I know who you are and I saw what you did.
October 20, 2014 11:13 AM   Subscribe

How secure is public wi-fi? A lot less than you probably imagine.
posted by Obscure Reference (52 comments total) 26 users marked this as a favorite
 
easily solved by using a VPN?
posted by C.A.S. at 11:16 AM on October 20, 2014


The biggest surprise is that Delicious is still around.
posted by ChurchHatesTucker at 11:19 AM on October 20, 2014 [10 favorites]


Client isolation people. How can someone who designs public wifi access points not know what client isolation is.
posted by GuyZero at 11:23 AM on October 20, 2014


Seems like public wi-fi is still "safe", given the "hacker" didn't hack the cafe's wi-fi network, right? He set up his own private network and waited for people to join. Correct?
posted by a lungful of dragon at 11:23 AM on October 20, 2014 [4 favorites]


VPNs solve a lot of these problems, but VPN software is just terrible. In particular it's very difficult to configure a normal computer to refuse to use public WiFi before the VPN link is set up and established. The moment you're online a bunch of background agents are checking Facebook, email, Twitter. All unsecured. Stupid.

But a shout out to Cloak, a VPN service with a really good MacOS client. It includes some magic that blocks non-SSL web traffic on untrusted networks. Also a really slick signon process. Drawbacks are it's MacOS / iOS only, and their VPN endpoints often seem to be blocked by sites like Yelp for being in spammer IP blocks.
posted by Nelson at 11:27 AM on October 20, 2014 [7 favorites]


the device, or at least one that is substantially similar to this, is called a pineapple. Can do a lot of bad things with them, that's for sure.
posted by k5.user at 11:31 AM on October 20, 2014


He set up his own private network and waited for people to join. Correct?

To join a network that appeared to be one they trusted, yes. Although that implies an active decision, and with most devices it's not.
posted by ChurchHatesTucker at 11:34 AM on October 20, 2014 [2 favorites]


Again we see their Mac-addresses and login history
Aha! Take that, Mac users!

It's little details like this that undermine a writer's credibility.
posted by xedrik at 11:35 AM on October 20, 2014 [13 favorites]


xedrik: MAC addresses have nothing to do with Mac computers:

http://compnetworking.about.com/od/networkprotocolsip/l/aa062202a.htm
posted by I-baLL at 11:39 AM on October 20, 2014 [4 favorites]


It's little details like this that undermine a writer's credibility.

Never attribute to stupidity that which is adequetely explained by autocorrect.

posted by ChurchHatesTucker at 11:40 AM on October 20, 2014 [10 favorites]


Seems a bit alarmist. Many of the DNS redirects he's apparently discussing would at the very least pop up browser warnings.
posted by odinsdream at 11:40 AM on October 20, 2014


"Never attribute to stupidity that which is adequetely explained by autocorrect. "

The original article is in Dutch. This is a translation.
posted by I-baLL at 11:42 AM on October 20, 2014 [3 favorites]


I just want to comment here about how delightful sounding the name "Wouter Slotboom" is to me. Wouter Slotboom. Wouter Slotboom! Wouter Slotboom.
posted by capricorn at 11:45 AM on October 20, 2014 [23 favorites]


Client isolation people. How can someone who designs public wifi access points not know what client isolation is.

Isn't the main issue that most public WiFi doesn't use any kind of encryption? My impression is that the attacks described in the article would all be defeated simply by turning on encryption and setting a password on the WiFi network (even if everyone knew what the password was). I don't think client isolation would help because all the data is being sent in the clear through the air anyway. It doesn't matter if you can't connect to peers on the network if you just want to snoop on the data that is going back and forth.
posted by zixyer at 11:51 AM on October 20, 2014


VPNs solve a lot of these problems, but VPN software is just terrible.

And don't get me started on the VPN server software. I consider myself reasonably technically adept (level: knows what "devops" is but doesn't do it for a living) and I still can't figure out how to set up a VPN on my home Linux server. The best option I've found is OpenVPN Connect, which isn't available via apt (that I know of) and only offers a download over insecure HTTP. Ugh.

He set up his own private network and waited for people to join. Correct?

