WiFi deauthentication attacks and home security (mjg59.dreamwidth.org)
545 points by edward on Dec 27, 2019 | 222 comments



In Norway/Oslo there are a lot of people with equipment sending deauthentication packages, jamming neighboring equipment, and this is one of the main reasons for slow Internet (lots of jitter). I did some research on this together with The Norwegian Communications Authority (NKOM) to isolate the problem.

If you want to check for yourself whether someone close by is sending deauthentication packages, fire up a Mac and:

1. Open Wi-Fi Diagnostics and change to 'Sniffer' from the Window tab

2. Dump 30 sec to 1 min of data. The dump is saved to /var/tmp with a .pcap extension

3. Open the .pcap file in Wireshark and filter for wlan.fc.type_subtype == 0x0c (deauthentication frames)

For all the different WiFi packages you can filter for: https://www.willhackforsushi.com/papers/80211_Pocket_Referen...

The router Synology RT2600AC is the only one I have found that guards against deauthentication packages by supporting WPA3 and PMF (encrypt management frames). iOS 13, macOS Catalina and Windows 10 support WPA3, so it comes down to your router.
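The same check can be scripted so it runs over a whole capture instead of eyeballing a Wireshark filter. The script below is an added example, not code from the comment above or from the linked article; it reads a classic pcap (link type 802.11 or 802.11-with-radiotap, which is what monitor-mode captures normally produce), counts unprotected deauthentication frames per transmitter MAC (management type 0, subtype 12, the same thing the filter selects), separately counts deauth frames that carry the Protected Frame bit (those are PMF-protected and cannot be spoofed by a bystander), and reads each AP's beacon RSN element to report whether that AP advertises PMF capable/required. The embedded capture is constructed for the example, not a real trace; the MAC addresses in it are made up.

```python
"""Offline 802.11 deauth audit (added example, stdlib only): count unprotected deauths per sender, count PMF-protected ones, read PMF flags from AP beacons."""
import struct
from collections import Counter

LINKTYPE_IEEE802_11 = 105           # raw 802.11 frames
LINKTYPE_IEEE802_11_RADIOTAP = 127  # radiotap header in front of each frame (monitor-mode captures)
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 0x08, 0x0C
RSN_IE = 48                         # information element carrying WPA2/WPA3 (RSN) capabilities

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def iter_pcap(data):
    """Yield (linktype, packet_bytes) for each record of a classic pcap file."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap (convert pcapng with 'editcap -F pcap' first)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len

def strip_radiotap(linktype, pkt):
    """Return the bare 802.11 frame, or None for link types this script does not handle."""
    if linktype == LINKTYPE_IEEE802_11:
        return pkt
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP and len(pkt) >= 4:
        return pkt[struct.unpack_from("<H", pkt, 2)[0]:]  # radiotap length field is little-endian
    return None

def rsn_pmf_flags(beacon_body):
    """Walk a beacon's information elements; return (mfpc, mfpr) from the RSN capabilities field."""
    off = 12  # timestamp(8) + beacon interval(2) + capability info(2) precede the IEs
    while off + 2 <= len(beacon_body):
        tag, length = beacon_body[off], beacon_body[off + 1]
        body = beacon_body[off + 2:off + 2 + length]
        off += 2 + length
        if tag != RSN_IE or len(body) < 8:
            continue
        p = 2 + 4                                           # version, group cipher suite
        p += 2 + 4 * struct.unpack_from("<H", body, p)[0]   # pairwise cipher suite list
        p += 2 + 4 * struct.unpack_from("<H", body, p)[0]   # AKM suite list
        if p + 2 > len(body):
            return (False, False)                           # optional capabilities field absent
        caps = struct.unpack_from("<H", body, p)[0]
        return (bool(caps & 0x80), bool(caps & 0x40))       # bit 7 MFPC (capable), bit 6 MFPR (required)
    return (False, False)

def audit(pcap_bytes):
    """Return (unprotected deauths per transmitter, number of PMF-protected deauths, PMF flags per BSSID)."""
    per_tx, protected, pmf = Counter(), 0, {}
    for linktype, pkt in iter_pcap(pcap_bytes):
        f = strip_radiotap(linktype, pkt)
        if f is None or len(f) < 24:
            continue
        ftype, subtype = (f[0] >> 2) & 0x3, f[0] >> 4      # frame control byte 0: version, type, subtype
        if ftype != 0:                                     # only management frames matter here
            continue
        addr2, addr3 = mac(f[10:16]), mac(f[16:22])        # addr2 = transmitter, addr3 = BSSID
        if subtype == SUBTYPE_DEAUTH:
            if f[1] & 0x40:                                # Protected Frame bit: PMF in use, body encrypted
                protected += 1
            else:
                per_tx[addr2] += 1                         # a flood with a spoofed AP MAC shows up here
        elif subtype == SUBTYPE_BEACON:
            pmf[addr3] = rsn_pmf_flags(f[24:])
    return per_tx, protected, pmf

def _frame(fc0, fc1, a1, a2, a3, body=b""):
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body   # FC, duration, 3 addresses, seq ctl

def build_sample_pcap():
    """Constructed capture (not a real trace): an AP advertising PMF required, three unprotected
    deauths sent with that AP's MAC (one broadcast), and one PMF-protected deauth."""
    ap, sta, bcast = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
    rsn = struct.pack("<H", 1) + b"\x00\x0f\xac\x04"    # RSN version 1, group cipher CCMP
    rsn += struct.pack("<H", 1) + b"\x00\x0f\xac\x04"   # one pairwise suite: CCMP
    rsn += struct.pack("<H", 1) + b"\x00\x0f\xac\x08"   # one AKM suite: SAE (WPA3-Personal)
    rsn += struct.pack("<H", 0x00C0)                    # capabilities: MFPC | MFPR
    beacon = b"\x00" * 12 + bytes([RSN_IE, len(rsn)]) + rsn
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)         # minimal radiotap header: version, pad, len 8, no fields
    frames = [
        _frame(0x80, 0x00, bcast, ap, ap, beacon),
        _frame(0xC0, 0x00, sta, ap, ap, struct.pack("<H", 7)),    # reason 7: class 3 frame from non-assoc STA
        _frame(0xC0, 0x00, sta, ap, ap, struct.pack("<H", 7)),
        _frame(0xC0, 0x00, bcast, ap, ap, struct.pack("<H", 7)),  # broadcast deauth (addr1 = ff:ff:ff:ff:ff:ff)
        _frame(0xC0, 0x40, sta, ap, ap, b"\x00" * 16),            # Protected Frame bit set: body is ciphertext
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    for f in frames:
        pkt = radiotap + f
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    import sys
    per_tx, protected, pmf = audit(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap())
    for tx, n in per_tx.most_common():
        print(f"{tx}: {n} unprotected deauth frames")
    print(f"{protected} PMF-protected deauth frames; PMF (capable, required) per AP: {pmf}")
```

Run it as `python3 deauth_audit.py /var/tmp/<capture>.pcap`; with no argument it runs on the constructed sample. A transmitter MAC that shows up with hundreds of deauths in a minute, especially one that matches your own AP's BSSID while the AP is idle, is the signature the comment above describes. The same file can be produced on Linux from a monitor-mode interface with `tcpdump -i mon0 -s 0 -w capture.pcap 'subtype deauth or subtype beacon'`, which is the non-Mac route asked about later in the thread. The PMF column is the check to run after enabling 802.11w on a router: the AP's own beacons should report required=True, and from then on deauths for that BSSID should land in the protected count, where a spoofer cannot put them.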


> by supporting WPA3 and PMF (encrypt management frames).

OpenWrt 19.07 adds WPA3 support and the Linux kernel supports 802.11w, so probably many more APs could be secured.


> OpenWrt 19.07 adds WPA3 support

Neat! Note that it is not enabled by default and requires installing the -openssl or -wolfssl variant of the hostapd, wpa_supplicant, or wpad package[1] and may require recreating the wireless config file.[2]

1. https://openwrt.org/releases/19.07/notes-19.07.0-rc2#wpa3_su...

2. https://forum.openwrt.org/t/wpa3-support-in-openwrt/10554/68
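For reference, this is what the relevant part of /etc/config/wireless looks like once the full wpad build is in place. It is an added example and not taken from the OpenWrt release notes or the forum thread linked above; SSIDs, passphrases and the network names are placeholders. The PMF switch is `ieee80211w`, and it is independent of the encryption choice: the first stanza is WPA3/WPA2 mixed with PMF required, the second is plain WPA2-PSK with PMF optional, which is the setting to fall back to when older clients refuse to associate.

```uci
# /etc/config/wireless excerpt (added example). On 19.07 the default wpad-basic has no SAE;
# first run: opkg remove wpad-basic && opkg install wpad-openssl   (or wpad-wolfssl)

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'home-pmf'                     # placeholder
	option encryption 'sae-mixed'              # WPA2-PSK and WPA3-SAE on one SSID ('sae' for WPA3 only)
	option key 'replace-with-a-long-passphrase' # placeholder
	option ieee80211w '2'                      # 802.11w: 0 = off, 1 = optional, 2 = required

# PMF does not need WPA3: an 802.11w-capable driver plus this option is enough on WPA2
config wifi-iface 'legacy_radio0'
	option device 'radio0'
	option network 'iot'                       # placeholder: a separate network for old devices
	option mode 'ap'
	option ssid 'iot-legacy'                   # placeholder
	option encryption 'psk2'
	option key 'another-long-passphrase'       # placeholder
	option ieee80211w '1'                      # clients that support 802.11w get it, others still join
```

Apply with `wifi` after editing. With `ieee80211w '2'` a client without 802.11w support cannot associate at all, so check the client population (IoT gear is the usual casualty) before requiring it everywhere. To confirm the AP actually advertises it, capture a beacon in monitor mode and look at the RSN information element in Wireshark: the RSN capabilities should show Management Frame Protection Capable and, for the first stanza, Management Frame Protection Required. Only once that is true do spoofed deauths stop working against clients of that BSSID.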


You don't have to have WPA3 to have PMF though. You just have to search more for APs that support 802.11w.


Just to clarify: the attack depends on reading (unencrypted) management packets going from the AP to the device, and if PMF is enabled on the AP, it will only send encrypted management packets so the attack is not possible. Is that it?


Supported by almost all Raspberry Pi. Thank you for the comment!

Now I have a good and cheap solution to get it solved for friends/family.


Asus Merlin also supports PMF


Why are people actually doing this on a wide scale?


I think most people don’t know that their equipment is doing this. A lot of WiFi routers set to auto channel will select some other channel than the one with a lot of deauthentication packages, because the traffic is not stable on that channel. In this way you get a better Internet connection if your equipment is sending these packages out.

As a manufacturer you know that you only need a couple of these “bad” devices before you damage the traffic for everyone, forcing everyone to upgrade all their equipment. It also benefits the Internet providers, because a faster network will camouflage the problem a bit.


It is fascinating that some manufacturers may have gone down this Darwinian path in "improving" their products.

Is there any law against this, or any effort to introduce such laws, either in Norway or elsewhere?


The WiFi frequencies are unlicensed in afaik every jurisdiction (note that the precise frequencies aren’t de jure the same in every country) so it’s legal to send whatever packets you like within certain power constraints.


>so it’s legal to send whatever packets you like within certain power constraints.

No. https://boingboing.net/2014/10/03/fcc-fines-marriott-for-jam...

>No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.

https://www.law.cornell.edu/uscode/text/47/333


That law seems to explicitly apply to transmissions on FCC-licensed spectrum, where the FCC authorizes operations and ensures that you don't get interference. Wifi happens on unlicensed spectrum; wifi is not "radio communications of any station licensed or authorized by or under this chapter".


Unlicensed spectrum is, as I understand it, spectrum whose use without a license is authorized (but, obviously, not licensed) by that chapter, and so is within the scope of the “authorized or licensed” language; certainly, the FCC has consistently treated it as within the scope of that rule and hasn't been successfully challenged on it in the courts where, if it wasn't authorized or licensed by the chapter at issue, it would be an easy slam-dunk case against any FCC enforcement action treating it as such.


I really disagree with that ruling and interpretation of that quoted part of the law. Jamming to me means radio interference via indiscriminate analog noise. If we expand the definition of jamming to the protocol level like exemplified here, the law gains broad authority to interpret any online interaction that makes your experience worse as "jamming." The law should really stick to radio frequency enforcement, and stay out of protocol-level concerns - it's just too big a can of worms.


That's because you are ignorant of radio frequency technology, circa 1940. The only reason a shared frequency band like 2.4 GHz works at all is because we have invented technology that can implicitly synchronize with other senders through avoiding collisions with ongoing transmissions, e.g. through CSMA/CA. Obviously a band like 2.4 GHz will simply not work if devices were allowed to transmit permanently like an analog radio. And so out of simple necessity the regulation for shared bands has very broad language to the effect that you can not interfere in any way with others operating on the same band.


So, is Cisco breaking the law by making rogue de-auth available? Is there then any circumstance where it is acceptable to use?


>Jamming to me means radio interference via indiscriminate analog noise

So according to you, denying everyone usage is worse than denying everyone else usage to improve your usage?

>If we expand the definition of jamming to the protocol level like exemplified here, the law gains broad authority to interpret any online interaction that makes your experience worse as "jamming." The law should really should stick to radio frequency enforcement, and stay out of protocol-level concerns - it's just too big a can of worms.

This is a fundamental misunderstanding of how the legal system works. It's not an algorithm. Intent matters. Going back to the originally quoted text, it says "willfully or maliciously", so maxing out your WLAN to transfer files 24/7 is probably not going to get a knock on the door by the FCC. Intentionally jamming your neighbor's wifi (deauth packets or otherwise) is.


The law does not prohibit “jamming”; it prohibits “willfully or maliciously interfere with...radio communications of any station...authorized by or under this chapter”.

If you’re objecting to the phrasing in the boingboing article (which called it “jamming”), ok, but the law seems clear to me and the interpretation thereof I think was correct.


I just want to comment that this is why HN is great.

I posted what turned out to be a misunderstanding (or an incomplete understanding, if you are more generous) of spectrum rules. My comment was correctly downvoted to 0, but more importantly I got a response that simply explained where I was (utterly) wrong. No flames, no further conjecture, just references. There's a little bit of following discussion.

This is the way it's supposed to work!!


From the perspective of a relatively new HNer, this sort of comment further reinforces how great the community can be, in a meta-sort of way!


Eh? I haven't seen a single router that monitors packets on channels other than its own, not to mention management frames of other APs.

A deauth packet needs the MAC address of the AP to deauth clients connected to it and the MAC address of the client you want to deauth; the latter is not required, and omitting it results in the packet being treated as a "broadcast deauth", but many clients do not accept broadcast deauth requests.

"Auto Channel Selection" is done very poorly on most routers; there isn't an algorithm to do so in the spec, and the vast majority of routers either do a round robin on boot-up or default to channel 6 when set to auto. I can count on one hand the number of routers I've seen that run any type of spectrum analysis on the available bands before selecting a channel.

The only thing I've seen that even resembles what you claim is that some ISP-provided routers default to "disconnect" every 12-24 hours. Some just reset the DSL connection, but some also reset the clients. This is done primarily by cheap ISPs that want to free up IP addresses: they basically reset the DSL connection and complete the handshake but do not receive a lease until a client on their network attempts to connect to the internet, think of it as a standby mode. To ensure that random traffic on the network does not trigger a lease, some deauth their wifi clients to reset all existing connections. However this is pretty rare, as most DSL providers just reboot the router remotely....

However, again, random deauth MGMT frames on the same channel would not affect your own wifi network since the MAC addresses of those APs are not identical; conflicting MACs could cause issues, but they would cause so many other issues as well way before anything like this could become an issue.

I really don't know why home internet connections and particularly WIFI have so many insane myths and conspiracy theories around them. The reality is simple: the 2.4 GHz spectrum is the most contested unlicensed spectrum in common use, with everything from your microwave to house and car alarms, wireless headsets and other wireless radio equipment using it, because that spectrum was pretty much defined as unlicensed globally way before WIFI ever became a thing.

As a result WIFI equipment, and especially old and/or cheap equipment, works really poorly, and the fact that everything from your mobile phone to your toothbrush today comes with wifi and in many cases spams the spectrum even when it's not enabled only complicates the issue.

Then you have housing that outside of the US is primarily built out of reinforced concrete or bricks even for internal walls and you get the worst possible environment for a stable connection.

It's slightly better now in Europe as wood, foam and composites are becoming more and more common for housing both internally and externally, but still I've seen flats in London where the wifi won't work from one room to another if the door was closed. We later figured out that the door had an old layer of lead paint and the flat was in a converted Victorian town house from the late 1800s which was built from brick and still had lead piping. Some of the windows can also be made out of lead glass, especially if they are old and pebbled or painted, if they weren't replaced recently (which if you live in a graded building they likely weren't because it would cost a small fortune), and some of the clay bricks and fire bricks may contain high levels of tin and lead naturally.


>This is done primarily by cheap ISPs that want to free up IP addresses: they basically reset the DSL connection and complete the handshake but do not receive a lease until a client on their network attempts to connect to the internet, think of it as a standby mode

How many IP addresses can you possibly save with this tactic? If you have 1000 subscribers, are you really going to only get 990 IP addresses, and hope that your subscribers don't all come online at the same time?


You’ll be surprised just how many people are not using their home internet most of the time.


>most of the time

That's the problem though. Even if most people are offline during the night or during holidays/weekends, you still need to provision enough IP addresses for peak demand. ISPs aren't paying for IP addresses by the hour, they're probably leasing/buying subnets on a yearly basis, if not longer.


Your phone doesn’t sleep, it's always talking to Apple or Google. IP addresses are rotated to keep trouble users at bay. Just like QoS isn’t really saving on bandwidth costs.. if you download via HTTP you’re gonna get the full transfer speed available to you, but a single BitTorrent connection won’t. It’s all about mitigating power/problem users.


Peak demand is much lower than the total number of actual subscribers; many ISPs run as much as a 30% deficit these days.


Maybe 10 years ago, but these days just about every Internet-connected device talks constantly.

So they would have to be not home, and not leave any IoT device on when away. Of course this happens, but is probably very rare in the evenings (and at night).


Just replying to point out that Ubiquiti APs can regularly scan channels for utilization and direct clients away from congested ones. I don’t think it has protection from deauth attempts, but I think it would come across as congestion and send clients elsewhere..


I was looking into this last night, and just wanted to point out that Ubiquiti's 3rd generation APs do support 802.11w. The feature is labeled "Protected Management Frames" (PMF) under the WLAN Group settings on the controller.


Ubiquiti is hardly common CPE; pro/enterprise-grade WiFi equipment client management is a whole other story. They balance based on anything from spectrum congestion to usage congestion on individual APs, and the handover protocol between APs doesn’t use deauth unless it’s a very crude implementation.

There is roaming support in management frames, and for signal strength clients usually do their own roaming: if you have 2 APs on different channels for the same SSID, your client would select the best one and roam if necessary as the signal strength changes.


Can you name any routers (brands) that do this?


they want privacy?


I can't see how screwing up the internet for everyone else improves your own privacy.


Really, you can't? While I don't think this is what GP meant, I sure can! We all had a lot more privacy before the internet.


Internet sure. But we are talking wifi specifically here.


> screwing up the internet for everyone else

Unless you're on ethernet, then you suffer none of wifi's many downsides.


I don't get the point of this post - are you saying deauth attacks are fine and everyone should just abandon Wi-Fi?


I am saying not everyone is affected, only those who solely rely on wifi. Others have realized that a shared medium with questionable security is inherently unreliable and have other options at their disposal.


> Others have realized that a shared medium with questionable security is inherently unreliable

The real the8472 would have never said that. Then again, without you coming to pin your message on an actual bulletin board for everyone to see, we can neither confirm the authenticity of this message nor of its author. Implicitly its validity is questionable.

> have other options at their disposal

When I tried connecting all the phones, tablets, watches and other such devices in my house to Ethernet cables it proved to be a real hassle for my cat. Do not recommend.

There's value in convenience and it probably outweighs the drawbacks for all but a (very) few specific applications.


Your analogy is flawed, the validity of my argument is independent of whether I am who I claim to be. HN does not require strong identity verification to function.

As for the convenience, I think the same kind of reasoning brought us endless ads and tracking.


> Your analogy is flawed

Of course it isn't. The person making one argument against convenience chose convenience over the massive downsides of using the option with "questionable security" and that is "inherently unreliable". Hence the validity of the claim is undermined. Tomorrow your message might read that "WEP secured WiFi networks are the pinnacle of security and reliability" because dang decided it's a funny thing to do, with little recourse from your side.

The world is not only black or white. You're using the downsides of one extreme as an argument to support the other extreme. Do you realize now that they're both extremes and likely equally wrong?

There's always a balance between security and usability. A sweet spot where the system is convenient to use and still offers as much security as possible. Make it too inconvenient and it's either not used at all or people just end up circumventing all the controls to get that convenience. And this happens ad hoc, uncontrolled, which is worse.


You seem to mistake this for an either-or argument. I said that people who realize that wifi is unreliable and insecure will make sure to have other options at their disposal. That does not rule out using wifi when convenient and appropriate (e.g. making a guest WLAN available to people who wouldn't trust your ethernet either).

But it should not be the only option since it can't be relied on due to its many problems. Deauth attacks aren't the only issue.


Ethernet is a shared medium as well if you want to talk to other devices on your network. So instead of deauth they do ARP poisoning.


But then they're already inside the house, so to speak. Your neighbors are unlikely to be cabled into your LAN.


True, but if their goal is to kick you offline then sending interference on the coaxial lines might disrupt certain cable providers.


Not in the same way that wifi is, where anyone outside the building can attack it. And even if your ethernet is under attack you have the advantage of being able to physically locate ports.


What's your thoughts on EMP attacks?


Lead vest should be worn around groin. Safety first.


Let me guess, you can also build a better dropbox with curlftpfs


I can think of 2 potential reasons but neither seems satisfying. The first would be state agencies testing attack vectors in real life. Would suck to send out an agent who commits their crime 100% flawlessly only for them to get caught by some unsecured doorbell or other random internet device. The second would be attempts to force increases in security through intentional hacks and sabotage.

Although if someone can think of better reasons I would love to hear it.


Maybe an unethical Wi-Fi manufacturer thought they were clever to deauth clients of APs with MACs not in their own range, to clear other traffic off the band they use and have their products perform better than others by means of sabotage.


That surely would be noticed in any sort of rigorous certification program.


What 'rigorous certification program'? Aren't the only regulations that they comply with FCC rules about creating/accepting interference, frequency ranges, and transmission power? These regulations do not have any say on what is actually transmitted on those frequencies.



You mean the kind not used by any vendor on Alibaba?


Before going all conspiracy, most likely it's due to a poorly-implemented WiFi-enabled widget.

There are devices that act as an AP, like the Chromecast. This is then used by a smartphone app to connect and configure the device. I don't think the Chromecast in particular is the culprit, but I wouldn't be surprised if a similar device was sending deauth packets due to an implementation mistake.


Devices like the Pwnagotchi (https://pwnagotchi.ai) make this ridiculously easy and really fun. It’s getting very popular. Definitely recommend giving it a go if you have spare raspberry pi zero lying around.


More likely bored teenagers discovering Kali than state agencies.

Rehearsals are done in controlled manner.


That’s really interesting. Did you ever publish a report on this? If you feel like it, please post a link. (Norwegian is fine.)


No report, been thinking about it.

Would then drive around with 4 devices collecting data on different channels simultaneously. With GPS and signal-strength you can calculate how often this is.

Been walking around in my neighborhood with a GPS-logger and a simpler setup (WiFi hopping to gather data). Found 4 houses where these signals come from in a 300m radius.


Would you have any recommendation for those of us without a Mac?


Boot Kali Linux from USB/CD or use a VM (that supports mapping USB): https://www.kali.org

Use a WiFi dongle that supports monitor mode, as described here: https://www.aircrack-ng.org/doku.php?id=faq#what_is_the_best...


Ah shoot, I was hoping to not have to buy something. But okay thanks!

Edit: Seems my card might actually support monitor mode, I'll probably give it a shot.



I'd suggest blackarch and archstrike. Archstrike is sometimes a little more up-to-date, but blackarch has more packages; you can use both if you want to, but be warned you may hit dependency version conflicts. You can run the aircrack-ng suite (specifically the aireplay-ng tool) to deauth after that. Linux is a better choice anyway because many monitor mode drivers work only on Linux.


> a lot of people with equipment sending deauthentication packages

Why do they do that?


Why might this be a phenomenon in Oslo?


Probably a problem elsewhere also, I just haven't cooperated with someone to check.


I am NOT a lawyer, but I checked how much of what the article describes is illegal in Germany. The answer is just about everything.

Installing a doorbell with a camera that looks into the hallway is illegal. You may not record what happens in public spaces on security cameras. And even inside your home, you still have to ask for consent to make an audio recording. Otherwise, this constitutes a crime.

Also, sniffing Wifi for data not aimed at you is illegal. The law is quite broad and covers unencrypted data. Sniffing MACs of devices that don't communicate with your own network falls under that. Sending deauthentication packages using those MACs proves the intent to deliberately obtain that data. This might even result in a prison sentence. Deliberately interfering with the operation of a Wifi network may also constitute computer sabotage, but the bar for that is higher.

EDIT: I also forgot: creating the program that is intended to specifically interfere with the doorbell is also punishable. This is one of the rare cases where the preparation of a crime constitutes a separate crime in itself. The same goes for the distribution of such tools.


You might find it interesting that some German universities [1] actively send out deauthentication packages to clients that connect to SSIDs that are not on their internal whitelist to "protect" the clients from "rogue APs".

A lecturer from my Hochschule was fired for protesting this practice.

[1]: https://meinehochschulebehindertdaswlan.de/


This letter from the BNetzA, which is in charge of regulating the use of the EM frequency spectrum in Germany, specifically states that sending deauthentication packages to disrupt other wireless networks is not allowed. It's in German, naturally:

https://meinehochschulebehindertdaswlan.de/BnetzAStellungnah...


From a network admin's perspective, this is necessary to protect the integrity of the air space. It discourages the use of rogue APs which wreck the channel utilization for everyone. It's common to find this feature in enterprise wifi systems. Some actively spoof the SSID of the rogue AP in order to draw the client back to the institution's network.


And what about the people who don't/can't use the institution's network? Why should the institution be allowed to effectively monopolize the unlicensed airwaves?


If I was in some kind of debate club or moot court or something like that and got assigned to side that is supposed to argue for allowing this, I'd probably look into some kind of property rights approach and make a distinction between radio waves transiting the property and radio waves that originate on the property.

The property owner could make not operating an access point on the property a condition of granting permission to enter the property. Someone who then operated an access point would be trespassing and they (and their access) point could be evicted. In other words, the property owner is already allowed to monopolize those unlicensed airwaves on their property.

If they choose to exercise this monopoly by using technical measures to stop other access points from working, rather than by physically evicting those access points, why should that make a difference as long as those technical measures do not interfere with access points not on their property?


>If they choose to exercise this monopoly by using technical measures to stop other access points from working, rather than by physically evicting those access points, why should that make a difference as long as those technical measures do not interfere with access point not on their property?

By the same argument, can I also ban cellphones from my property and set up cellphone jammers to enforce this ban? You're free to set up arbitrary "rules" and ban people from your property for it, but that doesn't mean you're deputized by the government to do whatever you want to enforce those rules.


Emergency calls are given a lot of special protections, and for this reason, you cannot.


Can you prove that you won't deauth people just outside your property? Probably not.


Why not? It's unlicensed, so it's a free-for-all. If we don't like that, the answer is to license it. Which doesn't seem better to me.


>Why not? It's unlicensed, so it's a free-for-all.

Unlicensed doesn't mean no rules. For example, even though 2.4 GHz is unlicensed, you're still subject to transmission power limits. In the US at least, there are also statutes against interference.

https://www.law.cornell.edu/cfr/text/47/15.5

https://www.law.cornell.edu/uscode/text/47/333


There are still many rules to follow when using unlicensed frequency ranges. So it's not free for all, really.


Too bad for the admins then that newer standards don't tolerate this fuckery.


In the US, that practice is black-letter illegal. A major hotel chain had to pay a rather large fine for doing exactly what you describe.[1]

There is no private property right to the radio frequency energy traversing someone's property. The owner / lessor of a property may not interfere in someone's use of the airwaves.

[1] https://www.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fin...


From a security/technology standpoint I do not see any gain in using deauthentication packets against others. Any (half decent) skilled enough attacker will find ways to counteract these (e.g. by enabling PMF/WPA3 or using a stronger signal) or just leaving the property if a movable end device is attacked. A network and end devices are secure by design or they are not. Separation of privileges, different accounts, multi factor authentication, certificates, modern protocols, no single password policy… Making users, superiors or yourself believe that one is “secure” because of using deauthentication packets will actually result in the opposite because it will hide the existing structural security issues in your network/end devices and give a false sense of security.

What remains as an argument is the service quality aspect. One wants to deliver the best wireless quality, either because of one's own quality needs or because of a production environment. In either case one is using an unlicensed band that still has certain constraints based on the country. The choice of technology might just not be the right one for these needs. How about 5G? I can imagine that one can define certain rules only for a private property though. Radio waves usually do not stop at property fences. One would need to convince a court that it is 100% certain that deauthentication packets can not reach others outside of the property. I guess if the property is big enough that will work, or one puts up a Faraday cage around the property or building. Still one can not send with more power as it might have health consequences for employees or visitors. Private property right is solely for how one uses the property and whom is given access to it under what conditions. It does not allow a completely new rule set that conflicts with the “surrounding” law (not to mention human rights). One can still not lawfully murder a person on their private property just because the own property rules allow it.

For public universities I do not see any way to implement wireless restrictions in any lawful way. Their properties are usually public for everyone. So making rules for employees and students that can not be enforced on visitors is probably against the principle of equal treatment. Then there is the constitutional Academic Freedom in most democratic countries. Not allowing researchers or teachers to freely choose the technology suited for their needs is probably against the constitutions of these states. Also students can not be denied access to a university because of such a rule set because they have freedom of choice where and what they want to study.

Last but not least, we discuss this because of a WPA design flaw that is fixed with PMF/WPA3. If we had not had this flaw to begin with, I guess we would never have had this discussion, as we do not have it for Bluetooth or wireless mice/keyboard combos or other wireless protocols that use the same frequency bands.

And finally I wonder about the mindset of the mentioned network admins. I can not agree if one assumes, just because an organization might have more people or more important ones or richer ones or has a higher building or …, that might is right, and enforces it by using design flaws in network protocols. This will eventually lead to an arms race with no winner at all.


> Also, sniffing Wifi for data not aimed at you is illegal.

Ugh, yuck, I hate when lawmakers write laws like that. What does that even mean? All WiFi that I can hear is aimed at me. That's how radio works.

No, I'm not being disingenuous or obtuse, this is a legitimate concern with the way we're allowing artistic liberty into the written law. It's really badly ambiguous, not to mention the ridiculous violation of autonomy that you can't listen to broadcasts you can hear is.


I'm reminded of early Unix, with default permissions that made one's files public, in the spirit of sharing. Well before one could Google, I wanted good examples of TeX vitas, so I searched all unprotected files of every math department server I could access. Some people were horrified to learn that this was possible or that I had done this.

That most people do not choose 802.11w is a similar state of ignorance. Yes these are public broadcasts. The laws are substitutes for more thoughtful engineering.

We have little privacy on the internet; that ship has sailed, through similar ignorance. It's worth worrying about doorbells, but that's not the big picture.


Poor word choice on my part. You are only free to capture and process information that is either broadcast without a target or addressed specifically to you in some form. And that makes total sense. There is some leeway in the interpretation so that the mandatory reception and decoding as part of the technical implementation are not illegal in themselves, but any further processing of data clearly addressed to someone/something else is not legal.


So when you are actually developing such a technical implementation, you must make sure you're in a Faraday cage?


In Belgium there's a similar law which almost prohibits the usage of Ring. In the law, there are two main usages of this kind of system. In case you want to use it to identify persons who ring your doorbell, you need to comply with the following:

- The camera can only be active when someone actually rings your doorbell

- You cannot store any images from this camera.

If the system you have installed doesn't abide by those rules, it falls under the more stringent camera surveillance law. That includes hanging up pictograms indicating camera surveillance, registering and obtaining permission,... and so on (gdpr becomes relevant).


I suspect that your rules are also the ones that the GP is subject to in Germany, since you actually can buy video doorbells here and use them at least without an Überwachung sign -- not sure about registration since I don't have one myself.


> You may not record what happens in public spaces on security cameras

In America this could be up for debate. Much of this kind of law depends on a "reasonable expectation of privacy", meaning that if anyone could see you there, it's not an issue to record or take pictures. An apartment hallway actually may or may not count as a public space, depending on whether or not the building is access controlled.


In America, as a rule, anything in public can be filmed.


It can be filmed, but audio may not be unless you are a party to the conversation. Doing so is a felony in many places.


This is incorrect, it is not a felony to record audio from a security camera in the US. Two party /all party consent only applies to confidential communications.


I am not incorrect.

Record audio at your peril: (This is re: New York)

http://www.dmlp.org/forum/newsgathering-law/new-york-recordi...

“...it is possible to violate the Wiretapping Act (and thereby commit a felony) by pointing a camera at a person speaking on a cell phone and creating an audio recording of part of the telephone conversation.”

Recording audio is always fraught with risk. You should avoid it, especially in indoor locations that you do not control.


One party/all party consent laws only apply to confidential communications, or put another way private conversations, not anytime a phone is used. If you can only hear one person speaking, it is not a conversation. And even if you can hear both people, like if they were on speakerphone, someone talking on speakerphone in a public place is not having a "private" conversation.


Isn't recording video equivalent to recording audio, as long as a potato chip bag is in view? (https://arstechnica.com/science/2014/08/researchers-reconstr...)


It’s a hard question because of the imprecision of the law. If it’s a potential problem, talk to counsel.


That depends on the state. In Florida, I had to put up notices that audio was being recorded in one room in order to hook up a microphone to a surveillance camera.


If you're not a party to a conversation, then one-party rules don't apply. I.e., in one-party States you can record any conversation to which you are a party, but you can't eavesdrop on conversations that you're NOT a party to.

This means you can't leave a microphone at a bus stop to record random conversations, say, not without a) owning the bus stop, and b) loudly announcing the presence of the microphone to all users of said bus stop. Replace "bus stop" with any public space. This also applies to private spaces as well, even when you're the owner. Thus you can have video surveillance at any office, but audio surveillance is generally a big no-no.


This does vary by U.S. state, though. Most are “one-party”, but some are “two-party”.

https://en.wikipedia.org/wiki/Telephone_call_recording_laws#...


GP refers to zero-party recording. I would be surprised if surreptitious (i.e., not announced) audio recording by non-parties were legal anywhere at all in the U.S.


depends on the state


Define public


Anywhere you don't have reasonable expectation of privacy.


Strange example - in a hotel, with an open window, on the 45th floor. If paparazzi with a telephoto lens can see you, it is considered fair game.


If you're standing in front of a window and can see out (and can be seen), you don't really have a reasonable expectation of privacy. This applies to my single floor single family residence. If I want privacy, I close the blinds and/or drapes.

As a matter of courtesy, I never aim a telephoto at windows. Paparazzi are an entirely different class though in that most have no "class" anymore it seems.


You don't have a practical expectation. Its reasonable to expect polite neighbors not to stare in windows, take photos etc. Used to be called a 'Peeping Tom' and was actionable. Nowadays we've become jaded?


This is a poor example for two reasons. The reasonable expectation of privacy standard is for audio, not images. And you do have an expectation of privacy in your own hotel room.


Not a Lawyer, but it looks like it varies by state. CA penal code 647 j makes this illegal even without entering the property, but mississippi code 97-29-61 does require entering the property.


Only the ring owner would get caught though


I need help with something much more nefarious. I know of a location in a downtown area where someone has set up a malicious wifi "thing". I'm guessing the PWNAGOTCHI since the device changes patterns and comes and goes? It has learned how to use deauth to do man-in-the-middle attacks and absolutely closed down wifi in a half block radius by sending RTC packets of 12 second wait times and also waiting for others to send RTC packets and transmitting over them. Businesses close to it have no wifi. As you move away, wifi starts to improve. And no, it's not flooded as there is plenty of open air time not being used by the many devices there.

Steps taken:

- Have talked to multiple business owners nearby and they can't figure out why their wifi won't work.

- Comcast Business is worthless and weeks of calls by business owners and multiple tickets have led to nothing.

- Have talked to the mayor of the town and their tech guy agrees something is wrong.

- A "smart guy" that works for the government doing security did a quick scan and said it was because one wifi was on a channel between 1 and 6 so the overlap was causing the problem... that wasn't it.

- Have approached university researchers to see if their students would be interested in looking at/for it. No response.

- Have walked with laptop watching signal strength and know roughly which building it is coming from.

From what I understand, there is NOTHING one can do to attack it, other than sending massive RF interference, which would be a crime in itself.

How the heck does one get rid of this thing? Any suggestions?


Find a ham. We go nuts on people polluting the airwaves. Even wifi. Most hams will know exactly how to help.



Yes, I told the people about this precedent. And the FCC. Not really my place to get them to call.

I think people don't believe a technical glitch is a real world problem. I've tried to tell them that it is definitely impacting their business (restaurants and cafes) and so there is in addition, a monetary impact, just as if someone was causing damage to their business that drove away customers.


Actually, numerous studies have shown that restaurants that offer wifi spend a surprising amount of time assisting customers with logging in, and the average sit time skyrockets when people are checking email instead of consulting the menu. If these aren't designated cyber cafes we're talking about, it could be good for business. On the other hand, the situation described here would drive me crazy and I would be fantasizing about picking locks and climbing on rooftops trying to find the evil little device.


My thought also. It might be a hotel or conference or somewhere the host can charge for wifi. That should narrow down the culprits.


Use the guide I posted here to locate the device responsible using the signal-strength in Wireshark (search for NKOM).

Could be you can break the device by flooding it with fake SSIDs, using aireplay-ng. A bit more technical but should be possible with every Mac or most WiFi dongles that support monitor mode (could be illegal).
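The comment above suggests locating the device by the signal strength of the deauth frames in the capture. The script below is an added example (not code from this thread or from the article) that automates that triage over a monitor-mode pcap: it groups deauth/disassoc frames by the transmitter address they claim, compares their RSSI with the RSSI of that BSSID's own beacons (a spoofer can copy the AP's MAC but not its signal strength), and flags floods. The pcap reader, radiotap walker and the constructed sample capture (MACs, RSSI values and timings) are all assumptions made up for the example; point `triage()` at a real capture file's bytes instead of `sample_pcap()`.

```python
"""Triage deauth/disassoc frames in a monitor-mode pcap (radiotap, DLT 127).

Groups frames by claimed transmitter (addr2), compares their RSSI with the RSSI
of that BSSID's own beacons and flags floods. A spoofer copies the AP's MAC but
cannot copy the AP's signal strength, so a wide RSSI gap points at a second radio.
"""
import io
import struct
from collections import defaultdict

DLT_IEEE802_11_RADIO = 127   # pcap link type for radiotap-wrapped 802.11
FC0_BEACON = 0x80            # frame-control byte 0: mgmt type 0, subtype 8
FC0_DISASSOC = 0xA0          # subtype 10
FC0_DEAUTH = 0xC0            # subtype 12
# radiotap fields this walker knows: bit -> (size, alignment); any other bit stops the walk
_RT_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2), 5: (1, 1)}


def parse_radiotap(buf):
    """Return (header_len, dBm antenna signal or None)."""
    ver, _pad, hlen, present = struct.unpack_from("<BBHI", buf, 0)
    if ver != 0 or hlen > len(buf):
        raise ValueError("bad radiotap header")
    first, off = present, 8
    while present & (1 << 31):                  # skip extended 'present' words
        present = struct.unpack_from("<I", buf, off)[0]
        off += 4
    signal = None
    for bit in range(29):
        if not first & (1 << bit):
            continue
        if bit not in _RT_FIELDS:
            break                               # unknown size: cannot walk past it
        size, align = _RT_FIELDS[bit]
        off = -(-off // align) * align          # fields are naturally aligned
        if bit == 5:
            signal = struct.unpack_from("<b", buf, off)[0]
        off += size
    return hlen, signal


def parse_frame(frame):
    """Return (fc0, addr2, reason) for beacon/deauth/disassoc frames, else None."""
    if len(frame) < 24 or frame[0] not in (FC0_BEACON, FC0_DEAUTH, FC0_DISASSOC):
        return None
    fc0, addr2, reason = frame[0], frame[10:16].hex(":"), None
    if fc0 != FC0_BEACON:
        if len(frame) < 26:
            return None
        reason = struct.unpack_from("<H", frame, 24)[0]   # reason code follows the 24-byte header
    return fc0, addr2, reason


def read_pcap(data):
    """Yield (timestamp, packet) from a classic pcap of either byte order."""
    f = io.BytesIO(data)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(f.read(4))
    if endian is None:
        raise ValueError("not a classic pcap")
    *_, linktype = struct.unpack(endian + "HHiIII", f.read(20))
    if linktype != DLT_IEEE802_11_RADIO:
        raise ValueError("need a monitor-mode capture with radiotap headers")
    while len(hdr := f.read(16)) == 16:
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", hdr)
        yield sec + usec / 1e6, f.read(incl)


def triage(pcap_bytes, window_s=10.0, flood_threshold=20, rssi_gap_db=15):
    """Per claimed transmitter: counts, peak frames per window, RSSI of deauths vs own beacons."""
    deauth = defaultdict(lambda: {"times": [], "rssi": [], "reasons": defaultdict(int)})
    beacon_rssi = defaultdict(list)
    for ts, pkt in read_pcap(pcap_bytes):
        hlen, rssi = parse_radiotap(pkt)
        parsed = parse_frame(pkt[hlen:])
        if parsed is None:
            continue
        fc0, src, reason = parsed
        if fc0 == FC0_BEACON:
            if rssi is not None:
                beacon_rssi[src].append(rssi)
            continue
        rec = deauth[src]
        rec["times"].append(ts)
        rec["reasons"][reason] += 1
        if rssi is not None:
            rec["rssi"].append(rssi)
    mean = lambda xs: sum(xs) / len(xs) if xs else None
    report = {}
    for src, rec in deauth.items():
        times, peak, lo = sorted(rec["times"]), 0, 0
        for hi, t in enumerate(times):              # sliding window over timestamps
            while t - times[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        d_rssi, b_rssi = mean(rec["rssi"]), mean(beacon_rssi.get(src, []))
        gap = None if d_rssi is None or b_rssi is None else abs(d_rssi - b_rssi)
        report[src] = {"count": len(times), "peak_per_window": peak, "reasons": dict(rec["reasons"]),
                       "deauth_rssi": d_rssi, "beacon_rssi": b_rssi,
                       "flood": peak >= flood_threshold,
                       "spoof_suspected": gap is not None and gap >= rssi_gap_db}
    return report


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _radiotap(rssi):
    """11-byte radiotap header with Flags, Rate and dBm antenna signal present (bits 1, 2, 5)."""
    return struct.pack("<BBHI", 0, 0, 11, 0b100110) + bytes([0, 2]) + struct.pack("<b", rssi)


def _frame(fc0, src, dst, reason=None):
    body = b"" if reason is None else struct.pack("<H", reason)
    return bytes([fc0, 0]) + b"\0\0" + _mac(dst) + _mac(src) + _mac(src) + b"\0\0" + body


def sample_pcap():
    """Constructed capture (not real traffic): AP beaconing at -72 dBm; a spoofer deauthing 'as' it at -38 dBm."""
    ap, other, sta, bcast = "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee", "02:66:77:88:99:00", "ff:ff:ff:ff:ff:ff"
    pkts = [(i * 0.1024, _radiotap(-72) + _frame(FC0_BEACON, ap, bcast)) for i in range(10)]
    pkts += [(0.05 + i * 0.1, _radiotap(-38) + _frame(FC0_DEAUTH, ap, sta, 7)) for i in range(30)]
    pkts.append((2.0, _radiotap(-70) + _frame(FC0_DEAUTH, other, sta, 3)))   # one ordinary deauth
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIO)
    for ts, pkt in sorted(pkts):
        out += struct.pack("<IIII", int(ts), round(ts % 1 * 1e6), len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    for src, info in triage(sample_pcap()).items():
        print(src, info)
```

Walk with the capture running and watch `deauth_rssi` for the flagged BSSID climb as you approach the real transmitter; the beacon RSSI of the genuine AP stays where it was. With 802.11w enabled the forged frames still show up in the capture (the Protected bit is what clients check), so the counter is also a cheap way to confirm someone is still trying.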


I did follow it and found roughly where it is. But, have not talked to that landlord. It is a 3 story building with a handful of apartments in an old stone and brick building locked at the ground floor (i.e. reflection is a problem but I imagine signal strength outside the door would be a good indicator once inside).

Not sure about breaking the device by flooding with SSIDs? Sorry, not my area here. From what I know, it isn't on any network (it does appear to have a network with an SSID though), but it is attacking up and down all nearby devices regardless of channel or SSID.


"Flooding with SSIDs" means generating lots of fake SSIDs each second to trick that device into attacking those fake SSIDs and keep it busy. Keep it generating even more (use several wifi adapters) until the other device goes crazy. You can use some of the tools (like aireplay) from the aircrack-ng suite for generating fake SSIDs.


"I did follow it and found roughly where it is. But, have not talked to that landlord. It is a 3 story building with a handful of apartments in an old stone and brick building locked at the ground floor (i.e. reflection is a problem but I imagine signal strength outside the door would be a good indicator once inside)."

Have you considered that what you are seeing is unintentional ? I myself have set up many different (RX only!) experiments in GNU Radio, etc., and had to leave them sit for weeks at a time while I was busy with actual work.

Maybe someone was tinkering/playing/experimenting and just left it on ? I would suggest putting up a polite, but loud and eye-catching one page sign at the entrance to this building alerting someone that they are dramatically impacting their neighbors.


Look for the one SSID that is unaffected and I'd bet you'd find the culprit. It's possible that someone set it up solely to screw up WiFi for everyone else but I'd bet money that the reason why they did that is specifically so that the spectrum is left wide open for themselves. WiFi in an apartment right next to a bunch of businesses generally sucks because of the density, it's probably just some selfish script kiddy thinking they're some uber l33t hacker and thinking they can't be caught screwing over their neighbor's WiFi.


Contact your local HAM group.

They do this kind of thing - it's called a "fox hunt".


Confused, it seems you realize this might be a crime, but you've talked to everyone except the most obvious point of contact—law enforcement. Is there a reason that's not an option?


"There you go, giving a fuck when it's not your turn to give a fuck" --Bunk Moreland, The Wire

Finding a cop that's willing to go out on their own to find a potentially unsolvable crime is going to be pretty hard. There are way bigger cases they are already tasked with, making them too busy to actually get interested in this kind of non-violent/non-life-threatening case. 1st world problem: my wifi isn't working because someone else's wifi is being mean.


While I agree somewhat, most decent officers will follow up if you give them enough info and make a point to keep updating them. We got a stolen phone back this way by being the "detective" and having the officers knock on candidate doors. Took about 4 hours, and their knowledge of the suspects history, family, and whereabouts was invaluable.


Agreed. But evidence? I've tried to convince the businesses to talk to the police. But, what the heck do the police/businesses do? How do you prove that there is a crime? They probably would believe me and would probably knock on doors and probably get a warrant. Then what? I'm not a professional cyber security person so how do I prove that device if found is causing damage?

Also, the device is intermittent. I can collect traces, but who do I send them to?


I called the police once when I noticed a wifi AP that was MiTM'ing traffic at the local Kroger. They sent someone out and said it was a misconfigured system in the Deli.

Guy was real nice and seemed to understand what I was worried about.


In the US, what law makes it illegal to MitM network traffic using a WiFi evil twin or other technique? I'm genuinely curious because I was under the impression there are generally no such statutes and that the only thing that would be illegal is if the MitM used found credentials.


It doesn't have to be illegal for the cops to check it out. Sometimes it scares people off.

I had an officer acquaintance who said he pulled over a car with a shotgun in the back seat and asked who it belonged to, nobody was willing to claim it. He impounded it as abandoned property despite it being perfectly legal to possess.


Possibly the CFAA?


The CFAA only applies to protected computers and intrusion into those computers. Watching network traffic or modifying network traffic in a MitM position, without using found credentials, doesn't seem to rise to the level of a computer intrusion. Of course, it's unlikely a protected computer is going to be connecting to a public WiFi AP in the first place..

https://en.wikipedia.org/wiki/Protected_computer


> The only computers, in theory, covered by the CFAA are defined as "protected computers".

> In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the interstate nature of most Internet communication.

https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#P...


Have you considered contacting the landlord for that apartment building?


Contacting the police about any computer-related crime is just as (if not more) likely to land you in their sights as it is to resolve the problem. Cops in the US routinely pin crimes on people to close cases and juke their stats.


In Norway I did that, but the equivalent of the FCC could only look at signal strengths and radio spectrum (not data); it was the equivalent of the NSA that had the power to look into network traffic.


Turn on protected management frames on the equipment, should make it at least more difficult to deauth.
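On hostapd-based APs (including OpenWrt) the switch for protected management frames is `ieee80211w`: 0 = off (the default), 1 = optional, 2 = required. The script below is an added example, not from this thread or the article, that reads a hostapd.conf and reports the settings that leave deauth/disassoc forgeable: PMF off or merely optional, a WPA1/TKIP configuration that cannot carry protected management frames, or WPA3-SAE without the PMF it requires. The two embedded configurations (interface names, SSID, passphrase) are constructed for the example; the weak one is a typical default next to a hardened one.

```python
"""Audit a hostapd.conf for protected management frames (802.11w / PMF).

hostapd: ieee80211w=0 off (default), 1 optional, 2 required. PMF is an RSN
(WPA2/WPA3) feature that needs a CCMP pairwise cipher; WPA3-SAE requires it.
"""


def parse_hostapd_conf(text):
    """key=value lines; later keys override earlier ones, comments and blanks are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def pmf_findings(conf):
    """Return a list of problems; an empty list means every client gets protected management frames."""
    findings = []
    pmf = conf.get("ieee80211w", "0")                       # hostapd default is 0
    akms = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    pairwise = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    try:
        wpa_bits = int(conf.get("wpa", "0"))                # bit 1 = WPA, bit 2 = RSN/WPA2
    except ValueError:
        wpa_bits = 0
    if pmf == "0":
        findings.append("ieee80211w=0: deauth/disassoc frames are unauthenticated and trivially forged")
    elif pmf == "1":
        findings.append("ieee80211w=1: PMF optional; clients that do not negotiate it stay deauthable")
    elif pmf != "2":
        findings.append(f"ieee80211w={pmf}: not a valid value (0, 1 or 2)")
    if not wpa_bits & 2:
        findings.append("wpa must include RSN (wpa=2): PMF is not available for WPA1-only networks")
    if "TKIP" in pairwise:
        findings.append("TKIP pairwise cipher cannot carry protected management frames; use rsn_pairwise=CCMP")
    if "SAE" in akms and "WPA-PSK" not in akms and pmf != "2":
        findings.append("SAE-only (WPA3) networks require PMF; set ieee80211w=2")
    return findings


# Constructed sample configurations (hypothetical interface, SSID and passphrase).
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery
rsn_pairwise=CCMP
# ieee80211w not set: hostapd defaults to 0
"""

HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
sae_password=correct horse battery
rsn_pairwise=CCMP
ieee80211w=2
"""

TRANSITION_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=correct horse battery
sae_password=correct horse battery
rsn_pairwise=CCMP
ieee80211w=1
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("transition", TRANSITION_CONF)):
        print(name, pmf_findings(parse_hostapd_conf(text)) or ["ok"])
```

`ieee80211w=2` only helps clients that implement 802.11w; older IoT gear that does not will fail to associate, which is why the transition configuration with `ieee80211w=1` exists, and why it still leaves those same clients deauthable.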


Seems widespread; sad state of affairs... wonder how many locations suffer from (mis)configured APs battling each other..

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortig...

"In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients."


Rogue APs are generally defined as APs that you don't manage but have been connected to your wired network. Obviously this could be a significant security risk. I don't think they're sending deauth messages to every client/AP they see.

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortig...


It looks like it allows you to mark any AP as "rogue" even if they're not detected as "on-wire" despite that not being the purpose of the feature.


I would define "rogue" as any AP intentionally using the SSID of my network to trick users into connecting to it instead of my own infrastructure.


Did I read the article correctly in that it is possible to disrupt WiFi networks to make devices disconnect from it, without breaking its encryption? Wow.


So easily that a tamagotchi style game has been made of it and other wifi attacks https://pwnagotchi.ai/


hadn't seen this one yet and just got a zero, thanks for posting this


Not only that, you don't have to be in close range when attacking; a weak signal that won't get you connected or even shown up in the list is enough to make it work. You can stay even farther if you have high gain antennas, as this attack doesn't require your response packets to work, you just have to send the target AP one-way fake frames.


Regardless of any encryption, wireless can always be disrupted via jamming. Even if management frames were encrypted you can still disconnect devices by jamming the signal.


The power requirements for jamming are much higher. Making it much easier to detect a jammer, and harder to run one. Also quite a bit more illegal.

Besides, jamming has a much less targeted effect than a de-auth.


When talking about home security I doubt the attacker cares much about legality, and detection requires specialised equipment, by the time it is brought in the robbery has already been committed and the attacker is long gone.


Jamming is not as useful as a targeted attack, so this still seems like a defect in the WiFi spec.

For example, an attacker may wish to keep their network working while disrupting others (there is an example of Marriott hotels doing this linked elsewhere in the comments here).


Enterprise wifi systems from Cisco, xirrus, ruckus and others implement this feature for rogue access point suppression.


Wait what? Enterprise WiFi Systems are actively attacking each other if you put them close enough together and they overlap on some details like frequency band?

... skims search result for "rogue access point suppression"

wow this is just stupid


It's been a feature of enterprise WiFi for a long time. Airespace had the functionality before their acquisition by Cisco, that was March of 2005.

Edit: minor grammar clarification.


Though I don't see this feature in my environment anymore I am guessing it was pulled by Cisco after https://boingboing.net/2014/10/03/fcc-fines-marriott-for-jam...


Yup. You can buy a little open source ESP8266-based watch to do it too: https://dstike.com/


Unless the devices and AP support 802.11w, yes.


Temporarily. Most devices (rescan and) reassociate when this happens. Obviously this is enough to break devices that assume that the link is always up and never retry failed transmissions.


If you keep sending disassociate frames, most devices will continue dropping off and spending time reassociating. If you don't have significant quantities of local storage then that's enough to break video streaming.


When I was an edgy kid staying in hotels with shitty WiFi on vacation with my family, I would use a tool like this on Android to boot people off the WiFi and “clear up” some room.

Not proud of it today of course, but fun times ;)


I think the title should be changed to something like "how to protect your privacy with Wifi deauthentication".

Incidentally, I was considering one of these devices as an addition to my home automation setup, then I realized that it would not be cool to monitor every person getting out of the elevators on my floor.


I suppose the idea of the article is to resist your neighbours monitoring you as you come home? That is actually a pretty good idea.

Also, deauth isn't anything new and you don't have to 'hack' anything in aircrack-ng since all of the tools for this are available out of the box, with nice configuration to select what has to be included and what excluded from deauth.


If you want to do this against arbitrary endpoints without knowing the channel they're on you can't just parse airodump-ng output and pass that to aireplay-ng - it takes too long. The hack is just to automate this within the same process.


What if someone were to offer you, oh, $50/mo for that feed?


Do you think $50 the going rate to convince the average person to record their neighbors?


Does deauthing it actually stop it from recording and later uploading?

Wouldn’t the Ring just buffer and send once it rejoined the network?


I doubt Ring devices have the local storage to do this.


> The industry doesn't seem to have learned from this.

I think industries follow the money. If the end user doesn't absolutely demand security features, then there won't be such features. Typically people who obsess about security build a product that provides security as a product (vs. a camera as a product).

The guy who wrote Minix makes this argument (and no, he doesn't dislike Linus Torvalds): There are solutions to security problems, but you need to be interested in them in the first place. The military for example is interested in microkernels because in their case security is critical. Minix I believe is written more for reliability (e.g.: uptime) and (better) security comes as an added benefit.


People send deauth packets just for fun, as part of social networking. While it is fun for the sender, those that are affected are probably very annoyed.

https://pwnagotchi.ai/


Just beware that in many jurisdictions using that thing on other people's devices is punishable by serious jail terms. Sometimes even possession of such a device.


> The most interesting one here is the deauthentication frame that access points can use to tell clients that they're no longer welcome. These can be sent for a variety of reasons, including resource exhaustion or authentication failure. And, by default, they're entirely unprotected. Anyone can inject such a frame into your network and cause clients to believe they're no longer authorised to use the network, at which point they'll have to go through a new authentication cycle - and while they're doing that, they're not able to send any other packets.

Anyone has background info on why the hell WiFi spec is designed this way?


The wifi alliance has a long history of failing when it comes to security audits and not doing public RFCs


A man-in-the-middle attack is what can happen here. Deauth and then the device tries to reauth. At that point, the attacker can pose as the router and collect the password hash. The WiFi spec has serious problems.


WiFi doesn't work the way you're claiming. You can use Deauth to be obnoxious/DoS but MITM could be accomplished without Deauth (via higher signal strength + cloned SSID) and WiFi Auth doesn't involve sending a "password hash" over the air that can be "collected."

WiFi is protected via PSK (pre-shared [encryption] key), public cryptography (via CA generated key-pairs), or RADIUS. With RADIUS auth you may be able to harvest the username but the password is used as a PSK which is a shared secret between the client and RADIUS server. This is a two way check (i.e. the client confirms the RADIUS backed WiFi AP has the password too). After they both confirm each other has the password, a different encryption key is used.

There's no WiFi Auth protocol that I know of that involves sending a password over the air (hashed or otherwise).


Absolutely false: the PTK is sent over the air and is constructed from a hash of the PMK, client/AP MAC, and client/AP Nonce. The attack the parent comment is describing is exactly why WPA3 was made with SAE. One need only capture 2 packets of the initial handshake to start offline cracking by comparing MICs and then you can decrypt the entire conversation since there was no perfect forward secrecy in WPA2 and older.

Also what you describe with RADIUS is incorrect as well but there are too many ways to configure 802.1x and RADIUS to cover all of why in a comment. Overall it is considered safer than WPA2 though so the conclusion is sound.


> Absolutely false

Let's first off go back to what I was replying to:

> At that point, the attacker can pose as the router and collect the password hash.

By claiming my correction is "absolutely false" you're asserting that the above statement is "absolutely true." But even your technically unsound correction doesn't actually address the underlying inaccuracy of the original statement or why you seemingly believe it is "absolutely true."

It is also pretty clear from your reply that you're attempting to muddy the waters by conflating the PTK with the PSK or any other "password." The PTK isn't a password. It isn't like a password, and in order to derive it you need additional information which you need to attack (which is easier than attacking the PSK itself, thus WPA3's improvements, but doesn't make the above statement technically sound or true).

Your post reads like you decided to correct before having any corrections to actually make then tried to muddy the topic as much as possible in the hope that others would be fooled. Plus is "collect the password hash" really a hill worth dying on for WiFi Auth? That's obviously an unsound technical claim, that isn't how the protocol works at all (and you seemingly must know that given your knowledge).

> Also what you describe with RADIUS is incorrect as well but there are too many ways to configure 802.1x and RADIUS to cover all of why in a comment.

So it is "incorrect" because I simplified it rather than describing the process in intricate technical detail? And you won't point out why it was "incorrect" because it is too technically difficult..? K.


> > At that point, the attacker can pose as the router and collect the password hash.

> By claiming my correction is "absolutely false" you're asserting that the above statement is "absolutely true."

Correct.

> technically unsound correction

Please explain how.

> It is also pretty clear from your reply that you're attempting to muddy the waters by conflating the PTK with the PSK or any other "password."

The PMK is part of the PTK hash. When using a PSK the PSK = the PMK. Not much to conflate, the PTK is a hash of the password with other variables. Exactly as I explained.

> in order to derive it you need additional information which you need to attack

I already explained how the rest of the information needed to derive the PTK is sent in the handshake frames.

> Your post reads like...

Please stick to talking about WiFi authentication.

> Plus is "collect the password hash" really a hill worth dying on for WiFi Auth?

Prior to WPA3, yes - as explained already.

> So it is "incorrect" because I simplified it rather than describing the process in intricate technical detail?

It was incorrect because the password isn't used as a PSK so cracking the PTK gets you a nonce instead of the user password.

> And you won't point out why it was "incorrect" because it is too technically difficult..?

Given we are still trying to agree how the 4 way handshake works and what parts get hashed in it, yes - it is.

.

https://www.wifi-professionals.com/2019/01/4-way-handshake

https://security.stackexchange.com/questions/66008/how-exact...

https://www.aircrack-ng.org/doku.php?id=cracking_wpa
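The back-and-forth above is about what a sniffer actually sees during a WPA2-PSK 4-way handshake and what can be done with it offline. The script below is an added example (not from this thread, the article, or aircrack-ng) that carries the derivation through with the standard 802.11i constructions: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096), PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces), and the message-2 MIC = HMAC-SHA1 keyed with the KCK (the first 16 bytes of the PTK) over the EAPOL-Key frame with the MIC field zeroed. `capture_handshake()` is a constructed stand-in for a real capture (MACs, SSID, passphrase and nonces are made up); `guess_passphrase()` shows the offline check against candidates that the linked aircrack-ng page describes.

```python
"""WPA2-PSK 4-way handshake: PMK -> PTK -> KCK, and the message-2 MIC check.

What crosses the air: ANonce, SNonce, both MACs and a MIC keyed by the KCK. The
passphrase does not, and neither does a hash of it on its own; an offline guess
must redo PBKDF2 for every candidate and compare MICs.
"""
import hashlib
import hmac
import os
import struct

# EAPOL hdr(4) + desc type(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFF = 81
NONCE_OFF = 17


def pmk_from_passphrase(passphrase, ssid):
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, first 64 bytes."""
    return b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)); KCK is PTK[:16]."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_key_mic(kck, eapol_frame):
    """Key descriptor version 2 (CCMP): HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFF] + b"\x00" * 16 + eapol_frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, mic=b"\x00" * 16, key_data=b""):
    """Minimal EAPOL-Key message 2: RSN descriptor, key info 0x010a (version 2, pairwise, MIC bit)."""
    body = (struct.pack(">BHH", 2, 0x010A, 0) + struct.pack(">Q", 1) + snonce
            + b"\x00" * 32 + mic + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body


def capture_handshake(passphrase, ssid, ap_mac, sta_mac):
    """Constructed stand-in for a sniffed handshake: ANonce from message 1, message 2 with a valid MIC."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2 = build_msg2(snonce)
    msg2 = msg2[:MIC_OFF] + eapol_key_mic(ptk[:16], msg2) + msg2[MIC_OFF + 16:]
    return {"ssid": ssid, "ap": ap_mac, "sta": sta_mac, "anonce": anonce, "msg2": msg2}


def guess_passphrase(capture, candidates):
    """Offline check: recompute the message-2 MIC per candidate; return the first match or None."""
    snonce = capture["msg2"][NONCE_OFF:NONCE_OFF + 32]
    mic = capture["msg2"][MIC_OFF:MIC_OFF + 16]
    for cand in candidates:
        pmk = pmk_from_passphrase(cand, capture["ssid"])
        ptk = derive_ptk(pmk, capture["ap"], capture["sta"], capture["anonce"], snonce)
        if hmac.compare_digest(eapol_key_mic(ptk[:16], capture["msg2"]), mic):
            return cand
    return None


if __name__ == "__main__":
    cap = capture_handshake("correct horse battery", "HomeNet",
                            bytes.fromhex("021122334455"), bytes.fromhex("026677889900"))
    print(guess_passphrase(cap, ["password", "letmein", "correct horse battery"]))
```

Two points the code makes concrete: the 4096-round PBKDF2 is per candidate and per SSID, which is the only thing standing between a captured handshake and a weak passphrase; and every input to the PTK except the PMK is in the clear, so a deauth that forces a fresh handshake is all an attacker needs to collect them.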


I think you’re wrong on this. In the WPA handshake, you sniff the hashed password. You start this by first deauthing them off the network. See https://en.m.wikipedia.org/wiki/Wi-Fi_deauthentication_attac....


I’m not asking for an explanation of what the problem is (and your explanation is wrong), I’m asking about why WiFi spec is designed with this very specific, seemingly obvious flaw (anyone can fake deauth to DoS anyone else). I doubt this wasn’t considered during the design process, and I don’t think the rationale is “screw you”, so there’s gotta be a reason.

Edit: According to other comments, it seems that “spoofed” deauth does have legit use cases (other than DoS’ing neighbor’s internet of shit devices).


The "legit" use cases people found for it were unlikely to be the reason the protocol was designed that way. Remember 802.11 came out in 1997. In 2004 WPA2 was released and allowed for protected management frames but no devices/users cared enough at the time. Now in 2019 users are more security aware and encryption is cheap so WPA3 requires it.


The proper thing to do here would be to call a HOA meeting to decide whether or not devices like these should be allowed in the common spaces. Typically a HOA will have pretty strict rules in the articles and household rules about what you can and can not do in common areas. Another angle is that you may live in a place where two party consent is required for recording, this is not a public space ('the street') nor is it a private area (the dwelling of the owner of the device).

Running this software is likely illegal and, depending on the jurisdiction, might be anything from a misdemeanor to a crime.


Does that mean you can monitor when someone is pushing your neighbors' ring bell?


You can certainly detect when your neighbour's doorbell is streaming video, yes.


Interesting, you could use it to turn your neighbors devices into unintentional motion detection sensors without them ever knowing. You could use it for foot traffic analysis or something.


He doesn't describe an attack, he describes literally what 802.11 was designed to do. An attack is forcing a deauth and then stealing the 4-way handshake data and, say, cracking WEP. Which is why WEP was decommissioned ... checks notes ... 15 years ago.

No need to edit aircrack-ng, WireShark does what he did natively (filter out and set channels), and a good realtek chipset allows you to set the scan interval so you can cover more channels (which is why the new ALFAs suck).

Also the DTIM and keepalive can be set such that the MCU can sleep while the phy link maintains a connection without a costly handshake, esp. if using TLS <1.3 to talk to the cloud. Reconnecting costs a shit ton of energy so they usually don't disconnect.

Hacking Wi-Fi has become exceptionally more difficult, as noted by the slow dating of materials at DefCon's WiFi Village over the past 8 years: cracking WPA2 is basically so hard no one bothers, even in CtF games.


Denial of service is also a type of attack.


Does anyone here believe there is now a market for securing the masses against the obvious gaping security issues associated with these devices?

"Smarter Home Networks" and creating a business around bolstering security on the slew of IoT devices available today.


I'm not familiar with these devices. Are they not capable of caching a little (15 seconds or so) of recorded video (or much more audio) for sending later when it re-auths with the access point?


Probably, but it would block the alerting feature they highlight in their ads. That said, I find motion detection alerting to be useless on outdoor-facing cameras due to vegetation, weather, and wildlife. The false positive rate makes it annoying.


I've said it before and I'll say it again:

20+ years ago when I was a Windows sysadmin, you could immediately discern the technological savviness and technological maturity of an individual by looking at their system tray:

The number of little icons in their system tray was inversely proportional to their level of this kind of technological maturity.

The system tray of 2019 is connected/smart/cloud devices in ones home.


Depending on where you live, your neighbors recording audio may be illegal and you should confront them about it https://www.southerncaliforniadefenseblog.com/2018/04/do-rin...


Unlikely. Devices installed for security purposes cannot trigger wiretapping charges since there's no reasonable expectation of privacy in a public place and no intent to record confidential conversations in the first place.

Either way, it's not a well written post. I'd shred it here but the comments below it already cover what I would have said.


> Devices installed for security purposes cannot trigger wiretapping charges since there's no reasonable expectation of privacy in a public place

These Ring devices are also installed outside of the US. The law is entirely different in other countries. A statement such as "no reasonable expectation of privacy": why not? Just because people could record and film you doesn't mean it's allowed or that it's ok.

For the Netherlands: You cannot just have a camera recording the public. Though there's a bit of leeway, meaning if you have a camera recording your property it's logical that it'll record a bit of the road. You just have to minimize that bit. Interestingly enough, police actually encourage the installation of Ring cameras (so specifically Ring over anything else). It seems you can install these if it's just in front of your door and property. However, if they're in a flat (where neighbours need to walk by your door to get to their door), then you cannot have these.


> A statement as "no reasonable expectation of privacy": why not? Just because people could record and film you doesn't mean it's allowed or that it's ok

In the US, it is allowed and is OK, though. Legally, you do not have a right to privacy if you are in a public location as a hallway in an apartment building would be considered. Whether or not it is a nice or considerate behavior is moot when it comes to the law.

Edit: it seems findings have gone both ways in the US for expectation of privacy in apartment buildings: https://illinoislawreview.org/print/vol-2018-no-3/fourth-ame...


I understand that it's US and per law, but "no reasonable expectation of privacy" is more of a judgement. It should always mention that it's due to the law.

The statement probably is entirely reasonable if you're born in the US (as you're used to it). Other countries have other expectations of what's reasonable and normal.

The often repeated "no reasonable expectation of privacy" in a public place to me is entirely odd. It's also something that could change (whether such a change/perception is in e.g. NL or in the US).

Technology makes things possible that weren't possible before at all. Meaning, you can store camera recordings for a ridiculously long time. From my building's security (again: NL) I understood that legally they cannot store such recordings over 28 days. Above that things become difficult (possible but quite a hassle).

In the past people could see what you're doing in a public space. But nowadays you can easily be recorded and that recording could be stored forever. That was never the case before. As a result, things such as "no reasonable expectation of privacy" should change with the changed circumstances, IMO.


In US privacy (case) law, "reasonable expectation of privacy" is a specific term that determines whether it's okay to record things. There is a lot of case law around what does and doesn't imply a reasonable expectation of privacy.

Hence people are using the term in a specific legal way, rather than saying "I don't think it is reasonable to expect privacy here", they are saying "I think legal precedent would make a judge rule there is no 'reasonable expectation of privacy' here".


Hey bkor, thanks for the interesting information on CCTV laws in the Netherlands. I am curious from a photographic perspective. What if I visit NL and I take some photos of buildings and happen to capture pictures of the public? (It's on my list of places to see someday.) Can you not post those photos publicly online without consent?

Generally, the US protections for photography of the public reach pretty far; nice legal outline here: http://www.krages.com/ThePhotographersRight.pdf

I found this fun guide I think others would enjoy while I was looking up this topic: https://commons.wikimedia.org/wiki/Commons:Country_specific_...

Sadly I don't find much on NL. It would be cool to build a chart to contrast and compare laws in each nation as they pertain to video/photo/audio recording in public.


> For Netherlands: You cannot just have a camera recording the public. Though there's a bit of leeway, meaning if you have a camera recording your property it's logical that it'll record a bit of the road. You just have to minimize that bit.

This is simply not at all true. You can film anything you want in public. I believe the laws around publishing photographs or films of other people are a bit more complex though.


Pointing a permanent security camera at a public space as a private person really is illegal.

This is different from occasionally using a handheld camera.

Because one is surveillance that is meaningfully different from what you could do just by watching someone, and the other is not (this is my argument, not sure whether this is the legal argument in NL)


Well, that scenario is prohibited by the GDPR (though I'm not sure if different authorities would have differing views on that). But the statement that you cannot film public scenes or the people who happen to be in them is simply false.


This article is about a Ring camera and something installed on a door. These things are static and do not move around. That is what I was referring to.

You could read this as something else, but IMO it was pretty obvious what I was referring to. And for static cameras I'm entirely correct. For other cameras there's been various new restrictions for them as well.

Your summary of "cannot film public scenes or the people who happen to be in them is simply false" for one distorts what I wrote; secondly, if you do this with a static camera, you will have a problem and your statement is _not_ true. Friends had a "crazy lady" with cameras pointing at public space. It took a while, but eventually the cameras were removed. Something similar you can find via Google, plus (work) building security mentions the same.


Most of Western Europe has pretty strict surveillance laws. The GDPR applies even when recording people in private space, e.g. visitors, employees or ATMs inside banks. Recording public space on a permanent basis is a big no-no. Accidentally recording strangers for a one-off video is no problem.

Then again, after the Brussels terrorist attacks, the police managed to reconstruct the path of a terrorist pretty well by puzzling together all kinds of recordings, so my impression is enforcement is lax as long as nobody complains.


Wrong. You can not aim a security camera at a public space in the Netherlands.

First Google result: https://www.politie.nl/themas/camera-in-beeld.html?sid=42aaf...


It's not clear that a corridor inside an access controlled building is a public place.


Edit: it seems it is divided and cases have gone both ways in regards to expectation of privacy in apartment buildings: https://illinoislawreview.org/print/vol-2018-no-3/fourth-ame...


There’s more here: http://www.wisconsinappeals.net/on-point-by-the-wisconsin-st...

> Because the state offered credible testimony — specifically believed by the trial court — that third parties had unfettered access to the basement of this four-unit building, the defendant did not have a subjective expectation of privacy

GP suggested this wouldn’t be allowed in the hallway of an access-controlled building and precedent suggests that’s accurate. The key is whether a random person could wander into the area without encountering something analogous to a locked door.

If the door to the apartment block wasn’t locked (i.e. Joe Public could wander in and right up to your door), however, then when in the hallway a person would have no more expectation of privacy than when in the street.


Private clubs include many authorized families and people, yet they are not public. Your definition of public space seems very off...


Do you have case law citations for that?


It looks like it is quite divided and could go either way at least wrt apartment buildings: https://illinoislawreview.org/print/vol-2018-no-3/fourth-ame...


What experience?

Edit: Parent comment edited such that this makes no sense now


> Devices installed for security purposes cannot trigger wiretapping charges since there's no reasonable expectation of privacy in a public place and no intent to record confidential conversations in the first place.

In the US, perhaps. My office in Brussels can't aim a camera at the public road, for example.


The article you link to suggests that people with these doorbells probably have nothing to worry about ("Unless you are deliberately using a recording for exploitive or commercial purposes, you face little risk of facing charges for violating wiretapping laws through your everyday use of a doorbell camera."); not sure why you're using it as evidence to the contrary.


Not sure if DoSing a device that's not yours is much more legal.


Marriott Hotels fined $600,000 by FCC for jamming Wi-Fi hotspots [using deauth packets] https://news.ycombinator.com/item?id=8406022


That article is nonsense. “Wiretapping” is the interception of a signal, generally a telephone signal, to record or listen in on a conversation. A monitoring device, such as a Ring doorbell — those aren’t “wiretaps.”

The linked article is nothing but SEO spam designed as lead gen for a law firm. A lawyer certainly didn’t write that.


It's surprising how easy it is to perform a deauth attack; you can also gain some information just by scanning the airwaves about the devices connected to a particular router.

I created a little tool as a test of this a while back: https://github.com/dom96/deauther


If you go to /r/esp8266 there are far too many posts from kiddies asking for help with their deauther projects.


>Finally, none of this is even slightly new. A presentation from Def Con in 2016 covered this, demonstrating that Nest cameras could be blocked in the same way. The industry doesn't seem to have learned from this.

Well, that's a kind of fundamental flaw of WiFi networks, so you're kinda stuck with this if you use WiFi, nope?


Says in the article "unless you use 802.11w". So, fixable; just not supported by everything.
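To make the two points above concrete (a deauth frame is a trivially forgeable unprotected management frame; 802.11w/PMF makes the legitimate ones carry the Protected Frame bit), here is an added example that is not part of the thread or of any poster's tool. It builds constructed 802.11 deauthentication frames in memory (MAC addresses are made up), parses the raw header fields, and runs a small detector that flags (a) a burst of unprotected deauth/disassoc frames against one target and (b) any unprotected deauth on a BSSID the operator has marked as PMF-required. The thresholds, the "PMF required" list and the alert names are this example's own assumptions.

```python
"""Parse raw 802.11 management frames and flag spoofed deauthentication.

Added example: frames are constructed in-process, so it runs without a capture.
"""
import struct
from collections import defaultdict, deque

FC_TYPE_MGMT = 0          # Frame Control type field value for management frames
SUBTYPE_DISASSOC = 10     # management subtype 0xA: Disassociation
SUBTYPE_DEAUTH = 12       # management subtype 0xC: Deauthentication
FLAG_PROTECTED = 0x40     # "Protected Frame" bit in the second Frame Control byte
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype, dst, src, bssid, seq, reason=None, protected=False):
    """Constructed test input: minimal 802.11 management header (+ reason code body).

    Real PMF-protected frames carry a CCMP header and an encrypted body; here the
    protected variant just sets the flag and omits the body.
    """
    fc0 = (subtype << 4) | (FC_TYPE_MGMT << 2)          # protocol version 0
    fc1 = FLAG_PROTECTED if protected else 0
    frame = struct.pack("<BBH", fc0, fc1, 0)            # frame control, duration
    frame += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    frame += struct.pack("<H", (seq & 0xFFF) << 4)      # sequence control (frag 0)
    if reason is not None and not protected:
        frame += struct.pack("<H", reason)              # deauth/disassoc reason code
    return frame


def parse_frame(frame):
    """Return header fields for a management frame, or None for anything else."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if fc0 & 0x03:                       # only protocol version 0 is defined
        return None
    if (fc0 >> 2) & 0x03 != FC_TYPE_MGMT:
        return None
    subtype = fc0 >> 4
    rec = {
        "subtype": subtype,
        "protected": bool(fc1 & FLAG_PROTECTED),
        "dst": mac_str(frame[4:10]),     # addr1: receiver
        "src": mac_str(frame[10:16]),    # addr2: transmitter (claimed)
        "bssid": mac_str(frame[16:22]),  # addr3
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "reason": None,
    }
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and not rec["protected"] and len(frame) >= 26:
        rec["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return rec


class DeauthMonitor:
    """Sliding-window counter of unprotected deauth/disassoc frames per (BSSID, target)."""

    def __init__(self, threshold=5, window=2.0, pmf_required_bssids=()):
        self.threshold = threshold
        self.window = window
        self.pmf_required = set(pmf_required_bssids)   # assumption: operator-supplied list
        self.recent = defaultdict(deque)               # (bssid, dst) -> timestamps
        self.alerts = []

    def feed(self, ts, frame):
        """Process one frame with its capture timestamp; return alerts it raised."""
        rec = parse_frame(frame)
        if rec is None or rec["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return []
        raised = []
        # A PMF client ignores unprotected deauths after association, so one on a
        # PMF-required BSSID is not from the real AP (heuristic: pre-association
        # deauths are legitimately unprotected).
        if rec["bssid"] in self.pmf_required and not rec["protected"]:
            raised.append({"kind": "unprotected_mgmt_on_pmf_network", **rec})
        if rec["protected"]:
            return raised
        key = (rec["bssid"], rec["dst"])
        q = self.recent[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:                   # fire once when the burst crosses it
            raised.append({"kind": "deauth_flood", "count": len(q), "bssid": rec["bssid"],
                           "target": rec["dst"], "reason": rec["reason"]})
        self.alerts.extend(raised)
        return raised


def run_sample():
    """Constructed scenario: one PMF network, one without, a spoofed broadcast flood."""
    ap_pmf, ap_open, sta = "02:00:00:00:aa:01", "02:00:00:00:aa:02", "02:00:00:00:bb:02"
    mon = DeauthMonitor(threshold=5, window=2.0, pmf_required_bssids=[ap_pmf])
    # Legitimate PMF-protected deauth: no alert.
    mon.feed(0.0, build_mgmt_frame(SUBTYPE_DEAUTH, sta, ap_pmf, ap_pmf, seq=10, protected=True))
    # Forged unprotected deauth claiming to be the PMF AP: flagged immediately.
    mon.feed(1.0, build_mgmt_frame(SUBTYPE_DEAUTH, sta, ap_pmf, ap_pmf, seq=11, reason=7))
    # 20 broadcast deauths in one second against the non-PMF AP: flood alert at the 5th.
    for i in range(20):
        mon.feed(2.0 + i * 0.05, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap_open, ap_open,
                                                   seq=100 + i, reason=7))
    return mon.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the AP side the setting the second alert relies on is the 802.11w mode: in hostapd that is `ieee80211w=2` (required), as opposed to `1` (optional, where a client that never negotiated PMF still honours unprotected deauths) or `0` (disabled). The monitor only counts frames; whether a given burst is hostile or just a misbehaving AP still needs a human look at the sequence numbers and signal strength in the capture.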


Even 802.11w doesn't fix the fundamental problem... WiFi runs in an unlicensed band, and anything else in those bands might disrupt it. There is no service guarantee. You should never rely on it working, especially not for security or safety.


Anything running over rf is vulnerable to jamming. It's really just a matter of how much disruption an attacker is willing to cause.


> Anything running over rf is vulnerable to jamming

Yeah, and the same sentence can be changed to "Anything running anywhere is vulnerable to something" and it's still true. I guess the valuable lessons are "There is never any service guarantee" and "something will always go wrong" when you want to build something reliable.


Owner of wired cameras that do not store data in the cloud unaffected.


Yep. Wired is always best. You get (almost) the entire electromagnetic spectrum to yourself for each device. There's no reason to share a single spectrum if you don't have to.



