This wouldn't be an issue if WiFi APs enabled IEEE 802.11w-2009 protected management frames by default. Most consumer routers have supported this for years, but have it disabled by default.
Android's built-in hotspot functionality still doesn't support this at all, and hotspots are the main thing here being targeted by hotels. If you want to see this fixed in Android, consider starring this issue: https://code.google.com/p/android/issues/detail?id=197440
I have not had much success implementing 802.11w. Either the wireless manufacturer or the client device implementation tends to be buggy. My most recent case is between Extreme Network 802.11ac APs and any MacBook Pro.
It's left me scratching my head as to why a protection mechanism such as this isn't mandatory by now. Because mandating aspects of the protocol seems to be the only sure way of easing compatibility woes.
This kind of attack is really easy to make just by setting up a wireless network with the SSID you want to block and starting wireless containment countermeasures for rogue AP detection.
I have to say that while I am against hotels engaging in this sort of activity, I find the dissenting opinion by Ajit Pai pretty compelling:
>But because of the shared, "commons" model that applies to all unlicensed operations, the Commission has
>repeatedly held that "interference caused to a Part 15 device by another Part 15 device does not constitute
>harmful interference."
In other words, because the spectrum is unlicensed and because the transmissions were conformant with the part 15 spec, any such operation following the spec is allowed. How they can then find that the hotel was causing harmful interference is a bit troubling.
Clearly in everyday language we could describe what the hotel were doing as harmful, but the whole point of unlicensed spectrum is that it's a commons free-for-all. When wifi gets degraded to usability at trade shows because everyone's wifi is interfering with each other, nobody calls the FCC and files complaints about harmful interference.
Also it appears the FCC have been previously explicitly asked if deauth broadcasts like this are disallowed, and specifically chose not to make a ruling. It makes me wonder what the heck is going on over there. Has this issue become a political football between different factions over at the FCC?
While I'm not a lawyer so I can't speak for what the law looks like, there is a clear difference in intent. The many users' wifi interfering with each other is not by intent; the de-auth packets are nothing but intent to interfere.
47CFR15.5(b) talks about transmit and receive. People intentionally mis-interpret the receive section as somehow referencing transmission. The transmit side is as follows: "Operation of an intentional ... radiator is subject to the conditions that no harmful interference is caused"
47CFR15.3(m) Harmful interference. Any emission ... that ... seriously degrades, obstructs or repeatedly interrupts a radiocommunications service operating in accordance with this chapter.
It is true that on the receive side you have no legal protection according to 15.5(b). However transmitting a jamming signal is quite illegal.
It's very strange, like imagine two laws, one says it's illegal to shoot at people, the other says you have no legal protection if you stand in front of a bullet. Then everyone exclusively quotes the latter stating it's perfectly legal to shoot people, despite the former explicitly prohibiting that specific act.
The FCC doesn't send men in black in vans when people interfere with aircraft navigation for fun or because they're nice guys, although they are, but because they're legally obligated to do so because those parts don't have "too bad so sad" written into the legal code. All the "you're screwed if you're interfered with" in part 15 means is the FCC is not legally obligated to send in the men in black suits and vans solely for part 15 complaint issues. It doesn't mean interference is legal under part 15 rules, in fact the line right next to it explicitly states it is not legal and if by some miracle you're caught you are in big trouble.
I don't think the issue is with multiple parties using same unlicensed spectrum; it is more that they deliberately jam this common spectrum so that nobody can use it.
This could be similar to some type of wifi blackmail. I could rent an apartment in an expensive complex and set up a wifi jammer, then approach tenants and say that I can turn it off for X amount per month.
As a couple other people have pointed out, intent matters as well.
Over in the ham space if you know you're causing interference you're required to back off, regardless of who was there first (excluding some emergency situations).
It sounds like that line is discussing what happens when two (or too many) WiFi users congest a network, not one entity going around intentionally disrupting the communications of other devices.
It's the difference between not being able to talk to someone because you're in a crowd and not being able to talk to them because someone is standing behind you screaming into your ear.
That said, I guess you'd have to see what those specific repeated rulings were and for example whether they were two neighbors bickering over a network or convention centers blocking all WiFi except their own.
I know it's not that simple, but adding a "private" channel to the spectrum that can be leased over an area and isn't accessible on non-specialist hardware that could be used by, say, an event organiser to provide low-interference wifi would be a solution to this. Much like the radio waves.
Are there exceptions to this rule, i.e. legit uses for deauth mechanisms?
> Marriott admitted that the Wi-Fi users it blocked did not pose a security threat to the Marriott network.
> Similarly, Smart City submitted no evidence that the deauthentication was done in response to a specifically identified security threat.
It seems to me like it might still be okay to use WiFi deauth to automatically defend your network against security threats, such as foreign APs advertising the same SSID as your network?
The FCC isn't saying you can't use active measures to prevent a rogue AP from attacking users who intend to communicate with you. That's why they asked MC Dean to explain exactly how their interference helped secure its own network.
What they're saying is that you can't actively interfere with parties who want to use unlicensed spectrum to communicate with each other, even if they are physically on your property, and the fact that you must share bandwidth with them is not a valid excuse to do so.
Imagine if this were allowed. Would you accept it if someone else did the same to you, for instance a hotel guest would deauthenticate your use of your SSID?
Since no one owns the frequencies no one owns the SSIDs and there is no way to specify who is the legitimate user and who is the adversary. The only solution is if any one party just does not interfere in the business of the other.
That's easy enough to solve: you are only allowed to defend your SSID if you have taken reasonable steps to minimise the chance of a random name collision, and if this is really the most reasonable answer given your threat model.
For example you can't block all "Netgear WLAN" hotspots, but you can block all "Hotel Sunrise NY Guests" networks. And you can not block SSIDs similar to your private network simply because you are too lazy to specify the router's MAC in all your five devices.
But what if we are "Hotel Sunrise NY Guests"? Why wouldn't I use that name as a guest? I think if you want defensible randomization, you actually randomize it.
No. Because these are realistic rules enforced by real and reasonable people.
If you walk into Hotel Sunrise and start walking up to people and saying "I'm with Hotel Sunrise Guest Satisfaction, can I ask you some questions?" the defense "Well, I'm a Hotel Sunrise Guest and it was for my Satisfaction!" is not going to absolve you of any consequences that arise.
Hotel Sunrise guests would certainly connect to APs advertising that SSID. It would be pretty shady for them to set up their own APs with that SSID however.
I think that because the area involved is so local, the FCC is optimistic unlicensed spectrum users can come to consensus on that matter, otherwise it's going to have to deal with it in the more explicit, costly, and user inconvenient manner that it has done so in the past with identifiers used over less locally constrained, longer wavelength frequencies.
I think optimism is warranted. If someone local to you is being a dick with your SSID, you use technical (protocol level) countermeasures to disrupt them. This has been standard practice for a decade. If the attacker uses those countermeasures against legitimate users, apparently the FCC is now willing to respond with financial countermeasures against the attacker if it can.
If there were somehow a situation where the FCC was technically unable to respond, like say the attacker had a swarm of invisible drones equipped with access points advertising your SSID, then it would be helpless. The only solution would be to wait for vendors to come together through the IEEE or IETF with a standard to thwart the evildoers. (Probably years)
And it may yet come to that. But for now, the FCC clearly represents, at least within the United States, that corporate evildoers cannot blatantly perpetrate denial of service attacks on public spectrum without fear of sanction.
Yes, it is generally understood that the FCC rulings on WiFi jamming continue to permit WIPS/WIDS systems that actively mitigate rogue APs that appear to pose a security threat, and broadcasting your SSID without authorization would be a good example of this.
There was quite a bit of talk about this in the WIPS industry after these fines, and while I don't think the FCC has really made a clear clarification on the issue, the vendors have all put out statements that are similar variations on "it's okay for matching SSIDs" and I don't think there has been any contest to this. Vendors do recommend that you be careful that active mitigation will not impact APs operating off your property, implicitly even if they are broadcasting your SSID.
In general I think the FCC is taking an intent approach to this, from the security side - their rulings on WiFi jamming cases have generally specifically mentioned the lack of a reasonable security justification.
This is interesting, because SSIDs are not callsigns and not allocated or registered anywhere. Who's to say the enterprise network's claim on the SSID is more legitimate than the attacker's?
If you are at a HolidayInn, and connect to a HolidayInn SSID, then a reasonable person would expect that to be associated with the HolidayInn chain of hotels; that is where HolidayInn would have a more legitimate claim to the HolidayInn SSID than some random person.
Trademarks, Fraud, etc could be the legal basis for this.
There's not really any reason to use the same SSID as the enterprise other than to fool users into connecting to it for malicious purposes, so targeting networks with the same SSID would probably fall under reasonable security procedures and not be subject to this ruling.
I'm glad the FCC is taking this stance, but I'm curious why the hotel can't make "you consent to receive wifi deauth frames" a condition of entry. They let corporations put "you will not sue us" in EULAs, after all.
As others have said, the hotel doesn't have any authority over the spectrum itself so it can't impose any rules on it.
Take the ham operator scenario: One operator can't broadcast a continuous whistle so that nobody else can talk. It's impossible for an operator to obtain consent to do this. A hotel acting as an operator can't do it even if they got permission from every guest because the guests don't have any authority to grant it. It's simply prohibited for any operator to behave that way, full stop.
There are a couple of things a hotel could do though:
1) Kick anyone using wifi in a way they don't like off the property.
2) Encase the exhibition area in a giant Faraday cage so that nobody's cell phone works. Their APs are the only ones with internet access so no point for anyone else to turn one on.
I don't think either option would end well for any business that tried it. The reason they like the deauth method is because they can lock out competitors without the non-technical public realizing what's going on.
It's because the WiFi frequency bands are publicly owned. They don't have the legal authority to ask for consent to deauth because they don't own the channels in the first place. Intentional interference can get in the way of municipal internet access, it can cause safety problems (some channels in some bands are reserved for safety equipment), and of course it can be anti-competitive. Private entities are only being allowed to use WiFi bands in the first place under condition that they will not intentionally interfere with other devices.
But if the convention-goers "agree" to receive deauth frames as a condition of entry, it's an expected transmission desired by the recipient, so not interference. Of course, if they block people outside the building, there's no justification.
Sure, you can deauth all you want for testing and development inside your own home or business where you aren't bothering anyone. You can't "test" your deauth technology by blocking every single AP in range at a conference center, then extorting hundreds or thousands of dollars to get access to the only authorized networks. If you can't see the difference between the situations, then go read what the FCC letter says again.
edit: Imagine if this convention center entered into an exclusivity agreement with Verizon, then jammed the frequencies used by the other cellular carriers. Would that be OK?
But I can lawfully use my own WiFi hotspot, even while I am lawfully on your property. You may own the property, but you do not own the radio spectrum.
Imagine you meet an entrepreneur who has a gun and proclaimed he'll shoot everyone in sight by default, but that he provides a service in which he can exchange the bullet for the "BANG!" flag for a small fee. It's not extortion - you're free to refuse the service after all.
That's not at all the same case, you're being threatened. I'm impressed at the dishonesty on this one.
Imagine you're at a hotel, you can access their WiFi but you have to pay for it. Imagine you're at another hotel, you can use their pool but you have to pay for it. Are you being extorted? No. That's a better example.
Yes, but in your example you need to add that I have with me an inflatable pool that magically doesn't spill, and the federal law allows me to use it instead of hotel one - and I get kicked out of the hotel for actually using it (or worse, they make my magic water supply stop supplying water).
The FCC legally regulates use of the electromagnetic spectrum. For example, FCC conformance for EMI in electronic devices is not some optional stamp of approval for the benefit of discerning consumers. It's a legal requirement.
The FCC says don't maliciously interfere with other people's transmissions, yes. But if someone agrees to be sent deauth frames by the hotel, it's not interference anymore, it's the agreed and expected behaviour.
I can stand just outside the venue and sue them for sending me deauth frames... I haven't entered the venue, I haven't agreed to their terms, and they're interfering with my transmission/reception.
That would be the Trump hotel in Las Vegas. There's a metal film on the windows that interferes with cell signals, or at least it did last time I was there a few years ago.
That case isn't what's under dispute, and is unlikely to exist, since most buildings make pretty poor Faraday cages. So it's not really that relevant.
Furthermore, even if the building was a perfect Faraday cage, there are other issues, such as the laws governing public accommodations, and the special scrutiny imposed on "contracts of adhesion" (take-it-or-leave-it standard form contracts) when analyzing them for unconscionability, plus the FCC's mandate which doesn't stop at property boundaries and generally can't be overridden by private contracts anyway. It's not clear that it would be allowable even if you set aside the near-certainty of interference outside the property of the interferor.
Indeed, but they can stipulate other consequences.
For example in current $WORKPLACE, being found to operate an unapproved wifi AP will result in a disciplinary action. Too many of those and dismissal follows.
Operating an AP is not illegal, so I don't see how that example is relevant.
Conversely using a mobile phone to make a phone call is legal, but it's not allowed on the trading floors of banks. So it can be legal to refrain people from performing some legal activities on your premises. So I think a hotel probably can ban guests from operating a wireless AP, but jamming such activity using active measures is going too far.
The banks, presumably, have a fairly good reason for restricting that activity, and the people on the trading floor have been given significant consideration (employment, perhaps, or access to the trading floor on behalf of their employer) in exchange for agreement to those terms.
Chucking a "you can't bring your own WiFi [because we want to make more money selling it to you]" term into the standard language on a hotel agreement might have a much harder time passing muster.
Further, there's a lot of caselaw built up over time that treats dwelling places, even temporary ones like hotels, differently than workplaces. (E.g. it's perfectly fine for your employer to set up cameras in your office to keep an eye on employees, but if a hotel did that in guests' rooms they'd have a problem on their hands, and I strongly suspect that wouldn't change even if they put some "you consent to be photographed!" small print on the check-in agreement along with the no-smoking policy and other boilerplate.)
While the hotel owns the property (land) it does not own the spectrum. Spectrum is a limited resource that government manages for the public good. The hotel cannot interfere with my lawful use of spectrum, even if I am lawfully on their property.
We did a trade show in Minneapolis' convention center a few years back and had the same issue. We were charged ~$1200 for a few days of Wifi access from SmartCity. Even though we paid for them to allow us to use our Wifi AP (Cisco enterprise AP, not some consumer gear bought at BestBuy) we still had to beg and plead with their on-site network engineers to get them to stop issuing de-auths on all our traffic. Then again, you have to pay hundreds of dollars to have a trash can in your booth as well. These venues are such a racket it's ridiculous.
I wonder if there was any action taken against the vendor of this equipment, Xirrus. The FCC clearly identifies that this feature was marketed by Xirrus as a "shoot first and ask questions later" aggressive anti-AP technology. There does not appear to be any legal way to use this feature, so hopefully the FCC at least sent them a warning.
Hmm. What's interesting is MC Dean is an electrical/telecommunications contractor. They would be responsible for doing the actual work of installing and maintaining the network equipment, but usually at the behest of someone else. How did they end up with the liability for this? Did they go off the reservation and decide to start blocking WiFi on their own, or did the BCC request for them to do so?
Contractors, especially licensed ones, are usually liable for their work. So too is Marriott, for asking them in the first place, but they settled:
> Marriott agreed to settle the investigation by paying a civil penalty of $600,000 and establishing operating procedures to ensure that it does not engage in further Wi-Fi blocking
Right, I just thought they would usually be liable to the owner, and the owner would be the one legally liable. Now, if the owner got fined because MC Dean screwed something up, they could turn around and sue MC Dean for the amount of the fine. But separately fining both the owner and the contractor for the same infraction seems like double dipping on the part of the government, unless they're being fined in proportion to culpability or something like that.
IANAL, but "someone hired me" is not a defense for any crime. Perhaps Marriott could use ignorance as an excuse for hiring a wireless communication firm to break a wireless communication law (under the somewhat silly theory that they are only experts in hotel law), but the wireless communication firm itself certainly can't.
"Double-dipping" is allowed in criminal cases. If two people cooperate to murder someone both can go to jail for the full sentence; they don't split up the sentence between them.
> On October 23, 2014, the Commission received an informal complaint from a company that provides private Wi-Fi networks for exhibitors at trade shows by shipping equipment to customers around the country. The complainant stated in part that it had "just spent all morning arguing with M.C. Dean company who provides wireless [at the BCC] until they finally ceased sending de-auth signals to our router."
They were actively harming/disrupting others' equipment. It wasn't just "oh, your signal sucks, use ours!" but "we're going to knock you offline unless you pay."
Disclosure: I used to work for MC Dean 10+ years ago.
Right, but I'm sure it wasn't someone at MC Dean who decided "hey let's jam everyone else's signal". They're just the contractor. Someone had to tell them "please install equipment to jam other people's signal".
Now, they probably should have pushed back and advised the owner that what they wanted was illegal, but I'm sure it wasn't their idea. They don't own the building or host the conferences, so why would MC Dean care who uses which Wifi?
It is illegal. Ignorance of the law is no excuse. It's not much different than hiring someone to hack, rob or murder someone. We don't throw just the person doing the hiring in prison, we also pursue the person who performed the act.
Believing that a company is not liable for an illegal act they are hired for shows just how far the rabbit hole modern society has gone with respect to business ethics.
I suspect that the definition of "maliciously interfere" is the tricky part to define. In this case, the convention center was effectively DOS-ing its visitors/customers to vendor-lock internet access, which is as clean a case that a court could receive.
AFAIK (and IANAL) in the USA (IANAL in other countries either :)), some areas even criminalize the act of intentionally joining an open wifi, so I imagine a court could be extremely broad in its definition of "interfere" -- in our technophobic atmosphere, I wouldn't be shocked if this extended to scanning for SSIDs outside of the context of the OS.
aircrack-ng itself doesn't send anything, so it wouldn't be affected by this. Its sister tool aireplay-ng however can be used for exactly this kind of attack, and that is illegal.
Nothing has changed though, those laws have been in place since soon after the invention of radio.
As I understand it, ownership of a space does not confer ownership of the radio spectrum, even within the confines of the space. They don't have the authority to regulate radio signals at all.
This is a weakness in the Wi-Fi stack; I can't see that he has interfered with the signal itself. It is the router and/or the client that have picked up these signals and misinterpreted them (though they were targeted). The rule they mean he has broken:
> "harmful interference" as "[a]ny emission, radiation or induction that endangers the
> functioning of a radio navigation service or other safety services or seriously degrades, obstructs or
> repeatedly interrupts a radio communications service operating in accordance with this chapter."
I think this is the exception that swallows the rule.
Let's say I observe two ham radio operators having a morse code communication. I decide to stop them from communicating, so I transmit "<callsign 1> QRT DE <callsign 2>", where callsign 1 and callsign 2 are the callsigns of the two ham radio operators.
Is this harmful interference, or did one of the ham radio operators just misinterpret my signal?
> I decide to stop them from communicating, so I transmit "<callsign 1> QRT DE <callsign 2>"
> Is this harmful interference?
On amateur radio, you're obliged to identify yourself, so this would be a breach of licence: failing to identify your station, or misrepresenting your station.
I don't think that's correct. Cryptographic authentication of messages should be allowed (ARRL agrees with me[0]), the language specifies you cannot "obscure the meaning" of the communication.
That's correct. There's one exception to the encryption rule, which is when sending commands to a space station. (That does not allow you to encrypt the responses, though.) See 47 CFR 97.211, https://www.law.cornell.edu/cfr/text/47/97.211
> It is the router and/or the client that have picked up these signals and misinterpreted them
From what I understand of this attack, the signals are not being misinterpreted. The client receives a packet which basically says "I'm the AP and want you to disconnect", so the client correctly does what the packet asks it to. The packet, however, was spoofed; whoever sent it was not the AP, but someone else.
The solution to this particular attack, as someone else mentioned, is 802.11w, which authenticates these control packets so they can't be spoofed. Unfortunately, it's still uncommon.
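The distinction drawn in the comment above (an unauthenticated deauth that anyone can spoof versus one protected by 802.11w), as an added example that is not part of the original thread: a monitor-side check that classifies deauthentication/disassociation frames by whether they carry 802.11w protection and flags bursts of unprotected ones. The frame bytes, MAC addresses, window and threshold are constructed for illustration, and frames are assumed to be raw 802.11 with no radiotap header and no FCS.

```python
import struct
from collections import defaultdict

TEARDOWN = {10: "disassoc", 12: "deauth"}  # management subtypes that end a link
PROTECTED = 0x40                           # Frame Control flag: body is encrypted
MMIE_ID, MMIE_LEN = 76, 16                 # Management MIC element (BIP-CMAC-128)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_teardown(frame):
    """Classify one deauth/disassoc frame; return None for any other frame.

    Assumes a raw 802.11 frame with no radiotap header and no trailing FCS.
    """
    if len(frame) < 26:                    # 24-byte header + 2-byte reason code
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in TEARDOWN:
        return None
    dst, src, bssid, body = frame[4:10], frame[10:16], frame[16:22], frame[24:]
    group = bool(dst[0] & 0x01)            # broadcast/multicast receiver
    if frame[1] & PROTECTED:
        # 802.11w unicast: body is CCMP-encrypted, so the reason code is hidden.
        protection, reason = "ccmp", None
    else:
        reason = struct.unpack_from("<H", body)[0]
        # 802.11w group-addressed: cleartext body ending in an 18-byte MMIE.
        # A passive monitor sees only that the MIC is present; it cannot verify it.
        mmie = len(body) >= 20 and body[-18] == MMIE_ID and body[-17] == MMIE_LEN
        protection = "bip" if group and mmie else "none"
    return {"kind": TEARDOWN[subtype], "dst": mac(dst), "src": mac(src),
            "bssid": mac(bssid), "reason": reason, "protection": protection}


def find_floods(capture, window=1.0, threshold=5):
    """capture: iterable of (timestamp_seconds, raw_frame).

    Returns {bssid: peak count} for BSSIDs that saw at least `threshold`
    unprotected teardown frames inside any `window`-second span.
    """
    times = defaultdict(list)
    for ts, raw in capture:
        info = parse_teardown(raw)
        if info and info["protection"] == "none":
            times[info["bssid"]].append(ts)
    alerts = {}
    for bssid, ts in times.items():
        ts.sort()
        start = peak = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


# --- Constructed sample data (not captured traffic) ---
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6


def sample_deauth(flags, dst, body):
    # Deauth header with the sample AP as both source and BSSID.
    return bytes([0xC0, flags, 0, 0]) + dst + AP + AP + b"\x00\x00" + body


SPOOFABLE = sample_deauth(0x00, STA, b"\x07\x00")            # no 802.11w
PMF_UNICAST = sample_deauth(PROTECTED, STA, bytes(18))        # CCMP hdr + data + MIC
PMF_GROUP = sample_deauth(0x00, BCAST,
                          b"\x03\x00" + bytes([MMIE_ID, MMIE_LEN]) + bytes(16))
BEACON = bytes([0x80, 0x00]) + bytes(34)                      # not a teardown frame

CAPTURE = [(0.1 * i, sample_deauth(0x00, BCAST, b"\x07\x00")) for i in range(6)]
CAPTURE += [(0.25, PMF_UNICAST), (0.35, PMF_GROUP), (0.45, BEACON)]

if __name__ == "__main__":
    for raw in (SPOOFABLE, PMF_UNICAST, PMF_GROUP):
        print(parse_teardown(raw))
    print(find_floods(CAPTURE))
```

On a network without 802.11w the AP's own deauths are also unprotected, which is why the alert is rate-based rather than raised per frame.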
I don't really understand why you cannot fully be in control over electromagnetic radiation that occurs solely in your own private property? Logically it doesn't make any sense, unless of course there is leakage of that radiation affecting someone else outside of your private property.
Will we soon be banned from using red light bulbs at home, because their wavelength is illegal?
Why is electromagnetic spectrum special? A convention center couldn't put poison in their air, couldn't stab people, couldn't libel anyone, couldn't cook meth, and couldn't produce patented pharmaceuticals in their own private property either.
You may own the property, but you don't own the electromagnetic spectrum. The spectrum is a limited resource. It is managed by the government for the public good.
Some spectrum is licensed. Some is for public use, such as WiFi, Bluetooth, baby monitors, and many other uses.
How would you like it if someone else on their own private property interfered with your use of WiFi on your property by sending you deauth packets?
I pay AT&T for my phone, including the use of it as a hotspot. AT&T paid handsomely to license the spectrum it uses to provide service to my phone. I'm sure they would not be happy if I am unable to use that service because I am maliciously blocked by someone interfering with my lawful use of WiFi spectrum on my own lawful hotspot, regardless of what property I am lawfully on, such as a hotel.
> unless of course there is leakage of that radiation affecting someone else outside of your private property.
There always is. Radio waves don't respect walls (unless they're made of metal). If you look at the linked document, it shows strong indications that the attacks did affect wifi networks from vehicles passing by, that is, fully outside of the property.
It sounds more like they are saying "Yes, this is bad, but technically not illegal under our laws". Sounds more like they are doing their job rather than being emotional about it.
Perhaps you are unfamiliar with this idiom. "Mental gymnastics" can be motivated by emotions, but they don't have to be. It isn't motivation that makes any particular mental activity gymnastic, but rather it is incoherence. The commissioner writes as if [0] doesn't exist, even though he probably had it open in another window on his screen while writing the dissent. Ideology and avarice were probably more salient motivators than emotion.