4

As a security researcher, I have become familiar with different related tools and software packages.

The other day, I opened up one of those software packages and was attempting to attack a personal wifi network with a WPS attack to assess the usefulness of the software.

I clicked the Start option and then let it run. Long story short, I selected a neighboring business's wireless network and not my intended network.

I will not disclose any information publicly and erased the data immediately, but I would like to approach the business and discuss this vulnerability.

Considering I did not have permission to run the test, but I would like to responsibly disclose my findings to those affected. I am not asking for legal advice on here, but should I be finding a lawyer first? Is a standard NDA the accepted standard here? I know the approach is important, so how would I go about assuring my safety too?

J05H
  • 143
  • 4
  • Just to clarify, did you scan his network by accident? – PositriesElectron Aug 06 '15 at 13:20
  • Yes, this was a complete accident. I was apparently not paying attention at the time! – J05H Aug 06 '15 at 13:22
  • And now that you already have the data collected you might as well tell your neighbors, and you are asking how to do that without getting in trouble? – PositriesElectron Aug 06 '15 at 13:41
  • Or the least amount of trouble possible? – J05H Aug 06 '15 at 13:42
  • 1
    'I am not asking for legal advice on here' I think you should IF you plan on telling them. If not, then I doubt this will matter at all. – PositriesElectron Aug 06 '15 at 13:45
  • 1
    To clarify, I'm not saying go lawyer up, I'm just saying you might want to make sure you know what the rules are for your location and then decide. – PositriesElectron Aug 06 '15 at 13:48
  • 2
    The legality of your jurisdiction, it also may depend on the business owner/CIO. If I were the person in charge of security at the business you scanned, I'd appreciate a responsible disclosure of the vulnerability so I could fix it and scan logs to see if anyone else did this. Conversely, if you didn't tell me and I discovered it independently, I might involve authorities for unauthorized access. Other businesses might try either way. Responsible disclosure would look better in court, rather than being found out independently. – phyrfox Aug 06 '15 at 16:14
  • "Hey, I was configuring my wifi and I noticed that you might have an issue with your own wifi settings. You should get a tech to take a look to make sure you've got the safest settings." – schroeder Aug 06 '15 at 17:01

1 Answer

1

This all depends on what tools you used and how you actually found the vulnerability. In some places running a simple Nmap scan is legal, while in other places it is not. If you ran more intrusive programs, then you leave this alone. Forget it. If you still feel obliged to tell them, then do so anonymously.

You have two options. Leave it alone. Just forget it. Probably the safest. Depending on how you yourself connected to the net, there is most likely something in their logs from your scan. For all you know the server is a honeypot.

If you choose to contact them, then legal advice is exactly what you need, and consider that the odds are not in your favor. If you feign ignorance then you won't seem very professional, and your move can also be viewed as an attempt to sell your services.

It all boils down to which country you did this in, and if you take a look at the history of similar incidents, then you'll see that in some countries this often ends with a lawsuit.

Evan
  • 36
  • 1