Slashdot Mirror

← Back to Stories (view on slashdot.org)

Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot (softpedia.com)

Posted by timothy on from the practice-safe-computing dept.

An anonymous reader writes: Avast carried out a curious experiment at the Barcelona Mobile World Congress. They've set up 3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it. Researchers randomly logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. They also recommended using a mobile VPN app when navigating the Web via public WiFi.

4 of 197 comments (clear)

  1. Logging=hacking? by fred911 · · Score: 3, Informative

    "logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. "

    Logging is a long way from poisoning an arp table, serving tainted SSL and recording packets plain text.

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  2. Re:I have hitch hiked before by KGIII · · Score: 5, Informative

    Here's the actual announcement from Avast:
    https://press.avast.com/en-us/...

    That has all you might need. No need to hitch off this softpedia site. They're not adding any value over reading the press release and they don't even include a link (or I didn't see it in their layout) to the original press report. It's the internet, linking is kind of important. Maybe they want to pretend it's exclusive content or real journalism? I dunno... Screw it, avoid entering the unknown and go to a verified source - like the message of the article.

    --
    "So long and thanks for all the fish."
  3. Re:Are people connecting to any free wifi hotspot? by sims+2 · · Score: 3, Informative

    Umm no... That's still standard practice. It's actually one of the only ways I've found to get devices to correctly roam between APs. Works on APs with and without encryption set.

    Best way to solve it? Set a key on the AP you connect to then if another has the same name your computer won't be able to connect to it because the AP doesn't have the right key.

    --
    Minimum threshold fixed. Thanks!
  4. Re:Colour me unsurprised. by WaffleMonster · · Score: 3, Informative

    BULLSHIT!

    See, if someone controls the network, they can also trivially do a man in the middle attack. Just like all the other crap.

    It isn't trivial. To perform a successful MITM attack you would need to crack the chain of trust between the sites public key and root cert installed in the browser or invent a parallel chain linking back to a trusted root cert installed in the browser.

    This requires obtaining the private key from CA, CA subordinate or bank server. Alternately you could compute a useful collision of signature algorithm and insert your own key into the trust chain as was done /w MD5 signatures using a playstation cluster many years ago.

    None of the above is trivial or easy. It is very likely anyone with the capability (e.g. governments) would not elect to piss it away attempting to drain the average Joe's bank account. ROI would be quite negative in the extreme.

    If you control the network and have the right stuff, there is nothing which is "safe". And HTTPS falls apart with a malicious actor in the middle who can control your connection and sit in the middle.

    Sorry, dude. You're so wrong as to be dangerous. You should fix that.

    Networks are not worth defending because their issues can so easily be sidestepped by deployment of end-to-end encryption. I believe various dogmas causing operators to waste money on network castle defenses is harmful. It takes resources away from defending the only thing that matters... systems.