TV Licence Wi-Fi detector vans

Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
Seems like a bit of a security vulnerability if an external user can distinguish the streams for different applications separately - I always assumed that at the most basic level the data sent over a protocol would be combined up to the max packet size and indistinguishable.

It's the nature of how IP works - you can't bundle the traffic for iplayer and youtube together because they're going to different places.

Is it a security flaw - well, properly analysed it can give up users and usage patterns, it's a fundamental part of how IP works though and it was designed in an era when those concerns weren't really valid as the people designing it kind of only expected universities and governments to use it...
 
Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
Good good, then I can keep watching iPlayer without a licence. No WiFi on the machine I'd watch iPlayer on here :)

Doesn't need to be wifi on the machine in theory, just on the same network, if you have a wired machine plugged into a BT / VM / virtually any normal home router then it can potentially leak the traffic. That's an extreme case of course, I think they'd be satisfied with catching the wifi users only...
 
Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
Regarding VPN use, I seem to recall that the packets are fixed length.

As for the new WiFi detector vans, I think they will be used in the same way the TV detectors were:-

1. Publicise the presence of vans operating in an area to frighten people into buying a license.
2. Attempt to trick any remaining non-license holders into admitting they were using the iPlayer illegally by falsely claiming they have proof from their high tech WiFi detector vans.

They're not a fixed length, that's basically impossible, applications will generate different length packets and a VPN basically has to pass them on, you could pad them to a fixed length but you'd have to un-pad them somewhere otherwise they'd make no sense to whatever you're sending them to...
 
Man of Honour, joined 13 Oct 2006, 90,999 posts
It's the nature of how IP works - you can't bundle the traffic for iplayer and youtube together because they're going to different places.

I would have thought that was irrelevant over the air - the WPA2 stream is "handshaked" between the client and router and the router would then take apart the frame to send the data onto the relevant destination - no need to transmit anything that would allow identification of the destination outside of the encapsulated format used between client and the router.

Sadly I've not studied any of this since like 1997 so my knowledge is way outdated.

Seems like a massive flaw in WPA2 if you can distinguish that kind of stuff before it is decrypted, even if you can't work out specifics.
 
Associate, joined 6 Jun 2016, 164 posts, Cambridge
They're not a fixed length, that's basically impossible, applications will generate different length packets and a VPN basically has to pass them on, you could pad them to a fixed length but you'd have to un-pad them somewhere otherwise they'd make no sense to whatever you're sending them to...

I thought that is exactly what the VPN did (in addition to encryption etc): pad the sent packets to a fixed length then the VPN receiving end removes the padding and passes the original packets on.
 
Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
I would have thought that was irrelevant over the air - the WPA2 stream is "handshaked" between the client and router and the router would then take apart the frame to send the data onto the relevant destination - no need to transmit anything that would allow identification of the destination outside of the encapsulated format used between client and the router.

Sadly I've not studied any of this since like 1997 so my knowledge is way outdated.

Seems like a massive flaw in WPA2 if you can distinguish that kind of stuff before it is decrypted, even if you can't work out specifics.

It's not destination here that's in question, simply size, and size is nothing to do with WPA or wireless generally, it's determined by the packet the application and network stack on the host create...

Taking apart packets to normalise size would be prohibitively expensive in compute terms (i.e. you'd get awful performance if you did that...) and also largely pointless. The only thing it shows is you are accessing a certain site and requires both capturing your wifi traffic and controlling the site. There aren't many scenarios where that's a big concern...
 
Man of Honour, joined 13 Oct 2006, 90,999 posts
Taking apart packets to normalise size would be prohibitively expensive in compute terms (i.e. you'd get awful performance if you did that...) and also largely pointless. The only thing it shows is you are accessing a certain site and requires both capturing your wifi traffic and controlling the site. There aren't many scenarios where that's a big concern...

Isn't that just standard encapsulation though? You stick the application packets intact inside a container packet for another layer transmission protocol and then the end point strips them out and sends them on.
 
Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
I thought that is exactly what the VPN did (in addition to encryption etc): pad the sent packets to a fixed length then the VPN receiving end removes the padding and passes the original packets on.

No, it'd hit performance hard because you'd have to interact with every packet, work out what was padding and what was original content and then modify it back at the receiving end. That's untenable at any scale at all.

It'd also introduce some latency and potentially some jitter, which isn't ideal for video traffic...

Also - it's pointless...there's no good reason I can think of to do it. For this to work to fingerprint a user you need control of both the content source and access to a dump of their wireless traffic. Nobody aside from government type bodies (and google) really have that capability and they have other, easier, ways of obtaining this information in most circumstances (like getting GCHQ to tell your ISP to hand over your traffic and not tell anybody).

The BBC potentially using this would be the only practical use of this I can think of...though I can't help but think simply implementing log-ons linked to the TV license database would be a better bet...
 
Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
Isn't that just standard encapsulation though? You stick the application packets intact inside a container packet for another layer transmission protocol and then the end point strips them out and sends them on.

No, because encapsulation is predictable, if I encrypt a packet with simple GRE for instance then I know it's an additional 4 bytes on the packet. So to remove the encapsulation I remove the 4 bytes which are in a predictable place.

If you want to pad the packet to a certain size you need to work out how much to remove at the other end then remove it. It doesn't sound like a big deal but bear in mind most packets are <1500 bytes so a 10mbit/s stream is at the very minimum 850 packets a second (probably more like 2000 packets/s at least) so doing that for every packet and not killing performance gets very expensive.

EDIT: while it's more of an issue as a receiver, it's not trivial as a sender either, encapsulation puts a set header on every packet, padding requires looking at how big the packet is, calculating the extra to add and *then* adding it. That's essentially three times as much work per packet compared to encapsulation.
 
Soldato, joined 29 May 2006, 5,349 posts
They'd still have to prove that the device terminating the stream was on your property.

Providing the BBC magic van could sniff and identify packets being sent over a wifi link, they'd then have to prove that "their" packets were being terminated by a device you were responsible for.

Well it's easy to show the wireless is coming from your property. It normally takes minutes, if that, to work out the location of a wireless access point and it would be very odd to have a wireless access point in your property you are not responsible for.

It seems like they could show a person accessing iPlayer over wireless without a licence. I am not 100% on the law, is that enough to justify a search warrant? Would it be up to you to prove someone else accessed iPlayer or up to them to prove you accessed iPlayer? This is only a guess but I would have thought showing a property accessed iPlayer without a license is enough to take the owner to court. It remains to be seen how they will handle guest users.
 
Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
Well it's easy to show the wireless is coming from your property. It normally takes minutes, if that, to work out the location of a wireless access point and it would be very odd to have a wireless access point in your property you are not responsible for.

It seems like they could show a person's wireless accessed iPlayer without a licence. I am not 100% on the law, is that enough to justify a search warrant? Would it be up to you to prove someone else accessed iPlayer or up to them to prove you accessed iPlayer? This is only a guess but I would have thought showing a property accessed iPlayer without a license is enough to take the owner to court. It remains to be seen how they will handle guest users.

Oh, it'd easily be enough to justify a warrant.

It might be enough to bring a civil case against you, where (see my previous link) they, in layman's terms, basically only need to prove that their version of events is more likely to be true than yours.

As said earlier though, there is a fairly easy get out - get a friend who has a TV license to say they were round at yours, used your wireless and happened to watch some iplayer on their phone while they were there.

Then you're good (and he, of course, is guilty of perjury and liable for up to 7 years in jail and/or a fine)
 
Soldato, joined 29 May 2006, 5,349 posts
Oh, it'd easily be enough to justify a warrant.

It might be enough to bring a civil case against you, where (see my previous link) they, in layman's terms, basically only need to prove that their version of events is more likely to be true than yours.

As said earlier though, there is a fairly easy get out - get a friend who has a TV license to say they were round at yours, used your wireless and happened to watch some iplayer on their phone while they were there.

Then you're good (and he, of course, is guilty of perjury and liable for up to 7 years in jail and/or a fine)
Thanks, I suspected that but wasn't up on the law enough to be sure.

Just for double measure make sure they have accessed your WAP recently with their own device leaving a log trail. Assuming you have a WAP that records device access.
 
Associate, joined 6 Jun 2016, 164 posts, Cambridge
They're not a fixed length, that's basically impossible, applications will generate different length packets and a VPN basically has to pass them on, you could pad them to a fixed length but you'd have to un-pad them somewhere otherwise they'd make no sense to whatever you're sending them to...

I agree that I was wrong about fixed length packets but I believe I would be correct in saying that the size of the data to be encrypted has to be a multiple of the cipher block size which means that the data has to be padded with zero or more bytes before encryption.
 
Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
I agree that I was wrong about fixed length packets but I believe I would be correct in saying that the size of the data to be encrypted has to be a multiple of the cipher block size which means that the data has to be padded with zero or more bytes before encryption.

This is partially true (it depends on the encryption algorithm and implementation) but isn't always true in modern encryption.

But the padding in the cases where it is used it always pads to the next multiple. This is the obvious implementation as padding to anything else would be a slightly insane waste of data.

If you're padding for obfuscation then you need to pad to maximum packet size that might be sent by the application (so around 1400 bytes for most home connections), if you padded 64 byte packets to 1400 bytes then for every megabyte of actual data you'll be sending nearly 21MB of padding...

Even for a more reasonable packet size like 300 bytes, padding to maximum packet size would end up with 80% of your traffic being padding. Or to put that another way, to get 20Mbit/s of actual data you'd need a 100Mbit/s link.
 
Associate, joined 6 Jun 2016, 164 posts, Cambridge
So if the device running iPlayer uses a VPN with a cipher that requires padding it would not be possible for a sequence of specific packet lengths sent by the application to be accurately detected by anyone monitoring the WiFi.
 
Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
So if the device running iPlayer uses a VPN with a cipher that requires padding it would not be possible for a sequence of specific packet lengths sent by the application to be accurately detected by anyone monitoring the WiFi.

Well, I haven't run the numbers but I think even then, because the padding is somewhat predictable, you could use a similar pattern and statistical analysis to get to a fair degree of certainty...

This is all academic really, this is merely about what's technically possible, it's not actually going to be done at any scale if at all - if they sent the sequence every 10 seconds even, they'd need to be in range of each network for, perhaps, 30 seconds to get sufficient evidence...that's incredibly slow to cover any useful number of properties.

If anything they'll catch a few people, let the press have a field day with it and watch people buy licenses...it's only economically sane they go for the minimum credible deterrence. 10 high profile prosecutions would serve their purposes and 95% of people would buy a license for ~£10/month rather than trying to evade it with VPNs (as, unless you really hate the BBC for some reason but still want to watch their content, that's the logical response).
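The padding arithmetic from the two posts above (block-size rounding, pad-to-MTU overhead, and the point that predictable padding still leaks a size pattern), worked through as an added example that is not part of the thread. The 1400-byte MTU is the thread's figure; the 16-byte block, the 128-byte bucket width and the packet-size sequences are constructed assumptions.

```python
"""Padding vs. size-based traffic analysis (added example; not from the thread).

Rounding up to the cipher block size leaks almost every packet length, padding
every packet to the MTU hides lengths at a multiple of the bandwidth, and
bucketing sits in between. All packet sizes are constructed sample values.
"""
MTU = 1400      # payload ceiling assumed in the thread for a home connection
BLOCK = 16      # AES block size in bytes
BUCKET = 128    # arbitrary bucket width, chosen for illustration


def round_up(n, step):
    """Smallest multiple of `step` that is >= n (adds zero bytes when aligned)."""
    return -(-n // step) * step


SCHEMES = {
    "none": lambda n: n,                                # lengths pass straight through
    "block": lambda n: round_up(n, BLOCK),              # block-cipher padding, as described above
    "bucket": lambda n: min(MTU, round_up(n, BUCKET)),  # coarse size classes
    "mtu": lambda n: MTU,                               # every packet padded to the maximum
}


def analyse(lengths, scheme):
    """Bandwidth cost and how many size classes an observer can still tell apart."""
    padded = [SCHEMES[scheme](n) for n in lengths]
    payload, wire = sum(lengths), sum(padded)
    return {
        "overhead": (wire - payload) / payload,     # padding bytes sent per payload byte
        "padding_share": (wire - payload) / wire,   # fraction of the link carrying padding
        "distinct_in": len(set(lengths)),
        "distinct_out": len(set(padded)),
    }


def distinguishable(seq_a, seq_b, scheme):
    """True if an observer seeing only padded lengths can tell the two sequences apart."""
    pad = SCHEMES[scheme]
    return [pad(n) for n in seq_a] != [pad(n) for n in seq_b]


# Constructed: a hypothetical "watermark" burst and a second stream whose sizes
# differ from it by only a few bytes in each position.
WATERMARK = [64, 300, 1200, 700, 64, 1000]
OTHER_STREAM = [70, 290, 1190, 710, 60, 990]

if __name__ == "__main__":
    for scheme in SCHEMES:
        s = analyse(WATERMARK, scheme)
        print(scheme, f"overhead={s['overhead']:.2f}", f"padding={s['padding_share']:.0%}",
              f"classes={s['distinct_in']}->{s['distinct_out']}",
              f"distinguishable={distinguishable(WATERMARK, OTHER_STREAM, scheme)}")
```

Block padding leaves all five size classes and the burst pattern visible; bucketing collapses the two constructed streams into the same observed sequence at roughly 12% overhead, while pad-to-MTU reproduces the 20.875:1 padding ratio for 64-byte packets quoted above.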
 
Man of Honour, joined 30 Jun 2005, 9,515 posts, London Town!
Or just set a stupidly low MTU on the appropriate interface.

That might work, unless they used a sequence of really small packets - if they used packets in the 30-40 byte range you're hardly going to kill the performance of your connection by setting the MTU to 20 bytes are you (or maybe you are, but it's a poorly thought out response).

Another amusing thing would be, if you lived at say, number 21, to set the name of your wifi to 'number22-wifi' - that'd introduce a level of doubt that would probably make it less attractive to pursue.

But again, I'm just talking about the technical feasibility of this, it's not going to happen at scale - if anything they'll just prosecute a handful of people and make sure they all make the papers and get the book thrown at them...
 
Caporegime, joined 18 Oct 2002, 26,078 posts
They've done it in a lab so they can say "we can do this" and it not be a lie. It's a propaganda piece to scare people into paying (and if you genuinely think you deserve to watch content that costs money to produce free of charge and other people should cover your share then please go and play in traffic), I very much doubt a single van will actually exist.
 