Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot (softpedia.com)

← Back to Stories (view on slashdot.org)

Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot (softpedia.com)

Posted by timothy on Monday February 22, 2016 @02:42PM from the practice-safe-computing dept.

An anonymous reader writes: Avast carried out a curious experiment at the Barcelona Mobile World Congress. They've set up 3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it. Researchers randomly logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. They also recommended using a mobile VPN app when navigating the Web via public WiFi.

37 of 197 comments (clear)

Min score:

Reason:

Sort:

I have hitch hiked before by invictusvoyd · 2016-02-22 14:47 · Score: 4, Insightful

But I always carry a concealed weapon
1. Re:I have hitch hiked before by KGIII · 2016-02-22 15:16 · Score: 5, Informative
  
  Here's the actual announcement from Avast:
  https://press.avast.com/en-us/...
  That has all you might need. No need to hitch off this softpedia site. They're not adding any value over reading the press release and they don't even include a link (or I didn't see it in their layout) to the original press report. It's the internet, linking is kind of important. Maybe they want to pretend it's exclusive content or real journalism? I dunno... Screw it, avoid entering the unknown and go to a verified source - like the message of the article.
  
  --
  "So long and thanks for all the fish."
2. Re:I have hitch hiked before by invictusvoyd · 2016-02-22 16:20 · Score: 2
  
  I was just trying to point out that using an open wifi without https/vpn/whateve is like the good old hitchiking .. You could get robbed/etc you could theoretically get "robbed" over https or VPN also but its safer. Hence the concealed weapon. From the hitchiking perspective , you play along and wait for an opportunity for your .22
  And I was downmodded .. shhees /.rs
3. Re:I have hitch hiked before by ShanghaiBill · 2016-02-22 17:13 · Score: 2
  
  I was just trying to point out that using an open wifi without https/vpn/whateve is like the good old hitchiking
  I don't worry about connecting to public hotspots. My knapsack laptop is a $50 used Chromebook. Good luck "hacking" that, since there is basically nothing on it. They might be able to read emails going back and forth, so they will find out my wife wants me to buy some kitty litter on the way home. Whatever. I doubt if they are even going to get that, since pretty much everything is HTTPS these days.
4. Re:I have hitch hiked before by Sax+Russell+5449D29A · 2016-02-22 18:25 · Score: 2
  
  you play along and wait for an opportunity for your .22
  
  .22 works well on pests, not so much on 250lbs big rapist-robber dudes. If I had to choose between a .22 and some proper pepper spray to handle such situation, I'd go for the latter.
  
  --
  -SR
5. Re:I have hitch hiked before by Anonymous Coward · 2016-02-22 19:46 · Score: 2, Funny
  
  Funny thing is, me and two other military friends used to pick up hitch hikers when we were stationed in New England just for fun. You get to sit in the passenger seat, to your left right is a 9mm, behind you (me) is a .45acp, and driving is a USMC hand-to-hand instructor with an unhealthy fascination in blades.
  You wouldn't have a prayer.
  #KaBarLurv
  I'm a bit curious, what is the track record against suicide bombers?
6. Re:I have hitch hiked before by Ol+Olsoc · 2016-02-23 03:25 · Score: 2
  
  I don't worry about connecting to public hotspots. My knapsack laptop is a $50 used Chromebook. Good luck "hacking" that, since there is basically nothing on it.
  Exactly this! I'm at breakfast now, using my cheap Chromebook. Altogether too many people seem to think you should only have one device. And nothing of interest on it at all. just a gmail address specifically for the chromebook, and slashdot use.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
7. Re:I have hitch hiked before by Sax+Russell+5449D29A · 2016-02-23 11:34 · Score: 2
  
  Headshots outside CS are not that simple. Hitting a moving target, even at close range, is extremely difficult.
  
