Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot (softpedia.com)
An anonymous reader writes: Avast carried out a curious experiment at the Barcelona Mobile World Congress. They've set up 3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it. Researchers randomly logged some traffic stats just to prove a point about how easy it is to hack users on a public WiFi network. They also recommended using a mobile VPN app when navigating the Web via public WiFi.
But I always carry a concealed weapon
Why should anyone expect some random WLAN to be "safe" - they are trying to get to the Public Internet, this is just another Public inter-Network along the way.
1. know very little about the road. 2. is it safe? (Marathon Man ref) who knows? 3. who's running it? Feds/State/local/private/etc? WiFi is asphalt for smartphones. full speed ahead.
Or do their devices automatically do it for them?
seems like avast missed the point when google, gmail, and youtube went 100% https
the bit about "detecting" devices is also retarded: just serve up a page to new connectors and log the agent and you should get stats on browsers/oses
Let's face it, people are dumb.
People would still take candy from strangers if we didn't drill it into them from a young age. Stupidity isn't limited to Wifi, it pervades everything people do.
However airports are strange. A lot of people are stuck there for some time with little to do. So free Wifi is a godsend, I admit, despite being quite security aware, that I've been a bit free and loose with connecting to airport Wifi when bored out of my skull at various airports (mostly Australian ones who didn't have free Wifi until recently).
Free Wifi isn't inherently unsafe, but must be treated with suspicion. However most people won't, so back to my original point... People are dumb.
Calling someone a "hater" only means you can not rationally rebut their argument.
Always assume all networks are insecure. You're always correct.
So if you use HTTPS or SSL secured connections, how are these connection types vulnerable on unsecured wifi?
I'd be curious to see how many of those reckless people would still use their preferred services with an SSL warning coming from a mitm ssl proxy.
"logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. "
Logging is a long way from poisoning an arp table, serving tainted SSL and recording packets plain text.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
The bigger question is, why shouldn't it be safe to connect to any random Wifi hotspot? Literally everything should be using https by now, SSL certs are even available for free, so there's no excuse not to. I often connect to public Wifi hotspots (and use a VPN since I know that everything is *not* secured with SSL) and there's really no other option (other than "never use public wifi hotspots") since there is no way to know whether the "Starbucks" or "Starbucks - SFO" or "Starbucks - Public" SSID is the legitimate one.
Please, continue this research and expand it to every airport! And make it a permanent thing!
Seriously: Avast is a "security" company that sells security to those feeling "insecure". So it's in their best interest to keep that feeling, seeing threats where there are none. In this case... why should a public WiFi network be more trustworthy than any other network in the middle of the big Internet? You should be doing SSL/TLS, SSH, etc. by now everywhere and that's it.
Simple countermeasure! Just boot up your old Aspire One netbook with XP 'beast', an obsolete alternative distribution of XP where anything that stunk of bloat was omitted or disabled or covered with Hazmat stickers or XOR'd out and ridiculous excess like print spoolers are absent, and nothing is guaranteed but things just might load at all, eventually. This screaming monster only takes three times as long to boot as you'd expect. Then the many Atheros Wifi drivers which do not work fail to load successively, then the only one that does work loads, which happens to be part of an "AT&T Communications Manager" ATTCM bundle that no one in their right mind would choose over anything else. ATTCM wastes your time looking for stupid phone devices they've pissed people off by not supporting and finally gets around to the Wifi. A hundred Wifi beacons later it finally gets around to displaying its hello icon on the screen. Another hundred beacons and the ATTCM user interface is beginning to take shape, drawn before your very eyes, it looks like a cross between a haXor serialz generator and a pinball machine. Another hundred beacons go by and you can almost hear it groan like it's passing a turd, and it manages to say "Scanning for Networks". Now it starts to listen for beacons. It won't show you any network names until it has finished looking and going through its profile database with a tiny spoon and making you wait another few seconds, just because. How cute, now it's trying to show the names. Some jump scroll thing appears that you fear to touch because it is so badly implemented you might jump over whole screens. But the arrows don't work right either. The encrypted login takes too long to describe here. But if you manage to glimpse and click on an unsecured network it's like it has to fill in forms and mail them in, it's so slow.
