One of my readers sent me the following question and I thought it posed an interesting question on ethics. I'll post his email and then I'll answer his questions.
I helped a friend move, and re-established her wireless network working with a new ISP. While working, I encountered 7 wireless networks (in addition to hers), 3 of which were wide open, 2 were SSID belkin and one called linksys, etc. It was the same old problem, they plugged the router in, said "hey we're connected" and that was it. I want your opinion on this.
I connected to each one, then using 192.168.2.1, 192.168.0.1, etc, I connected to their wide open routers, then changed the network to be WPA-PSK and made the passphrase "Secure your network, you are totally unsecure". I did not change the router password.
Worst case, I figure geek squad will be called, but maybe, they call their router helpdesk, and learn something. I still think pressure needs to be brought to bear on router providers to default to WPA-PSK, the last "wizard I ran" never even touched on securing the link.
I have little doubt that what I did was illegal, the same way it is illegal to open someone's car door and turn off their lights, but was what I did wrong?
Besides the fact that what you did was illegal and would get you arrested if you were ever caught, turning off someone's car lights does cost the owner a penny but saves them a bundle by saving their car battery. But if the victim of your "good deed" needs to call Geek Squad to come and fix their router, they're out a hundred dollars or whatever the going rate is for tech support. In many cases I think the user will simply call tech support and find out that WPA-PSK was enabled, but there are people who will suffer economic damage. Perhaps if you dropped an envelope with a letter explaining what happened with instructions on how to configure WPA-PSK for Windows or Mac, then the user won't have to suffer agitation or a Geek Squad bill.
Using a random 10-character alpha-numeric upper/lower pass-phrase would be better since your pass-phrase would be known by everyone though the owner should be scared enough to learn how to change it themselves. Changing the SSID would also be a good ideal. That has nothing to do with security but it does prevent accidental connections between neighbors. Changing the router default password is as important as enabling wireless LAN security. Of course all these changes would have to be in the letter.
There have been proof of concept browser scripts that can go in to your router using the default password and change the router configuration. Criminals simply need to change the DNS server on your router and redirect all of your DNS requests though proxy servers that can harvest all of your browser session and snoop on all of your communications. This would be even worse than a PC root kit because it hijacks every computer on the network and you can't clean it off the computer because it's on the router.
Again I reiterate that breaking in to someone's router (even if it's to lock down their network) is ILLEGAL and you need to ask yourself if it's worth the risk of going to prison. But if you want to continue doing this, please consider the potential economic impact to the owner of the wireless network and at least drop a letter in their mailbox explaining how to fix it. While I admit the damage is far lower than getting hacked by a real criminal, the law isn't going to see it that way. Personally I wouldn't be caught dead doing this because I have nothing to gain and everything to lose.
Update 12:45PM - It seems the readers have spoken in the talkback and they are pretty much universally against changing someone's wireless settings. I personally don't view it as negatively since I believe the dangers of leaving it open are greater, but I do think it falls on the side of unethical. Changing the Wi-Fi settings will break things for the user and most cause them some real economic damage so the ethics of doing changing the Wi-Fi security is very questionable. I think changing the password on the router so that the person doesn't get hijacked by someone malicious wouldn't be unethical since that doesn't really break day-to-day operations like changing the Wi-Fi security settings. I'll add a poll to see what all of you think.