Is it ethical to turn on wireless security for an open access point?

Is it ethical to turn on wireless security for an open access point?

Summary: One of my readers sent me the following question and I thought it posed an interesting question on ethics.  I'll post his email and then I'll answer his questions.

SHARE:
TOPICS: Networking, Wi-Fi
147

One of my readers sent me the following question and I thought it posed an interesting question on ethics.  I'll post his email and then I'll answer his questions.

I helped a friend move, and re-established her wireless network working with a new ISP. While working, I encountered 7 wireless networks (in addition to hers), 3 of which were wide open, 2 were SSID belkin and one called linksys, etc. It was the same old problem, they plugged the router in, said "hey we're connected" and that was it. I want your opinion on this.

I connected to each one, then using 192.168.2.1, 192.168.0.1, etc, I connected to their wide open routers, then changed the network to be WPA-PSK and made the passphrase "Secure your network, you are totally unsecure". I did not change the router password.

Worst case, I figure geek squad will be called, but maybe, they call their router helpdesk, and learn something. I still think pressure needs to be brought to bear on router providers to default to WPA-PSK, the last "wizard I ran" never even touched on securing the link.

I have little doubt that what I did was illegal, the same way it is illegal to open someone's car door and turn off their lights, but was what I did wrong?

Besides the fact that what you did was illegal and would get you arrested if you were ever caught, turning off someone's car lights does cost the owner a penny but saves them a bundle by saving their car battery.  But if the victim of your "good deed" needs to call Geek Squad to come and fix their router, they're out a hundred dollars or whatever the going rate is for tech support.  In many cases I think the user will simply call tech support and find out that WPA-PSK was enabled, but there are people who will suffer economic damage.  Perhaps if you dropped an envelope with a letter explaining what happened with instructions on how to configure WPA-PSK for Windows or Mac, then the user won't have to suffer agitation or a Geek Squad bill.

Using a random 10-character alpha-numeric upper/lower pass-phrase would be better since your pass-phrase would be known by everyone though the owner should be scared enough to learn how to change it themselves.  Changing the SSID would also be a good ideal.  That has nothing to do with security but it does prevent accidental connections between neighbors.  Changing the router default password is as important as enabling wireless LAN security.  Of course all these changes would have to be in the letter.

There have been proof of concept browser scripts that can go in to your router using the default password and change the router configuration.  Criminals simply need to change the DNS server on your router and redirect all of your DNS requests though proxy servers that can harvest all of your browser session and snoop on all of your communications.  This would be even worse than a PC root kit because it hijacks every computer on the network and you can't clean it off the computer because it's on the router.

Again I reiterate that breaking in to someone's router (even if it's to lock down their network) is ILLEGAL and you need to ask yourself if it's worth the risk of going to prison.  But if you want to continue doing this, please consider the potential economic impact to the owner of the wireless network and at least drop a letter in their mailbox explaining how to fix it.  While I admit the damage is far lower than getting hacked by a real criminal, the law isn't going to see it that way.  Personally I wouldn't be caught dead doing this because I have nothing to gain and everything to lose.

Update 12:45PM - It seems the readers have spoken in the talkback and they are pretty much universally against changing someone's wireless settings.  I personally don't view it as negatively since I believe the dangers of leaving it open are greater, but I do think it falls on the side of unethical.  Changing the Wi-Fi settings will break things for the user and most cause them some real economic damage so the ethics of doing changing the Wi-Fi security is very questionable.  I think changing the password on the router so that the person doesn't get hijacked by someone malicious wouldn't be unethical since that doesn't really break day-to-day operations like changing the Wi-Fi security settings.  I'll add a poll to see what all of you think.

[poll id=37]

[poll id=38]

.

Topics: Networking, Wi-Fi

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

147 comments
Log in or register to join the discussion
  • In all cases

    He should leave peoples networks as they are, he could drop a letter in their mail with an explanation that it's not the smartest manner of doing stuff, but as he doesn't know what's running on these networks he should leave them alone. (it could be used for remote monitoring a person...)
    tombalablomba
    • Agreed completely

      Your are very much, correct. If it is not yours, do not touch it. You do not know who these people are and you may as well be a hacker yourself. Wrong move on this guys part for doing so and be aware that some people would take the seek and destroy approach to deal with it. Just a thought.
      zeusx64@...
      • Financial ramifications

        Has he thought about the financial ramification for the person whose network he has illegally accessed? If the person has left their network unsecure, there is a good odds that they know little about IT, so then call out the tech support people or whatever and incur costs. Would our do-gooder be happy if they land him with the bill?
        andy.nelson@...
    • in apartment building this would be difficult to do

      i agree with george.
      pcguy777
      • mind your own business

        oh tech gurus that feel they need to protect us - just mind your own business.
        Akumal
        • it affects us ALL

          i don't agree with the comment "mind your own business";
          unsecure wireless network affects us all:
          - if my neighbor is using the same cable internet provider but has unsecure network (used by people from the street or nearby cafe), it will slow down my connection as well
          - if there is 50% people having unsecure network, and say half of them gets their credit cards/internet banking passwords stolen, it again affects me: the banks will have to deal with the losses by increasing rate, fees for all customers (including me)
          - if their computer gets hacked because of that and start sending more spam, i will have to spend more time cleaning my email from unwanted messages
          etc..
          jaos1@...
          • so do people having babies

            unprotected sex affects us all:
            my neigbour is thinking of having unprotected sex. this will impact me because it will
            overpopulate our schools and hospitals and they will make really crappy parents.
            surely their kid will end up peeing in my bushes or convincing my kids to gamble and
            drink booze and steal credit cards- I think I will slip birth control into their milk.

            people... this is life. start living it and mind your own business.
            Akumal
          • Head in the sand

            Hi,
            That kind of head in the sand mentality is what got the world into WWII ultimately. Mind your own business? When someone uses a wide open internet connection to hack or spam the rest of us it becomes our business - it costs me money to secure and monitor my systems.

