Illicit use of a wireless network involves an attacker using the network because of its connection to other networks. Attackers may use a network to connect to the Internet or to connect to the corporate network that lives behind the AP. Illicit use may not cause any operational problems, but it still may be unwanted and unlawful use of the wireless network. An attacker in this case may simply be someone who drove up near the AP, associated to the network and is checking his mail. Alternatively, the attacker may be sending spam to thousands of email addresses. The attacker may even be attempting to exploit a file server that lives on the same network as the AP or use the AP as a mask to hide the source of illegal actions, such as hacking other networks.
No matter what the attacker is doing, his use is unacceptable. However, the different types of illicit use pose varying degrees of problems for the organization running the WLAN. Again, in a wired network, illicit use is not a likely problem. In order to use a wired network, an attacker must have physical access to the network infrastructure. For reasons already outlined, this is unlikely and generally risky for an attacker to do. However, in most wireless networks, an attacker has much more freedom and is less likely to be caught attempting to use the network. (Illicit use by authorized users is a different matter. They already have proper access to the network but are using it for activities that are forbidden by a network-usage policy.)
Access points are not difficult to find. An attacker can simply drive around an area looking for unprotected APs using war-driving software such as NetStumbler. Once an attacker finds an open AP, he can use it for whatever illicit use he desires.
Databases of APs have been created, removing the war-driving step. Some databases such as Cisco’s Hotspot Locator (http://www.cisco.com/pcgi-bin/cimo/Home) provide the location of closed APs that require payment to access outside resources. Other databases such as The Shmoo Group’s Global Access Wireless Database (http://www.shmoo.com/gawd) or NetStumbler’s database (http://www.netstumbler.com/query.php) consist of APs entered by individuals who have encountered them via various means including war driving. An attacker can query any of these public databases to determine nearby APs to use as a launching point.
Illicit resource use is a risk for several reasons. An attacker may launch attacks against external servers. These attacks will be seen as originating from the IP addresses of the owner of the access point. If these exploits are detected by remote administrators, they will be tracked down to the owner of the AP. The AP owner may be subject to punishment from his ISP or even a criminal investigation. Without a clear and complete audit trail, this form of illicit use may cause large problems for the AP owner.
In addition, the AP owner may be paying for transit to the Internet on a usage basis. If an attacker is using relatively large amounts of bandwidth, his usage may cost the AP owner money. Even when Internet access is not paid for on a usage basis, the attacker may be using enough bandwidth to infringe on the legitimate use by other clients using the same Internet connection. If an attacker is downloading mp3s via a 265 kb/s DSL connection, then other users of the DSL connection may experience extremely slow connectivity to external services.