To join a network that appeared to be one they trusted, yes. Although that implies an active decision, and with most devices it's not.

Yeah, here's something that's kinda mindblowing about how lousy Wifi security is.

So, you have a list of "trusted" Wifi access points in your phone, right? Let's say you just have your home and work APs trusted, and your phone is set up to never connect to anything else. Safe, right? Nope.

Because the way your phone (and every other wifi device) discriminates APs is completely bonkers. It doesn't scan all available wifi APs and look for one named "neckro's Home AP". Instead it does this:

(your phone finds a random access point)
Phone: Hey, are you "neckro's Home AP"?
AP: Nope, sorry.
Phone: Well then, are you "neckro's Work AP"?
AP: Nope.

So a device like the Wifi Pineapple (which is probably what the "hacker" was using) just has to do this:

Phone: Hey, are you "neckro's Home AP"?
Pineapple: Suuuure, I'm... "neckro's Home AP". Go ahead and connect!

...and then your phone doesn't care that you previously connected with a WPA2 passphrase, it just notices that this AP is letting it connect. This is all happening with your phone in your pocket. You don't have a reason to notice or care.
posted by neckro23 at 11:53 AM on October 20, 2014 [30 favorites]


zixyer: I'm not done reading the article but encryption was on. They logged in to the place's wifi. Client isolation would help as traffic from client A can't be seen by client B.

Also,

odinsdream: "Many of the DNS redirects he's apparently discussing would at the very least pop up browser warnings."

Haven't gotten to that part but why would it? Since the router is the dns server no warnings will pop up.
posted by I-baLL at 11:56 AM on October 20, 2014 [1 favorite]


Apparently, there is no way to forget old public wifi networks on the iPhone without connecting to them first. You can go to Settings > General > Reset > Reset Network Settings to clear all of your saved wifi networks, but there is no way to individually delete long-forgotten airport networks that I am aware of.
posted by a dangerous ruin at 11:57 AM on October 20, 2014 [1 favorite]


Seems a bit alarmist.

Yes. Not a big fan of articles in this style because the author doesn't project that they have enough knowledge to accurately reflect the level of risk involved. Is the author telling me HTTPS sites are nothing to this hacker? Seems like it. Other text implies that a bunch of information has been gleaned directly from devices, "magically", when in fact they did a web search for a person once they had a name and found out their details based on public web stuff. This is quite different from the magical-hacking aura that pervades the article.
posted by sylvanshine at 11:58 AM on October 20, 2014 [6 favorites]


zixyer: I'm not done reading the article but encryption was on. They logged in to the place's wifi. Client isolation would help as traffic from client A can't be seen by client B.

My impression is that the people they were hacking weren't connecting to the store's WiFi, but to a cheap dongle that was spoofing an unencrypted WiFi network (Starbucks).

The thing I dislike about articles like this is they spend all their time trying to scare you and precious little information is given on how the hacks actually work and how you can effectively protect yourself.
posted by zixyer at 11:59 AM on October 20, 2014 [10 favorites]


Modern public WiFi systems are very sophisticated and built from the ground up for security - going so far as to identify and block rogue networks, and even tell you exactly where in the building they are.

They're very expensive, require a lot of specialized network engineering talent to set up and run, so nobody except very large companies bothers with it. When they do, there's a chance they'll be misconfigured into an insecure state, or not have anyone monitoring security alerts. Yeah, a cafe probably isn't going to have an Aruba or FortiWiFi. Apple and Google and Microsoft really need to start taking zerto-trust models seriously for their consumer systems. There's no such thing as a secure network these days.
posted by Slap*Happy at 12:03 PM on October 20, 2014 [1 favorite]


That's what hacking is though, sylvanshine. Like stage conjuring, it's magic that relies on a lot of pretty humdrum techniques, once you know what they are.
posted by dontjumplarry at 12:04 PM on October 20, 2014 [1 favorite]


VPNs solve a lot of these problems, but VPN software is just terrible.