  --
  -SR
The Internet isn't "safe" by xaosflux · 2016-02-22 14:48 · Score: 4, Insightful

Why should anyone expect some random WLAN to be "safe" - they are trying to get to the Public Internet, this is just another Public inter-Network along the way.
1. Re:The Internet isn't "safe" by greenfruitsalad · 2016-02-22 23:46 · Score: 4, Insightful
  
  why should i expect it to be unsafe? email is via ssl/tls, chat apps are client-to-server encrypted, all eshops use ssl/tls, google search is by default via ssl/tls, cloud storage i encrypted in transit, so what could they have possibly gained by this devious man in the middle circus? list of websites i access and my http data?
we use roads in the same way by turkeydance · 2016-02-22 14:49 · Score: 4, Interesting

1. know very little about the road. 2. is it safe? (Marathon Man ref) who knows? 3. who's running it? Feds/State/local/private/etc? WiFi is asphalt for smartphones. full speed ahead.
Are people connecting to any free wifi hotspot? by PSXer · 2016-02-22 14:50 · Score: 5, Insightful

Or do their devices automatically do it for them?
1. Re:Are people connecting to any free wifi hotspot? by sims+2 · 2016-02-22 15:24 · Score: 3, Informative
  
  Umm no... That's still standard practice. It's actually one of the only ways I've found to get devices to correctly roam between APs. Works on APs with and without encryption set.
  Best way to solve it? Set a key on the AP you connect to then if another has the same name your computer won't be able to connect to it because the AP doesn't have the right key.
  
  --
  Minimum threshold fixed. Thanks!
isn't gmail/google all https? by xxxJonBoyxxx · 2016-02-22 14:56 · Score: 2

seems like avast missed the point when google, gmail, and youtube went 100% https
the bit about "detecting" devices is also retarded: just serve up a page to new connectors and log the agent and you should get stats on browsers/oses
1. Re:isn't gmail/google all https? by FictionPimp · 2016-02-23 00:55 · Score: 2
  
  Why would anyone using exchange 2013 ever enable imap? You would be using activesync (which is ssl) or RPC over HTTP aka outlook anywhere (which is actually over HTTPS). For legacy support there is still MAPI, which is not over HTTPS, but can be configured to use encryption.
  IMAP connectivity for exchange servers makes no sense today. Everyone has a phone that supports activesync or outlook anywhere. On the laptop, if you are willing to buy exchange but not a recent version of office you need to seek professional help.
  What is next? Enable POP3?
Colour me unsurprised. by mjwx · 2016-02-22 14:57 · Score: 2, Insightful

Lets face it, people are dumb.

People would still take candy from strangers if we didn't drill it into them from a young age. Stupidity isn't limited to Wifi, it pervades everything people do.

However airports are strange. A lot of people are stuck there for some time with little to do. So free Wifi is a godsend, I admit, despite being quite security aware, that I've been a bit free and loose with connecting to airport Wifi when bored out of my skull at various airports (mostly Australian ones who didn't have free Wifi until recently).

Free Wifi isn't inherently unsafe, but must be treated with suspicion. However most people wont, so back to my original point... People are dumb.

--
Calling someone a "hater" only means you can not rationally rebut their argument.
1. Re:Colour me unsurprised. by Austerity+Empowers · 2016-02-22 15:00 · Score: 3, Insightful
  
  Not always easy to know what the name of the freewifi service is in an airport you are not familiar with too. All you really know is you're not going to PAY for one, so it's either free or you're tethering. But which one is the free one?
2. Re:Colour me unsurprised. by mjwx · 2016-02-22 15:06 · Score: 4, Insightful
  
  Not always easy to know what the name of the freewifi service is in an airport you are not familiar with too. All you really know is you're not going to PAY for one, so it's either free or you're tethering. But which one is the free one?
  That's kind of my point.
  
  How are you to know the difference between a legit and non legit network if they're both named "LAX Public Wifi".
  
