Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot (softpedia.com)
An anonymous reader writes: Avast carried out a curious experiment at the Barcelona Mobile World Congress. They've set up 3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it. Researchers randomly logged some traffic stats just to prove a point about how easy it is to hack users on a public WiFi network. They also recommended using a mobile VPN app when navigating the Web via public WiFi.
But I always carry a concealed weapon
Why should anyone expect some random WLAN to be "safe" - they are trying to get to the Public Internet, this is just another Public inter-Network along the way.
1. know very little about the road. 2. is it safe? (Marathon Man ref) who knows? 3. who's running it? Feds/State/local/private/etc? WiFi is asphalt for smartphones. full speed ahead.
why not?
Or do their devices automatically do it for them?
Oh man, not my traffic stats.
H4X3D.
seems like avast missed the point when google, gmail, and youtube went 100% https
the bit about "detecting" devices is also retarded: just serve up a page to new connectors and log the agent and you should get stats on browsers/oses
Let's face it, people are dumb.
People would still take candy from strangers if we didn't drill it into them from a young age. Stupidity isn't limited to Wifi, it pervades everything people do.
However airports are strange. A lot of people are stuck there for some time with little to do. So free Wifi is a godsend, I admit, despite being quite security aware, that I've been a bit free and loose with connecting to airport Wifi when bored out of my skull at various airports (mostly Australian ones who didn't have free Wifi until recently).
Free Wifi isn't inherently unsafe, but must be treated with suspicion. However most people won't, so back to my original point... People are dumb.
Calling someone a "hater" only means you can not rationally rebut their argument.
You just can't help yourselves.
Always assume all networks are insecure. You're always correct.
So if you use HTTPS or SSL secured connections, how are these connection types vulnerable on unsecured wifi?
VPN
Mr. Facebook was at Paris sometime ago. Doing?
I'd be curious to see how many of those reckless people would still use their preferred services with an SSL warning coming from a mitm ssl proxy.
"logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. "
Logging is a long way from poisoning an arp table, serving tainted SSL and recording packets plain text.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
The bigger question is, why shouldn't it be safe to connect to any random Wifi hotspot? Literally everything should be using https by now, SSL certs are even available for free, so there's no excuse not to. I often connect to public Wifi hotspots (and use a VPN since I know that everything is *not* secured with SSL) and there's really no other option (other than "never use public wifi hotspots") since there is no way to know whether the "Starbucks" or "Starbucks - SFO" or "Starbucks - Public" SSID is the legitimate one.
Over 60% can't even manage to marry a compatible mate.
Why would you assume they could hookup with a safe network.
What wanker did this study?
Please, continue this research and expand it to every airport! And make it a permanent thing!
Seriously: Avast is a "security" company that sells security to those feeling "insecure". So it's in their best interest to keep that feeling, seeing threats where there are none. In this case... why should a public WiFi network be more trustworthy than any other network in the middle of the big Internet? You should be doing SSL/TLS, SSH, etc. by now everywhere and that's it.
1) no, nothing like a road. A phone line, perhaps, but anyway.
2) see above
3) see above
3a) one example where your choice of roads was based on 'the feds'.
THIS
Simple countermeasure! Just boot up your old Aspire One netbook with XP 'beast', an obsolete alternative distribution of XP where anything that stunk of bloat was omitted or disabled or covered with Hazmat stickers or XOR'd out and ridiculous excess like print spoolers are absent, and nothing is guaranteed but things just might load at all, eventually. This screaming monster only takes three times as long to boot as you'd expect. Then the many Atheros Wifi drivers which do not work fail to load successively, then the only one that does work loads, which happens to be part of an "AT&T Communications Manager" ATTCM bundle that no one in their right mind would choose over anything else. ATTCM wastes your time looking for stupid phone devices they've pissed people off by not supporting and finally gets around to the Wifi. A hundred Wifi beacons later it finally gets around to displaying its hello icon on the screen. Another hundred beacons and the ATTCM user interface is beginning to take shape, drawn before your very eyes, it looks like a cross between a haXor serialz generator and a pinball machine. Another hundred beacons go by and you can almost hear it groan like it's passing a turd, and it manages to say "Scanning for Networks". Now it starts to listen for beacons. It won't show you any network names until it has finished looking and going though its profile database with a tiny spoon and making you wait another few seconds, just because. How cute, now it's trying to show the names. Some jump scroll thing appears that you fear to touch because it is so badly implemented you might jump over whole screens. But the arrows don't work right either. The encrypted login takes too long to describe here. But if you manage to glimpse and click on an unsecured network it's like it has to fill in forms and mail them in, it's so slow. 
