Is iPhone app for cracking Eircom WEP code legal?

boccy23

I was wondering if the iPhone app which allows people to access "secure" WEP enabled Eircom modems is legal?

Surely, if I have a password and security is enabled, surely this is not legal?

lucernarian

The act of breaking into a wifi network and using it without permission is illegal, I don't know if the app itself which is used to get the password is illegal however.

watty

Using it is as illegal as tapping into Electricty, Gas, Cable.. Theft of Service.
Also you could be breaking other criminal laws

Also you might be liable to civil suit of "tresspass". Civil law doesn't have same the same limits on penalties as Criminal law.

Seek Legal advice from a Legal Professional. Not on an Internet Forum.

ScrubsfanChris

The app is meant to be used to see if your own wireless network is secure.

jor el

ScrubsfanChris wrote: »

The app is meant to be used to see if your own wireless network is secure.

That may be part of their disclaimer, but it's complete BS. No eircom router, using the default password on WEP encryption, is safe. You don't need a program to check that. That program doesn't test the integrity of anything either, it just decodes the password from the SSID digits. If you haven't changed your password and encryption, then you already know your router is insecure.

buttercupbee

The way you guys are telling it, if a persons security code can be hacked into then if someone can do that, can they actually see what websites you are visiting, take your credit details ect, from that hacked connection?

jor el

They can access your Internet connection, which means free Internet for them. In terms of seeing anything, they would be connected to the same LAN as your computer, and it would be possible for them to connect to it (using something like remote desktop connection) but they would need your password to do that.

They can't see what websites you visit, or steal anything from you, unless of course they get the remote connection working, then they control your computer.

wexic0

jor el wrote: »

They can access your Internet connection, which means free Internet for them. In terms of seeing anything, they would be connected to the same LAN as your computer, and it would be possible for them to connect to it (using something like remote desktop connection) but they would need your password to do that.

They can't see what websites you visit, or steal anything from you, unless of course they get the remote connection working, then they control your computer.

Give me 7mins and on someones network and i could perform network monitoring whereby i could intercept packets of data easily using backtrack3 or some other linux variant. I could intercept images, anything from a php scripted page that would include log in details etc. Screen capture over a network is pretty easy if you are a software developer like me. If you want to secure your network ensure you run wpa2psk as your primary form of security. then use a rlly rlly long password with special characters and spaces. It would make it rlly difficult for most hackers to crack, even myself. Its possible stil to crack but no1 wants to spend the time to do it.
WEP is suicidal unless you want some1 hogging your bandwidth. Also dont bother with MAC filtering as any mac address can be spoofed once a handshake has occured in the network data intercept.

Anyway, to answer your question...,
yes the app is BS but useful if you dont have a guilty conscience.

Cabaal

jor el wrote: »

They can't see what websites you visit, or steal anything from you, unless of course they get the remote connection working, then they control your computer.

Not entirely accurate, there are other ways you can see what people are viewing without accessing the persons PC.

If you use something to sniff traffic on the network you could see none encyrpted traffic very easily, so basically anything except SSL connections could be very easily seen....another reason to use SSL where possiable (gmail etc).

jor el

Obviously, I'm not a l33t hacker like the two above but to generate a good password, you can use something like this. Works for me.

wexic0

jor el wrote: »

Obviously, I'm not a l33t hacker like the two above but to generate a good password, you can use something like

seamus

Cabaal wrote: »

If you use something to sniff traffic on the network you could see none encyrpted traffic very easily, so basically anything except SSL connections could be very easily seen....another reason to use SSL where possiable (gmail etc).

There are attacks for this too (can't remember the specific term for them).

Basically the hackers intercepts the call to https://mail.google.com and redirect it to their server. Because they have access to your web connection, they can fool your browser into believing that their server is mail.google.com *and* has a valid security certificate.
They then proxy this information between you and mail.google.com and log everything that you do. From the user's point of view, nothing is different. The same works for any other SSL connections - banks, paypal, whatever.