  You should really be suspicious of any Wifi network you dont control or at the very least, know the owners on a personal level. I use free wifi for browsing /. but not for doing banking or anything else that could potentially harm me, but as a sysadmin, I'm mindful of such things where as the average Joe isn't.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
3. Re:Colour me unsurprised. by toonces33 · 2016-02-22 15:33 · Score: 4, Insightful
  
  For random browsing of the news, it might be fine. But the other problem with free WiFi in places like airports is that kids will start streaming music and videos and it will be dog slow.
  In reality, I am not sure if there is much difference between free WiFi at an airport and free WiFi at a hotel or a coffee shop. They are all effectively the same thing from an insecurity perspective.
4. Re:Colour me unsurprised. by shawn2772 · 2016-02-22 15:47 · Score: 5, Interesting
  
  I use free wifi for browsing /. but not for doing banking
  That's backwards. Your bank's web site is authenticated, so your browser can fairly strongly verify that it's legitimate, and the data is encrypted and authenticated so it can't be modified. Browsing /. (or any non-TLS web site), on the other hand, is dangerous because the Wifi operator can inject whatever they like into the stream. Exploits that target your browser, drive-by downloads, ads, tracking cookies (for any site)... whatever they like.
  Unless your bank has screwed something up, you can safely do your banking on a hostile network, but browsing /. is risky.
5. Re:Colour me unsurprised. by mjwx · 2016-02-22 17:07 · Score: 2
  
  That's backwards. Your bank's web site is authenticated, so your browser can fairly strongly verify that it's legitimate, and the data is encrypted and authenticated so it can't be modified. Browsing /. (or any non-TLS web site), on the other hand, is dangerous because the Wifi operator can inject whatever they like into the stream. Exploits that target your browser, drive-by downloads, ads, tracking cookies (for any site)... whatever they like.
  
  Here's the thing, I dont really care about something as trivial as a /. account. To expend efforts on securing that against all manner of threats wastes resources.
  
  Also TLS is not immune to MITM attacks. It makes it harder, sure but not immune. Besides this you've got the traditional methods of social engineering, for example, a user goes to hsbc.co.uk and the rouge access point is configured to send them to hsbc.malice.com which looks identical to HSBC's internet banking site. You can collect their username and password without even bothering to break TLS. Depending on the sophistication of the site, they can even collect 2nd factor authentication info.
  
  Granted, the risk of this kind of attack is low, which is why it's not worth protecting my /. account but it is worth protecting my banking details and credit card numbers.
  
  As a security minded IT professional, I always assume two things about public Wifi.
  1) that it is rouge.
  2) that technology does not magically protect me.
  
  I've always found it wise to err on the side of caution.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
6. Re:Colour me unsurprised. by Wycliffe · 2016-02-22 17:07 · Score: 5, Insightful
  
  People would still take candy from strangers if we didn't drill it into them from a young age. Stupidity isn't limited to Wifi, it pervades everything people do.
  This "drilling" does very little to actually stop abductions. First off, most abductions are not strangers but rather someone they already know. Secondly, they've done experiments and kids will readily go with someone with a puppy/kitten if they tell them they have more in the back of their van.
  The "don't talk to strangers" is completely silly. The one safety tip I try to teach my kids is that if they get lost to immediately walk up to the first stranger they see and ask for help. Don't wait for a stranger to come to you. If you pick the stranger then the odds of picking a bad person are slim to none but if they pick you then the odds of them being a bad person are significantly higher.
7. Re:Colour me unsurprised. by WaffleMonster · 2016-02-22 17:35 · Score: 3, Informative
  
  BULLSHIT!
  See, if someone controls the network, they can also trivially do a man in the middle attack. Just like all the other crap.
  It isn't trivial. To perform a successful MITM attack you would need to crack the chain of trust between the sites public key and root cert installed in the browser or invent a parallel chain linking back to a trusted root cert installed in the browser.
  This requires obtaining the private key from CA, CA subordinate or bank server. Alternately you could compute a useful collision of signature algorithm and insert your own key into the trust chain as was done /w MD5 signatures using a playstation cluster many years ago.
  None of the above is trivial or easy. It is very likely anyone with the capability (e.g. governments) would not elect to piss it away attempting to drain the average Joe's bank account. ROI would be quite negative in the extreme.
  
