Slashdot Mirror

← Back to Stories (view on slashdot.org)

Simple Rogue WiFi Hotspot Captures High Profile Data

Posted by samzenpus on from the protect-ya-neck dept.

jones_supa writes Gustav Nipe, president of Sweden's Pirate Party's youth wing, was successful with somewhat trivial social engineering experiment in the area of the Sälen security conference. He set up a WiFi hotspot named "Öppen Gäst" ("Open Guest") without any kind of encryption. What do you know, a large amount of unsuspecting high profile guests associate with the network. Nipe says he was able to track which sites people visited as well as the emails and text messages of around 100 delegates, including politicians and journalists as well as security experts. He says that he won't be revealing which sites were visited by specific experts, as the point was just to draw attention to the issue of rogue network monitoring. The stunt has already sparked criticism in Swedish newspapers and on social media, with some angry comments saying that Nipe breached Sweden's Personal Data Act.

67 comments

  1. You want to protect your data? by ArcadeMan · · Score: 5, Insightful

    If you want to protect your data, don't connect to an open WiFi hotspot.

    Also, shame on the so-called "security experts" who used it.

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:You want to protect your data? by Anonymous Coward · · Score: 1

      What's wrong with that? Whenever I use an open hotspot, I *assume* the worst... if I can ssh to https into whatever, so what?

      If I don't care about stuff, (e.g. reading cnn.com, for example), then who cares if it's encrypted or not?

      Stunts like this scare people into not using/providing open internet access... I'd rather we have *more* open wifis (monitor whatever you want out of them), just have them be all over whenever I need them.

    2. Re:You want to protect your data? by Cramer · · Score: 5, Insightful

      Are you 100% certain the cnn.com you think you asked for a page is actually cnn.com and not some i'm-gonna-fill-your-browser-full-of-malware spoof?

    3. Re:You want to protect your data? by davester666 · · Score: 5, Funny

      can't be any worse than the reall cnn.com

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:You want to protect your data? by hcs_$reboot · · Score: 2

      TFA says the guy tracked sites and mails etc... Who nowadays doesn't use encryption when it comes to mail? Maybe "he won't be revealing which sites were visited" because that would demonstrate how useless the data he tracked is, "https://google.com", "https://mail.google.com", ....

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:You want to protect your data? by Anonymous Coward · · Score: 0

      If you want to protect your data, don't connect to an open WiFi hotspot.

      When you have wi-fi enabled, your phone constantly broadcasts probes with a list of SSIDs of networks it's recently connected to.

      So if someone runs a hotspot which sniffs your probe, auto-starts a new open network with your preferred SSID, and your phone gladly auto-connects to it...?

    6. Re:You want to protect your data? by Anonymous Coward · · Score: 0

      I don't think it's even about whether the WiFi spot is "open" or not.

      All unencrypted data traveling across the internet is like a bunch of post cards with text written on the outside. You aren't even trying to hide it at all, so you really can't complain if the postman or anyone else along the way reads it.

      Even if you use a hard-wired LAN cable, your data is likely readable by everyone on your LAN segment, cable segment, and who knows who for every single hop on the way to the destination. Then on the destination, it's readable by other computers on the same segment, perhaps other users on the computer, etc.

      If you actually practice security properly, assume you can't trust your connection, and use things like SSH - then you really have nothing to worry about with open WiFi.
      Anyone who is using plain telnet, plain old FTP for private files, or plain HTTP for private data (including email) pretty much deserves what they get.

    7. Re: You want to protect your data? by Teranolist · · Score: 1

      Disable autoconnect?

    8. Re:You want to protect your data? by TheRaven64 · · Score: 3, Insightful

      I wonder how many people would actually notice if they got SSL errors for Google addresses and how many would just click 'accept' and move on.

      --
      I am TheRaven on Soylent News
    9. Re:You want to protect your data? by retroworks · · Score: 4, Insightful

      Agree with this AC.

      What I'm more concerned about and don't know the answer to are the Smart Phone apps which may check for their own "updates" while I'm on a sinister wifi hotspot. Will a "Bank of App" program open an auto update query in the background, and disclose any details I don't intend it to? I never "save passwords" and rarely enter them in unknown wireless environments.

      The Swedish guy probably did a public service, but the alarms seem aimed at people who don't know the risks. "Never use wifi, and never read CNN online" hyperbole just fatigues people and causes people to treat it as an acceptable risk rather than something they can cope with through caution. The "what if its a fake CNN site" question is a totally separate problem which could occur on a verified hotspot, or wired account... And so what if it's a fake CNN site? They get my lowest concern throwaway password, as I have no money at CNN. I too always am careful which sites I go to on public wifi hotspots.

