Re: Legality of WEP Cracking

From: Justin Ferguson (jnferguson@gmail.com)
Date: Sat May 19 2007 - 16:54:13 EDT


I'm not sure where the opinion that sniffing wifi isn't illegal, I
know the popular opinion by law enforcement is that is indeed illegal
and covered by laws dealing with the interception of wired
communications. I'm not positive about the case law, but my
understanding was that interception of communications of any kind
(wired or wireless) is generally prohibited under a handful of laws,
most specifically the Federal Wire and Electronic Communications
Interception Act. There are some exceptions, most notably if you're a
carrier (carrier is defined broad enough that I believe it would
include your home wifi router), or the intended recipient of the
communication.

I feel (and may be incorrect, IANAL) that in both, the wording that
defines 'electronic communication' is not only broad enough, but
specifically lists wifi (as a result of it being part of a radio
system), that almost all internet traffic potentially affects
interstate/international commerce, and that if its encrypted then the
users definitely have a reasonable expectation of privacy (regardless
of how unrealistic it may be), and therefore illegal under 18 USC
2511.

Even more, I think most almost any judge would rule that the spirit of
the various laws would cover wireless communication even if they felt
that it had not been specifically included, although my reading of the
various laws leads me to the be of the opinion that they do
specifically include wireless communication. So while IANAL, if my
reading is correct, cracking a WEP key is a moot point because
obtaining it without being an intended recipient/owner would be
illegal.

Seriously, don't ask the pen-test mailing list, consult a lawyer or
read the laws yourself, you're a fool otherwise (and may inadvertently
do something illegal with potentially the best of intentions
[ignorance of the law is not an excuse]).

This is of course, just my opinion after reading the laws and may not
be correct as the laws have actually played out.

Relevant excerpts (although I encourage the interested reader to look
it up themselves):

18 USC 2510:

(4) "intercept" means the aural or other acquisition of the contents
of any wire, electronic, or oral communication through the use of any
electronic, mechanical, or other device.
[...]
(12) "electronic communication" means any transfer of signs, signals,
writing, images, sounds, data, or intelligence of any nature
transmitted in whole or in part by a wire, radio, electromagnetic,
photoelectronic or photooptical system that affects interstate or
foreign commerce, but does not include— [...]

18 USC 2511:
Except as otherwise specifically provided in this chapter any person who—

(a) intentionally intercepts, endeavors to intercept, or procures any
other person to intercept or endeavor to intercept, any wire, oral, or
electronic communication;
[...]
shall be punished as provided in subsection (4) or shall be subject to
suit as provided in subsection (5).
[...]
(4)
(a) Except as provided in paragraph (b) of this subsection or in
subsection (5), whoever violates subsection (1) of this section shall
be fined under this title or imprisoned not more than five years, or
both.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:49 EDT