You can feel the excruciating agony of a simple Wifi connect, lose yourself to complete despair "obtaining an IP address" because you've installed countless DHCP servers and watched the packets go by and nothing on God's Green Earth takes this long unless you're being bullshitted. Eventually you realize it has been saying "connected" for awhile but you didn't realize it because there are tears in your eyes. If only you'd have remembered to start Firefox as all this was happening it'd only be a minute or so away from displaying, but you didn't because you feared it would slow things down further. Firefox is now loading, sounds like the drive shaft is loose...
TL;DR It's difficult to imagine doing anything in a reckless manner with this setup. I'm safe.
Actually it's not as bad as I let on. Or maybe it is and I'm so much worse.
<blink>down the rabbit hole</blink>
Always assume wifi is untrustworthy and you'll be fine. You don't need to pay companies like Avast to cover your behind. Most websites these days with sensitive information use https/SSL. Slashdot does not. But I care little about my Slashdot account.
Avast has a problem. They apparently do not understand that their business model - to sell people protection - skews their perspective - that people should fear hacking and theft of information - and leads them to believe that people need them to protect them and the protection they offer.
It's a common problem companies have, and starts at the top - the US Government believes it needs to protect those outside its borders because surely they cannot defend themselves and accordingly, they find evidence to support it.
Protection and mafia style businesses selling protection have a tendency to perpetuate themselves.
And go and set up what they think are "traps" to teach consumers just how dumb they are.
And how much they need Avast to help them for protection.
The Mafia has had this same method of operation for a number of years.
The funny thing being, the mafia was protecting those who paid from the mafia themselves who would beat you up if you quit paying them.
I wonder how many people believe the marketing crap these companies are trying to sell?
In most circumstances you cannot recognize or verify that a given public WiFi network is safe. What you do instead is assume it is non-safe and use secure communication technologies, like SSH, VPN links, etc. This has been known for ages.
Incidentally, logging traffic is not "hacking".
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Everyone wants to stick their dick in, preferably unprotected, and paying as little as possible.
Is it worth it??
Protect yourself. Use a VPN.
Geez. I think folks are getting a little too big for their britches. Who gives a shit about an erasable phone? If you are that afraid to surf some wireless signals then turn the damn thing off. This sort of shows that a lot of people don't care and they shouldn't care.
Researchers looking at a superficial behavior decide that it is indicative of a deeper innate human property, despite calling themselves Behaviorists. News at 11.
Would be news for nerds and something that matters.
What is the percentage of users compromised? I would love to connect to any network and remain completely anonymous. My motto is "Anonymous Coward for life!". How many are actually being compromised? I am absolutely sure anyone with a smartphone can set up a rogue access point. Probably even DNS spoof. How many users is this happening to? It's like saying someone lied, or someone stole the car I left the key in. Do you want to educate people? What is the end game? People are always going to take advantage of people. I want to foil their attempts where possible, but I do not want to live in an Orwellian society.
I do not know a single person who does not have a data connection. As soon as I leave my house, wifi gets turned off. If I bring my tablet I can tether it to my phone. The last time I tried a free wifi hotspot it was like dial up on aol. Shit actually. VPNs are not trustworthy imo either.
I agree that using a VPN is the top when travelling and using public wifi networks, but as far as I know every phone (android, at least) starts sending some data (email check, push messages check, etc) just as the wifi connection is established, while the VPN is connecting.
Is there a mobile OS that has an option to not send data on wifi until a vpn link is established?
Or, better, a mobile OS that considers itself to be connected only after a VPN link is activated and does not consider itself online when connected to a wifi.
Thank you
You know, I see constantly people advising that you use a VPN when connecting with public wifi, without anyone ever acknowledging the difficulty of this problem.
You see, between when I click "Connect" on the public wifi click-through, and when I have time to connect my VPN client, probably 50 different applications on either my laptop or my mobile phone HAVE ALREADY likely detected a positive connection and reached out to the internet. Any or all of these connections could already be compromised, BEFORE I can even get my VPN connected.
Until OS vendors like Microsoft, Apple, and Google recognize this problem and allow you to create a rule like "Never connect to non-local addresses over a route that traverses unencrypted wifi", this will continue to be a problem. I wish more people were discussing it, because I see no solution in sight. The closest thing to a solution is with Android you can use Tasker to automate connecting your VPN as soon as it can see the VPN server, but even at this point, at best it's a race against all the other processes on your phone firing up as well.
I once (recently) had a Windows Phone for work - recently enough to be on the beta of Windows Phone 10 (as in in the last 3 months). It automatically connects to any WIFI hotspot, if Wifi is enabled and it's as annoying as hell. Windows Phone 8.1 and 10 both do it.