You can feel the excruciating agony of a simple Wifi connect, lose yourself to complete despair "obtaining an IP address" because you've installed countless DHCP servers and watched the packets go by and nothing on God's Green Earth takes this long unless you're being bullshitted. Eventually you realize it has been saying "connected" for awhile but you didn't realize it because there are tears in your eyes. If only you'd have remembered to start Firefox as all this was happening it'd only be a minute or so away from displaying, but you didn't because you feared it would slow things down further. Firefox is now loading, sounds like the drive shaft is loose...
TL;DR It's difficult to imagine doing anything in a reckless manner with this setup. I'm safe.
Actually it's not as bad as I let on. Or maybe it is and I'm so much worse.
<blink>down the rabbit hole</blink>
Always assume wifi is untrustworthy and you'll be fine. You don't need to pay companies like Avast to cover your behind. Most websites these days with sensitive information use https/SSL. Slashdot does not. But I care little about my Slashdot account.
In most circumstances you cannot recognize or verify that a given public WiFi network is safe. What you do instead is assume it is non-safe and use secure communication technologies, like SSH, VPN links, etc. This has been known for ages.
Incidentally, logging traffic is not "hacking".
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Terrible use of hyphenation aside (it reads ... like .. it was ...spoken by ... Shatner): people should fear such things, because they're very real and present dangers in our lives. It's not some abstract thing, it's a real issue.
Yes, Avast wants to sell you security. But any halfwit who even pays a little attention to the news headlines on tech websites should be able to grasp that, yes, hacking and information theft is a thing, it happens all the time, and isn't something to just ignore and pretend doesn't exist.
Business models aside, the world is full of crooks and thieves.
Don't believe me? Plug your PC into the internet without a firewall, and see just how long before you get hacked. What's the current numbers for a new Windows machine? Under 30 minutes last I saw.
You'd have to be a moron to think that security isn't a daily issue people using technology should be at least somewhat aware of.
Lost at C:>. Found at C.
Geez. I think folks are getting a little too big for their britches. Who gives a shit about an erasable phone? If you are that afraid to surf some wireless signals then turn the damn thing off. This sort of shows that a lot of people don't care and they shouldn't care.
Would be news for nerds and something that matters.
You know, I see constantly people advising that you use a VPN when connecting with public wifi, without anyone ever acknowledging the difficulty of this problem.
You see, between when I click "Connect" on the public wifi click-through, and when I have time to connect my VPN client, probably 50 different applications on either my laptop or my mobile phone HAVE ALREADY likely detected a positive connection and reached out to the internet. Any or all of these connections could already be compromised, BEFORE I can even get my VPN connected.
Until OS vendors like Microsoft, Apple, and Google recognize this problem and allow you to create a rule like "Never connect to non-local addresses over a route that traverses unencrypted wifi", this will continue to be a problem. I wish more people were discussing it, because I see no solution in sight. The closest thing to a solution is with Android you can use Tasker to automate connecting your VPN as soon as it can see the VPN server, but even at this point, at best it's a race against all the other processes on your phone firing up as well.
I once (recently) had a Windows Phone for work - recently enough to be on the beta of Windows Phone 10 (as in in the last 3 months). It automatically connects to any WIFI hotspot, if Wifi is enabled and it's as annoying as hell. Windows Phone 8.1 and 10 both do it.
So I would be in a shopping centre and my phone would auto connect to the wifi (which was of course open but without internet unless you punch in some code you get on your receipt when you buy something). I'd then try to check my mail and find it wouldn't connect - then remember about the stupid autoconnect and turn off my wifi. Then I'd go back to the office and realise after a day or so that my wifi was still off.