However, it does require the attacker to have complete control over the traffic in and out of your network.

watty

jor el wrote: »

They can access your Internet connection, which means free Internet for them. In terms of seeing anything, they would be connected to the same LAN as your computer, and it would be possible for them to connect to it (using something like remote desktop connection) but they would need your password to do that.

They can't see what websites you visit, or steal anything from you, unless of course they get the remote connection working, then they control your computer.

if you never changed the default password on the router admin webpage, once they are in you are cooked.

Completely separate to WEP or WPA passwords/keys.

There are loads of vulnerable services on MAc and PC that don't need passwords. That's why a router/firewall is a good idea even if you have only one PC and wired without WiFi.

This is also potentially a problem with 3G dongles. I prefer to turn off MS client and other related MS services if using one, or use a separate 3G router.

Cabaal

seamus wrote: »

There are attacks for this too (can't remember the specific term for them).

Basically the hackers intercepts the call to https://mail.google.com and redirect it to their server. Because they have access to your web connection, they can fool your browser into believing that their server is mail.google.com *and* has a valid security certificate.
They then proxy this information between you and mail.google.com and log everything that you do. From the user's point of view, nothing is different. The same works for any other SSL connections - banks, paypal, whatever.

However, it does require the attacker to have complete control over the traffic in and out of your network.

I'm sure there are, the only examples I've ever seen in practice where one's that could view all non-SSL traffic but if you tried to visit say bank of ireland 365 it would come back with an invalid SSL cert

watty

Man in middle attacks, if your router DNS is switched. Works for SSL (https) too. Can be done without creating "invalid cert" messages.

People just click OK on Invalid cert messages anyway. The M50 troll people have invalid cert...

wexic0

Man you guys are just way off topic. But just a comment on the last post...
yes man-in-the-middle attacks are possible. Prob the only way it can be done on ssl scripts.
Im done here

Cryos

watty wrote: »

Man in middle attacks, if your router DNS is switched. Works for SSL (https) too. Can be done without creating "invalid cert" messages.

People just click OK on Invalid cert messages anyway. The M50 troll people have invalid cert...

Well yes you can do man in the middle attacks, but your results are different depending on yoru browser as they all handle SSL traffic etc differently.

Back on topic, yes it is illigal.

lucernarian

Cryos wrote: »

Well yes you can do man in the middle attacks, but your results are different depending on yoru browser as they all handle SSL traffic etc differently.

Back on topic, yes it is illigal.

Why is the app itself illegal?

abouttobebanned

I think it's similar to the act of burning CDs. As long as you only use the CDs and DVDs to back up your own things then it's fine. And of course that's what we all use it for. Just like we only use this app when we forget the passcode to our own network.

watty

The app is no use if you already set a password. It only finds default passwords. Always write the WiFi password under the box with a CD marker. Anyone with physical access owns you anyway. Most routers can be physically reset and then the makers default password to Web Admin screen applies. Write the Web Admin password under box too.

Obviously in shared student land, public place or an office you write both passwords/keys in your notebook, not under the box.

It's not illegal to distribute it, but it's absolutely useless for anything other than illegal wardriving.

Cryos

To_be_confirmed wrote: »

Why is the app itself illegal?

It is an application that allows you to access a network which has security without concent from the owner of the network; with the intention of using services on that network. The application circumvents the security measures put in place by the Vendor / Reseller of the product.

The only instance where the application would not be illigal is where you use it to find the key of your own network.

It is illegal to piggyback, something which this application Aids with.

watty

If you have physical access, you don't need it. Honest.

Shiny: Using it to browse in City center is breaking Criminal and Civil law. You are not anonymous on the Internet (here on your post).

lucernarian

Cryos wrote: »

It is an application that allows you to access a network which has security without concent from the owner of the network; with the intention of using services on that network. The application circumvents the security measures put in place by the Vendor / Reseller of the product.