Another fun detail is that most computers are IPv4/IPv6 dual-stack by default nowadays but your favorite VPN is probably gonna be IPv4 only. So guess what happens when you connect to a dual-stack router and silently acquire both types of IP addresses, faithfully connect to your VPN and then browse to a site with an AAAA record? It doesn't go over your precious VPN that's what.
posted by George_Spiggott at 12:06 PM on October 20, 2014 [5 favorites]


All names in this article are fictitious, except for Wouter Slotboom’s.
posted by bendy at 12:09 PM on October 20, 2014 [3 favorites]


So a device like the Wifi Pineapple (which is probably what the "hacker" was using) just has to do this:

Phone: Hey, are you "neckro's Home AP"?
Pineapple: Suuuure, I'm... "neckro's Home AP". Go ahead and connect!

...and then your phone doesn't care that you previously connected with a WPA2 passphrase, it just notices that this AP is letting it connect. This is all happening with your phone in your pocket. You don't have a reason to notice or care.


This is horrifying.

I never use public Wifi and thought I was safe and now I learn my phone is the equivalent of a labrador puppy who will take treats from anyone's hand.
posted by winna at 12:19 PM on October 20, 2014 [18 favorites]


Haven't gotten to that part but why would it? Since the router is the dns server no warnings will pop up.

If you try to redirect DNS at the router level for any HTTPS site, modern browsers will freak the fuck out with super scary pages that force the user to click through multiple steps to continue. Once the user does click through, the browser will remain visually different from a "comforting" green secure state, so that's another red flag.

When the author mentions the hacker was able to sniff a username and password out of Microsoft Live, he's leaving out something significant, either a warning he dismissed, or APT-style software attack that preceded the login attempt. It's unclear from the article, but it surely would be nice to have some more exact write-ups that would give readers at least some chance of doing research into how to protect themselves. As written it's just a "throw up your hands and run screaming from the coffeeshop" type thing.
posted by odinsdream at 12:19 PM on October 20, 2014 [2 favorites]


Many apps, programs, websites, and types of software make use of encryption technologies. These are there to ensure that the information sent and received from a device is not accessible to unauthorized eyes. But once the user is connected to Slotboom’s WiFi network, these security measures can be circumvented relatively easily, with the help of decryption software.
It's hard to tell exactly what is meant here. Are they talking about https? And I'm guessing that instead of literally decrypting data it would be more accurate to say that they're neutralizing https via ssl-stripping man-in-the-middle attacks? I understand the need to make the technical concepts accessible to a wide audience, but I found it a little confusing in its vagueness.
posted by jjwiseman at 12:22 PM on October 20, 2014 [4 favorites]


I recommend sshuttle. It's pretty easy to use and passes all local traffic (including DNS queries) over ssh to the remote host. All you need is local root access and a non-root access to a remote host where you can login to over ssh and run a python script. I use a cheap VPS myself. Won't work on smart phones though, at least not easily.
posted by Poldo at 12:41 PM on October 20, 2014 [1 favorite]


Ok, I'm a dumbass about this stuff and so have to ask embarrassing questions. Perhaps it will help someone else too embarrassed to ask.

So, I get the local Wifi concept. I have an iPad, I go into McDonald's, I click on Firefox, there's a little pop-up screen for me to ok that I am using McD's wifi. I get that. And hackers can spoof these/they're not very secure. Ok.

But then, if I go to McDonald's and use my data plan on my smartphone, that is not on their Wifi, so it doesn't have these security issues. Or not? At least, I don't get a popup screen and it doesn't ask me to connect to anything. I assumed this data was going over my phone/satellites/whatever the fuck and had nothing to do with a router in the McD's stockroom.

I ask because of all the "your phone will connect it doesn't care!" comments. Do people use phones the way I used to use my iPad? And how does that differ from the way I'm using my data plan?
posted by emjaybee at 12:51 PM on October 20, 2014


I'm pretty sure (don't have one with me right now to confirm) the default settings for iOS prefer Wifi connections to Cellular Data, so you'd need to turn off Wifi completely. But yes, at that point you wouldn't be a candidate for these kinds of attacks.
posted by odinsdream at 1:01 PM on October 20, 2014 [1 favorite]


But then, if I go to McDonald's and use my data plan on my smartphone, that is not on their Wifi, so it doesn't have these security issues. Or not?

