A US student in the state of Omaha has admitted to redirecting the school's outbound traffic to an Android device, leaving the school with intermittent network access over three days.
The student, whose identity has not been revealed, reportedly used "ARP" (Address Resolution Protocol) spoofing or poisoning to siphon off Horizon High School's network traffic to the smartphone.
ARP spoofing could allow an attacker to silently reroute packets between two machines to a third machine if they were able to forge an IP/MAC address association in a target machine's ARP cache.
However, if the attacker were able to associate their device's MAC address with, for example, a local area network's gateway, it could give them access to the network's entire outbound traffic.
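From the defender's side, a forged gateway association shows up as an ARP message whose sender IP is the gateway's but whose sender MAC is not. The following is an added example, not code from the article or from the Arpspoof app: it parses raw ARP payloads and flags any that contradict a pinned or previously learned IP/MAC binding. All addresses, the sample packets and the names `ArpWatch`, `build_arp` and `run` are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
def parse_arp(payload: bytes):
    """Return (oper, sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    f = struct.unpack(ARP_FMT, payload[:28])
    if f[:4] != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return f[4], f[5].hex(":"), str(IPv4Address(f[6]))

class ArpWatch:
    """Flags ARP messages whose sender IP/MAC pair contradicts a known binding."""
    def __init__(self, pinned):
        self.pinned = dict(pinned)   # admin-set bindings, never overwritten
        self.learned = {}            # first-seen bindings for other hosts

    def observe(self, payload: bytes):
        _oper, mac, ip = parse_arp(payload)
        if ip == "0.0.0.0":          # ARP probe: sender claims no address
            return None
        expected = self.pinned.get(ip) or self.learned.setdefault(ip, mac)
        if mac == expected:
            return None
        return (ip, expected, mac, "pinned" if ip in self.pinned else "learned")

def build_arp(oper, sha, spa, tha, tpa):  # helper for the constructed sample only
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

GW_IP, GW_MAC = "192.168.1.1", "00:11:22:33:44:55"   # constructed addresses
PHONE_MAC, PC_MAC, ZERO = "02:00:00:00:00:50", "02:00:00:00:00:20", "00:00:00:00:00:00"
SAMPLE = [  # constructed traffic, not taken from the incident
    build_arp(2, GW_MAC, GW_IP, PC_MAC, "192.168.1.20"),      # genuine gateway reply
    build_arp(1, PHONE_MAC, "192.168.1.50", ZERO, GW_IP),     # phone's own request
    build_arp(1, PC_MAC, "0.0.0.0", ZERO, "192.168.1.20"),    # address probe
    build_arp(2, PHONE_MAC, GW_IP, PC_MAC, "192.168.1.20"),   # gateway IP, phone MAC
]

def run(packets):
    watch = ArpWatch({GW_IP: GW_MAC})
    return [alert for alert in map(watch.observe, packets) if alert]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print("ALERT ip=%s expected=%s claimed=%s binding=%s" % alert)
```

Pinning the gateway's binding means a forged message cannot replace it in the watcher's table, so every later forged message for that IP keeps alerting.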
Staff said the student admitted using an app called Arpspoof and showed them how it worked, but then deleted it and password-protected the phone before they knew what the student was doing, according to MSNBC.
The free open source network auditing tool, available on Google's Android Market, contains a link to a tutorial which notes that "arpspoofing between a machine and the LANs gateway you can see all the traffic it's sending out to the Internet", which appears to be exactly what the student did.
The school's IT staff discovered that "all of the outgoing Internet traffic was redirected to the student's Android cellphone instead of the intended recipients", according to the search warrant obtained by MSNBC.
"arpspoof is an open source tool for network auditing," the product description reads on Android Market.
"It redirects packets on the local network by broadcasting spoofed ARP messages. Arpspoof displays the packets that the victims are sending to the device, but it doesn't save them. If you're wanting to analyse the packets then you should save them by running tcpdump."
Staff were "unable to actively use their computers" between 9 and 11 January, according to a search warrant issued by Douglas County police.
The sheriff's office has a warrant giving it the authority to forensically examine the device, according to the report.