The indictment says they used a pen/trap device to monitor the wireless traffic. Does that mean they busted the encryption? I'm not saying that's a shock; it would seem more likely that they would monitor the traffic from the ISP's end rather than monitoring the wireless traffic.
No, they wouldn't have looked at anything that was encrypted. A "pen/trap" means they didn't examine the contents of the traffic at all, only where it was sent to (IP address). The term dates back to the old days of telephony -- a pen register would record dots for every digit dialed on a rotary dial (e.g., 8 dots if you dialed "8"). This would only allow the police to determine what phone numbers you dialed. There is another type of warrant that allows you to actually eavesdrop on the conversation; that type of warrant was apparently not used in this case.
If you're monitoring the encrypted wireless traffic of a wifi router without busting the encryption, then what good are IP addresses? Do you even see IP addresses if the traffic is encrypted? Wouldn't you just see MAC addresses? And even if you did "see" IP addresses, wouldn't you just see the wireless client's and the router's IP addresses?
Correct, you would not see the IP header if you were snooping encrypted wireless traffic. But that's not really what was described. They describe a "wireless router monitoring device"... however, I don't think they mean "wireless router", but wireless "router". My guess is this is a physical 'wired' device, attached to, or installed in, a router, that transmits data to a nearby monitoring (FBI) agent 'wirelessly'. This is why they can see IP (wired, so no encryption), but can't see anything else (Tor).
Right. If you're the FBI and you have a warrant, you have access to the cable or wire coming out of the house and also to the ISP. There's no reason why you'd need to bother decrypting the transmissions between the user's computer and his wireless router. Although I've also read about the possibility that WPA wireless encryption can be cracked.
I would assume that up through the TCP/UDP header would be accessible to a pen/trap device. That's probably how they determined it was mostly TOR related traffic.
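An added example, not from any of the posters above, showing concretely what a pen/trap-style tap can read at the two points discussed in this thread: on the wire behind the router, the Ethernet, IPv4 and TCP/UDP headers are in the clear, so the tap records endpoints and ports without touching the payload; on the air under WPA/WPA2, only the 802.11 MAC header is readable and the IP header is inside the encrypted frame body. The two frames and the "known relay" set are hand-constructed test data (assumed addresses, not a capture or a real Tor consensus), and the function names are mine.

```python
"""
Pen/trap-style metadata extraction at two tap points (added example):
  - pen_trap_ethernet(): wired tap, reads L2/L3/L4 headers, never the payload.
  - pen_trap_80211():    over-the-air tap on a WPA-protected data frame, reads
                         only the 802.11 MAC header.
All frames below are constructed by hand for illustration.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# Constructed stand-in for a Tor relay list: (IP, ORPort) pairs. A real tap
# would use directory consensus data; none is fetched here (assumption).
KNOWN_RELAYS = {("203.0.113.7", 9001), ("198.51.100.42", 443)}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def pen_trap_ethernet(frame):
    """Return addressing metadata only; the payload is never read or returned."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    rec = {"dst_mac": mac_str(dst), "src_mac": mac_str(src)}
    if ethertype != ETHERTYPE_IPV4:
        return rec
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]
    src_ip, dst_ip = struct.unpack_from("!4s4s", frame, 14 + 12)
    rec.update(src_ip=ip_str(src_ip), dst_ip=ip_str(dst_ip), proto=proto)
    if proto in (PROTO_TCP, PROTO_UDP):   # ports sit at the same offset for both
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        rec.update(src_port=sport, dst_port=dport)
    return rec


def pen_trap_80211(frame):
    """802.11 data frame: only the MAC header is readable when Protected=1."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3              # 2 = data frame
    to_ds, from_ds, protected = fc1 & 1, (fc1 >> 1) & 1, (fc1 >> 6) & 1
    a1, a2, a3 = struct.unpack_from("!6s6s6s", frame, 4)
    # Which address is which depends on the ToDS/FromDS bits.
    if to_ds and not from_ds:
        roles = {"bssid": a1, "src_mac": a2, "dst_mac": a3}
    elif from_ds and not to_ds:
        roles = {"dst_mac": a1, "bssid": a2, "src_mac": a3}
    else:
        roles = {"addr1": a1, "addr2": a2, "addr3": a3}
    rec = {k: mac_str(v) for k, v in roles.items()}
    rec.update(data_frame=(ftype == 2), protected=bool(protected))
    # An IP header follows LLC/SNAP only in an unprotected data frame; under
    # WPA/WPA2 the body after the CCMP/TKIP header is ciphertext.
    rec["ip_header_visible"] = ftype == 2 and not protected
    return rec


def classify_flow(rec):
    """Pen/trap analysis: endpoint metadata only, no payload inspection."""
    key = (rec.get("dst_ip"), rec.get("dst_port"))
    return "tor-relay" if key in KNOWN_RELAYS else "other"


# --- constructed sample frames -------------------------------------------
def build_ethernet_tcp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234,
                     0x4000, 64, PROTO_TCP, 0, src_ip, dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_80211_protected(src_mac, bssid, dst_mac, ciphertext):
    fc = bytes([0x08, 0x41])              # data frame; ToDS=1, Protected=1
    hdr = fc + b"\x00\x00" + bssid + src_mac + dst_mac + b"\x00\x00"
    return hdr + bytes(8) + ciphertext    # 8-byte CCMP header, then ciphertext


STA, AP, UPSTREAM = (bytes.fromhex(h) for h in
                     ("02abcdef0001", "02abcdef0002", "02abcdef00ff"))
CLIENT_IP, RELAY_IP = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 7])

WIRED_FRAME = build_ethernet_tcp(AP, UPSTREAM, CLIENT_IP, RELAY_IP,
                                 51234, 9001, b"\x16\x03\x01\x00\x2a")
AIR_FRAME = build_80211_protected(STA, AP, UPSTREAM, bytes(range(40)))

if __name__ == "__main__":
    print("wired tap:", pen_trap_ethernet(WIRED_FRAME), classify_flow(pen_trap_ethernet(WIRED_FRAME)))
    print("air tap:  ", pen_trap_80211(AIR_FRAME))
```

Run as written, the wired record carries source and destination IPs and ports and is classified as a relay flow from the (IP, port) pair alone, while the over-the-air record carries only station, BSSID and destination MACs with `ip_header_visible` false. The TLS-looking payload bytes in the wired frame are never read; that is the whole point of a pen/trap as opposed to a content intercept.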