There are still potential security issues. Someone with a hacked femtocell (aka base station or signal booster) can essentially spoof a cell tower. Or so I've been led to understand. Your phone thinks it's just connecting to the phone network, but it's doing so via the femtocell, which can view and potentially modify the traffic in between.

My understanding is that this is fairly complex, so it's not likely, but the hardware exists.
posted by CheeseDigestsAll at 1:07 PM on October 20, 2014 [3 favorites]


But then, if I go to McDonald's and use my data plan on my smartphone, that is not on their Wifi, so it doesn't have these security issues. Or not? At least, I don't get a popup screen and it doesn't ask me to connect to anything. I assumed this data was going over my phone/satellites/whatever the fuck and had nothing to do with a router in the McD's stockroom.

In GENERAL this is a safer mechanism as long as you're on your cell provider's network its quite a bit more difficult to do this type of attack.

Remember however most of the time your phone will try to switch to wifi if it can and will do so without notifying you. So in this case you have to ensure you won't switch to wifi (turn it off)
posted by bitdamaged at 1:45 PM on October 20, 2014


if it's open, unsecured wifi, then I'll just take three AP's, put then into promiscuous sniffer mode on channels 3, 6 and 9 and scoop up ALL THE PACKETS...
posted by Annika Cicada at 1:47 PM on October 20, 2014


If a device has an outdated operating system, for example, there are always known “bugs,” or holes in the security system that can be easily exploited.

It's 2014. Can stop using scare quotes around bugs now?
posted by flyingfox at 1:56 PM on October 20, 2014 [4 favorites]


The writer implies that being able to log into someone's bank account is the same as being able to "plunder" someone's bank account. That seems a bit of a leap. For my bank, anyhow, you can't just use the Internet to send money anywhere, only transfer between known accounts. Making an account known requires things like signatures and snailmail.
posted by feral_goldfish at 2:05 PM on October 20, 2014


One thing the writer doesn't explore at all is how Wouter Slotboom actually operates. Slotboom claims his purpose is to show people how dangerous the Internet is, or whatever. But then why is Slotboom meeting a journalist only 'by chance'? Does Slotboom just strike up conversations with random people in coffeeshops to show them this stuff? Did Slotboom first cyberstalk him, realize he was a journalist, and then decide to show him stuff? What are the social power dynamics of demonstrating this ability?

And how do they pertain to the social dynamics of coffeeshops, and to striking up conversations with strangers?

In less than 20 minutes, here’s what we’ve learned about the woman sitting 10 feet from us: where she was born, where she studied, that she has an interest in yoga, that she’s bookmarked an online offer for a anti-snore mantras, recently visited Thailand and Laos, and shows a remarkable interest in sites that offer tips on how to save a relationship.


That information won't let you plunder a bank account. But it seems handy for something akin to sleazy pick-up artistry.
posted by feral_goldfish at 2:19 PM on October 20, 2014 [3 favorites]


Wait, did anyone actually think Public WiFi was secure in any way?
posted by qcubed at 3:07 PM on October 20, 2014


The thing about this attack is that you are trying to convince the endpoint wireless radio that you are a better AP than the one connected to the infrastructure. By using higher gain and other signaling methods you can convince the radios on the laptops around you re-negotiate and flow all the traffic across your machine. This allows you to pretty much bypass any encryption scheme.

Here's where I get to thinking...

If I can catch you downloading a file in flight that has a known vulnerability that you are susceptible to, or say, your VPN client is still susceptible to heartbleed, or I can exploit any of a range of local attack surfaces on your laptop that potentially allows me shell access to your machine, I can immediately think of a few "worthwhile" bad things to do:

Insert my own local Certificate Authority onto your laptop for certificate re-chaining. This allows to me to unencrypt SSL traffic (SSL MITM)
Install a full tunnel VPN connection to a VPN endpoint on the other end of a TOR exit node. This allows me to catch everything you do and unencrypt it for information.
Install malware for keylogging and remote access. Just to get anything that's encrypted at Layer 7 outside SSL in the browser. (AD credentials, TACACS logins, local admin accounts, etc.)