      --
      Gently reply
    10. Re:You want to protect your data? by Anonymous Coward · · Score: 0

      Modern devices do not do targetted probes unless they first receive a beacon. They do send broadcast probes from time to time to detect networks with a really long beacon interval.

      Think about it, if you have 200 networks configured in the phone and it has to probe them all, it will use a severe amount of battery power.

    11. Re:You want to protect your data? by fuzzyfuzzyfungus · · Score: 3, Informative

      What's wrong with that? Whenever I use an open hotspot, I *assume* the worst... if I can ssh to https into whatever, so what?

      If I don't care about stuff, (e.g. reading cnn.com, for example), then who cares if it's encrypted or not?

      Stunts like this scare people into not using/providing open internet access... I'd rather we have *more* open wifis (monitor whatever you want out of them), just have them be all over whenever I need them.

      I largely agree with you, open hotspots are excessively demonized(both 'if you touch one you'll get cyber-syphilis!' and 'if you operate one pedophiles will smell it from miles away and you'll go to jail forever!'); but they can be dangerous, and people frequently don't take enough precautions.

      Awareness of VPNs is actually pretty high, all things considered; but mostly for the purposes of getting Netflix in foreignistan, or getting to facebook at school/work. This tends to mean that even people who know about, and use, them typically don't ensure that all chatter from their computer(unless you are very careful, that's often a lot, from all sorts of updaters, autodiscovery agents, and annoying background processes) goes over the VPN, since their use of VPNs is all about ensuring that a specific, normally blocked, bit of traffic makes it out alive, rather than ensuring that no traffic leaks locally.

      The area I would argue with you about is 'unimportant' HTTP: Do I care that somebody knows I visited CNN? No. However, if I make an HTTP connection, do I have the slightest assurance that I'm actually visiting CNN, rather than 'CNN, plus some rewrites that add a suite of common browser exploits'? Not so much. That can, and does, happen even on a trusted connection, through sites being hacked or ad network fuckery; but adding another party who can trivially rewrite the site with god-knows-what isn't really something you want.

      If you have a proper VPN, with all traffic either heading over it or blocked before it leaves your system, though, all good.

    12. Re:You want to protect your data? by fuzzyfuzzyfungus · · Score: 1

      More because of ecosystem vendor DRM enthusiasm that because of any real competence on app writers' part, app updates are actually more likely to be safe. Updating may or may not reveal what apps you have installed; but iOS will flat-out refuse to run anything not signed by Apple(which makes it pretty hard to quietly modify or spoof an update) and Android can be made to be more trusting; but the defaults for play store stuff aren't a whole lot more liberal.

      The apps themselves, though, seem to be amazingly shoddy a striking amount of the time. In some cases, outfits that have perfectly respectable, properly SSLed, web sites somehow manage to have 'apps' that are basically just wrappers around a browser view; but still are less safe than just accessing their site directly. I'm not sure if this is just because the 'app' craze has attracted a lot of dumb new entrants, or whether it's because there are fewer people firing up wireshark on their phone and revealing the shameful truth.

    13. Re:You want to protect your data? by Anonymous Coward · · Score: 0

      They clearly missed a particular Dr Who -episode. Who knows what happens after connecting promiscuously. Also, the information collected constituted a register of personal information for the sole purpose of making a point as allowed by the freedom of expression. As long as the information has been used only to this single purpose, protected and disposed of properly after use, the privacy laws should be satisfied. Oh, that pesky consent part slipped from my mind. Perhaps Nipe should have presented a ToS in somewhere..

    14. Re:You want to protect your data? by dave420 · · Score: 1

      The apps come from the store, and the update mechanisms check certificates like crazy. Apps don't update themselves - the store pushes updates. The browsers also (from my experience, anyway) also alert to the presence of untrusted certificates, so MITM with HTTPS is going to be obvious. If one is security conscious, they can very easily get a VPN service and connect their phone to it (sending all traffic over it), ensuring that even open wifi is as practically secure as their own.

    15. Re:You want to protect your data? by Anonymous Coward · · Score: 0

      You obviously don't know the difference between a hub and a layer-2 switch.