            No, we shouldn't slip birthcontrol into people's milk. no, we shouldn't just arbitrarily hack someone's router. But there needs to be some method / system in place to lock down insecure systems where people just don't know what they are doing.

            If there was some way to educate everyone to the problems with security and notify them of their vulnerability with a wide open system... banging on numerous doors trying to find the household doesn't seem to be an effective method.

            As a society it is our responsibilty to improve the world around us in my opinion.
            reesmv@...
    • Not without permission...

      If you can figure out who owns it, offer to add security to them. But to change their settings without permission is wrong... That's like changing the code to someone's keyless entry simply cause they forgot to lock their doors.

      Some people actually want to offer free wifi... Who's business is it of ours (or anyone's) to interfere?
      lyndaj70@...
  • RE: Is it ethical to turn on wireless security for an open access point?

    Not in situation is this ethical to do. It is hacking whether or not the intention is to be helpful.
    vmcginnis69@...
  • Don't mince words.

    [i][b]While I admit the damage is far lower than getting hacked by a real criminal, the law isn???t going to see it that way.[/b][/i]

    As you note, it is [i]illegal.[/i] Therefore, your correspondent [i]is[/i] a real criminal. He needs to get off his bloody high horse and repair the damage he caused, and never ever do it again. Period.
    dave.leigh@...
    • Really?

      Ethical and legal are two completely different distinctions...no one is mincing words.

      If you don't think so, you are just plain wrong.

      </soapbox>
      YngAcct
    • its ppl like you

      that just dont want a trend like this to catch on...

      so you can download all your warez undetected right.

      please.
      pcguy777
    • The question should be phrased

      "Is it ethical to deny someone access to their own wireless network?"

      By enabling encryption and setting a password, who's to say that you didn't just
      prevent their life support system contacting the hospital with updates on the patient's
      health?

      Or even worse, disconnected the main tank in a Karazhan raid...
      grail@...
      • Wait a minute!

        I think it is unethical and illegal but tempting to help get your own setup because the out of the box plug-n-play installs are screwing up the show. But, I am not so sure about this "Medical" wifi situation, frankly if my doctor had me setup on some equiptment to monitor my life and it is unsecured I'd own him via a malpractice suit.
        Uncle Buck
  • RE: Is it ethical to turn on wireless security for an open access point?

    I'm an ardent fan of security, but most people would call this malicious, no matter how well intentioned your reader was. It gives security experts a bad rep and doesn't help the user out at all. Would you lock someone out of their house for failing to lock their front door?

    I don't even think a letter is the best way to approach someone. If you know their apartment (which writing a letter assumes you do), just leave a post-it: "Your wifi is as vulnerable as an apartment with an unlocked door. Call me, I'll fix it for free in 5 minutes"

    I have a low opinion of trying to educate non-technical users about wireless security. Does a locksmith make you learn how to rekey your own locks? Nope, he secures them for you and gives you a key.
    mysterious1der
  • What if...

    ...there was a legitimate reason for the wireless to be unsecured? Or what if the person simply didn't care if others tapped into his wireless network - or maybe even wanted to allow it? There could be any number of reasons.

    It isn't the correspondent's responsibility or right to save others from themselves. That's a common self-justification that vandals use.

    Carl Rapson
    rapson
    • This was open wireless and open password

      This was open wireless and open password. In these situations, I can just go in and change the DNS server on the router and I can divert some or all of your traffic through my personal sniffer for analysis. Having an open wireless access point is one thing but having an unlocked router is extremely dangerous.

      Perhaps he could leave the Wi-Fi alone and just change the router password and drop him a note that the router password was changed. This would not cause anything to break. It would be like enabling someone's combination lock to a critical part of someone's house that they never use but forgot to lock and you leave them a note what the key is. Again that's illegal (and dangerous) but I don't think it would be unethical. Changing the Wi-Fi connection could cause some serious unforeseen consequences but changing the router password would not.
      georgeou
      • NO NO NO

        >Perhaps he could leave the Wi-Fi alone and just change the router password and drop him a note that the router password was changed.

        No way. Bottom line, if anyone ever encounter an open wifi network they have absolutely no idea why it is that way. It is absolutely unethical for them to change ANYTHING on their own. If they want to be good smaratians, notify the owner first. Explain the risk, then offer to change it for them or show them how to do it themselves. Doing anything on their own is an invasion of privacy.
        JakAttak
        • I understand what you are saying, but consider the alternative

          I understand what you are saying, but consider the alternative. Say you leave the router wide open and a browser script or driveby attack hijacks the DNS setting on the router. That means any traffic can be diverted to a sniffer the hacker controls. Changing the router's password doesn't break day-to-day operation and it highlights the dangers.

          Sending someone a letter offering to help might get you yelled at and it isn't worth it.
          georgeou