So I would be in a shopping centre and my phone would auto connect to the wifi (which was of course open but without internet unless you punch in some code you get on your receipt when you buy something). I'd then try to check my mail and find it wouldn't connect - then remember about the stupid autoconnect and turn off my wifi. Then I'd go back to the office and realise after a day or so that my wifi was still off.
So I imagine a good number of these travellers were on Windows Phone and didn't even notice they'd connected to the wifi. Not a huge number because... you know.. Windows Phone.. but still, airports have business travellers and Windows Phone pretty much only exists in businesses, so at least some of them.
most of the traffic these days is encrypted, how does it matter? I would connect to network called - "we_h4x0r_ya", since my traffic can't be man in the middle anyway using SSL certs. So point of experiment is?
Some airports have the worst wifi ever! People who are just passing through won't connect to roaming data services which are beyond expensive but will look for a working wifi anywhere. Passed through Toronto Pearson Airport late January 2016: Possibly the worst wifi ever. Hard to connect, frequent drops, basically no actual network connection. I was basically looking for *anything* to get connected and would most likely have jumped on any open network...
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
When I'm traveling, I always connect to public WiFi in the airport. It is usually pretty easy to tell which is the "official" airport one but whatever. I just fire up my VPN and go about my business. I know it isn't encrypted, isn't secured, etc. However getting things encrypted is cheap and easy as you say.
Victim types BOA.com into their browser. They see the BOA page, and if they bother to look they'll see the secure icon.
If they bother to look back at the address bar again, they'll see bankofamerica.net, BOAonline.com, or BOAbank.com.
Most people won't notice a problem. If some people notice, so what? The bad guy doesn't have to steal from EVERYBODY, just from SOMEBODY.
Nothing new here. I did a similar experiment a year or so back, but instead of an airport, it was on a plane. A surprising (or not!) number of people were happy to give up their details including credit card numbers to sign onto a completely fake wifi network...
So, a security company that makes a living creating software to protect the stupid and ignorant from the dangers of the internet, somehow needs to perform yet another test to prove just how stupid and ignorant consumers are about security.
Sorry, but it doesn't matter if it's political or technical. I grow very tired of pointless surveys proving how stupid consumers can be. It's pointless because consumers don't care. That's not going to change, and we have the statistics to prove it.
Consumers are ignorant about security. That fact hasn't changed for the last 50 years, and it's not going to change in the next 50 years. Stop trying to prove or disprove it already. If you want to be entertained by stupid people that badly, turn on reality TV.
I use Project FI, and on my Nexus phone google already automatically VPNs my data when using public wifi. So the only monster with my data is the same monster I already trust with my data, google.
duh
Even if the wifi is legit who says it's safe? Any number of official and unofficial persons can be listening in. The only safe way is to use end-to-end encryption (like https for browsing) and then who cares how safe the wifi is. It either works or not.
If I want my packets sending to other hosts on the internet, I connect to wifi to do it. Or my ISP. Or my friend's ISP. Or my work's network. They're just packets being routed - if people are sending *sensitive* packets IN THE CLEAR on anybody's network - including their own internet connection at home or at work - then that is the problem. Not the network, which you shouldn't trust anyway.
Once in an airport during a relatively short connection, I had the need to access my company's VPN on my Windows laptop, could not do it on the phone's browser. My phone was 4G capable but I had not set it up for tethering. In a pinch, I downloaded a free tethering app and connected with my laptop. Did not take the time to set up a password as my flight was boarding by then and I was just going to be connected for a minute. By the time I was done, there were 4 people connected through my phone. In total, less than 5 minutes had elapsed.
I have no sensitive information stored on my laptop. So they can hack all they want, worst case I reinstall.
IIRC, Win 10 asks you if you want to automatically connect to free WIFI spots in the setup screens.
Just how I do it.
I wander by several open or semi-open WiFi hotspots daily, and having my phone latch onto one, wait for me to sign on, and fail to get email, texts (yes, texts), etc until it figures out I am gone is not just annoying, it is a failure mode. My carrier hates me for this, and tries to force WiFi on by various means. I average 10-12GB mobile data, and use my mobile hot spot for my tablet when I'm in marginal WiFi signal areas, which is most of the time.
WiFi hotspots can be a serious pain - for me, not worth the trouble.
deleting the extra space after periods so i can stay relevant, yeah.
Sure, I don't know who or what is running the WiFi where I connect but I don't know who runs each router on the path between me and my bank either. Why is trusting a random WiFi access point any different than trusting all the random routers my traffic crosses? Does Avast have a product they're hoping to sell that miraculously protects users from malicious WiFI APs? I can't think of any other reason for this "study."
