Slashdot Mirror


Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption

An anonymous reader writes "In the wake of concerns about FireSheep sniffing credentials from people using unencrypted public WiFi hotspots, a security researcher has proposed that the problem does not just lie with big websites like Facebook, but also with those who provide free wireless internet access. Chet Wisniewski, a researcher at security firm Sophos, proposes that all free WiFi hotspots should be encrypted — with the password 'free.' ''I propose standard adoption of WPA2 and a default password of "free." Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password. Just type "free". It's not hard. In fact, operating system vendors could even program your PC to automatically try the password "free" before prompting you for a password on the assumption that you might be selecting a free service.'"

50 of 332 comments

  1. Before everyone says that's idiotic... by Mabbo · · Score: 3, Interesting

    ... just keep in mind that with WPA, the initial password is just used for connecting to the network, after which a session password is shared (right? pretty sure I'm right about that). So, technically, it would prevent someone from stealing your interwebs as long as you were already connected. Now, the guy who got to Starbucks before you and started sniffing before you did, he definitely has your personal information now, and this is a stupid idea.

    1. Re:Before everyone says that's idiotic... by phantomcircuit · · Score: 4, Insightful

      So, technically, it would prevent someone from stealing your interwebs as long as you were already connected.

      Unless of course the attacker sends fake de-authentication packets forcing a new handshake to occur...

    2. Re:Before everyone says that's idiotic... by CosmeticLobotamy · · Score: 2, Interesting

      Security's not my area, so maybe this question is nonsense, but why does each wireless router not have its own unique public/private key pair installed at the factory (that could later be changed by the owner) so that the session key could be generated by the client, sent to the server encrypted by the public key, and now only the router can decrypt the session key?

    3. Re:Before everyone says that's idiotic... by yakovlev · · Score: 2, Interesting

      In other words, the designers of WPA2 screwed up by not using something like Diffie-Hellman to negotiate a private connection before the initial password even changed hands?

      I realize this would be subject to man-in-the-middle, but that would seem to be detectable as you would get two different responses when you tried to do the initial negotiation, after which the OS should report "something's screwy with this network" and refuse to connect.

    4. Re:Before everyone says that's idiotic... by Anonymous Coward · · Score: 5, Informative

      In other words, the designers of WPA2 screwed up by not using something like Diffie-Hellman to negotiate a private connection before the initial password even changed hands?

      I realize this would be subject to man-in-the-middle, but that would seem to be detectable as you would get two different responses when you tried to do the initial negotiation, after which the OS should report "something's screwy with this network" and refuse to connect.

      WPA designers punt the problem of establishing initial session encryption key to EAPOL. Designers of EAP applications can use whatever authentication protocol and crypto bindings between layers that they want.

      DH is pointless in the case you point out because it would be trivial to operate as you point out a middle man to circumvent. For a "This is screwy" response to be possible it would require some prior knowledge to establish a trust relationship between systems. Encryption without trust is less than useless.

    5. Re:Before everyone says that's idiotic... by Anonymous Coward · · Score: 2, Insightful

      Parent post raises an interesting point: Assuming you trust the security of the router itself, it's possible to have perfect inbound wireless security by giving your public key to the router, but it's impossible to have perfect outbound wireless security unless you have a pre-existing relationship with the router (i.e. you know its public key), or unless its key is signed back to a trusted root authority.

      I propose that the pre-existing relationship case is a lost cause, since it would essentially require the hotel or coffee shop to publish its router's key behind glass and have the manager periodically check for signs of tampering of the published key (* social engineering hack: "key change notice" on official looking letterhead taped to windows around the store). However, I'll also propose that the trusted root signing authority case is also a lost cause because of the massive infrastructure costs required. Essentially only the big players could afford it, and it would require enterprise level security procedures in coffee shops run by high school dropouts. Plus, who would actually check the router certificate to see if it looks valid? It's not something you can check programmatically like comparing a website certificate's subject to the domain name.

      Anyway, even if you somehow manage to secure the outbound wireless portion of the connection, that still leaves the router's private key or ISP connection as weak links. Random strangers won't be able to hijack your connection unless the key is easily cracked, but a determined hacker will still find a way to read everybody's data that passes over the router.

      My conclusion: It's impossible to have true wifi security, so let's not kid ourselves. If you care about your privacy, you should use SSL or some form of VPN to a trusted location. In this case, no wifi security may be the best answer, because it'll help push the adoption of SSL websites. The sooner we stamp out plain-text protocols the better.

    6. Re:Before everyone says that's idiotic... by kwerle · · Score: 5, Insightful

      ... Encryption without trust is less than useless.

      I am so tired of that statement. Encryption without trust is Encryption. It is way less than ideal, but way better than cleartext.

      I don't particularly trust my local cafe'.
      I really don't trust their ISP.
      I especially don't trust the phone company.
      I entirely don't trust the government.
      I certainly don't trust facebook.

      But I use the cafe' wireless who uses their ISP who uses the phone company who is tapped by the government when I use facebook. And if the wifi were encrypted, I would not also have to worry about my fellow cafe' sniffers.

      So is that first hop encryption a complete solution? Nope. Anyone between the wireless router and facebook can still listen in. But it'd sure be a hellofa lot better than in the clear.

      Encryption without trust is not security, but it is encryption.

    7. Re:Before everyone says that's idiotic... by Nursie · · Score: 3, Funny

      Well, given that it takes a tool of some sort to do it in the cleartext situation, and a much more complex tool in the encrypted situation -

      I'd say it's more like you used to have a door that could be opened with a crowbar, now the door's reinforced and you need a number 3 lockpick, possibly a number 4 as well.

      Actually I'm still not happy. Trying to find a simple analogy to a situation where the information is thrown around in the clear but it requires some knowledge and a special tool to access it... It's like you need a screwdriver to open the already unlocked door, and now you... Hmmm. How about -

      Or two people shouting in the street, except they're shouting in french.... no this one isn't going anywhere either. Damn!

  2. Ridiculous And Totally Not Helpful by phantomcircuit · · Score: 5, Interesting

    Maybe he hasn't noticed that wireshark can decrypt WPA2 traffic so long as the network is being sniffed when the client originally connects.

    1. Re:Ridiculous And Totally Not Helpful by tlhIngan · · Score: 4, Insightful

      Maybe he hasn't noticed that wireshark can decrypt WPA2 traffic so long as the network is being sniffed when the client originally connects.

      Yep. And then we'll have a new version of Firesheep with WPA2 decryption. And then another version that'll ARP-spoof the gateway machine so every connected device then routes through your PC.

      It'll end up being that a Firesheep user will just have a fast DHCP server and act as a gateway for the WiFi so all traffic goes through your PC, forwarding packets to the real gateway.

      No, the ONLY way to defeat Firesheep is to properly encrypt sessions. Otherwise we're just doing an arms race. The ARP spoofing and fake DHCP is basically endgame short of access points going and isolating users from each other. Which would then end up being someone sets up a fake access point that routes to the real one.

      The endgame is, Firesheep can always win. Or anyone with a packet sniffer. Unless the site goes completely SSL.
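The thread's conclusion, that only end-to-end session encryption defeats a sniffer on the local link, has a concrete server-side form: the session cookie must never be sent over plain HTTP. This is an added example, not code from the thread; the two HTTP responses are constructed, the cookie-name heuristic is my own, and the Strict-Transport-Security check covers a mechanism (HSTS) that the thread does not name but that is what "the site goes completely SSL" means in practice.

```python
import re

# Constructed sample responses (not captured traffic). The first is the kind of
# site Firesheep targets: a session cookie that the browser will also send over
# http://. The second is the hardened form.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)

# Heuristic (my own, not a standard): cookie names that usually carry a login.
SESSION_COOKIE_HINT = re.compile(r"(sess|sid|auth|token|login)", re.I)


def parse_headers(raw_response):
    """Return [(name_lowercase, value)] from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie_name, {attribute_lowercase: value|True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.lower()] = val
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_session_protection(raw_response):
    """List the properties a sniffer on the local link would exploit.

    An empty list means: the session cookie is never sent in the clear and the
    browser will not be talked into an http:// connection to this host.
    """
    findings = []
    headers = parse_headers(raw_response)
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header: browsers will still "
                        "follow http:// links to this host")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not SESSION_COOKIE_HINT.search(cookie):
            continue  # preference cookies are not the sidejacking target
        if "secure" not in attrs:
            findings.append(f"cookie {cookie!r} lacks Secure: sent over http://, sniffable")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie!r} lacks HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_session_protection(resp) or "OK")
```

The Secure flag alone is what takes the cookie out of reach of a passive sniffer; HSTS removes the remaining window in which the browser makes one plain-HTTP request before being redirected.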

    2. Re:Ridiculous And Totally Not Helpful by adolf · · Score: 3, Interesting

      The endgame is, Firesheep can always win. Or anyone with a packet sniffer. Unless the site goes completely SSL.

      Indeed, this is the most obvious end result.

      And now, for the most ridiculous question ever: Why isn't this being done? It isn't 1995 anymore: SSL is (at worst) easy and well-understood for these purposes.

      Why does this continue to be an uphill battle?

    3. Re:Ridiculous And Totally Not Helpful by kwerle · · Score: 2, Insightful

      Ugh. Replies about SSL's being expensive. Please.

      SSL is overhead. Let's say that you're facebook, and let's say that the actual cost overhead is 1/1,000,000 of a penny per page served up.

      What is facebook's throughput? I have no idea.
      http://techcrunch.com/2010/04/21/facebook-like-button/

      So it's a lot. So much that even if SSL overhead is just one one millionth of a cent per page served up, it is clearly at least hundreds of dollars a month. From the article, I'd guess that it's at least thousands of dollars a month.

      Clearly, that's chump change for facebook, but until now, that's all money they've saved. And that's if the overhead is 1/10^6th of a penny. If it's 10^5th we're talking 10's of thousands. If ssl costs 1/10,000 of a penny per page, we're talking 100's of thousands of dollars a month. That starts to add up.

      Again, I have absolutely no freaking idea how much overhead it is, and I have no idea their volume. But at the volume they're doing, you can see where any measurable overhead would cost real money.

      My guess is that they will throw money at the problem and it'll go away. But they won't be happy to do it.

    4. Re:Ridiculous And Totally Not Helpful by muckracer · · Score: 5, Insightful

      > Is it secure? Is it bollocks. MITM is perfectly possible. To the extent that in our arms-race-at-starbucks scenario where the hacker has done his ARP spoofing and DHCP,
      > you just add an MITM proxy for SSL connections. Done, your self-signed certs are now useless.

      You're right. And yet this "It's gotta be perfect or it's gotta be nothing at all!" attitude is IMHO what has held crypto back a lot more than necessary. Regardless of crypto and its setup, it's still just one part of a security chain...a chain, which even in the best of circumstances will NEVER achieve 100% security! So let's cut the scare-mongering and focus on not black or white, but lovely hues of security degrees. Something people already know (traffic lights):

      Browser location bar is:

      Red: unencrypted plain-text HTTP
      Yellow: encrypted, unauthenticated HTTPS
      Green: encrypted and authenticated HTTPS

      Just a suggestion.

  3. WPA2 minimum passphrase length... by atomicstrawberry · · Score: 5, Insightful

    ... is 8 characters.

    1. Re:WPA2 minimum passphrase length... by wilson_c · · Score: 5, Funny

      freeeeee?

    2. Re:WPA2 minimum passphrase length... by selven · · Score: 2, Funny

      freeeeee?

      ...dooommmmmm!!!!!!!

  4. Re:I don't think so. by Anonymous Coward · · Score: 2, Insightful

    No.

  5. 'Free' or 'free'? by snsh · · Score: 3, Informative

    Capitals matter. And don't WPA2 phrases have to be at least 8 characters?

    1. Re:'Free' or 'free'? by at_slashdot · · Score: 4, Funny

      FreeWiFi (8 characters, combines lower and upper case to make it more secure ;)

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore

  6. I find it sad... by metrix007 · · Score: 2, Informative

    That a security researcher doesn't know better than this. Encryption with a PSK is useless as far as sidejacking is concerned. There is no decent client to client encryption unless you use WPA/2 Enterprise.

    To suggest otherwise is bullshit, and he should be blaming the websites who are the problem.

    --
    If you ignore ACs because they are anonymous - you're an idiot.

  7. Re:Careful with those quotation marks by ildon · · Score: 2, Interesting

    Except when you're signifying an explicit string that will need to be readable by a computer. I would tend to err on the side of caution lest someone mistake my correct English punctuation for some sort of design intent.

  8. That says a lot about the 'researcher' by flyingfsck · · Score: 4, Insightful

    Uhmm, maybe Sophos should invest in security training of their staff before they start selling supposed security products.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!

  9. Re:Careful with those quotation marks by Gadget_Guy · · Score: 4, Informative

    I'm afraid it is not that simple. You should always be wary of assuming that the rules used in your locality are universal. There are two styles in general use regarding punctuation and quotation marks. See the wikipedia entry on the subject:

    In the U.S., the standard style is called American style, typesetters' rules, printers' rules, typographical usage, or traditional punctuation, whereby commas and periods are almost always placed inside closing quotation marks. This style of punctuation is common in the U.S., Canada, and in the U.K. in fiction and journalism.

    The other standard style--called British style or logical punctuation--is to include within quotation marks only those punctuation marks that appeared in the quoted material, but otherwise to place punctuation outside the closing quotation marks.

    Using the British style is less ambiguous in this case.

  10. Re:Standard Default Password? by gnapster · · Score: 2, Interesting

    Unencrypted access points already use a standard password: the empty password. How is this any different?

  11. I tried it by goombah99 · · Score: 2, Funny

    Watch out! I tried typing in "Free" instead of "free" like the Sophos Dude recommends and it wiped out all my time machine backups.

    Well, at least that's what happened after I hard crashed my computer in the middle of a back up. But I'm sure it was sophos to blame.

    --
    Some drink at the fountain of knowledge. Others just gargle.

    1. Re:I tried it by duguk · · Score: 2, Funny

      Watch out! I tried typing in "Free" instead of "free" like the Sophos Dude recommends and it wiped out all my time machine backups.

      Well, at least that's what happened after I hard crashed my computer in the middle of a back up. But I'm sure it was sophos to blame.

      "Free" doesn't seem a very secure password. They should put some numbers and symbols in it.

    2. Re:I tried it by anUnhandledException · · Score: 3, Informative

      Because WPA2 generates per-session keys.

      Although everyone connecting would use the same password (in this instance, free), each session key would be unique and thus would prevent snooping.

      Theoretically one could redesign WPA (WPA3) to have a passwordless mode where traffic is still encrypted however no password is needed. This is simply a "could work today" modification of existing protocol.

    3. Re:I tried it by jc42 · · Score: 3, Insightful

      ... educate people ...

      I think I see a problem with your scheme ...

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.

  12. Free by Alsee · · Score: 3, Funny

    That's amazing! I've got the same password on my luggage!

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.

  13. Here's how I'd do it. by dannycim · · Score: 3, Insightful

    1. Bring laptop with extra WiFi dongle into a public area.
    2. Connect to Free WiFi spot using internal nic.
    3. Act as an Access Point on second nic with a cooler sounding SSID.
    4. NAT traffic to first WiFi net and grab everything of interest.
    5. ???
    6. Profit!!!1!!ONE!

  14. Re:Per-client encryption: WEP vs WPA by rew · · Score: 2, Insightful

    Two guys, Diffie and Hellmann thought up a protocol that allows someone to listen to a "key exchange" without being able to determine the key that the two parties decide on.

    One party decides on a base (g) and a modulus (p) and sends it to the other side. Our attacker will of course grab this info. Next each party will think up a number. Alice chooses a, Bob chooses b. Alice sends g^a mod p to Bob. Bob sends g^b mod p back to Alice. The key is then easy to calculate for Alice and Bob. Alice does K = (g^b)^a = g^ab, while Bob does K = (g^a)^b = g^ab, where the listening crook just has g^a and g^b and can't figure out a or b, which are needed to find the key K, in reasonable time.

    Thus this protocol, known for almost 35 years, allows easy encryption with a key that an eavesdropper cannot easily snoop.
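The exchange described above, carried through with the same symbols (g, p, a, b, K), together with the man-in-the-middle case raised in comment 4 (without prior knowledge of the other side, nothing distinguishes the real peer from a relay). This is an added worked example, not code from the thread. The group p = 23, g = 5 is a toy chosen so the numbers can be checked by hand; the "pinned fingerprint" at the end is my own stand-in for the "prior trust relationship" the thread says is needed (a per-router key known in advance, as comment 1.2 proposes).

```python
import hashlib
import secrets

# Toy group, for illustration only. A real deployment uses a standardized
# group of 2048 bits or more (e.g. the RFC 3526 MODP groups).
P = 23
G = 5


def random_secret(p=P):
    """A private exponent in [1, p-2]."""
    return 1 + secrets.randbelow(p - 2)


def dh_public(secret, g=G, p=P):
    """g^secret mod p: this value is sent in the clear."""
    return pow(g, secret, p)


def dh_shared(their_public, my_secret, p=P):
    """(g^theirs)^mine mod p = g^(theirs*mine) mod p."""
    return pow(their_public, my_secret, p)


def honest_exchange(a, b):
    """Alice (exponent a) and Bob (exponent b), nobody in between.
    Returns (K_alice, K_bob); the eavesdropper sees only A and B."""
    A = dh_public(a)
    B = dh_public(b)
    return dh_shared(B, a), dh_shared(A, b)


def mitm_exchange(a, b, m):
    """Mallory (exponent m) sits between them and substitutes her own value M
    for each side's public value. Returns
    (K_alice, K_bob, K_mallory_with_alice, K_mallory_with_bob).
    Alice and Bob each complete a perfectly valid exchange; they just did it
    with Mallory, and nothing in the arithmetic tells them so."""
    A = dh_public(a)
    B = dh_public(b)
    M = dh_public(m)
    k_alice = dh_shared(M, a)          # Alice thinks M came from Bob
    k_bob = dh_shared(M, b)            # Bob thinks M came from Alice
    k_mallory_alice = dh_shared(A, m)  # equals k_alice
    k_mallory_bob = dh_shared(B, m)    # equals k_bob
    return k_alice, k_bob, k_mallory_alice, k_mallory_bob


def fingerprint(public_value):
    """Short hash of a public value, the thing a client would have to know in advance."""
    return hashlib.sha256(str(public_value).encode()).hexdigest()[:16]


def client_accepts(received_public, pinned_fingerprint):
    """The 'prior knowledge' check: only proceed if the value received matches
    what we were told to expect. Mallory's M fails it; Bob's B passes."""
    return fingerprint(received_public) == pinned_fingerprint


if __name__ == "__main__":
    print("honest:", honest_exchange(6, 15))        # (2, 2)
    print("mitm:  ", mitm_exchange(6, 15, 3))       # (6, 5, 6, 5)
    a, b = random_secret(), random_secret()
    ka, kb = honest_exchange(a, b)
    print("random exponents agree:", ka == kb)
```

The point comment 4 makes is visible in the return values: in the honest run both sides hold K = 2, in the relayed run Alice holds 6 and Bob holds 5, and each of those matches Mallory's copy. Only a check against something known beforehand (a pinned fingerprint, a certificate chain, a pre-shared secret) separates the two runs.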

  15. Let's say that this is really idiotic! by louarnkoz · · Score: 2, Informative

    There are so many ways this suggestion is wrong, it is not even funny.

    TFA says WPA2 negotiates unique encryption keys with every computer that connects to it. This means you and I cannot spy on one another's traffic even when sharing access on the same access point. That's true, but anyone who can listen to the exchange and knows the shared key will be able to learn the key. Plus, there is a very neat man in the middle attack.

    Suppose that I am an evil sheep herder near a Starbuck cafe. Nothing prevents me from broadcasting a Wi-Fi beacon that announces that I am running a Starbuck access point. Here comes the sheep, who is really happy to see that the connection is secure. Hey, he used WPA2 and the "free" password, his packets are encrypted. Except they are all coming to my laptop. Oops!

  16. Re:This will not work. by yuhong · · Score: 2, Informative

    The client has the keys only to decrypt traffic targeted to the client, not to other clients.

  17. Re:This will not work. by yuhong · · Score: 3, Informative

    It is easy to bypass though by capturing a four-way handshake. A fake authentication can be used in order to have a client go through it again.
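Forcing a client back through the handshake leaves a signature on the air: a burst of deauthentication or disassociation frames carrying the access point's address, which a monitoring sensor can count. Added example, not code from the thread: a sliding-window detector run over a constructed log of management-frame events (format "seconds type source destination", my own; not the output of any real sensor). The window and threshold are assumptions to tune per site.

```python
from collections import defaultdict, deque

# Constructed management-frame log (not a real capture). The access point is
# 00:11:22:33:44:55, the client 66:77:88:99:aa:bb. One deauth at t=10 is the
# kind an AP legitimately sends (idle timeout); the run at t=30 is not.
SAMPLE_EVENTS = """\
0.0 beacon 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
1.2 assoc 66:77:88:99:aa:bb 00:11:22:33:44:55
10.0 deauth 00:11:22:33:44:55 66:77:88:99:aa:bb
30.0 deauth 00:11:22:33:44:55 66:77:88:99:aa:bb
30.1 deauth 00:11:22:33:44:55 66:77:88:99:aa:bb
30.2 deauth 00:11:22:33:44:55 66:77:88:99:aa:bb
30.3 deauth 00:11:22:33:44:55 66:77:88:99:aa:bb
30.4 deauth 00:11:22:33:44:55 66:77:88:99:aa:bb
30.5 deauth 00:11:22:33:44:55 66:77:88:99:aa:bb
31.0 assoc 66:77:88:99:aa:bb 00:11:22:33:44:55
50.0 disassoc 66:77:88:99:aa:bb 00:11:22:33:44:55
"""

DISCONNECT_FRAMES = ("deauth", "disassoc")


def parse_events(text):
    """Parse 'seconds type source destination' lines into tuples."""
    events = []
    for line in text.strip().splitlines():
        t, kind, src, dst = line.split()
        events.append((float(t), kind, src.lower(), dst.lower()))
    return events


def detect_deauth_bursts(events, window=5.0, threshold=5):
    """Alert once per source that emits >= threshold disconnect frames
    within any `window`-second span. The frames carry the AP's address
    whether or not the AP sent them, so counting by source address is
    exactly what catches a spoofed burst."""
    recent = defaultdict(deque)  # source -> timestamps inside the window
    alerts = []
    alerted = set()
    for t, kind, src, _dst in sorted(events):
        if kind not in DISCONNECT_FRAMES:
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append({"source": src, "first": q[0], "last": t, "count": len(q)})
            alerted.add(src)
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"deauth burst from {alert['source']}: {alert['count']} frames "
              f"between t={alert['first']} and t={alert['last']}")
```

Detection is the fallback; the protocol-level fix is 802.11w (protected management frames), under which a client ignores deauthentication frames that are not integrity-protected with the session key.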

  18. Re:I like this. by TheLink · · Score: 5, Interesting

    I've suggested this before a few times: http://it.slashdot.org/comments.pl?sid=457132&cid=22455074

    Thing is he left out the part where there are two different modes of WPA2.

    One (WPA2 PSK) where if everyone has the same password, it's still not secure (know the same key, sniff a session's 4 way handshake, and you can decrypt that session's traffic).

    And one (the other WPA2) where it's supposedly more secure, but apparently still has problems: http://wifinetnews.com/archives/2010/07/researchers_hints_8021x_wpa2_flaw.html

    Yeah, not so simple for Starbucks to get right...

    Basically the WiFi standards bunch screwed up. So I actually blame them for a lot of the problems. So many years and they still haven't got WiFi to the level of TLS/HTTPS.

    HTTPS doesn't solve the "stupid user problem", or the "browsers not warning users of changed CAs", but at least the tech/standard isn't that crap, it's more a people problem.

  19. He's not a researcher, he's a salesman by Anonymous Coward · · Score: 5, Informative

    Uhmm, maybe Sophos should invest in security training of their staff before they start selling supposed security products.

    He's neither a researcher (someone who works in the virus labs) nor an engineer (someone involved in development of our endpoint or management products). He's in sales. Nothing to see here people, move along.

    Posting anonymously because I work there.

    1. Re:He's not a researcher, he's a salesman by Anonymous Coward · · Score: 2, Informative

      From the Article's About the Author:

      Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics.

      If Mr. Wisniewski is in sales, perhaps Sophos should reconsider how it hands out titles. It kinda reminds me of that article about McAfee's horrible advertisement e-mail which looked like a phishing attempt.

      Basically, if you're in the security business maybe you should avoid abusing trust....

  20. "British" style is indeed logical by Kupfernigk · · Score: 4, Interesting

    Do I need to point out that the so-called British style is syntactically correct, whereas the traditional style is not? NoSig has obviously never thought about syntax, or it would be obvious that nesting requires the stop to go outside the quoted material.

    It's also perhaps worth noting that punctuation style is nothing at all to do with correct English. Punctuation is there to help understand the text, not to be part of it, and anyone who has ever trained as a copy editor knows that there are endless arguments over its proper use. If putting a full stop inside a quote means someone would naturally consider it part of the quoted material, it is clearly wrong.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."

  21. Set SSID to "password = free" etc. by billstewart · · Score: 4, Interesting

    If you put the password in the SSID so it's obvious, people won't have to guess if you're following that convention, or the convention that the password is "guest" or whatever.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks

  22. A simple modification to EAP-TLS by yuhong · · Score: 5, Interesting

    Christopher Byrd has a simple modification to EAP-TLS that disables client certificate validation to provide more secure open wi-fi:
    http://riosec.com/open-secure-wireless
    This would require modifying only the Authenticator and the Supplicant, and it would be a simple modification to both.

  23. Standards conflate encryption and authentication by billstewart · · Score: 5, Informative

    Most of the Wifi systems are negotiating a random session key and using the password to authenticate it, so that's doing pretty much what you want.

    However, they were mostly designed with the assumption that the objective is to prevent unauthorized access, not to protect the contents of the communications from eavesdropping, so the only way you can get encrypted sessions is to have password control, which is too bad.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks

  24. Re:I like this. by bemenaker · · Score: 2, Informative

    Nevermind, read more posts and my question was answered.

  25. Re:I like this. by clone53421 · · Score: 4, Informative

    On a WPA2 network, a user cannot eavesdrop on another user despite having the same key, because a unique handshake is performed when each user connects. Without the data that was passed in the handshake, an eavesdropper has no way of decrypting your traffic.

    They can, however, force your connection to be reset, and when you reconnect they can capture the handshake. With the data that was passed in the handshake, they can decrypt all of your traffic.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

  26. Re:I like this. by Hatta · · Score: 4, Insightful

    Basically the WiFi standards bunch screwed up. So I actually blame them for a lot of the problems. So many years and they still haven't got WiFi to the level of TLS/HTTPS.

    So use TLS/HTTPS over wifi. Why should the Wifi standard solve a problem that's already been solved? Wifi only has to be as secure as a wired network, at which point we can use all the protocols we use to keep our systems secure on the public internet.

    --
    Give me Classic Slashdot or give me death!

  27. Re:Standards conflate encryption and authentication by bberens · · Score: 3, Funny

    If only there were some sort of encryption standard that individual websites could implement which would cause the browser and server to encrypt the data between them. Some sort of socket layer which is secured via encryption. That would readily solve these problems. Oh computer gods, why hast thou forsaken us?

    --
    Check out my lame java blog at www.javachopshop.com

  28. Re:I like this. by TheLink · · Score: 3, Insightful

    So use TLS/HTTPS over wifi. Why should the Wifi standard solve a problem that's already been solved

    Solved already? Really? The last I checked "zillions" of sites don't support https. Slashdot for instance.

    Some people can tunnel or VPN everything to a trusted gateway, but how many cafe users can do that? So the problem is NOT solved.

    I hope you can figure out for yourself the difference between someone sniffing/exploiting traffic at a cafe, and someone doing it at the ISP or peering level.

    Wifi only has to be as secure as a wired network

    Yes, but it's _far_ from as secure at the moment. So they have failed.

    1) It's harder to "sniff" a wired network than a wireless one. You need a free port for the former and you need to do stuff like mac-flooding (which can be detected). Or you need super duper Tempest stuff.

    2) It's easier to set up a wired network where devices plugged into one port cannot snoop traffic from devices in another port. You could do this by either using what Cisco calls "port security" (other vendors have their own terms for it), or do "per port VLANs".

    I was in the "hotel internet" line for a while, and we configured our switches so that guests plugged into a port could only talk to our gateway server. So guests using the wired connections were protected from other guests. They might not be protected from the NSA/CIA/KGB/FBI once their traffic leaves our control, but that's arguably beyond our responsibility.

    Whereas wireless connections didn't allow us to protect guests from each other (at least while making it easy for guests to still use the system).

    I am well aware that wireless connections can be DoSed more easily than wired connections, so no matter how much crypto you have, it's still jammable, but that would be a different threat level. Guests could still plug in to the wired port, lose the convenience, but still do their stuff.

    FWIW: if a guest plugs into a wired port and intentionally/unintentionally tries to mess with the system we can usually figure out where that guest is, call the guest up and usually resolve things, even if we are in a different continent.

  29. Re:Standards conflate encryption and authentication by hedwards · · Score: 2, Interesting

    That's why after the WEP fiasco they should've handed the problem off to somebody competent. WEP was pretty much always a joke, because you really do need a lot more security when things are going over the air than you do when they're going over the wire. At least when things are going over the wire you need some access to the equipment relaying the messages. With wireless you don't even need that.

  30. Re:I like this. by TheLink · · Score: 2, Informative

    Because they screwed up: http://wiki.wireshark.org/HowToDecrypt802.11

    "WPA and WPA2 use keys derived from an EAPOL handshake to encrypt traffic. Unless all four handshake packets are present for the session you're trying to decrypt, Wireshark won't be able to decrypt the traffic. You can use the display filter eapol to locate EAPOL packets in your capture. "

    So if all four handshake packets are there (there are ways to help ensure you see them ;) ), you can crack WPA2 PSK, today with wireshark.

    And both the PSK and "Enterprise" mode are apparently vulnerable to this: http://www.airtightnetworks.com/wpa2-hole196

    So Mr "Senior Security Advisor at Sophos Canada" doesn't know what he's talking about. It's not so simple as just typing "free" (since no username is mentioned, I think he means the very broken PSK modes and not the less broken Enterprise modes).

    I blame the WiFi standards bunch.

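Comments 25 and 30 both rest on one property of WPA2-PSK, and it is worth seeing in arithmetic rather than prose: the pairwise key for a session is a deterministic function of the PMK (derived from the passphrase and SSID alone, so identical for every user of "free") and of four values that travel in the clear in the four-way handshake (the two MAC addresses and the two nonces). Added worked example, not code from the thread or from any tool it names: the key schedule is the published IEEE 802.11i one (PBKDF2-HMAC-SHA1 for the PMK, the HMAC-SHA1 PRF with the label "Pairwise key expansion" for the PTK); the MACs, nonces and SSID are constructed; the passphrase "FreeWiFi" is borrowed from comment 5.1 because "free" itself is shorter than the 8-character minimum comment 3 points out. The first assertion in the accompanying check uses the spec's own test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac


def passphrase_is_valid(passphrase):
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters; 'free' is too short."""
    return 8 <= len(passphrase) <= 63 and passphrase.isascii() and passphrase.isprintable()


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Everyone who knows the passphrase for this SSID gets the same PMK."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_handshake(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK for CCMP (48 bytes: KCK || KEK || TK).
    Apart from the PMK, every input here is visible to anyone who saw the handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


# Constructed handshake values (not from a real capture).
AP_MAC = bytes.fromhex("001122334455")
CLIENT1_MAC = bytes.fromhex("66778899aabb")
CLIENT2_MAC = bytes.fromhex("ccddeeff0011")
ANONCE1, SNONCE1 = bytes(range(32)), bytes(range(32, 64))
ANONCE2, SNONCE2 = bytes(range(64, 96)), bytes(range(96, 128))


def shared_psk_demo(passphrase="FreeWiFi", ssid="Courtyard Marriott"):
    """Two clients on the same PSK network get different session keys (the
    'per-session keys' argument), yet a third party holding the same
    passphrase and client 1's handshake fields reproduces client 1's key."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk1 = ptk_from_handshake(pmk, AP_MAC, CLIENT1_MAC, ANONCE1, SNONCE1)
    ptk2 = ptk_from_handshake(pmk, AP_MAC, CLIENT2_MAC, ANONCE2, SNONCE2)
    observer_pmk = pmk_from_passphrase(passphrase, ssid)   # same passphrase, same PMK
    observer_ptk = ptk_from_handshake(observer_pmk, AP_MAC, CLIENT1_MAC, ANONCE1, SNONCE1)
    return {
        "per_session_keys_differ": ptk1 != ptk2,
        "observer_matches_client1": observer_ptk == ptk1,
    }


if __name__ == "__main__":
    print(shared_psk_demo())   # {'per_session_keys_differ': True, 'observer_matches_client1': True}
```

Both results are true at once, which is the whole disagreement in the thread: the keys really are unique per session, and that uniqueness protects nothing against someone who shares the passphrase. Per-user credentials (WPA2 Enterprise, where the PMK comes out of an EAP exchange rather than a shared string) are what break the second line.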
  31. Re:I like this. by anUnhandledException · · Score: 2, Interesting

    You can capture the handshake w/ WPA but not WPA2.
    Or more technically sniffing the WPA2 handshake will not allow you to decrypt the traffic.

    Of course TKIP is flawed and was only really included to allow backwards compatibility. WPA2 AES should be the only option.

  32. Struck out HTTPS by tepples · · Score: 2, Insightful

    someone sees the 'https' and thinks it's secure

    Chrome does it right, with three different indicators in the URL bar: nothing for HTTP, a struck-out HTTPS for a self-signed certificate, or a plain HTTPS for a commercial certificate. But you still need an IPv4 address because downlevel clients won't send the SNI.