Michigan wardrivers await sentencing

'This has messed up my entire life,' laments wireless felon

  • alert
  • submit to reddit

High performance access to file storage

In what prosecutors say is likely the first criminal conviction for wardriving in the US, a Michigan man plead guilty Wednesday to a federal misdemeanor for using the Internet through an open Wi-Fi access point at a Lowe's home improvement store in suburban Detroit.

Paul Timmins, 23, pleaded guilty to a single count of unauthorized access to a protected computer. He was cleared of more serious charges of participating in a scheme organized by his roommate and another man to later use the wireless network to hack into Lowe's computers and siphon credit card numbers.

Timmins, who works as a network engineer, and his then-roommate Adam Botbyl, now 21, initially stumbled across the unsecured wireless network at the Southfield, Michigan Lowe's in the spring of 2003, while driving around with laptop computers looking for wireless networks - the geek sport of "wardriving".

Timmins immediately used the network to check his email, not knowing that it wasn't intended for public access, he claimed in an a telephone interview with SecurityFocus on Thursday. Then when he tried to surf the Web, and found himself connected to a Lowe's corporate portal instead, he realized it was a private corporate network, and he disconnected, he says.

"Was it in violation of the law?" Timmins said. "Technically, yes... Did Adam seeing it help him decide to hack Lowe's? Definitely. But it's not like I said, 'Here's a good place to hack,' or anything. Had he not seen me do that, he would probably have chosen a different retail store."

Botbyl noted the network, and six months later returned with his friend Brian Salcedo, now 21, a young hacker on the last month of a three-year probation term from a juvenile computer crime conviction. From the parking lot of the Southfield Lowe's, Salcedo and Botbyl used the wireless network to route through the company's corporate data center in North Carolina and connect to the local networks at stores in Kansas, North Carolina, Kentucky, South Dakota, Florida, and two stores in California.

At two of the stores - in Long Beach, California and Gainseville, Florida - Botbyl and Salcedo modified a proprietary piece of software called "tcpcredit" that Lowe's uses to process credit card transactions, building in a virtual wiretap that would store customer's credit card numbers where the hackers could retrieve them later.

"I tried to discourage Adam several times," says Timmins. "He kept saying, 'They won't catch us.' I'm like, 'Whatever. Don't do it here.'"

Prison terms

At some point, Lowe's network administrators and security personnel detected and began monitoring the intrusions, and called in the FBI. In November, a Bureau surveillance team staked out the Southfield Lowe's parking lot, and spotted a white Pontiac Grand Prix with suspicious antennas and two young men sitting inside, one of them typing on a laptop from the passenger seat, according to court documents. The car was registered to Botbyl.

After 20 minutes, the pair quit for the night, and the FBI followed them to a Little Ceasar's pizza restaurant, then to a local multiplex. While the hackers took in a film, Lowe's network security team pored over log files and found the bugged program, which had collected only six credit card numbers.

FBI agents initially misidentified Timmins as the passenger in Botbyl's car, and both men were arrested on 10 November. Under questioning, Botbyl and Timmins pointed the finger at Salcedo.

All three men were slammed with a 16-count federal indictment in North Carolina, where Lowe's data center is based, charging them with computer intrusions, damage and fraud. Last June, Salcedo and Botbyl both entered guilty pleas in plea agreements with prosecutor Matthew Martens. Botbyl faces 41 to 51 months in prison under federal sentencing guidelines; Salcedo faces an unusually harsh 12 to 15 year prison term, based largely on a stipulation that the potential losses in the scheme exceeded $2.5 m. Both men are eligible for lower sentences if the government credits them with providing substantial assistance in prosecuting other suspects. No sentencing date has been set.

Salcedo is being held without bail, and could not be reached for comment.

In an interview Thursday, Botbyl, free on bail, unemployed, banned from computers and awaiting a certain prison term, expressed regret over the credit card scheme.

"I'm accepting responsibility for what I did, and the consequences" said Botbyl, who was a computer science student at the time of his arrest. "It's going to take a lot to start to get my reputation back. This has messed up my entire life for at least 10 or 15 years. It'll be at least 2010 before I can even touch a computer again."

Timmins' misdemeanor conviction will leave him better situated than Botbyl and Salcedo: his possible sentence ranges from probation, to a maximum of 12 months in custody. No sentencing date has been set.

Cyberlaw lawyer Jennifer Granick, director of Stanford Law School's Center for Internet and Society, agrees with the government that Timmins' is likely the first wardriving conviction. But she isn't convinced that he actually committed a crime.

"Using an open wireless access point isn't the same thing as using a computer illegally," says Granick. "Convictions for this type of thing are possible where it's part of a larger criminal case, but it shouldn't happen in the absence of some other criminal purpose, like stealing credit cards, or knowledge that the network is closed. Wardriving isn't criminal."

"All he did was check his email and try to browse the Internet," said Botbyl. "That's the only connectivity he had with their network. He didn't do anything at all... I think the only reason they charged him is because they arrested him."

Copyright © 2004, 0

Related stories

US wardriver pleads guilty to Wi-Fi hacks
Wi-Fi 'sniper rifle' debuts at DEFCON

High performance access to file storage

More from The Register

next story
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.