from which they can collect IP addresses. The main purpose of the encryption is to prevent throttling of BT by ISPs. – Dracs Jul 16 '13 at 00:49
  • In the United States, courts are beginning to understand that an IP address is not a person. Slowly. – Bob Brown Oct 16 '14 at 13:50
0

If the perpetrator is on your WiFi, they are likely nearby in the same block of flats. It is possible that the perpetrator is connected from further away; in that case they are likely using some sort of directional antenna to boost the signal in both directions.

You can use this information to get a crude direction on where the person is located -- think compass points. It won't tell you how far away they are though, so don't run around accusing your neighbors.

An easy-to-implement method to determine the direction of the other radio is called occlusion. This is a low-tech Radio Direction Finding (RDF) technique. You need something that will shield the signal from reaching your antennas from one direction while allowing it from the rest. A couple of layers of aluminum/tin foil wrapped around a piece of cardboard in a flat square or partial cylinder will work at WiFi frequencies (2.4 & 5.8 GHz). However, you need to make sure that it is at least 40cm on a side to help minimize reflections from other metal objects getting around your shield.

Once you have the shield, simply connect to the admin screen where you can see the attached devices. When the questionable device is attached, place your shield 20cm or so from your antennas and see if the device loses its connection after a few seconds. If not, move it around the antenna some, with some overlap on the previous position. Include areas above and below your router. At some point the device will disappear. The shield at that point is between your AP antenna and the rogue device.

You can test with one of your own devices, but you want to make sure your device is not close (10m-20m) to your access point when you try; otherwise the strong signal may swamp the shield. You may need to force the interface to update to show changes.

When this technique is used in actual RDF situations, it can be used to locate any regularly communicating device on any frequency. Generally multiple checks are performed at each location to confirm the vector of the signal, and then the location where you are searching from is changed so you can get a new vector that would intercept the first. Once a tighter search area is defined, a less sensitive device is used to continue testing following the same methodology. This technique is also powerful when used with equipment that can measure signal strength.

Good luck.
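Added example (not from the question or either answer): a small Python helper that diffs the router's attached-device list against an allowlist of your own devices (covering the "forgotten smartphone / smart TV" point in the first answer) and, for the occlusion procedure above, records at which shield positions the target MAC dropped off the list. The device-list text format, the MAC addresses and the shield positions are all constructed for the example.

```python
"""Constructed example: spot MACs that are not yours, and log when a given MAC
drops off the router's attached-device list while a shield is repositioned.
Note from the comments above: an intruder can spoof a MAC, so this is
detection and evidence-keeping, not attribution."""
import re
from typing import Dict, List, Set, Tuple

# Devices you own (constructed). Remember phones, tablets, TVs, consoles.
KNOWN_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "laptop",
    "66:77:88:99:aa:bb": "phone",
}

# Matches 00:11:22:33:44:55 or 00-11-22-33-44-55 in any letter case.
MAC_RE = re.compile(r"([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})", re.I)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so dash and colon notations compare equal."""
    return mac.lower().replace("-", ":")


def parse_device_list(text: str) -> Set[str]:
    """Extract every MAC from one dump of the router's attached-device page."""
    return {normalize_mac(m) for m in MAC_RE.findall(text)}


def unknown_devices(text: str, known: Dict[str, str] = KNOWN_DEVICES) -> Set[str]:
    """MACs currently on the network that are not in the owner's allowlist."""
    return parse_device_list(text) - {normalize_mac(m) for m in known}


def occlusion_trace(target: str, snapshots: List[Tuple[str, str]]) -> List[str]:
    """Given (shield_position, device_list_text) pairs captured as the shield is
    moved, return the positions at which the target MAC was no longer listed."""
    target = normalize_mac(target)
    return [pos for pos, text in snapshots if target not in parse_device_list(text)]


if __name__ == "__main__":
    # Constructed router dumps, one line per attached device, taken per shield position.
    SNAPSHOTS = [
        ("no shield", "laptop 00:11:22:33:44:55\nphone 66-77-88-99-AA-BB\n? DE:AD:BE:EF:00:01"),
        ("north", "laptop 00:11:22:33:44:55\nphone 66-77-88-99-AA-BB\n? DE:AD:BE:EF:00:01"),
        ("east", "laptop 00:11:22:33:44:55\nphone 66-77-88-99-AA-BB"),
        ("south", "laptop 00:11:22:33:44:55\nphone 66-77-88-99-AA-BB\n? DE:AD:BE:EF:00:01"),
    ]
    print("unknown devices:", unknown_devices(SNAPSHOTS[0][1]))
    print("target dropped at:", occlusion_trace("de:ad:be:ef:00:01", SNAPSHOTS))
```

Run it against saved copies of the router's attached-device page taken at each shield position; the position(s) where the target drops out give the rough bearing, exactly as the occlusion procedure describes.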