Weaponize that on a pineapple, set it up in a coffee shop near Amazon.com for a few weeks and work then your way into the inside of AWS to begin building a botnet of immense scale...
posted by Annika Cicada at 4:26 PM on October 20, 2014 [1 favorite]


Any name can be lovely if you just add enough Wouters to it.
posted by aramaic at 4:42 PM on October 20, 2014


This article seems particularly bad because it fucks up the big takeaway: the lesson isn't "don't connect to public wifi networks," the lesson is "turn your phone's wifi off whenever you aren't near a trusted wireless access point. " You can never connect to a single public or unsecured wireless access point in your entire life and still be vulnerable to the sorts of attacks outlined in the article, so long as you have at any point connected to a TRUSTED wireless access point and have asked your device to automatically connect to this trusted access point.
posted by chrominance at 5:18 PM on October 20, 2014 [5 favorites]


Or, for the more paranoid, "never have your phone automatically connect to any wireless network, ever."
posted by chrominance at 5:19 PM on October 20, 2014 [1 favorite]


If your phone does get hacked, what are your options? Throw the phone onto the railroad tracks?
posted by quiet earth at 6:39 PM on October 20, 2014


I've never encountered this sort of thing on Windows machines, but I haven't deliberately attempted it on Windows 7. I do know that on old XP machines I would often run into problems if I tried to connect to an SSID that previously had WPA2 TKIP/AES or WEP 64/128 set up, but the particular access point was using a different form of encryption and prompted me to re-enter the key.

It seems apparent that all future 802.11blah standards should tie back to the UI layer and require a stronger trust relationship at the "remembered AP" level -- especially if I'm entering a static, passphrase, simply don't automatically connect me to another SSID that doesn't have the same encryption AND key set up. It gets more complicated with enterprise and RADIUS and whatnot, but at the consumer level, c'mon.

An interesting thing I learned in the Vista era is that Microsoft discourages people from connecting to networks where the SSID is not broadcast (i.e. your home wireless with broadcast turned off, if that's how you roll). The reason is that when you turn off SSID broadcast (presumably to "hide" your wireless network) all devices that are configured to connect to it will continually "beacon" looking for the SSID everywhere you go.

So the scenario described earlier in this comment thread appears to be an exaggeration that particularly applies to this situation, but I could be wrong, and the "threat landscape" and penetration tools have changed a lot, and it's never been something I've explored a "haxory-interest" in for whatever reason.
posted by aydeejones at 8:13 PM on October 20, 2014


It follows (to me anyway) from Microsoft's advice at the time that hiding your SSID at home doesn't really accomplish all that much anyway in the modern AES/WPA2, post-WEP era (WEP being so weak that the SSID was arguably a useful factor, and now it's an afterthought and just a sort-of-meaningful description) and if you routinely take devices out and about with you that connect to your home network (or any network you control), you're better off electing not to hide any SSIDs on those networks.
posted by aydeejones at 8:17 PM on October 20, 2014


If your phone does get hacked, what are your options? Throw the phone onto the railroad tracks?

Your phone is fine, none of this is about bad guys installing malware on it. The concern here is that your activities can be monitored while you're connected to one of these spoofed hotspots, and this may include revealing your login credentials for sites you visit (and note that this includes apps that you use).

This by the way is why I don't use banking apps on my phone, I go to their mobile site. At least I can tell if the connection is encrypted, and using a browser that is regularly patched is better than a mystery meat app that doesn't tell you a thing about what it's doing.

For laptops and android devices, if you're not using HTTPS Everywhere, you should look into it; it automatically reduces your exposure to some of these risks.
posted by George_Spiggott at 8:18 PM on October 20, 2014


neckro23: "The best option I've found is OpenVPN Connect, which isn't available via apt (that I know of) and only offers a download over insecure HTTP. Ugh."