The only instance where the application would not be illigal is where you use it to find the key of your own network.

It is illegal to piggyback, something which this application Aids with.

I thought it would take something specific in legislation to make the claim of mere posession of the app itself to be an offense. For it to be illegal, legislation describing the consequences of posession must exist somewhere. Or better put, posession of that particular piece of software must be linked with the crime of "theft of service".

This is a discussion that's better for the legal discussion forum perhaps.

jor el

WARNING
Do not request where to find this (or any similar) application.
Boasting of your illegal use of this software is about as smart as telling people you sell cocaine in nightclubs at the weekend. As mentioned, it is a criminal and civil offence to access a network that you don't have permission to.

Cryos

To_be_confirmed wrote: »

I thought it would take something specific in legislation to make the claim of mere posession of the app itself to be an offense. For it to be illegal, legislation describing the consequences of posession must exist somewhere. Or better put, posession of that particular piece of software must be linked with the crime of "theft of service".

This is a discussion that's better for the legal discussion forum perhaps.

Well you could argue that even though you have a gun, havnt done any crime's so its ok? You could draw a line of questioning that the application has been aquired for use under certain circumstances.

Ive no legal qualifications so i bow to anyone who can clarify accordingly, again something for another form. Perhaps i would say it is illigal to use the application in anything other than a test or personal equipment.

There is specific legislation in most European States (i say most because i havnt gone and looked at them all, ireland included) for piggybacking.

watty

Even pre-electronic age civil law of Trespass can apply.

Having the app isn't illegal, but it is absolutely pointless. Using it on anyone's WiFi without permission is illegal. If you have possession of the app and you are suspected of stealing WiFi, then it's major circumstantial evidence against you.

I'm not a lawyer. I can't give legal advice. But simply deleting this is cheaper than consulting a solicitor, since its only use is to steal a service.

If you have permission to access the WiFi, you will never ever need this application.

The Web Admin page is a separate password anyway, and can be easily reset to factory default. You access that via ethernet cable if you don't know WiFi password.

teddy b123

i just leave encryption off ::o
then again, with my eircom router, unless youre within 10 feet of it, you will not get a signal, so its not much of a problem leaving it off

Nody

Cryos wrote: »

It is an application that allows you to access a network which has security without concent from the owner of the network; with the intention of using services on that network. The application circumvents the security measures put in place by the Vendor / Reseller of the product.

The only instance where the application would not be illigal is where you use it to find the key of your own network.

It is illegal to piggyback, something which this application Aids with.

Yes, and a crowbar could also be used to remove a plank in your wall or break into another house; still does not make the tool illegal, only certain uses of the tool would be illegal.

Then again any one who've done Wifi walking (when it would be applicable) have better ways of doing it.

watty

If you want to offer Free WiFi in Germany the users must get a key from you.
(this is sensible as you can get registration details and have some comeback if they are bad).

It's now an offence in Germany to leave your WiFi insecure. €100 fine as you are potentially assisting others to break copyright or do illegal actions anonymously.

http://news.bbc.co.uk/2/hi/technology/10116606.stm

In a similar case in the UK in 2005, Gregory Straszkiewicz was fined £500 and given a 12 months conditional discharge for using the wireless network of an Ealing resident without permission. The owner of the network was not charged.

watty

teddy b123 wrote: »

i just leave encryption off ::o
then again, with my eircom router, unless youre within 10 feet of it, you will not get a signal, so its not much of a problem leaving it off

Untrue.

If someone has an MMDS dish with WiFi aerial on it, they can tap your WiFi at maybe 100m to 1000m.

Zapho

Geez lads, this has gone way off topic. I would imagine there's nothing illegal
about the iPhone app itself. It depends on what you use it for. Just like its not illegal to own a lock picking kit, but breaking and entering is illegal.


Anyway, I think eircom at this stage have realised their amazingly stupid blunder
(it's not their first!) and have updated customer routers to WPA.

Good luck cracking that on an iPhone!