A man accused of pushing porn spam over unprotected Wi-Fi systems has pleaded guilty and faces a maximum three years in a cold cell for his trouble, in what's believed the U.S.'s first conviction under the CAN-SPAM Act.
Nicholas Tombros pleaded guilty September 27 to gaining unauthorized access to a computer to distribute multiple commercial unsolicited email messages, for exploiting a number of unprotected hot spots through which to flush adult Web site advertising spam. Authorities said Tombros did so through an act known as “wardriving” – literally driving around the city looking for unsecured Wi-Fi connections to exploit. His sentencing is set for December 6.
The case underlines a security problem with Wi-Fi networking – there isn't that much of it. And some security experts fear that with Wi-Fi hitting a mass, non-tech oriented audience, there could be more cases like the Tombros case in which Wi-Fi networks get smothered in spam even if wardriving is seen for now as a novelty likely to fade.
"Security measures are getting better, but they're still an issue," Farpoint Group researcher Craig Mathias told CNET.com. "The novelty of wardriving is wearing off, but the fear is those who are malicious, and the threat of installing viruses or spyware onto a network and computer. Many of these attacks can be avoided if people take basic precautions, but many just don't know they should."
At least one Wi-Fi provider understands the problem. "Making security easy is probably the most difficult thing we've had to do," said Linksys president Charlie Giancarlo to a gathering of reporters September 29.
Tombros is the first known conviction directly under the CAN-SPAM law, which continues to be criticized for being far less than it purported to be – primarily because it elected to draw up and enforce an opt-out rather than an opt-in provision. Critics have hammered the law because opt-out essentially still allows spammers at least one entrée to their unwilling recipients. Spam-fighting group Spamhaus.org has made no secret of its disdain for the law, nicknaming it the YOU-CAN-SPAM Act.
And litigation under CAN-SPAM has not come as quickly as supporters thought. In April, the Justice Department slapped four Detroit-area men with a criminal complaint under the law, the first known CAN-SPAM case filed – four months after it took effect. In July, Massachussetts sued a Florida man for spamming thousands.
But when it comes to Wi-Fi, security watchers have already known hackers could break into insecure hot spot connections to hide what they do – even opening Wi-Fi spots to terrorism, CNET said. In spite of it, and in spite of the FBI documenting a number of possible cybercrime incidents involving Wi-Fi access points, the news site continued, "a surprisingly high number of consumers" don't activate Wi-Fi security protocols.
Such break-ins include a try at stealing credit transaction data through a Wi-Fi spot in a Michigan Lowe's department store, a case in which the two would-be breakers pleaded guilty to conspiracy. Another involved a phishing scheme out of Atlanta said to involve hitting Wi-Fi hot spots to spam recipients and trick them into giving up credit and banking information. That case is ongoing.