    16. Re:You want to protect your data? by Anonymous Coward · · Score: 0

      > What I'm more concerned about and don't know the answer to are the Smart Phone apps which may check for their own "updates" while I'm on a sinister wifi hotspot. Will a "Bank of App" program open an auto update query in the background, and disclose any details I don't intend it to?

      Doesnt matter.
      It should be using end-to-end authenticated encryption.
      At most, your attacker will learn that you connected to that app's servers.

  2. Hackers Obey the Law!! by muphin · · Score: 5, Insightful
    i like the quote:

    with some angry comments saying that Nipe breached Sweden's Personal Data Act

    like hackers really care about obeying laws?

    --
    It's not a typo if you understood the meaning!
    1. Re:Hackers Obey the Law!! by bunratty · · Score: 2, Insightful

      Most people who go to prison don't particularly care about obeying laws. That attitude doesn't seem to result in much leniency from the courts.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Hackers Obey the Law!! by Anonymous Coward · · Score: 1

      I think a valuable, although statistically useless, point here is that the police didn't catch this guy. He turned himself in. What happens in a real-world version of this attack? What will that law end up doing? Most of the time, not getting someone in front of a judge to be told he deserves no leniency. Most of the time, it will be as if the law doesn't even exist, and there will be plenty of leniency.

    3. Re:Hackers Obey the Law!! by yacc143 · · Score: 3, Funny

      Worse, did not the delegate commit Theft of Service by using a WLAN they were not authorized to?

    4. Re:Hackers Obey the Law!! by Anonymous Coward · · Score: 0

      There was a case about that in my country. Someone setup networks called 'Free Wifi' or something, and then tried to press charges for 'hacking' the networks. Didn't work out since they assumed (rightfully imho) that a user could not know that he did not have permission given that name.

    5. Re:Hackers Obey the Law!! by tommeke100 · · Score: 1

      How is this different from every Internet Provider who sure as hell is keeping all the information you're looking up as well?
      You can't visit a website without it having +10 trackers on it either.
      Are they breaching the law too? Or is it just illegal if you don't do it to make money out of it?

    6. Re:Hackers Obey the Law!! by Anonymous Coward · · Score: 0

      My defense would be to claim being an ISP, where by law I'm required to log all traffic for 2 years time.

  3. dupe by Kunedog · · Score: 4, Informative

    still on the first page
    http://mobile.slashdot.org/sto...

    1. Re:dupe by jklovanc · · Score: 1

      Maybe the editors are getting Alzheimer's. Twelve hours is a pretty short time for a dupe though.

    2. Re:dupe by jklovanc · · Score: 1

      I just thought of another reason. Maybe since the original post had lass than 70 comments they may have thought adding the term 'Rogue WiFi' might garner more attention. If it doesn't get enough traffic then sensationalize it.

    3. Re:dupe by Crashmarik · · Score: 1

      nahh if that was the motive, they would throw in something about Obama and Global warming.

    4. Re:dupe by hcs_$reboot · · Score: 1

      http://slashdot.org/comments.pl?sid=6620979&cid=48731611

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re: dupe by Zontar+The+Mindless · · Score: 1

      I've never ever EVER even had a HINT of a desire to create a Twitter account... But perhaps it's time I considered it. #NixonNow

      --
      Il n'y a pas de Planet B.
    6. Re: dupe by Anonymous Coward · · Score: 0

      I'm with you, bro. #NixonNow #NotACrook #EbolaHotSpot #RogueWiFi #ImWithZontar

  4. well by Anonymous Coward · · Score: 0

    Well of course he broke the law, technically you have to break it to expose and inform people. Since the criminal don't actually care when they are breaking it, and usually don't tell you.

    1. Re: well by Zontar+The+Mindless · · Score: 1, Informative

      I always steal a car before informing people about their lord and savior Jebus Christ.

      The Sub-Genii have been doing that for years.

      --
      Il n'y a pas de Planet B.
  5. Simple Editor by Anonymous Coward · · Score: 0

    does not catch dupe.

  6. Re: Throw him in jail by Anonymous Coward · · Score: 0

    Since when is an open network, not claiming nor pretending to be anything special, a "rogue" hotspot?

