Beware Thieves!

By Gerry Blackwell

December 21, 2000

Procrastination is the thief of time. Airjackers that don't loot your spectrum today, may target your fixed wireless ISPs lax regard for security—tomorrow.

In the mid-1990s, theft of wireless service became a multi-billion dollar problem for cellular carriers. The industry finally solved the problem with more secure network and terminal equipment.

Pop goes the access
But security experts at the time were fond of saying that network hacking was like a balloon—if you squeezed it with better security on one side, it just bulged out on the other. It never really went away.

So, could ISPs be the next bulge in the balloon of wireless network crime?

After participants in internet.com's ISP-Wireless List discussed the potential for theft of service recently, we ran an article on the subject. But we thought it was worth probing a little further.

Over inflated risk
In this two-part column, we evaluate the risk of theft and then look at some effective risk reducers.

Off the top, it's worth noting that only one of the industry people we talked to knew of an actual case of theft of service from a wireless ISP.

Duane Buddrius, director of product management at Carlsbad CA-based BreezeCOM, the dominant supplier of network gear to wireless ISPs working in the unlicensed 2.4GHz band, had heard of an incident from one small ISP using first-generation BreezeNET equipment.

The ISP finally noticed it was getting wireless traffic from more MAC (Media Access Control) addresses than it had subscribers. A MAC address is the unique hardware identifier of a user's station adapter or Ethernet card.

Buddrius makes the point that the ISP had not set up its network properly and was using equipment BreezeCOM only ever intended for use in wireless LAN applications. He notes that his company has since introduced the BreezeACCESS line with, as we'll see, significantly beefed-up security.

That said, neither of the two BreezeCOM wireless ISPs we polled were using the new, more secure—and more expensive—BreezeACCESS gear. Both use at least some BreezeNET equipment.

Buddrius declines to give further details about what he says is the only case of its kind he's heard about—for which the operator in question will no doubt be thankful.

But as with other types of white collar crime, exactly that instinct to avoid public embarrassment makes it difficult to gage the true extent of the problem.

Bruised pride
Allen Marsalis, president of ShreveNet Inc., an ISP in Shreveport LA that has been offering wireless service for about three months, makes the point that few victims will own up to being hit.

"It's not something someone would exactly be proud to admit," Marsalis notes. Still, he adds, "I would say theft of service is pretty uncommon."

ShreveNet offers wireless Internet access service to residential, small business and corporate customers for $50, $100 and $200 per month, respectively. They get up to 3Mb of throughput, but the amount of data transferred is capped at 1GB per month. Customers pay $30 per additional gigabyte.

ShreveNet is growing its wireless network quickly, Marsalis says, turning up a customer every day or two.

Larceny lacking
Paul Farber, owner of Farber Technology in Pottsville PA, agrees theft of service is probably uncommon. "We're not at serious risk," he says. "And we can limit the risk by taking moderate, sensible precautions."

But there's no doubt it could happen, he says. He calls the wireless side of an ISP's firewall a "free-for-all zone."

Farber has 14 wireless customers so far and 1,500 others, mostly dial-up, in a predominantly rural, small-town triangle of Pennsylvania near Scranton, Harrisburg and Reading.

Breezecom's Buddrius also doesn't think theft of service is a major problem—at least not yet.

"At this point," he says, "I don't consider it a threat, especially for a network that is designed properly. But I imagine as services begin to proliferate, it could become one. It certainly has to be a concern."

Scale of pilfering
The theft of service problem is less severe than it was in the case of cellular in the mid-1990s and less than it might yet become with fixed wireless, partly because of the simple economics of hacking, Farber points out.

Any potential thief would of course have to acquire an antenna and station adapter—not difficult to do, but not cheap.

"Anyone can probably break into any network if they really want to," Farber said. "But I don't think a lot are going to buy an $800 or $900 radio to try it."

"It's probably cheaper in the long run to pay for the service. If you buy the radio and then can't figure it out, you've got a big, expensive paperweight on your hands."

Farber and Marsalis also believe they're less likely to be victimized because they operate in small towns and rural regions.

"In a rural environment you can probably get away with more lax security," Marsalis said. "After all, everybody in a small town knows what everybody else is doing."

Farber doesn't want to suggest ruralites aren't smart enough to figure out how to hack a wireless ISP, but he does suggest that in larger population areas, there is apt to be more people willing to try attacking a service provider.

Downgraded peril
Even if the risk is low for now, it does exist. And Farber and Marsalis say it is essential for all wireless ISPs to take basic precautions against the possibility of theft of service.

Even if you're using older radio equipment, they point out, it should be possible to make it very, very difficult for hackers to steal service.

What do you have to do? There are several layers of security, some exclusive to the wireless portion of your network, some part of what most ISPs are already doing. Or should be doing.

We'll take a look at the basics in a followup article.



Comment and Contribute
(Maximum characters: 1200). You have
characters left.