Aug 2, 2008

India - When the onus is on the victim

Sitting in my first floor flat in a middle-class Delhi colony, I have a choice of five Wi-fi networks. My own is kind of secure though I wouldn’t bet it is hack-proof. At least it doesn’t broadcast and log-ons must be manually assigned from the admin console.

The other four networks can all be jumped easily. Two are open and offer connections to all comers. Two have WEP security but neither admin has bothered to change the default network name (the router’s brand). Nor have they shifted routers from default gateway IP addresses or changed the username and password options (“admin”, “admin”) the routers shipped with.

This means one can make an educated guess about where to find the router, log on as admin and do whatever. It is possible to gain access to passwords and other sensitive information without any effort. In fact, you could do it by accident.

My home is not in a very high net-penetration zone, being residential apart from a few lawyers’ chambers (at least two of those insecure networks belong to law firms). In the office areas of downtown Gurgaon and the Noida STP, you can war-drive long stretches and take your pick of dozens of Wi-fi networks.

Maybe half are unsecured; almost all are vulnerable to automated attack. The required software can be downloaded free for legitimate purposes from many sites. As a result, even Geoff Boycott’s proverbial mum could hack most Wi-fi networks.

It’s the same all over urban India. Wi-fi is convenient, laptop and smartphone penetration is rising and laptops are default-configured for Wi-fi access. SOHO and SME environments brim with Wi-fi, often to the point where channels must be reset to manage signal interference.

Configuring security is painful and most people consider it unnecessary. Any Wi-fi user is likely to be using unlimited plans, paying flat rates regardless of traffic. An extra machine doesn’t degrade quality of connection much, so why bother?

This casual approach can lead to grief for US-based iPhone users visiting India. The iPhone is configured to default-access any available Wi-fi. This saves money and improves speeds in the home area. On international roaming, it causes huge bills if the user forgets to switch the feature off.

Keith Heywood, an American living in Navi Mumbai, is learning the hard way that there are other possible consequences of leaving Wi-fi unsecured. Somebody sent emails (using a address) from his Wi-fi, claiming responsibility for the terrorist attacks just before mayhem started in Ahmedabad.

Mr Heywood was probably collateral damage from war-driving — that is the simplest explanation. It is possible to spoof IPs. But spoofing requires some knowledge. It’s much easier to just wander around with a smart phone that latches onto any open Wi-fi.

Mr Heywood has been a beneficiary of racial profiling in that it has been assumed that he is victim rather than perpetrator because of his background. If the Wi-fi network in question had belonged to an Indian, that assumption wouldn’t be made.

The scary thing is that this could happen to anyone and the victim would not know it until the police come calling. The hack may not even show up on a forensic exam if the logs have been wiped.

The legal position about an Internet connection being hacked and used for criminal purposes is unclear under the IT Act, 2000. It is analogous to having a phone or car stolen and misused. But in those cases, there are warnings and clear legal recourse. The onus in a hack is on the victim to prove there has indeed been a hack. Maybe it’s less trouble to secure the stable door before the horse has bolted?
