German courts may fine users for unsecured WLANs

According to the Associated Press, the ruling in the Karlsruhe court means that German domestic users who are found to be operating an open WiFi access point (i.e. one without a password) could be fined in the event their connection is found to have been used for illegal filesharing.

The ruling will undoubtedly be watched with interest by internet service providers and lobby groups in the UK, Infosecurity notes, as it shies away from holding the WiFi access point owner responsible for the illegal downloads – which many have said is an unfair approach in any case – and instead issues a penalty for simply failing to secure access.

In its ruling, the German court said that domestic users are now required to check whether their WiFi connection is adequately secured against an unauthorised user illegally sharing files across their internet connection.

Unfortunately for German WiFi access point owners, the court has not defined what 'securing your wireless LAN' means, especially since some of the weaker password schemes - WEP and WPA - can be cracked using a combination of parallel processing and suitable software.

As reported by Infosecurity late last year, security researcher Moxie Marlinspike has launched an online service that acts as a useful tool for security auditors and penetration testers who want to know if they can break into certain types of WPA networks.

In return for $17, the WPA Cracker service claims to return a WPA password for a given WiFi access point within around 20 minutes.

The service works because of a known vulnerability in Pre-Shared Key (PSK) networks, usually used by home and small-business users.

To use the service, the tester submits a small 'handshake' file that contains an initial back-and-forth communication between the WPA router and a PC.

Based on that information and using a 400-node PC cluster, WPA Cracker can then tell whether the network seems vulnerable to this type of attack or not.

The AP newswire says that the Karlsruhe court ruling stems from legal action taken by an unidentified musician against the owner of a WiFi access point whose connection was allegedly used to download one of his/her songs without permission, and which was subsequently offered on an online file-sharing network.

Because the access point owner was able to prove that he was on holiday at the time of the alleged incident, he was able to side-step direct responsibility for the fileshare.

However, the court ruled that he was still partially responsible for failing to secure his wireless LAN and, as such, was handed down a fine of 100 euros.

According to Kirsten Grieshaber of the AP newswire, the court has "limited its decision, ruling that users could not be expected to constantly update their wireless connection's security - they are only required to protect their internet access by setting up a password when they first install it."

The AP newswire quotes the German national consumer protection agency as calling the court ruling balanced, since "it made sense that users should install protection for their wireless connection and that at the same time it was fair of the court not to expect constant technical updates by private users."
