Wireless crime, wireless criminals

     It was a case of identity theft. A number of "virgin" credit card numbers — issued to new cards — and cardholders' names were used to purchase items online. Internet service provider information showed that the thief was working in a residential neighborhood not known for a high crime rate. More specifically, IP addresses were traced back to a home where no one with criminal records or outstanding warrants lived.

     The resident allowed police to search her home. Upstairs, investigators found her computer with a wireless router set up. The antenna was pointed out toward the cul-de-sac she lived on, and the home network itself was unsecured. "Anyone could get into that network from about two blocks away," says Ravi Ram, a 13-year veteran of the Los Angeles County (Calif.) Sheriff's Department at the time he worked the case; Ram is now a reserve deputy with LASD.

     During the interview, police became certain that the resident was not involved with the identity theft, so investigators checked the router. It revealed several suspicious connections, along with the media access control (MAC) address that identified a laptop — and the Windows username that identified its owner. The resident recognized the last name as her neighbor, who lived four houses down.

     Investigators obtained a warrant for that residence. There, they established that the laptop belonged to a teenager living there. He had obtained the credit card information, about 6,000 numbers in all, from a Ukrainian source via Internet Relay Chat (IRC). "He'd used his own family's Internet connection for his first thefts, but as he learned more about what he was doing, he began to hack other people's networks," says Ram.

     James Williams, a detective with the Sacramento County (Calif.) Sheriff's Department and a member of the Internet Crimes Against Children (ICAC) unit within the Sacramento Valley Hi-Tech Crimes Task Force, says most criminals he encounters continue to use their own home networks rather than their neighbors'. "The good news is that we typically find evidence that will defeat any claims that 'someone else did it from my unsecured wireless,' " he says.

     Still, he adds that savvier predators and identity thieves, as in Ram's investigation, use nearby unsecured wireless networks run by their neighbors, small stores, restaurants, repair shops, and so forth — and not all commit their crimes from the comfort of their own homes. "I have spoken with other patrol officers from various California agencies who have been encountering [suspicious activity from] people with laptops," Williams says.

Why wireless?

     Created to improve mobility for business users, wireless network technology has also appealed to home users, who use it to create "peer to peer" networks — to link computers, gaming and other entertainment devices. This has become easier as the cost of components — routers and access points, network interface cards, and computers themselves — drops, and speed improves.

     Currently, 802.11g — five times as fast as 802.11b — is most widely used, although according to a 2007 Computer World article, Internet technology has outpaced it. Thanks to voice over IP (VoIP), streaming video and gaming applications, wireless networks need to be able to support demand for more bandwidth, faster speed and longer ranges.

     Expected to supply it all is a new standard, 802.11n, which should be formally approved this year. So, along with experiencing fewer dead spots, consumers will be able to download and save video from their computers to wireless-enabled devices such as TVs. Multiple users and uses will also find it easier to work and play.

     These improvements will benefit criminals, too — and potentially present greater challenges to law enforcement. Not only will the networking power make it easier for criminals to create, download and share materials like pornography; it will also enable them to steal networking from their neighbors from much further away — not the next house or two over, but the next block or two over. And stronger security could impact law enforcement's ability to access evidence.

     Thus, even if criminals don't try to hide their activities on their neighbors' networks, they can still take advantage of the technology to store evidence in places that unaware investigators may not think to look — including separate locations entirely. So, investigators need to know what to look for, how to look for it, and what to do with it once they've found it.

802.11 security

     Why was it so easy for the juvenile identity thief to access his neighbor's wireless network? A variety of reasons, all having to do with the way 802.11 security works.

     It starts with Wired Equivalent Privacy (WEP), a set of security features including authentication, encryption and data integrity. The first protocol used for 802.11 networks, WEP was never designed to provide strong security. The features themselves are weak, and there is no auditing or security key management.

     In other words, it's up to users to configure their own username and password, referred to as a key. However, according to Chris Baker, technical consultant at Hopkinton, Mass.-based EMC2 Corp., most remain ignorant of the risks of an unsecured wireless network — and unwilling to take extra steps with their out-of-the-box setup. They use the router manufacturer's default key. Those who do take the time to configure security, meanwhile, "plug in a [security] key and forget about it, never revisit it."

     In fact, even though security has improved (via Wi-Fi Protected Access, WPA, with an automatically rotating key — meaning users do not have to configure their own — and WPA2, which layers encryption on top of the automatically rotating key), Baker says most users don't take advantage of it. "People don't understand the security aspect," he explains. "They think in terms of speed, not security."

     It is possible to break encryption and figure out a WPA key, but this is a time-consuming process. Chris Armstrong, a high-tech crimes training specialist with the National Consortium for Justice Information and Statistics (SEARCH), explains that "war-drivers" can capture data packets — which contain information about the encryption key — until they get enough to break the encryption.

     However, says Williams, "In my experience, it's much easier for [criminals] to use an open unsecured wireless. 'Why break a window when the next house down has an open door'-type thinking."

     For law enforcement, this means those investigating, say, a sex offender's wireless network or unauthorized access (as in the above example) will have little trouble accessing data on devices — once the devices are found.

The wireless crime scene

     "In years past, law enforcement first responders bagged and tagged evidence, then brought it to a computer forensic lab for examination," says Armstrong. "But examiners started to find that their forensic software was mapping evidence they hadn't received. In other words, the first responders were missing evidence, like wireless hard drives. In one case, detectives got a second warrant, but when they returned to the site, they found only the spot where the hard drive had been."

     Armstrong explains that technology changes so rapidly, investigators must receive regular training on what to look for, what to take into evidence, and what not to take. These kinds of evidence, Williams says, include networked drives, removable hard drives and external drives.

     Other examples include wireless-capable mobile phones, especially those with cameras, and gaming devices. "The Sony PlayStation Portable has [the Memory Stick Duo], which can hold thousands of pictures," says Armstrong. Likewise, the Xbox has a 10GB hard drive, enough to hold plenty of evidence. Although Williams' unit hasn't yet seen many cases of gaming devices used for storage, he says they do consider this during every search and have on occasion taken game systems.

     That's why it's important to specify all equipment in a court order. "Spell out everything you suspect you might collect," says Armstrong. "You can do this in detail, or use more general language, such as 'any device that may contain digital data.' "

     Williams adds that his task force will typically include information regarding wireless networks in their warrants. "Even if a suspect accessed someone's wireless, there would be evidence at that location, such as the router information and/or MAC address. So we'd still need to serve a warrant [at that second location]."

Interrogating the router

     A key part of investigating the wireless crime scene is router interrogation. "This is how you find out how many IP addresses were leased," says Armstrong. Leases tell how many devices might be found on a network. No device can have two IP leases, so, for example, if there are two devices but three or four IP leases in a router's routing table, investigators need to start looking for more devices — whether they belong to the suspect or to someone else who may have accessed the network.

     The router must be interrogated on scene because lease data, contained in random access memory (RAM), is volatile. In other words, says Armstrong, "if the router is unplugged, the data will be gone."

     To interrogate a router, an investigator needs an investigative laptop which, when connected to the router, allows the investigator to view routing tables. Williams says this is simple if the user hasn't changed the default security key. "[But] if the suspect won't talk or reveal their locations, and no one else in the residence knows, we have to use old-fashioned investigative techniques."

     This may include searching for evidence such as equipment receipts or printouts. If those are found, it's possible to preserve the device. If not, however, only a complete forensic exam — typically done several months later, Williams says — will reveal that off-site storage exists. "At that point, the suspect would have had ample time to connect to his off-site storage and destroy any evidence there," Williams adds.

     In the case of a criminal using someone else's network, the router IP lease can remain for 24 hours or longer, depending on router settings. However, says Armstrong, because the lease expires once the specified time is up, warrant execution is time sensitive. Also, Williams says it's impossible to tell the difference between in-network devices and those connecting from a different location.
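As an added illustration of the lease check described in this section (not code from the article or from the investigators quoted), the following script compares a router's DHCP lease table against the devices actually found on scene and reports every lease no seized device accounts for, with its hostname and the seconds left before it expires. It assumes the router exports leases in the layout dnsmasq writes (expiry as Unix time, MAC, IP, hostname, client-id); the lease lines and seized MAC addresses are constructed sample values.

```python
import time

# Constructed sample lease table in dnsmasq layout (assumption about the router's
# export format): expiry-unix-time  MAC  IP  hostname  client-id.
SAMPLE_LEASES = """\
1200000000 00:11:22:33:44:55 192.168.1.10 family-desktop 01:00:11:22:33:44:55
1200003600 66:77:88:99:aa:bb 192.168.1.11 JSMITH-LAPTOP 01:66:77:88:99:aa:bb
1200007200 cc:dd:ee:ff:00:11 192.168.1.12 * *
"""

# MAC addresses of the devices physically located and seized at the scene (constructed).
SEIZED_DEVICE_MACS = {"00:11:22:33:44:55"}


def parse_leases(text):
    """Parse dnsmasq-style lease lines into dicts; blank or malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append({
            "expiry": int(parts[0]),
            "mac": parts[1].lower(),
            "ip": parts[2],
            "hostname": parts[3],   # Windows hosts often carry the owner's name here
        })
    return leases


def unaccounted_leases(leases, seized_macs, now=None):
    """Return leases whose MAC matches no seized device, soonest-to-expire first.

    More live leases than devices on scene is the cue to look for further devices;
    expired leases are dropped because the router itself will not retain them.
    """
    now = int(time.time()) if now is None else now
    seized = {m.lower() for m in seized_macs}
    extra = []
    for lease in leases:
        remaining = lease["expiry"] - now
        if lease["mac"] in seized or remaining <= 0:
            continue
        extra.append({**lease, "seconds_left": remaining})
    return sorted(extra, key=lambda entry: entry["seconds_left"])


if __name__ == "__main__":
    for entry in unaccounted_leases(parse_leases(SAMPLE_LEASES), SEIZED_DEVICE_MACS, now=1200000000):
        print(f"{entry['mac']}  {entry['ip']}  host={entry['hostname']}  expires in {entry['seconds_left']}s")
```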

     Traditional investigation once again comes into play. "If a child exploitation suspect is hopping on and off a wireless network, and you need to identify the offender, use traditional investigative techniques." Armstrong suggests investigators check the sex offender registry to find out if a neighbor might be on it. "Talk to the neighbors and the local patrol officers to see if they've noticed anything suspicious," he says.

     Other possible ways to identify a suspect: Police may use a victim's router, or take over a victim network's identity. Law enforcement might also try to set up its own wireless access point (WAP) in a mobile environment and hope the suspect jumps on board.

     But Armstrong cautions that high-tech investigation is complex subject matter, requiring hands-on training, equipment and specific software knowledge.

     Christa Miller is a writer based in Greenville, S.C. She can be reached at christammiller@gmail.com.