So I imagine a good number of these travellers were on Windows Phone and didn't even notice they'd connected to the wifi. Not a huge number because... you know.. Windows Phone.. but still, airports have business travellers and Windows Phone pretty much only exists in businesses, so at least some of them.
most of the traffic these days is encrypted, how does it matter? I would connect to network called - "we_h4x0r_ya", since my traffic can't be man in the middle anyway using SSL certs. So point of experiment is?
Some airports have the worst wifi ever! People who are just passing through won't connect to roaming data services which are beyond expensive but will look for a working wifi anywhere. Passed through Toronto Pearson Airport late January 2016: Possibly the worst wifi ever. Hard to connect, frequent drops, basically no actual network connection. I was basically looking for *anything* to get connected and would most likely have jumped on any open network...
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
When I'm traveling, I always connect to public WiFi in the airport. It is usually pretty easy to tell which is the "official" airport one but whatever. I just fire up my VPN and go about my business. I know it isn't encrypted, isn't secured, etc. However getting things encrypted is cheap and easy as you say.
can be sued (maybe by your next-of-kin)
Good point. Whereas with Wifi, you'll be able to do the suing yourself. Indeed, the worst that could happen with free Wifi is that your weird orange-haired-wankpuffin fetish comes to light, but there's no danger to life-and-limb.
Once you're on the plane, you at least know where the pilot and co-pilot are most of the time.
You might know where they are, but you don't know where they should be. Namely in sick-leave...
and you absolutely won't like the Trojan they leave behind after the full cavity search.
That's not a trojan, that's a femidom!
Victim types BOA.com into their browser. They see the BOA page, and if they bother to look they'll see the secure icon.
If they bother to look back at the address bar again, they'll see bankofamerica.net, BOAonline.com, or BOAbank.com.
Most people won't notice a problem. If some people notice, so what? The bad guy doesn't have to steal from EVERYBODY, just from SOMEBODY.
Nothing new here. I did a similar experiment a year or so back, but instead of an airport, it was on a plane. A surprising (or not!) number of people were happy to give up their details including credit card numbers to sign onto a completely fake wifi network...
So, a security company that makes a living creating software to protect the stupid and ignorant from the dangers of the internet, somehow needs to perform yet another test to prove just how stupid and ignorant consumers are about security.
Sorry, but it doesn't matter if it's political or technical. I grow very tired of pointless surveys proving how stupid consumers can be. It's pointless because consumers don't care. That's not going to change, and we have the statistics to prove it.
Consumers are ignorant about security. That fact hasn't changed for the last 50 years, and it's not going to change in the next 50 years. Stop trying to prove or disprove it already. If you want to be entertained by stupid people that badly, turn on reality TV.
I use Project FI, and on my Nexus phone google already automatically VPNs my data when using public wifi. So the only monster with my data is the same monster I already trust with my data, google.
If I want my packets sending to other hosts on the internet, I connect to wifi to do it. Or my ISP. Or my friend's ISP. Or my work's network. They're just packets being routed - if people are sending *sensitive* packets IN THE CLEAR on anybody's network - including their own internet connection at home or at work - then that is the problem. Not the network, which you shouldn't trust anyway.
Once in an airport during a relatively short connection, I had the need to access my company's VPN on my Windows laptop, could not do it on the phone's browser. My phone was 4G capable but I had not set it up for tethering. In a pinch, I downloaded a free tethering app and connected with my laptop. Did not take the time to set up a password as my flight was boarding by then and I was just going to be connected for a minute. By the time I was done, there were 4 people connected through my phone. In total, less than 5 minutes had elapsed.
I have no sensitive information stored on my laptop. So they can hack all they want, worst case I reinstall.
Just say "NO!" .... To Windows....
Unless you insist on running Windows 10, then just say "No" to the dialog during the setup..
Just in case it's lost on somebody, I'm making a joke....
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Just how I do it.
