1

Someone in my neighborhood is using a WEP encrypted wifi router. I am not sure who they are yet, but if I find out, should I inform them of the security risks which that poses or are there any legal ramifications to doing so?

dramzy
  • 121
  • 3
  • 1
    define "should" - I'm not sure what you're asking – schroeder Jul 06 '15 at 18:39
  • The American Way is to abuse it to show that it's insecure. Where do you live? – ott-- Jul 06 '15 at 18:54
  • I am in the US, but that sounds way too risky. – dramzy Jul 06 '15 at 18:55
  • I think @ott may have been joking... – Neil Smithline Jul 06 '15 at 18:57
  • @NeilSmithline I'm not joking. This was the quite usual way when `irc` was young (from 1991 on). People loved to cause netsplits and to kill services. – ott-- Jul 06 '15 at 19:02
  • Were you recommending that he follows the "American Way" @ott? – Neil Smithline Jul 06 '15 at 19:05
  • @NeilSmithline Let me think it over a bit. – ott-- Jul 06 '15 at 19:07
  • I see what ott is saying. If you can change their SSID to something like 'Unsecure Router', they might get scared and make sure to upgrade on Security. – PositriesElectron Jul 06 '15 at 19:54
  • 2
    UNAUTHORIZED connection to ANY network is considered ILLEGAL. Even if the network isn't password protected. Even going to starbucks and using their WiFi without purchasing something is technically considered unauthorized. The best thing to do would be not use the network, the ethical thing to do would be to attempt to inform the owner of the risks. They could be held accountable for someone using their network for nefarious deeds. – JekwA Jul 06 '15 at 20:41
  • Considering you don't know them personally I'd advise not telling them. I don't know very much about cars but if my neighbor was under the hood and then telling me I needed to fix something, I'd let the property manager know that some dude was messing around with my car instead of heeding any advice. In the event they do listen to you, you'll likely become the sole point of contact for any and all computer issues. –  Jul 06 '15 at 23:19

3 Answers3

2

To be honest, I find that most people don't / won't care.

Unless they are running a business or similar functionality over the network I wouldn't bother explaining the difference between WEP and WPA2 to them, especially since they might not be tech savvy and just get more confused or worried about it.

At least they are using SOME security. I have been to many stores where they just plug in their router (Linksys for example) and don't secure it at all. THAT would be something worth bringing up, especially if that's the network they use for their POS system (like a card reader)!

I doubt there is anything illegal about telling someone their security isn't the best. Unless you broke into their system to find that out :P

TL;DR: If it's a home router for a private network it isn't worth the effort.

EDIT:

I think this might be a good example for something I heard quite a lot in my Net Sec Classes:

Time & Money vs. Risk Factor

In bigger companies these type of decisions have to be made every day, and there are always two groups.

  • Us, the Security people. Of course in our perspective this Wifi should be made as secure as possible because 'technically' someone could easily breach it and use the internet access to blame any illegal activity on the owner of that network. We should always keep such a 'worst case scenario' in mind.

  • People like 'Upper Management', or in this case the owner of the WiFi. They probably aren't very involved with Cyber Security and don't care much for it as long as their internet is working.

Our job is to compromise and figure out if it's worth it to 'invest' into this security issue. At a bigger company this investment would mean Time & Money and the required manpower. You might need to take some time to explain and demonstrate the security risk of having a low security protocol to your neighbors. This could range from a quick 5 minute conversation up to 2 hours of you trying to explain networking terms to someone who has not much of an IT background.

One way to find out if this investment is worth it is deciding the Risk Factor.

How likely are your neighbors to be victims of a network breach?

If you live in a crowded place like Manhattan NYC for example, you should most definitely secure your WiFi as much as possible, the risk of someone scanning the area for easy-to-breach targets is higher in such a populated area. If you live in a suburban area, far from downtown, the risk is relatively low.

Now this might seem a bit overkill for such a simple problem, but try to relate it to a company deciding weather or not they need another piece of software which could be thousands of dollars in license fees and hundreds of man-hours for installation & support.

PositriesElectron
  • 1,595
  • 1
  • 13
  • 17
  • Well, given that WEP keys are crackable within minutes by anyone capable of using a search engine and following instructions, is it not a threat to even a home network at least because of illegal activity by that person on their network? – dramzy Jul 06 '15 at 18:50
  • It is, but you have to decide if the effort of showing/explaining that to your neighbors is worth the time and effort vs. the risk of them getting their wifi breached. This is a pretty good example of the type of decision making that happens in big companies. Time & Money vs. Risk Factor. – PositriesElectron Jul 06 '15 at 19:16
1

I don't believe there are legal ramifications in advising someone about security, but you may want to approach it cautiously. You'll definitely want to explain in a way that fits the user's ability level as far as tech is concerned, and if they're using WEP they may not be very well versed. They may ask for your help in setting up a stronger encryption as well, so be prepared for that.

Stealth_kong
  • 314
  • 1
  • 6
1

Imagine your neighbor came up to you and told you that he was looking at the locks on your house and noticed they were really easy to pick with a simple and cheap pick gun, available on the internet. With such a tool someone could get in your house in 5 minutes. He then said you should upgrade to hard to pick Medeco locks.

Would you think your neighbor is:

  • A. Helpful.
  • B. A little crazy, but harmless. Best left ignored.
  • C. Knows waaay to much about locks and lock picking, and might want to break into your house.

Most people would pick B or C, not A.

Steve Sether
  • 21,480
  • 8
  • 50
  • 76
  • Unfortunately that may very well be the case. – dramzy Jul 06 '15 at 20:18
  • Well, I think it's really justified. People that know something about security weaknesses fall into 2 categories. The curious, and criminals. Without knowing the person ahead of time, it's safer to be a little wary of the guy who demonstrates proficiency in the security realm. Nobel Laureate Richard Feynman found this out during WWII at Los Alamos. https://www.cs.virginia.edu/cs588/safecracker.pdf – Steve Sether Jul 06 '15 at 22:04