Is it theoretically or practically even possible to mooch off of a typical WISP?

In the iPhone newsgroups, a typical Apple Fundamentalist assumed I mooch off of my SF Bay Area Santa Cruz Mountain WISP simply because I get my Internet connection over the air via a WISP ISP a couple of mountains away.

In my response to this iOS right winger, who is so used to paying through the nose for everything that he can't even comprehend the *concept* of legitimate freeware, I told him (nospam) that I can't possibly even *think* of how a typical WISP would accidentally allow moochers.

While I used to have a 2.4GHz Rocket M2, I switched to the less noisy 5GHz Rocket M5 which has vertical and horizontal channels that are set by the WISP (who logs into the antenna to set it up from afar).

Certainly the WISP keeps logs of all connections, and, in my case, he has to assign a static IP address to *each* customer.

So, this question is only one of theoretical/practical possibilities.

Is it even theoretically or practically possible to mooch off of your WISP provider without him knowing about it (assuming he's a normal conscientious WISP using all the normal tools that a WISP would use)?

--
Aardvarks

Sigh. Do you really expect me to post detailed instructions on how it might be done?

I'll assume that the leech has a compatible wi-fi client bridge radio, a decent dish or panel antenna, a good location to see the WISP access point antenna, and is able to associate (synchronize with the pseudo random spread spectrum spreading code). Basically, this means the leech can get a "connect" indication from his client bridge radio.

The next obstacle is how much security has the WISP installed to protect his system. Nobody runs a wide open system, without encryption and no passwords. For a minimum, the WISP is certain to authenticate the MAC address of the client bridge radio. MAC addresses are easily spoofed, but this is mostly for identifying and blocking radios that are attempting to connect, but don't belong on the system.

The next layer is WPA2-AES-Enterprise encryption and authentication. Unlike the typical home wi-fi router, which uses WPA2-AES-PSK (pre-shared key), WPA2-AES-Enterprise does not have a single encryption key for the entire system. A new and unique key is issued for each connection and at regular intervals. Even if you could crack the encryption key, it would only be good for a maximum of 3600 seconds. The RADIUS authorization and 802.1x authentication system would also have a stored login and password.

There are a bunch of other tricks to improve security that are used, which I don't want to disclose or discuss. Most do not really prevent someone from breaking into the system, but rather act as a burglar alarm to identify attempted breakins.

I would say that trying to get past WPA2-AES-Enterprise, even with inside information, is not possible (unless you're the NSA). Spoofing an existing connection or working WISP customer is somewhat less difficult. One would need the previously mentioned hardware list, a means of tweaking the client bridge MAC address, the RADIUS login and password, and inside knowledge of what the WISP is using for authentication. One would also need to somehow disable the real customer as it would not do to have two client bridge radios trying to authenticate using identical credentials. That will certainly set off alarms (if the WISP pays attention to alarms and reads the log files). That's possible, but hardly practical, and certainly not reliable.

Leeching is usually NOT done by trying to connect to the WISP access point. Instead, it's done by connecting to the wireless router installed by the WISP customers. In other words, the neighbors. These are typical home wireless commodity routers, secured by a single WPA2-AES-PSK password key. If you know the key (or its hash code), and have good RF connectivity to the neighbor's wireless router, you're on the system.

So, to answer your question... yes, it's theoretically possible but no, it's not easy, practical, worthwhile, or reliable. Incidentally, it's also a crime and legally actionable as "theft of services" which increases the element of risk.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 

Hi Jeff, I knew you'd be on either a.i.w or s.e.r (although you hang out more on the latter nowadays, I think).

The theoretical leech would be me (but I already have free WiFi access from my WISP in return for being an access point for him) so the question really *is* theoretical, and you actually know all the WISPs in this area (let's not state their company or real names, for privacy reasons, but you know of Loren at H.....p and Dave at S.....t and Mike at R...........s, and Herman at E.....c, etc., who are the respective WISP proprietors).

Exactly! Nobody runs a wide open system where leaches can just latch on for any reasonable period of time.

Loren is the least restrictive, Herman is the most restrictive - with the others in between on security.

Actually, as you pretty well know, that end of the MAC address is, I think, the harder one to spoof (I think it was you who told me that long ago).

But let me confirm...

The end that the WISP sees is the hard one to spoof, isn't it?

Yup. While Loren doesn't even use encryption on the 802.11 equipment, he has plenty of 900MHz equipment which has to be specially set up, and Mike, for example, also makes use of non-wifi protocols. So does Dave, and Herman's system isn't at all compatible with customer-owned equipment.

Yup. And that doesn't even count the protocol tricks that these guys use to get better bandwidth throughput and noise rejection.

They all run a watchdog of some sort.

Actually, I have more knowledge than most because I'm a repeater so I am sometimes called to do troubleshooting to save them a visit - but for this discussion - we should assume I'm a normal customer of the WISP.

You also need the protocol information, and the IP address information, but presumably you could sniff that over the air.

Yup. While doing a site discovery isn't hard, you have to also crack the admin password on the radio, which changes frequently, among other hurdles.

Agreed. It's just too hard to do and too easy to get caught since a house doesn't move all that fast.

OK. That's *easy* by way of comparison. But we weren't talking about breaking into the homeowners' SOHO router (which is a different topic altogether).

Yes. Plenty of neighbors have wide open networks. Sigh. They're the Santa Cruz 60's hippy trusting type of people. You know ... people like you! :) (jk - you're too knowledgeable to be trusting!)

Yup. Just what I had thought.

The Apple iOS "experts" blandly accuse people of this stuff, not even taking into account *any* of the many potential hurdles, not the least of which that a house doesn't move all that fast and is easy to locate when stealing WISP bandwidth.

If you're not the NSA, then you're probably not hacking into the WISP. It's just not feasible.

Thanks for your insight!

PS: What do you think about the possibility of tapping into a Starbucks in downtown Santa Cruz from Loma Prieta?

--
Aardvarks

I think I've met them all and certainly recognize the companies. However, I'm not currently doing WISP work and haven't worked with any of the companies for many years. Hint: I gave up tower climbing over 20 years ago.

I certainly didn't say that. Some client bridge radios partition their firmware into the part you can replace (e.g. DD-WRT) and the part that remains untouched (boot loader, MAC addresses, encryption keys, serial numbers, manufacturing details, etc). Changing these is possible and fairly easy if you own a logic analyzer, hot air SMT desoldering station and an SPI bus serial EPROM programmer.

However, the leech could also use a commodity wireless card crammed into a PC, and do everything in software, where it is super trivial to tweak the MAC address. No worries about WPA2 encryption because the MAC address and control frames are sent unencrypted.

Security by obscurity has its merits. Anyone who is willing to spend a few hundred dollars on hardware, and spend many hours hacking, in order to save a few dollars in service charges, needs to take a remedial finance class.

The creative protocols are not for security. The problem is that 802.11 was originally designed to handle a small number of client radios per access point. CSMA/CA works nicely for that because there's plenty of time between packets to allow for collision backoff. However, when dealing with a much larger number of users, the probability of collisions increases rather dramatically, until nothing works. Also, minor network overhead, such as ARP requests and broadcasts, become a major nuisance as they proceed to become the dominant traffic (because broadcasts go to everyone). So, new protocols, based on token passing (VTP-CSMA) or polling are used, which are more efficient for larger systems.

Usually just arpwatch and traffic graphs.

With most WISPs, over the air bandwidth is the main limitation to how many customers they can handle. If you add a leech anywhere on the system, which increases usage beyond normal, it's a problem.

I hate to ruin your illusions, but I never was much of a hippie. Glorified poverty didn't have much of an appeal. I did try becoming a beatnik as a teenager and a protester in college, but not a hippie.

Zilch. Too much interference along the path on both 2.4 and 5GHz. Loma to SCZ is about 9 miles. Over 5 miles, one sees timeouts and the ACK timing needs to be tweaked. You can see the SSIDs of distant stations (because broadcasts do not need ACKs) but you can't connect. However, without the interference, one can do it by violating the FCC rules with a big dish. I've done this and even under ideal conditions, aiming the dish, and keeping it aligned, is a major problem. Also, at that range and lousy SNR, throughput is gonna be rather low. Incidentally, I know of several point to point links between Loma and various sites on 5GHz that get really good speeds and reliable performance. I'm not sure of the ranges, but most seem to be between 5 and 10 miles. However, both sides use decent hardware, dish or panel antennas, and a clear line of sight, which is not what you'll find at Starbucks. Besides, the downtown SCZ Starbucks is surrounded by tall buildings on all 4 sides (I used to fix Heinz's computers when he had the microscope shop in the basement under Starbucks).

--
Jeff Liebermann
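Jeff's two alarms above, the RADIUS collision when two client bridges present one customer's credentials and the arpwatch watchdog, both come down to watching which MAC answers for which static IP. The following is an added example, not code from the thread or from arpwatch: it replays constructed (ip, mac) sightings against a constructed static assignment table and emits the three arpwatch-style alerts a WISP operator would read in the logs.

```python
"""arpwatch-style watchdog for a WISP that hands every customer a static IP.

Added example, not code from the thread or from arpwatch itself. The table
and the sightings are constructed; real deployments would feed this from a
tap on the WISP's router.
"""
from collections import Counter

# Constructed static table: customer IP -> MAC of the radio the WISP installed.
STATIC_TABLE = {
    "10.0.5.11": "dc:9f:db:00:00:11",   # customer A's client bridge
    "10.0.5.12": "dc:9f:db:00:00:12",   # customer B's client bridge
}

# Constructed sightings in the order a tap on the WISP router would see them.
SIGHTINGS = [
    ("10:00:01", "10.0.5.11", "dc:9f:db:00:00:11"),  # A, as assigned
    ("10:00:02", "10.0.5.12", "DC:9F:DB:00:00:12"),  # B, upper-case MAC
    ("10:00:03", "10.0.5.99", "00:11:22:33:44:55"),  # IP never assigned
    ("10:00:04", "10.0.5.11", "00:11:22:33:44:55"),  # A's IP, foreign MAC
    ("10:00:05", "10.0.5.11", "dc:9f:db:00:00:11"),  # A's own radio back
    ("10:00:06", "10.0.5.11", "00:11:22:33:44:55"),  # foreign MAC again
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case form so case differences never hide a change."""
    return mac.strip().lower()


def watch(sightings, table=STATIC_TABLE):
    """Replay sightings and return (time, kind, ip, mac) alert tuples.

    Kinds follow arpwatch's vocabulary: "new station" (an IP nobody was
    assigned), "changed ethernet address" (an assigned IP answered by a
    different radio) and "flip flop" (an IP bouncing back to a MAC seen
    before, the signature of two radios fighting over one identity).
    """
    last_seen = {}   # ip -> MAC currently answering for it
    previous = {}    # ip -> MAC it answered from before the last change
    alerts = []
    for ts, ip, mac in sightings:
        mac = normalize_mac(mac)
        if ip not in table:
            if ip not in last_seen:          # report once, then track it
                alerts.append((ts, "new station", ip, mac))
            last_seen[ip] = mac
            continue
        current = last_seen.setdefault(ip, table[ip])
        if mac != current:
            kind = "flip flop" if mac == previous.get(ip) else "changed ethernet address"
            alerts.append((ts, kind, ip, mac))
            previous[ip] = current
            last_seen[ip] = mac
    return alerts


def summarize(alerts):
    """Count alerts per kind; a rising flip-flop count is what to page on."""
    return dict(Counter(kind for _, kind, _, _ in alerts))


if __name__ == "__main__":
    found = watch(SIGHTINGS)
    for ts, kind, ip, mac in found:
        print(f"{ts}  {kind:<24} {ip:<12} {mac}")
    print(summarize(found))
```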

Per Jeff Liebermann:

In my book, those guys are, along with tree trimmers, modern-day heroes in the sense of the old Inuit kayak hunters: One bad move or error in judgment and you die.

--
Pete Cresswell

Heh heh. Yeah, if I only had a hot air SMT desoldering station, I could change my MAC address too. :)

OK. But that's a lot of work to just get free WiFi from a WISP, and still more has to be done so as not to get caught (which, I state, would be virtually impossible and certainly not worth the $100/month WiFi fee).

Yup. That was my point to the guy, nospam, who accused me of stealing my WISP just because I knew enough about WISP to spout the words reasonably coherently.

What I do know is that it wouldn't be easy for me, and even for you, it wouldn't be easy not to get caught (since your house doesn't move all that fast except that you're near the fault line so it jumps a few feet every hundred years or so).

This makes sense that the protocols they are all starting to use (except Loren, and Herman was *always* using the new protocols) are for communication reasons, and not for security.

Still, Dave switched his Santa Cruz company off of the WiFi protocol a few years ago (maybe 5 years ago?) even though all his equipment was still 2.4GHz for a long time. Without that specialized protocol knowledge, nobody with a 2.4GHz radio is gonna connect to him, with or without security.

Actually, they also log stuff because I talk to one local WISP who tells me he is sick of getting take-down notices for most of his customers, so he has assigned everyone a static IP address just to make his logging backtracks easier. To him, since he just has to forward the notice, he's not irritated by the notice - but by the need to figure out who it was. He solved that by giving everyone a static IP address.

Luckily, most of these guys are very nice guys (except Dave over by you who is only exceeded in crassness by Brett, his Arizona support guy who has an utterly amazing lack of customer service support skills).

I would agree. But I see a few hundred homes on the connection I'm on, and there are multiple APs they're connected to, even on the same tower (Loma Prieta is the main tower but others exist in the surrounding hills). They have fiber-optic backhauls, so, the way "I" understand it (I'm just a customer though) is that they aren't limited by their backhaul but by the number of access points they set up and their painting coverage.

Wow, Jeff. Interesting picture. I've seen the insides of your routers, and lots of your test equipment over the years, but that 1975 picture sure did look beatnik hippy to me!

Is that a park-ranger uniform? Big Basin?

Interesting. Yes, I have seen SSIDs of the sort of a LOS from Loma Prieta down to Santa Cruz, where I couldn't get better than about -85dBm at the best but there was never the necessary SNR headroom of a half dozen to a dozen decibels. I didn't even think about ACKs but the radio does automatically adjust for distance.

Mine is a 27dBm output, -94dBm sensitivity 5GHz Rocket M5, although I have 28dBm -97dBm 2.4GHz Rocket M2s and nano bridges and even high-power bullets scattered all about the hillside.

I had a talk with Ubiquiti support over in San Jose, and they said the AirOS firmware was set that you couldn't possibly go over the 1 Watt legal limit of the 5 GHz frequency power output (which itself is ten times higher than the 2.4 GHz band legal limit), once you set the country (which is usually set to the USA because the limits are highest in the USA).

They told me that you can try, but the firmware won't let you, even though it might *report* that it's over the legal limit.

My connection is at the higher end of that 5 to 10 mile range, and my throughput is just OK. I have clear LOS with nothing in the first Fresnel zone too.

This is correct. The biggest problem though, I thought, was that the *transmitter* at Starbucks would be the major limitation. Basically I figured we could transmit a strong signal to the Starbucks AP, but without a far better antenna, the signal from Starbucks would never get back in sufficient 6 to 10 decibel strength over the noise to us.

Ah, yet another pragmatic obstacle to overcome, borne from experience.

--
Aardvarks

I bought mine on eBay for about $80. However, it's not quite as easy as reading all the data from the original chip, editing it, and putting it back. Many such eeproms have protected areas that can't be directly read. My luck in dealing with these has been dismal. Fortunately, such chips are priced a little higher than ordinary eeproms, making their use in price conscious consumer hardware rather limited. Some details:

Suggestions: When looking at costs, I try to annualize the numbers. To many financially marginal users, $1200/year is well worth the effort and would subsidize a fairly substantial collection of electronic burglar and reverse engineering tools.

Oddly, I have the opposite problem. Because I know too much about wireless (and cellular) security, readers automatically assume that I spend my evenings in front of a computah, merrily hacking my way into as many systems as possible. This is hardly the case, but it does improve my otherwise lackluster and boring image.

If it were easy, it would not be fun.

Yep. Because these protocols often do not show up on Wi-Fi sniffer, finder, and site survey programs, they present a serious interference potential. I've been told that some have 802.11b compatible beacons, but I haven't seen any.

Although we haven't talked in a long time, I don't have any problems with Brett. No clue on the rest of the company. Several friends and customers use their mesh wireless service. I don't hear any complaints, so I presume it mostly works.

The limiting factor is what I call "air time" or how much time it takes to send something. Since wireless is a shared medium, only one transmitter can use the bandwidth at a time. If that transmitter happens to be running extremely slowly or is spewing junk, there will not be enough "air time" to service the rest of the channel users. Details if you need them.

Incidentally, mountain tops tend to have fiber backhauls because that's all the telcos will provide these days. Copper is so 20th century and so unreliable.

I used a bad title. It was really about 1970. I was scheduled to renew my drivers license and needed a suitable disguise. I shaved off the beard but kept the mustache after the license arrived. The common description was "motorcycle thug", not beatnik.

Nope. I was cheap and tended to wear military surplus clothes, much to the irritation of my father, who owned a factory in the L.A. garment district. At the time, the industry was pushing "polyester blend" crap. I wanted cotton and the only way to get it at affordable prices was military surplus. I think I had about 20 identical shirts. I still do much the same thing today, but no more military surplus clothes.

It adjusts, but only to a point. If the timeout is less than the flight time, it will retry BEFORE the ACK is received. Many outdoor radios have a "long distance" check box in the settings to increase the timeout. Few home wireless routers have this feature.

Ignoring the legal limit, cranking up the power output to unreasonable levels usually causes the output stage to go non-linear. This is not a good thing and will produce distortion and errors. Better lower power and linear, than higher power and distorted. I found some photos where someone demonstrated this on a WRT54G, but can't locate the URL right now.

That would probably be the major limitation. However, it won't be because of insufficient RF from Starbucks. It will be because even the narrowest beamwidth dish antenna at your end will pick up hundreds of other wi-fi devices along the line of sight. Starbucks' signal will be buried under the interference.

Try Fing on your iphone or Android device at the local wi-fi hot spot: It will give you a list of what is connected to the local wireless router. If you look through the list, you'll also get a list of wireless cards and devices, which can usually be helpful in identifying the hardware. It's quite common to find desktops and outdoor client bridge radios, which are not what one would expect to see at Starbucks. I know one local hot spot that routinely has between one and three Ubiquiti radios connected.

Gone to replace the LNBF on a C band dish for the 4th(?) time. It's not tower work but still slightly dangerous.

--
Jeff Liebermann
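Jeff's "air time" budget and the ACK-timeout point from the same post can be put into numbers. This is an added example, not code from the thread; the per-frame overhead and station mix are constructed approximations passed in as parameters, and it shows why one slow leech can starve a channel while sending only a fraction of the frames.

```python
"""Air-time budget for one shared 802.11 channel, plus the ACK flight-time check.

Added example, not code from the thread. The overhead figure (preamble,
DIFS, SIFS, ACK) and the station mix are constructed approximations.
"""
MILE_M = 1609.344
C_M_PER_S = 299_792_458.0


def frame_airtime_us(payload_bytes, phy_rate_mbps, overhead_us):
    """Microseconds one frame holds the channel: fixed per-frame cost plus
    payload bits divided by the PHY rate (bits / Mbps = microseconds)."""
    return overhead_us + payload_bytes * 8 / phy_rate_mbps


def airtime_budget(stations, payload_bytes=1500, overhead_us=50.0):
    """stations: list of (name, frames_per_second, phy_rate_mbps).

    Returns (utilization, shares). utilization is the seconds of air time
    demanded per wall-clock second; above 1.0 the channel cannot serve
    everyone. shares maps each station to its fraction of the demand.
    """
    demand = {}
    for name, fps, rate in stations:
        demand[name] = fps * frame_airtime_us(payload_bytes, rate, overhead_us) / 1e6
    total = sum(demand.values())
    shares = {n: d / total for n, d in demand.items()} if total else {}
    return total, shares


def ack_round_trip_us(miles):
    """Round-trip propagation time over the link. If the radio's ACK timeout
    is shorter than this, it retries before the ACK can possibly arrive."""
    return 2 * miles * MILE_M / C_M_PER_S * 1e6


if __name__ == "__main__":
    # Constructed scenario: two paying customers at a healthy 48 Mbps and one
    # distant, low-SNR leech stuck at 1 Mbps sending a tenth as many frames.
    stations = [("customer_a", 500, 48), ("customer_b", 500, 48), ("leech", 100, 1)]
    util, shares = airtime_budget(stations)
    print(f"channel utilization {util:.2f} (>1.0 means oversubscribed)")
    for name, share in shares.items():
        print(f"{name:<11} {share:6.1%} of demanded air time")
    for miles in (5, 9):
        print(f"{miles} miles: ACK round trip {ack_round_trip_us(miles):.1f} us")
```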

This is a good point to annualize costs. Saving $1,200 a year for ten years is a serious tool cache!

That makes sense. Over the years, on a.i.w, you have joked that you could break into many home broadband routers, simply because people don't secure them properly.

Good for you that you can communicate well with Brett. I guess he doesn't insult you as much as he insults less knowledgeable people. :)

Dave is just as cocky in sales. Contrast that with how Loren deals with the hoi polloi who are his customers, and it shows that these small WISP outfits have entirely different personalities when you deal with them.

The Comcast & satellite customers don't get that "personal" connection with the proprietors! :)

The mountain top I'm using *does* have a fiber-optic backhaul, so, as you noted, it's the "airtime" that limits my bandwidth (plus any throttling done by the AP operator).

I bleached and sandpapered my fingerprint when I went for a license. Heh heh ... it was the wrong thumb! I was sore for a week!

I buy at the military surplus stores all the time. That's where I get my boots, for example. And all my rope for climbing on the mountain. I don't think I have shirts though. I do love their parachute line which I use for lots of things except shoelaces! [Parachute line sucks at long hiking boot laces - you have to rub Elmers glue on the slippery line just to get some friction from the dried residue - ask me how I know.]

I use the Rockets mostly nowadays, where AirOS has some pretty good diagnostics (I love the noise interference waterfall display information!)

I keep to the limit. I'm pretty much *at* the legal limit though, since my AP is something along the lines of 10 miles away (or so).

I agree, even at 5GHz, noise is *everywhere*, so, I need a good dozen decibels above the noise to connect.

It would be *fun* to actually connect to a downtown library or coffeeshop from ten miles away; but, it's just not pragmatic unless I'm within a mile or two.

Ah, that's what I thought. I would guess that a mile or two LOS is no problem. But ten miles is too far, at least for me.

Good luck. I bought an orange OSHA-compliant safety harness from a military surplus store if you ever want it. I never used it! You can have it. It has a big aluminum D ring sewn to the middle of the harness for safety tethering.

--
Aardvarks

No need to go beyond 1 year. The idea is to have a common cost reference so that you can better compare various methods of payment. $100/month doesn't seem like much, until you annualize the costs.

It's not a joke. Most scripted router attacks include a list of well known login and password combinations. The manufacturer default passwords are always included. Few manufacturers force the user to change the default password. So much for my "secure by default" campaign.

He's been very nice and polite to me when I call. Of course, that was many years ago and I haven't had a good reason to call recently, which might explain why I don't have a problem with Brett.

They do with me. How many customers would bother asking Comcast or the bird people about their broken kitchen appliances, home entertainment boxes, or phone systems? Last week, I did a service call where I spent about an hour on the computers, and another hour programming the various TV/hi-fi/satellite/dvr/media-player remote controls. Now, that's what I call a personal connection.

I would be angry for much longer than a week. Fingerprints are digitized, scanned for patterns, and classified so that they can be easily searched and located. The fingerprints must pass a sanity check or you get to redo the whole ordeal from the beginning. That's what happened to me the last time I went for a drivers license exam. I had to go back to the fingerprint window once or twice (I forgot which) until the computah was happy.

Yech. Go thee unto thy local hardware store, and get some "liquid tape" from the electrical section. Something like this: If you just slop it onto the parachute shrouds, you'll make a mess and it won't work. I had to dilute it in some kind of solvent (I forgot what I used). Paint it onto the parachute shrouds and quickly wipe off the excess. The rubber ends up between the strands, which should help convert the parachute shrouds into something they were never intended to do.

We moved and installed the dishes a few months ago: The plan is now set in concrete, literally. The big 3 meter dish is strong and flat enough that I can just climb up with a ladder and work standing on the dish. No need to climb anything or use a harness. The current problem is that both LNBFs crap out when they get hot. One recovers when shaded by a cardboard box. The other does not. We have 2 generations of LNBFs that use DRO (dielectric resonant oscillators) which are responsible for the temperature drift. These were replaced yesterday with PLL (phase lock loop) type LNBFs, which didn't work at all. The problem was traced to the DC voltage supplied by the stone age digital audio receivers, which are set to a single output voltage and know nothing about switching between vertical and horizontal polarization. Looks like I get to build a power supply, switch, injector, RF isolator, volt/amp monitor, flashing lights, etc panel.
--
Jeff Liebermann

Wait until "Live Scan" hits the DMV. That involves fingers and thumbs of both hands and palm prints. Currently "Live Scan" is required for all sorts of stuff from criminal background checks to various professional licenses from nurse/RN, EMS/EMT, teachers and a whole bunch more, with an expanding list of trades and professions requiring that sort of clearance.

--
Regards, 

Savageduck

Wow. To me, a "dish" is a Rocket M5! Yours are far larger than mine!

--
Aardvarks

Think bigger:

If you want to play with a really big (30 meter) dish, the Jamesburg Earth Station is nearby:

--
Jeff Liebermann

We have dishes like that at Stanford, as you well know, which can be seen from 280 heading north to SF.

Mine can go about 10 miles reliably, but it's only about 18 inches or so in diameter.

--
Aardvarks