I wander by several open or semi-open WiFi hotspots daily, and having my phone latch onto one, wait for me to sign on, and fail to get email, texts (yes, texts), etc until it figures out I am gone is not just annoying, it is a failure mode. My carrier hates me for this, and tries to force WiFi on by various means. I average 10-12GB mobile data, and use my mobile hot spot for my tablet when I'm in marginal WiFi signal areas, which is most of the time.
WiFi hotspots can be a serious pain - for me, not worth the trouble.
deleting the extra space after periods so i can stay relevant, yeah.
Yup: "...people should utilize a VPN service that anonymizes their data while connecting to public hotspots to ensure that their connection is secure. Avast SecureLine VPN for Android and iOS devices encrypts connections on unsecured public Wi-Fi and allows users to browse anonymously. " https://press.avast.com/en-us/...
They trust that the airport is on the job-- just like they are when they purchase a ticket, check their luggage, go through screening, sleep in the terminal, and eventually board the plane. An airport is an extremely safe place.
So if the concern is that people are risking their digital health by connecting to bad Wi-Fi spots, there's an easy 4-step solution:
1) Provide free Wi-Fi. Most airports do this.
2) Require all Wi-Fi spots to follow a specific naming system. (LAX-Terminal17). Provide the warning throughout the airport that if you're connected to a Wi-Fi hotspot and you can't see the terminal or business from where you are, you may have connected to a hotspot attempting to exploit the demand for free Wi-Fi.
3) Forbid all non-airport-supported open Wi-Fi hotspots.
4) Download a wardriving app for Android and get to sniffing out bad Wi-Fi hotspots.
Then brag about it. Seriously. "We at Slashdot International Airport care about your personal safety and the safety of your private information. We implemented a system that finds malicious Wi-Fi hotspots and punishes their creators. We have found and stopped X hotspots already. We would like to remind you that Slashdot Airport provides multiple secure and reliable hotspots throughout the airport labeled per their areas. If you connect to a hotspot whose area you're not in, your data may be at risk."
Then apply for awards. Seriously. "And the winner of the Mobile Data Best Practices Award is... "
Free would be nice, open source even nicer.
SURELY NOT!!!!!
list of websites i access and my http data?
Which by the way, if using HTTPS (either because you explicitly type it, or because you use a plug-in like HTTPS everywhere) is quite limited. From the outside you only see connection to *IP* address (to the front load-balancing/reverse proxy server, or to the apache server hosting all the virtual domains if that one is straight facing internet). The actual URL (server's full name, and document) is only asked once the encryption is established. (That's why you need stuff like SSL's SNI extension, so the server can hand out the correct certificate corresponding to the peculiar virtual server you want to visit).
so what could they have possibly gained by this devious man in the middle circus?
Indeed, intercepting data isn't probably the main goal. Even back since FireSheep, the security of internet websites has been getting better. Not that the end users care much (I think I remember an article on /. back then that lots of "victims" were amused but didn't really grasp the implication), but the companies have reacted and made HTTPS at least an option if not the main access point.
The risk might come from the network itself: a public network is an ideal place for a hostile to perform a network scan, looking for vulnerable services or even vulnerable network stack components to exploit.
A public Wifi network might not be handing out public IPs/might be NATed/might not be accessibly routed from the internet - thus the various devices connected to it might not be scannable from the internet at large.
But from within the network it would be possible to perform a scan (brute force the SSH port of unix-running laptops*), including looking for services which aren't normally routed (like SMB network shares, Zeroconf)
Note that, regarding such a risk, the notoriety of the Wifi spot doesn't play such a big role.
- You might be at risk if you connect to some shady Wifi network operated by a hostile.
- But you might as well be at risk if you connect to some well known "clean" public Wifi, but on which there's a rogue device connected scanning its neighborhood for vulnerabilities.
------
*: If you're fed-up with constant hammering on your SSH server - which still pollutes your logs EVEN AFTER you've switched to key-based-only logins or 2-factors, Fail2ban is your friend.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]