Marriott wifi blocking

From: "Chris Marget" <chris@marget.com>

You [I] said:

> > It is OK for an enterprise wifi system to make this sort of attack
> > *on rogue APs which are trying to pretend to be part of it (same ESSID).
>
> I'm curious to hear how you'd rationalize containing a copycat AP
> under the current rules.

> In fact, I remain fuzzy on when spoofed de-auth frames would *ever* be okay
> when used against unwilling clients within the FCC's jurisdiction given
> their position that spoofed control frames constitute interference under
> part 15 rules.
>
> This thread and similar discussions elsewhere contain assertions that
> enterprise networks "need to defend themselves" in some circumstances,
> or that "containing" an AP with a copycat SSID would certainly be okay.
>
> I'm not so sure.
>
> The "need to manage our RF space" arguments ring hollow to me. I certainly
> understand why someone would *want* to manage the spectrum, but that's
> just not anyone's privilege when using ISM bands. If the need is great
> enough, get some licensed spectrum and manage that.

I wasn't making that argument.

I was making the "if someone tries to pretend to be part of my network,
so that my users will inadvertently attach to them and possibly leak
'classified' data, *then that rogue user is making a 1030 attack on my
network*."

> A copycat AP is unquestionably hostile, and likely interfering with users,
> but I'm unconvinced that the hostility triggers a privilege to attack it
> under part 15 rules. In addition to not being allowed to interfere, we also
> have:

You're not attacking it, per se; you are defensively disconnecting from
it *users who are part of your own network*; these are endpoints *you are
administratively allowed to exert control over*, from my viewpoint.

> 2. This device must accept any interference received, including
> interference that may cause undesired operation.
>
> Certificate-based authentication would solve that problem anyway,
> wouldn't it?

Probably. And yes, any system big enough to do this stuff is likely
big enough to run 1x as well.

> A "rogue" AP plugged into a wired port is best solved at the wired port,

I'm not sure anyone was actually mooting this.

> Even large private campuses like oil refineries probably wouldn't be in the
> clear doing this sort of thing unless they're able to stop law enforcement,
> delivery drivers, paramedics and firefighters at the gate in order to get
> them to agree to receive spoofed de-auth frames.

Again: you've shifted topics here from "enterprise rogue protection" (stay off *my* ESSID) to "Marriott Attack" (stay off all ESSIDs that *aren't* mine);
different thing entirely.

I make a clear distinction (now that it's not 3am :) between what Marriott
is doing, and what enterprises doing rogue protection are doing, as noted
above.

Still not a lawyer.

Cheers,
-- jra

> From: "Chris Marget" <chris@marget.com>
>
> You [I] said:
>
> > > It is OK for an enterprise wifi system to make this sort of attack
> > > *on rogue APs which are trying to pretend to be part of it (same ESSID).
>
> > I'm curious to hear how you'd rationalize containing a copycat AP
> > under the current rules.
>
<snip>

> > The "need to manage our RF space" arguments ring hollow to me. I certainly
> > understand why someone would *want* to manage the spectrum, but that's
> > just not anyone's privilege when using ISM bands. If the need is great
> > enough, get some licensed spectrum and manage that.

> I wasn't making that argument.

Yes, sorry. I presented two arguments. Only the one about copycat SSIDs is
yours.

> I was making the "if someone tries to pretend to be part of my network,
> so that my users will inadvertently attach to them and possibly leak
> 'classified' data, *then that rogue user is making a 1030 attack on my
> network*."

> > A copycat AP is unquestionably hostile, and likely interfering with users,
> > but I'm unconvinced that the hostility triggers a privilege to attack it
> > under part 15 rules. In addition to not being allowed to interfere, we also
> > have:
>
> You're not attacking it, per se; you are defensively disconnecting from
> it *users who are part of your own network*; these are endpoints *you are
> administratively allowed to exert control over*, from my viewpoint.

Okay, so we're not talking about wholesale containment of the copycat AP,
but rather management of our own client devices which, by definition, we
can't interfere with. Because they're ours.

That approach sounds perfectly reasonable. I wonder, absent certificates,
how one can be certain about the identity of the client, and if such a
narrowly scoped containment mechanism is actually implemented by the
various checkboxes available to enterprise wifi administrators.

> I make a clear distinction (now that it's not 3am :) between what Marriott
> is doing, and what enterprises doing rogue protection are doing, as noted
> above.

Is it clear exactly what "enterprises doing rogue protection" are up to?
I've asked several, gotten wildly different answers. Keeping "my clients"
off "copycat APs" sounds reasonable. More aggressive action might not be.

Thanks.
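The detection half of the narrowly scoped mechanism Chris is asking about, as an added example that is not code from this thread or from any WIPS vendor: it passively flags beacons advertising our ESSID from a BSSID we do not operate, and deauth frames that name one of our BSSIDs as transmitter but that our controller has no record of sending, while a neighbour using a different ESSID on the same channel is not reported. The frame summaries, addresses, controller log and thresholds are all constructed assumptions; the code decides nothing about containment.

```python
"""Passive detection of copycat SSIDs and spoofed deauthentication frames.

Added example for this thread; not vendor WIPS code. All frame summaries,
addresses and the controller log below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

BCAST = "ff:ff:ff:ff:ff:ff"


class Frame(NamedTuple):
    t: float        # capture time in seconds
    kind: str       # "beacon", "probe_resp", "deauth", "disassoc", ...
    src: str        # transmitter address (a deauth *claims* to come from src)
    dst: str        # receiver address
    bssid: str
    ssid: str       # "" when the frame carries no SSID element
    channel: int


# Constructed inventory: the ESSIDs we run and the BSSIDs we actually operate.
AUTHORIZED: Dict[str, Set[str]] = {
    "CORP-WIFI": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
}

# Constructed log of (src, dst) deauths our own controller/APs deliberately sent
# (assumption: the controller records every deauth it or its APs originate).
CONTROLLER_DEAUTHS: Set[Tuple[str, str]] = {("00:11:22:aa:bb:02", "66:77:88:99:aa:bb")}

# Constructed monitor-mode capture: our AP, a copycat on our ESSID, a neighbour
# on the same channel with its own ESSID, one legitimate deauth, then a burst
# of deauths that spoof our BSSID as transmitter.
FRAMES: List[Frame] = [
    Frame(0.00, "beacon", "00:11:22:aa:bb:01", BCAST, "00:11:22:aa:bb:01", "CORP-WIFI", 6),
    Frame(0.10, "beacon", "de:ad:be:ef:00:01", BCAST, "de:ad:be:ef:00:01", "CORP-WIFI", 6),
    Frame(0.20, "beacon", "c0:ff:ee:00:00:07", BCAST, "c0:ff:ee:00:00:07", "NEIGHBOR-NET", 6),
    Frame(0.30, "deauth", "00:11:22:aa:bb:02", "66:77:88:99:aa:bb", "00:11:22:aa:bb:02", "", 6),
] + [
    Frame(1.0 + i * 0.05, "deauth", "00:11:22:aa:bb:01", BCAST, "00:11:22:aa:bb:01", "", 6)
    for i in range(12)
]


def our_bssids(authorized: Dict[str, Set[str]]) -> Set[str]:
    return set().union(*authorized.values())


def find_copycats(frames, authorized) -> Dict[str, List[str]]:
    """BSSIDs advertising one of *our* ESSIDs that we do not operate.

    A different ESSID on the same channel is ordinary spectrum sharing and
    is deliberately not reported.
    """
    hits = defaultdict(set)
    for f in frames:
        if f.kind in ("beacon", "probe_resp") and f.ssid in authorized \
                and f.bssid not in authorized[f.ssid]:
            hits[f.ssid].add(f.bssid)
    return {ssid: sorted(b) for ssid, b in hits.items()}


def find_spoofed_deauths(frames, authorized, controller_log,
                         window=1.0, threshold=5) -> Dict[str, Tuple[int, int]]:
    """Deauth/disassoc frames carrying one of our BSSIDs as transmitter that the
    controller never sent. Returns {claimed_src: (unexplained_total, peak_in_window)}
    for sources whose count inside any `window` seconds reaches `threshold`."""
    ours = our_bssids(authorized)
    times = defaultdict(list)
    for f in frames:
        if f.kind in ("deauth", "disassoc") and f.src in ours \
                and (f.src, f.dst) not in controller_log:
            times[f.src].append(f.t)
    report = {}
    for src, ts in times.items():
        ts.sort()
        peak, lo = 0, 0
        for hi in range(len(ts)):          # sliding window over sorted timestamps
            while ts[hi] - ts[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            report[src] = (len(ts), peak)
    return report


if __name__ == "__main__":
    print("copycat APs:", find_copycats(FRAMES, AUTHORIZED))
    print("spoofed deauth sources:", find_spoofed_deauths(FRAMES, AUTHORIZED, CONTROLLER_DEAUTHS))
```

On the constructed capture this reports the copycat BSSID under CORP-WIFI and the burst spoofing 00:11:22:aa:bb:01, and nothing for the neighbour or for the logged deauth.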

The problem is that there's really no such thing as a "copycat" if the client doesn't
have the means of authenticating the destination. If that's really the requirement, people
should start bitching to ieee to get destination auth on ap's instead of blatantly asserting
that somebody owns a particular ssid because, well, because.

Mike

In the enterprise environment that there's been some insistence from folks on this list is a legitimate place to block "rogue" APs, what makes those SSIDs, "yours"? Just because they were used first by the enterprise? That doesn't seem to hold water in an unlicensed environment to me at all.

If the Marriott can't do this, I don't think anyone can, legally.

Now, granted, if I'm doing it with the intent to disrupt the corporate network or steal data, there's certainly other laws to deal with that, but I don't think even that is justification for spoofed deauth.

> The problem is that there's really no such thing as a "copycat" if the client doesn't have the means of authenticating the destination. If that's really the requirement, people should start bitching to ieee to get destination auth on ap's instead of blatantly asserting that somebody owns a particular ssid because, well, because.
>
> In the enterprise environment that there's been some insistence from folks on this list is a legitimate place to block "rogue" APs, what makes those SSIDs, "yours"? Just because they were used first by the enterprise? That doesn't seem to hold water in an unlicensed environment to me at all.

Pretty much... Here's why...

If you are using an SSID in an area, anyone else using the same SSID later is causing harmful interference to your network. It's a first-come-first-serve situation. Just like amateur radio spectrum... If you're using a frequency to carry on a conversation with someone, other hams have an obligation not to interfere with your conversation (except in an emergency). It's a bit more complicated there, because you're obliged to reasonably accommodate others wishing to use the frequency, but in the case of SSIDs, there's no such requirement.

Now, if I start using SSID XYZ in building 1 and someone else is using it in building 3 and the two coverage zones don't overlap, I'm not entitled to extend my XYZ SSID into building 3 when I rent space there, because someone else is using it in that location first.

I can only extend my XYZ coverage zone so far as there are no competing XYZ SSIDs in the locations I'm expanding into.

> If the Marriott can't do this, I don't think anyone can, legally.

If I set up something on an SSID Marriott is already using, then my bad and they have the right to take appropriate defensive action to protect their network.

If I stand up a new network using an SSID Marriott isn't already using, then they have no right to cause harmful interference to that network.

Sharing the same channels using different SSIDs, while it may degrade performance (of both networks) isn't technically what I would call "harmful interference", nor is it considered such by the FCC. That's just a matter of sharing the spectrum as intended in the products certified for that service.

> Now, granted, if I'm doing it with the intent to disrupt the corporate network or steal data, there's certainly other laws to deal with that, but I don't think even that is justification for spoofed deauth.

Depends on whether you were the first one using the SSID in a particular location or not.

Sure, this can get ambiguous and difficult to prove, but the reality is that most cases are pretty clear cut and it's usually not hard to tell who is the interloper on a given SSID.

Owen

No. Seriously, no. Biggest come, biggest serve doesn't do a damn bit of good dealing with the actual problem which is
one of authentication. Think of this with the big I internet without TLS. What you're asking for is complete chaos.

Stomping on other AP is an arms race in which nobody wins. If I want to guarantee that I only connect to $MEGACORP
AP's, I should be using strong authentication, not AP neutron bombs to clear the battlefield.

Mike

>
>> The problem is that there's really no such thing as a "copycat" if
>> the client doesn't have the means of authenticating the
>> destination. If that's really the requirement, people should start
>> bitching to ieee to get destination auth on ap's instead of
>> blatantly asserting that somebody owns a particular ssid because,
>> well, because.
>
> In the enterprise environment that there's been some insistence
> from folks on this list is a legitimate place to block "rogue" APs,
> what makes those SSIDs, "yours"? Just because they were used first
> by the enterprise? That doesn't seem to hold water in an unlicensed
> environment to me at all.

> Pretty much... Here's why...
>
> If you are using an SSID in an area, anyone else using the same SSID
> later is causing harmful interference to your network. It's a
> first-come-first-serve situation. Just like amateur radio spectrum...
> If you're using a frequency to carry on a conversation with someone,
> other hams have an obligation not to interfere with your conversation
> (except in an emergency). It's a bit more complicated there, because
> you're obliged to reasonably accommodate others wishing to use the
> frequency, but in the case of SSIDs, there's no such requirement.
>
> Now, if I start using SSID XYZ in building 1 and someone else is
> using it in building 3 and the two coverage zones don't overlap, I'm
> not entitled to extend my XYZ SSID into building 3 when I rent space
> there, because someone else is using it in that location first.

So your position is that if I start using Starbucks' SSID in a location
where there is no Starbucks, and they later move in to that building,
I'm entitled to compel them to not use their SSID?

> I can only extend my XYZ coverage zone so far as there are no
> competing XYZ SSIDs in the locations I'm expanding into.

Is there FCC guidance on this, or is this "Regulations As Interpreted By
Owen"?

> Depends on whether you were the first one using the SSID in a
> particular location or not.
>
> Sure, this can get ambiguous and difficult to prove, but the reality
> is that most cases are pretty clear cut and it's usually not hard to
> tell who is the interloper on a given SSID.

It's usually easy to tell, but I doubt the FCC would find it relevant.

There's a lot of amateur lawyering going on in this thread, in an area
where there's a lot of ambiguity. We don't even know for sure that
what Marriott did is illegal -- all we know is that the FCC asserted it
was and Marriott decided to settle rather than litigate the matter. And
that was an extreme case -- Marriott was making transmissions for the
*sole purpose of preventing others from using the spectrum*.

     -- Brett

This would be why commercial entities
often use their trademark identifiers
as part of the SSID. You can compel
them (briefly) not to use the SSID, until
they sue you for trademark infringement
and serve cease-and-desist orders against
you for unlicensed and unauthorized use
of the Starbucks name. Totally separate
realm of enforcement, and in many ways
far more effective.

Matt

Very true. I wasn't talking about ideal solutions. I was talking about current state of FCC regulations.

Further, you seem to assume a level of control over client behavior that is rare in my experience.

Owen

> > > The problem is that there's really no such thing as a "copycat" if
> > > the client doesn't have the means of authenticating the
> > > destination. If that's really the requirement, people should start
> > > bitching to ieee to get destination auth on ap's instead of
> > > blatantly asserting that somebody owns a particular ssid because,
> > > well, because.
> >
> > In the enterprise environment that there's been some insistence
> > from folks on this list is a legitimate place to block "rogue" APs,
> > what makes those SSIDs, "yours"? Just because they were used first
> > by the enterprise? That doesn't seem to hold water in an unlicensed
> > environment to me at all.
> >
> > Pretty much... Here's why...
> >
> > If you are using an SSID in an area, anyone else using the same SSID
> > later is causing harmful interference to your network. It's a
> > first-come-first-serve situation. Just like amateur radio spectrum...
> > If you're using a frequency to carry on a conversation with someone,
> > other hams have an obligation not to interfere with your conversation
> > (except in an emergency). It's a bit more complicated there, because
> > you're obliged to reasonably accommodate others wishing to use the
> > frequency, but in the case of SSIDs, there's no such requirement.
> >
> > Now, if I start using SSID XYZ in building 1 and someone else is
> > using it in building 3 and the two coverage zones don't overlap, I'm
> > not entitled to extend my XYZ SSID into building 3 when I rent space
> > there, because someone else is using it in that location first.
>
> So your position is that if I start using Starbucks' SSID in a location
> where there is no Starbucks, and they later move in to that building,
> I'm entitled to compel them to not use their SSID?

It isn't "Starbucks' SSID". There are no ownership rights or registrations of SSIDs for unlicensed wireless networks. So, under the existing regulatory framework, whoever arrived last is the one causing "harmful interference".

> > I can only extend my XYZ coverage zone so far as there are no
> > competing XYZ SSIDs in the locations I'm expanding into.
>
> Is there FCC guidance on this, or is this "Regulations As Interpreted By
> Owen"?

This is many FCC responses to various part 15 interference complaints as interpreted by Owen.

> > Depends on whether you were the first one using the SSID in a
> > particular location or not.
> >
> > Sure, this can get ambiguous and difficult to prove, but the reality
> > is that most cases are pretty clear cut and it's usually not hard to
> > tell who is the interloper on a given SSID.
>
> It's usually easy to tell, but I doubt the FCC would find it relevant.
>
> There's a lot of amateur lawyering going on in this thread, in an area
> where there's a lot of ambiguity. We don't even know for sure that
> what Marriott did is illegal -- all we know is that the FCC asserted it
> was and Marriott decided to settle rather than litigate the matter. And
> that was an extreme case -- Marriott was making transmissions for the
> *sole purpose of preventing others from using the spectrum*.

I don't see a lot of ambiguity in a plain text reading of part 15. Could you please read part 15 and tell me what you think is ambiguous?

Owen

Perhaps. I admit that trademark would be a novel approach that might succeed. Of course if I put a satire of Starbucks up on the captive portal, do I qualify under the fair use doctrine for satire?

I think in most cases, people are able to be adults and work it out reasonably without involving the FCC or the PTO.

Owen

In this particular case, I think that enterprise could go a very long way to driving a solution through
standards and deployment. They, after all, call the shots of who does and who doesn't get over
the corpro-drawbridge. A much different state of affairs than the typical unwashed masses dilemma.

Assuming that there's the perception that this is a big enough problem, of course.

Mike

Though this requires you to buy the argument that the use of a wordmark
*in an address of some type* is infringing under the terms of the Lanham
Act, which is a point on which I don't believe there's presently any case
law, and which I think would be a difficult argument to prosecute against
a properly defended plaintiff.

Just *using a word* that someone has registered as a wordmark is not
inherently infringement, or Ford City PA would be in serious trouble.
The Lanham Act is *quite* clear on what is an infringing use, and I
don't myself believe the posited case qualifies.

Cheers,
-- jr 'IANAL' a

Marriott was actually accused of violating 47 USC 333:
   No person shall willfully or maliciously interfere with or cause
   interference to any radio communications of any station licensed or
   authorized by or under this chapter or operated by the United States
   Government.

In cases like the Marriott case, where the sole purpose of the
transmission is to interfere with other usage of the transmission,
there's not much ambiguity. But other cases aren't clear from the
text.

For example, you've asserted that if I've been using "ABCD" as my SSID
for two years, and then I move, and my new neighbor is already using
that, that I have to change. But that if, instead of duplicating my
new neighbor's pre-existing SSID, I operate with a different SSID but
on the same channel, I don't have to change. I'm not saying your
position is wrong, but it's certainly not clear from the text above
that that's where the line is. That's what I meant by ambiguity.

(What's your position on a case where someone puts up, say, a
continuous carrier point-to-point system on the same channel as an
existing WiFi system that is now rendered useless by the p-to-p system
that won't share the spectrum? Illegal or Legal? And do you think the
text above is unambiguous on that point?)

     -- Brett

[snip]

Actually... I would suggest that it is not entirely clear if you have
to change or not. Your conflicting SSID in no way impedes the use of
the spectrum, one of you just has to recode your SSID; this is
different from setting up a WIPS Rogue AP containment feature to
completely block an AP from ever being used. If your SSID happens
to conflict with your neighbor's SSID by coincidence, and the SSID is
a common name such as Linksys, then this conflict alone probably does
not qualify as willful or malicious interference.

As the spectrum is unlicensed, neither of you is a licensed station, and
neither of you has "priority"; neither of your stations is a primary
or secondary user. Both of your stations have to accept the
unintended interference in the unlicensed frequencies; it is
essentially up to the two of you to either take it upon yourself to
change your own SSID, or to negotiate with your neighbor.

On the other hand, if you chose a SSID for your AP of "STARBUCKS" and
you set this up in proximity to a Starbucks location or selected
"[YOURNEIGHBORSCOMPANYNAME]" as your SSID; it would seem to be more
evident that any interference that was occurring to their wireless
station operation was willful and possibly a malicious attempt to
compromise client security.

> > > There's a lot of amateur lawyering going on in this thread, in an area
> > > where there's a lot of ambiguity. We don't even know for sure that
> > > what Marriott did is illegal -- all we know is that the FCC asserted it
> > > was and Marriott decided to settle rather than litigate the matter. And
> > > that was an extreme case -- Marriott was making transmissions for the
> > > *sole purpose of preventing others from using the spectrum*.
> >
> > I don't see a lot of ambiguity in a plain text reading of part 15.
> > Could you please read part 15 and tell me what you think is
> > ambiguous?
>
> Marriott was actually accused of violating 47 USC 333:
>    No person shall willfully or maliciously interfere with or cause
>    interference to any radio communications of any station licensed or
>    authorized by or under this chapter or operated by the United States
>    Government.
>
> In cases like the Marriott case, where the sole purpose of the
> transmission is to interfere with other usage of the transmission,
> there's not much ambiguity. But other cases aren't clear from the
> text.
>
> For example, you've asserted that if I've been using "ABCD" as my SSID
> for two years, and then I move, and my new neighbor is already using
> that, that I have to change. But that if, instead of duplicating my
> new neighbor's pre-existing SSID, I operate with a different SSID but
> on the same channel, I don't have to change. I'm not saying your
> position is wrong, but it's certainly not clear from the text above
> that that's where the line is. That's what I meant by ambiguity.

I've watched this discussion with much amusement. In a manner similar
to our legal system, where a lot of the law is actually defined by what
is commonly called "case law", most of the non-radio geeks here are
talking about radios and spectrum as though all of this represents some
sort of new problem, when in fact the agency tasked with handling it is
older than any of us.

> (What's your position on a case where someone puts up, say, a
> continuous carrier point-to-point system on the same channel as an
> existing WiFi system that is now rendered useless by the p-to-p system
> that won't share the spectrum? Illegal or Legal? And do you think the
> text above is unambiguous on that point?)

It doesn't matter if you think your quoted text on this point is
ambiguous. The fact of the matter is that decades of policy are
that the FCC decided many years ago that you cannot go onto shared,
unlicensed spectrum with a powerful transmitter and hold the mic
open with the intent to disrupt the legitimate communications traffic
of others on that channel. This logically derives fairly
straightforwardly from the quoted text, and the fact that wifi deauth
interference is merely a packet-pushing variant of this isn't really
hard for the average person to extrapolate.

But they also have decades of experience with other aspects of more
subtle radio shenanigans, and they have the authority to sort it all
out, so what we should really be hoping for is that the FCC doesn't
do something onerous like mandate registration of access point MAC's
and SSID's if and when it gets to a point where it is considered a
true problem. That could well be the regulatory "solution" to your
ABCD problem, but it would be a heavy-handed fix to a minor problem.

... JG

> In this particular case, I think that enterprise could go a very long way to driving a solution through
> standards and deployment. They, after all, call the shots of who does and who doesn't get over
> the corpro-drawbridge. A much different state of affairs than the typical unwashed masses dilemma.

Not sure what you mean by corpro-drawbridge in this context.

Some corporations exercise extreme control over their clients. They are the exception, not the rule.

The vast majority of corporate environments have to face the realities of BYOD and minimal control over client configuration, software load, etc.

> Assuming that there's the perception that this is a big enough problem, of course.

Not sure. The issue you seem to be talking about seems somewhat orthogonal to the original topic of the thread, so I'm not sure going too deep into it in this forum is appropriate.

Owen

It means that they can exercise control of what they allow on their corporate network, byod or not. Nobody
would allow a WEP-only wireless device on their network these days, so it's not hard to imagine that if a standard
for authenticating AP's became available and enterprises went to the effort to upgrade their AP kit, they could
reasonably say "use a client that supports this, or you must vpn in".

That's a much better outcome than quibbling about squatter's rights, blah blah blah.

Mike

> > For example, you've asserted that if I've been using "ABCD" as my SSID
> > for two years, and then I move, and my new neighbor is already using
> > that, that I have to change. But that if, instead of duplicating my
>
> [snip]
>
> Actually... I would suggest that it is not entirely clear if you have
> to change or not. Your conflicting SSID in no way impedes the use of
> the spectrum, one of you just has to recode your SSID; this is
> different from setting up a WIPS Rogue AP containment feature to
> completely block an AP from ever being used. If your SSID happens
> to conflict with your neighbor's SSID by coincidence, and the SSID is
> a common name such as Linksys, then this conflict alone probably does
> not qualify as willful or malicious interference.

Right... You probably don't face the issues under 47CFR333, but you've
still got a 47CFR15.5 problem of harmful interference.

> As the spectrum is unlicensed, neither of you is a licensed station, and
> neither of you has "priority"; neither of your stations is a primary
> or secondary user. Both of your stations have to accept the
> unintended interference in the unlicensed frequencies; it is
> essentially up to the two of you to either take it upon yourself to
> change your own SSID, or to negotiate with your neighbor.

Actually, in multiple situations, the FCC has stated that you are responsible
when deploying a new unlicensed transmitter to ensure that it is deployed in
such a way that it will not cause harmful interference to existing operations.

Using the same SSID of someone else who is already present would, IMHO,
meet the test of "causing harmful interference".

> On the other hand, if you chose a SSID for your AP of "STARBUCKS" and
> you set this up in proximity to a Starbucks location or selected
> "[YOURNEIGHBORSCOMPANYNAME]" as your SSID; it would seem to be more
> evident that any interference that was occurring to their wireless
> station operation was willful and possibly a malicious attempt to
> compromise client security.

Willful and malicious only comes into play if you're looking to prosecute under 333.

Any harmful interference is still a problem under 15.5.

Owen

> > > In this particular case, I think that enterprise could go a very long way to driving a solution through
> > > standards and deployment. They, after all, call the shots of who does and who doesn't get over
> > > the corpro-drawbridge. A much different state of affairs than the typical unwashed masses dilemma.
> >
> > Not sure what you mean by corpro-drawbridge in this context.
> >
> > Some corporations exercise extreme control over their clients. They are the exception, not the rule.
> >
> > The vast majority of corporate environments have to face the realities of BYOD and minimal control over client configuration, software load, etc.
>
> It means that they can exercise control of what they allow on their corporate network, byod or not. Nobody
> would allow a WEP-only wireless device on their network these days, so it's not hard to imagine that if a standard
> for authenticating AP's became available and enterprises went to the effort to upgrade their AP kit, they could
> reasonably say "use a client that supports this, or you must vpn in".

I think most environments already support this to some extent in terms of the APs participating in the controller framework and 802.1x authentication.

However, that doesn't cover the guy that brings a linksys in and plugs it into his wired port.

I think the only solution for those is detection followed by blocking the wired port until resolution. Most companies I have worked with that took the time to think this through simply made it an instant firing offense for anyone to plug in an unauthorized WAP to the corporate wired network, problem solved.

> That's a much better outcome than quibbling about squatter's rights, blah blah blah.

To the extent that such is a feasible solution, I think it was long since done. That's got nothing to do with what this discussion was about, however, you've warped it into a completely different problem space.

Owen