Fortunately, I do do devops for a living, and can settle this. You appear to have confused openVPN and openConnect as a single thing, but they're different packages. openVPN is its own thing built on top of OpenSSL (for better or worse). From the package:
Description-en: virtual private network daemon
OpenVPN is an application to securely tunnel IP networks over a single UDP or TCP port. It can be used to access remote sites, make secure point-to-point connections, enhance wireless security, etc.
The reason you can't find an OpenConnect server package is that openconnect is designed to be compatible with Cisco Anyconnect VPNs; Cisco charges quite a bit for AnyConnect servers, and I assume it runs IOS, not Linux. Unless you're connecting to work, you probably want openvpn, not openconnect. If you're just setting up a VPN for yourself, there are wrappers for ssh you can use and not do any further server configuration.
posted by pwnguin at 11:47 PM on October 20, 2014


At least half of the scare here is "steal the password, then try it elsewhere". Nothing new in that, really. In the interests of getting my digital life more secure I have finally begun the arduous process of not reusing passwords. The toughest part? Getting my wife to learn how 1Password works. So far, she doesn't give a crap and can't be bothered to learn how to use it. Which is great, because she handles most of our financials. Yay? For now my email and MeFi accounts are using stronger passwords than my bank. Ugh. She knows it is bad but trying to remember a unique password for each site is too much work. (Which is why I ponied up the $100 for 1Password in the first place, goddamnit. It works so well, I don't know what the deal is. She simply doesn't care to learn it.)
posted by caution live frogs at 6:10 AM on October 21, 2014


If you're just setting up a VPN for yourself, there are wrappers for ssh you can use

Can you say more? Are you talking about simple application port forwarding, or is there some way to create a whole new routable network interface that tunnels through ssh? And if so, does that mechanism work in MacOS? Presumably no way to do it in iOS, although I could imagine an Android hack working.

Man, times like this make me wish IPSEC wasn't a dead end. That's the proper solution both to WiFi insecurity and all the SSL nonsense we do. Just make every IP packet be encrypted, end to end. Sadly that didn't work out so well in practice although I still don't understand why.
posted by Nelson at 7:36 AM on October 21, 2014


Just make every IP packet be encrypted, end to end. Sadly that didn't work out so well in practice although I still don't understand why.

I can't imagine why end-to-end encryption at the raw network level never took off. It's almost like there are huge secretive government agencies hell-bent on peeping into every bit of communication that would have been severely hampered by such attempts.
posted by odinsdream at 11:45 AM on October 21, 2014 [1 favorite]


So can anyone recommend an Android app that lets you configure auto-connecting to select WiFi networks and never connecting to an unknown network?
posted by Zed at 1:37 PM on October 21, 2014


odinsdream: government meddling has occurred to me, particularly after we learned from Snowden just how much NSA has been subverting various security technologies. But IPSEC got pretty far along in development, and some good cypherpunk types took a serious effort at making it work. My suspicion is IPSEC failed more because security is never a selling point for a mass product, so never justifies the added cost. Also SSL kind of satisfied many of the primary commercial needs on the Internet.

Taking pwnguin's hint about ssh I found my way to sshuttle, an interesting poor-man's VPN. It uses ipfw to forward TCP traffic through an ssh tunnel. It's nice because it requires no server other than sshd, but it's awfully hackish and incomplete. Better than nothing though, at least for Mac/Linux clients.
posted by Nelson at 2:03 PM on October 21, 2014 [1 favorite]


odinsdream: government meddling has occurred to me, particularly after we learned from Snowden just how much NSA has been subverting various security technologies. But...

I gave up on thinking there was any kind of "line" with the NSA after the disclosures that they were directly subverting technology standards, physically intercepting packages and installing hardware into devices. There's currently no proof that they fucked up IPSEC, but I can no longer personally believe it beyond them either in logistical or ethical terms.
posted by odinsdream at 5:50 AM on October 22, 2014


If you haven't seen it already, these slides from djb might interest you: http://cr.yp.to/talks/2014.10.18/slides-djb-20141018-a4.pdf

It's a thought experiment along the lines of "If the NSA etc. wanted to deliberately manipulate the crypto ecosystem to give them an edge in monitoring, what would they do?" Even if it strikes you as paranoid, and you don't believe that all of the more annoying things about the current crypto ecosystem are consequences of deliberate attempts to make monitoring easier, it's still interesting to think about how the end result is still exactly what orgs like the NSA want: It's hard to get crypto right.
posted by jjwiseman at 11:28 AM on October 22, 2014


« Older I went down to the crossroads, fell down on my...   |   certainly not “95% unexplored” Newer »


This thread has been archived and is closed to new comments