They trust that the airport is on the job-- just like they are when they purchase a ticket, check their luggage, go through screening, sleep in the terminal, and eventually board the plane. An airport is an extremely safe place.
So if the concern is that people are risking their digital health by connecting to bad Wi-Fi spots, there's an easy 4-step solution:
1) Provide free Wi-Fi. Most airports do this.
2) Require all Wi-Fi spots to follow a specific naming system. (LAX-Terminal17). Provide the warning throughout the airport that if you're connected to a Wi-Fi hotspot and you can't see the terminal or business from where you are, you may have connected to a hotspot attempting to exploit the demand for free Wi-Fi.
3) Forbid all non-airport-supported open Wi-Fi hotspots.
4) Download a wardriving app for Android and get to sniffing out bad Wi-Fi hotspots.
Then brag about it. Seriously. "We at Slashdot International Airport care about your personal safety and the safety of your private information. We implemented a system that finds malicious Wi-Fi hotspots and punishes their creators. We have found and stopped X hotspots already. We would like to remind you that Slashdot Airport provides multiple secure and reliable hotspots throughout the airport labeled per their areas. If you connect to a hotspot whose area you're not in, your data may be at risk."
Then apply for awards. Seriously. "And the winner of the Mobile Data Best Practices Award is... "
Free would be nice, open source even nicer.
SURELY NOT!!!!!
list of websites i access and my http data?
Which by the way, if using HTTPS (either because you explicitly type it, or because you use a plug-in like HTTPS Everywhere) is quite limited. From the outside you only see connection to *IP* address (to the front load-balancing/reverse proxy server, or to the apache server hosting all the virtual domains if that one is straight facing internet). The actual URL (server's full name, and document) is only asked once the encryption is established. (That's why you need stuff like SSL's SNI extension, so the server can hand out the correct certificate corresponding to the peculiar virtual server you want to visit).
so what could they have possibly gained by this devious man in the middle circus?
Indeed, intercepting data isn't probably the main goal. Even back since FireSheep, the security of internet websites has been getting better. Not that the end users care much (I think I remember an article on /. back then that lots of "victims" were amused but didn't really grasp the implication), but the companies have reacted and made HTTPS at least an option if not the main access point.
The risk might come from the network itself: a public network is an ideal place for a hostile to perform network scan, looking for vulnerable services or even vulnerable network stack component to exploit.
A public Wifi network might not be handing out public IPs/might be NATed/might not be accessibly routed from the internet - thus the various devices connected to it might not be scannable from the internet at large.
But from within the network it would be possible to perform a scan (brute force the SSH port of unix-running laptops*), including looking for services which aren't normally routed (like SMB network shares, Zeroconf)
Note that, regarding such a risk, the notoriety of the Wifi spot doesn't play such a big role.
- You might be at risk if you connect to some shady Wifi network operated by a hostile.
- But you might as well be at risk if you connect to some well known "clean" public Wifi, but on which there's a rogue device connected scanning its neighborhood for vulnerabilities.
------
*: If you're fed-up with constant hammering on your SSH server - which still pollutes your logs EVEN AFTER you've switched to key-based-only logins or 2-factors, Fail2ban is your friend.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
He also has a diesel truck fleet, which he fills with gasoline because that's all that he has available.
After the first airport WIFI services began, I noticed a number of other AP's showing up. Because of the proliferation of these odd APs I've occasionally carried an older MBP set to act as a VM honeypot running either Windows XP SP2 or OSX 10.7. On various layovers I have walked or used the airport conveyor system to roam the terminals and I've had hundreds of connections to "free" APs that start hitting all of the usual ports. The most disturbing thing is that a good many of these appear to be honeypots themselves. I have not looked into the situation closely (among other reasons: nobody is paying for my time), but I have always assumed that the APs were set-and-forget devices coupled with a burner phone to send data to untrackable recipients. I first noticed these in the 2004-5 period and assumed that the APs were created with Gumstix, or similar, embedded systems. With today's proliferation of Arduino and Raspberry Pi systems, I don't doubt that many of these APs are made with them.
I expect that a really nasty man-in-the-middle could be hidden in plain sight. I'm not naming the very nice hospitality suites available to frequent travelers or those with the proper color of credit card - but, some of those suites provide showers, nap facilities, a bar and restaurant - and it would be trivial to set up the MITM on a current, high-end laptop and just 'forget' it when leaving the suite. The folks using that facility are, literally, the gold standard for high-value data capture.
Needless to say, I never use public WIFI and when in a hotel, I have my own AP that I connect to CAT-5 cable and open a VPN before enabling my own, invisible, in-room WIFI. It's getting harder every day to find hard-wired ethernet and MITM is an ever present danger when traveling.