  7. some things for any judge to consider by ihtoit · · Score: 5, Informative

    An open network connection at a security conference. That's either a honeypot or a freebie. Were it me, I'd assume the latter, but I wouldn't be doing my online banking through it. If I were an attendee, I'd know better.
    If he's guilty of providing free internet service then people the world over who open their wifi connections are also guilty. I say, and cue the flaming for this, that data security starts and ends with the owner of the data. Take some fucking responsibility for yourself instead of relying on a Government that doesn't give a fuck about you, to do it for you. If anybody should be prosecuted for leaking data in clear text through an unencrypted radio stream (he was literally the guy on the next bench listening in on a shouted conversation, here!), then it should be the administrators of the websites that were visited for not using properly secured data channels such as SSL, endpoint encryption, tunnelling or whatever.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    1. Re:some things for any judge to consider by Anonymous Coward · · Score: 0

      (he was literally the guy on the next bench listening in on a shouted conversation, here!)

      Well, kind of. He was the guy standing there holding up the cups-and-string so that the guy could shout through it.

    2. Re:some things for any judge to consider by Floyd-ATC · · Score: 1

      I would go even further and say that the government is the last instance you should trust if you have any interest in privacy because then have a clearly expressed interest in denying you any.

      --
      Time flies when you don't know what you're doing
    3. Re:some things for any judge to consider by Floyd-ATC · · Score: 1

      s/then/they;

      --
      Time flies when you don't know what you're doing
    4. Re:some things for any judge to consider by Minupla · · Score: 3, Interesting

      An open network connection at a security conference. That's either a honeypot or a freebie.

      This. At the security conference I attend (defcon), assuming you got drunk enough to be dumb enough to connect an open hotspot, you'd be thanking your lucky stars if the worst that happened to you was getting on the wall of sheep (which is essentially the same stunt this guy pulled, with the information projected on a wall for everyone to see). I personally VPN *everything* during that week, and if I have to absolutely connect to a work system, I drive to a random McDs outside of the conference and do my VPNing from there (it's usually faster and more reliable then any network at the conference too, since it's not the prize in a big game of Spy vs Spy).

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    5. Re:some things for any judge to consider by Anonymous Coward · · Score: 0

      s/;/\/;/

    6. Re:some things for any judge to consider by Anonymous Coward · · Score: 0

      And even using a VPN could be risky. There was one year where there was a DHCP exploit that could own your machine before your VPN was even connected...

  8. Encrypted WIFI doesn't protect you anyway by Anonymous Coward · · Score: 0

    It doesn't matter if the WIFI connection is encrypted or not encrypted.

    Even when it would be encrypted, the operator of the access point has access the unencrypted data, because the WIFI transmission is decrypted when forwarded to the wired connection.

    So if you are not using encryption of the data itself (HTTPS, VPN etc.) you actually only get some "sense" that you are secure, but actually it will keep you save for the small distance between you and the WIFI AP.

    For the rest for thousands of miles that you data might travel, no encryption will be there and the data is passed through several routers which might capture any the data inbetween.

    It might be harded to capture data in a mid way point and associate it to a particular user, but it is not impossible.

    For any type of access, don't rely on any "provider" (it being WIFI or wired) to protect anything, but make sure your the payload that you really want to secure is secured itself.

  9. The set up was so nice by future+assassin · · Score: 0

    they dupped it twice.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  10. Re: Throw him in jail by jones_supa · · Score: 1

    It claimed to be "Öppen Gäst" (open for guests) in the SSID name.

  11. Tonny by Anonymous Coward · · Score: 0

    Artk neredeyse her ülkede her ehirde ücretsiz internet balantlar veren wireless alar mevcut zaten. Bu olay büyütmenin pek mant yok örnek vermek istersen LAN a datm yapan http://www.mirclan.net adresiniz baz alarak kontrol edebilirsiniz.

    1. Re:Tonny by Anonymous Coward · · Score: 0

      ülkede her ehirde ücretsiz internet balantlar veren wireless

      Nisht vergetten dtas reingelst biere. Esne ne bitter nlessweitdt.

  12. Tonny by Anonymous Coward · · Score: 0

    Now available wireless networks, providing free internet connections in almost every city in every country already. If you do not want to give an example so you can check the logic of the growth of this event taking LAN network deployment that http://www.mirclan.net address basis. [url=http://www.mirclan.net]Mirc indir[/url]

  13. not a ICT security conference by Anonymous Coward · · Score: 1

    The "Sälen security conference" is a defense security conference,
    It is not some IT guys meeting for some cood white/black hat stuff.

    They should still be aware of the dangers, but it is perfectly understandable since these people are usually the ones fired up to their incompetence level..
    And they don't have a clue of network security. And if you inform them they do not care since they think all should be provided for them.

  14. Re: Throw him in jail by Anonymous Coward · · Score: 0

    And it was open for guests to use!

    Just like FaceBook is open and without you having to pay.

  15. The danger of open networks by ruir · · Score: 3, Interesting

    I remember seeing a open network in lots of odd places, like trains, when you had no wifi in trains. It was usually in hadhoc mode. Some time later on I learnt it was a virus in Windows that opened it up to try to propagate to other hosts.

  16. At some point ... by cascadingstylesheet · · Score: 2

    ... you have to take responsibility for what you are doing.

    Yes, I could call up the post office and ask if that new blue mailbox on the street corner that says "post office" is legit. That would be so efficient, societal-ly speaking, huh?

    Or we could just throw people in jail who set up fake post boxes.

    1. Re:At some point ... by Anonymous Coward · · Score: 0

      I don't know about where you live, but for me anyway, I had to get a key to my mailbox from the post office, and since they only told me the number of my slot, but not which of the groups it was in, I had to try several until I found which group my box was in. And my key didn't work in any of the others I tried, so this gives me some confidence that the box I use is legit. Plus, you know, mail arrives for me in it. If I'm not sending mail through that, then it's probably actually at the post office, where I imagine somebody would take issue is some stranger came in and set up a box in there.

      As for a random mailbox on the street, I've never seen one of those anywhere other than in movies. And no, I wouldn't trust it.

    2. Re:At some point ... by cascadingstylesheet · · Score: 1

      I live in the United States. Blue public mailboxes (for sending, not receiving, obviously) are all over the place. And if some bozo bolted a fake one to the sidewalk so he could harvest the mail, he'd be put in jail.

  17. Slashdot entry is only half-true by Anonymous Coward · · Score: 1

    First, it was not a security conference, it was a conference regarding government surveillance. Nipe was Survailing the government representatives who want to Survail citizens more.

    The conference was'nt really about security it was about anonymity and personal integrity,

  18. VPN? by plaukas+pyragely · · Score: 2

    I'd say use VPN and enjoy even dodgiest open WiFi hotspots.

  19. Cap'n Jack Sparrow for President by geekmux · · Score: 1

    "...The stunt has already sparked criticism in Swedish newspapers and on social media, with some angry comments saying that Nipe breached Sweden's Personal Data Act."

    Uh...maybe the whole country ah...missed something here..

    "Gustav Nipe, president of Sweden's Pirate Party's youth wing..."

    Uh...yeah..I mean THAT part.

    Helllloooo.... Pirate. Remember? Cap'n Jack Sparrow made that concept pretty damn clear I thought. Don't act so surprised.

    Oh, and be thankful it was a pirate. Those damn ninjas are sneaky.

  20. I weep for humanity by BVis · · Score: 2

    I keep seeing stuff like this. Someone who is not stupid makes enough rope available, someone who IS stupid hangs themselves with it, and the first guy takes all the blame. We protect the stupid at all costs. The appropriate response to this is "Don't connect to hotspots you're not sure about, and if you do, take appropriate measures (VPN, https, etc)". No, this is too hard for the shitheads out there who keep getting protected from their own stupidity.

    What I think the non-stupid people need to do is to stop helping these people. Next time, this guy should just keep quiet about what he did at the conference, and quietly sell the incriminating information he collects. Eventually the stupid people will either get tired of having their identities/all their money stolen, and wise the fuck up, or they won't and will be removed from the useful ranks of society. Either way the situation improves.

    I'm not saying I'm smarter than anyone else. I'm saying that if I do something stupid, it's my own damn fault. We don't blame the truck driver when someone plays in traffic. The internet has been part of society in one way or another for over twenty years. It's long enough.

    --
    Never underestimate the power of stupid people in large groups.
  21. Wifi name by hattable · · Score: 1

    I just name mine xfinity

    --
    OMG facts!
  22. Fucking Google by Anonymous Coward · · Score: 0

    If Google would fix their shitty VPN bug in Android 4.4.3, we could return to using VPNs on our phones and use WiFi hotspots with relative security. But, as always, Google has no interest in security or user experience. Google is only interested in how to better package me and my information for their advertising customers.

  23. And thus the surveillance crowd is put on notice by Anonymous Coward · · Score: 1

    Two can play at this game, or more. The NSA wants to watch us? We can also watch *them*. You may not. I may not. But I guarantee you that someone will, and that their names, addresses, phone numbers and movements will some day show up on the equivalent of wikileaks.

    Revenge is a dish best served cold.

  24. Re: Throw him in jail by Anonymous Coward · · Score: 0

    just like your home network is "Öppen Gäst" for government agencies