  If you control the network and have the right stuff, there is nothing which is "safe". And HTTPS falls apart with a malicious actor in the middle who can control your connection and sit in the middle.
  Sorry, dude. You're so wrong as to be dangerous. You should fix that.
  Networks are not worth defending because their issues can so easily be sidestepped by deployment of end-to-end encryption. I believe various dogmas causing operators to waste money on network castle defenses is harmful. It takes resources away from defending the only thing that matters... systems.
8. Re:Colour me unsurprised. by Kjella · 2016-02-23 00:17 · Score: 2
  
  but if they pick you then the odds of them being a bad person are significantly higher.
  In case of a child who looks obviously lost? I don't think that's significantly higher. There are a lot of people who would want to help a lost child.
  If the odds are say 99% and 99.99%, then the odds of a good outcome is only increased 1% because usually either way is fine. But the risk of a bad outcome is increased by a factor of 100 from 0.01% to 1%. The latter is the significant number.
  
  --
  Live today, because you never know what tomorrow brings
False security by HeadSoft · 2016-02-22 14:59 · Score: 5, Insightful

Always assume all networks are insecure. You're always correct.
HTTPS or SSL isn't enough? by blahbooboo · 2016-02-22 15:00 · Score: 2

So if you use HTTPS or SSL secured connections, how are these connection types vulnerable on unsecured wifi?
1. Re:HTTPS or SSL isn't enough? by guruevi · 2016-02-22 15:20 · Score: 3, Insightful
  
  Who do you trust as a reliable Internet provider? You're better off just deleting all root certificates (if you're that kind of paranoid) and make exceptions for every single site you visit.
  OR you could just do like me: you don't store information that matters in places you don't have full control over.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
2. Re:HTTPS or SSL isn't enough? by KGIII · 2016-02-22 15:34 · Score: 2
  
  A friend of mine recently sent me these two links:
  http://www.vpngate.net/en/
  http://www.vpnbook.com/feature...
  I've played with them both, they're not bad backups. They're as trustworthy as they are but they're free. They seem to be fairly legit. If I were just browsing at an airport, I'd be okay with that. I wouldn't do banking on 'em or anything like that. As I recall, the second one was better than the first as far as throughput and reliability. I played with 'em for a few days.
  
  --
  "So long and thanks for all the fish."
3. Re:HTTPS or SSL isn't enough? by ChunderDownunder · 2016-02-22 15:44 · Score: 2
  
  Neverthless, clickbaity summary is clickbaity. All the article mentioned was that traffic had analysed which sites users had visited, NOT that any of them had been compromised.
  Does one trust the findings of a paranoid article at face value pimping avast and various VPN services?
  That's not to say indiscriminate public wifi is legit but I don't think it's telling us anything we didn't already know.
Logging=hacking? by fred911 · 2016-02-22 15:08 · Score: 3, Informative

"logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. "
Logging is a long way from poisoning an arp table, serving tainted SSL and recording packets plain text.

--
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Why shouldn't it be safe? by hawguy · 2016-02-22 15:08 · Score: 5, Insightful

The bigger question is, why shouldn't it be safe to connect to any random Wifi hotspot? Literally everything should be using https by now, SSL certs are even available for free, so there's no excuse not to. I often connect to public Wifi hotspots (and use a VPN since I know that everything is *not* secured with SSL) and there's really no other option (other than "never use public wifi hotspots") since there is no way to know whether the "Starbucks" or "Starbucks - SFO" or "Starbucks - Public" SSID is the legitimate one.
1. Re:Why shouldn't it be safe? by PhrostyMcByte · 2016-02-22 17:17 · Score: 2
  
  there is no way to know whether the "Starbucks" or "Starbucks - SFO" or "Starbucks - Public" SSID is the legitimate one.
  And there's no way to know what these "legitimate" hotspots are doing with your data either. Treat everyone as the attacker and your options become far clearer.
Please, Avast, continue! by Nicopa · 2016-02-22 15:30 · Score: 3, Interesting

Please, continue this research and expand it to every airport! And make it a permanent thing!
Seriously: Avast is a "security" company that sells security to those feeling "insecure". So it's in their best interest to keep that feeling, seeing threats where there are none. In this case... why should a public WiFi network be more trustworthy than any other network in the middle of the big Internet? You should be doing SSL/TLS, SSH, etc. by now everywhere and that's it.
You cannot recognize "safe" WiFi by gweihir · 2016-02-22 16:12 · Score: 4, Insightful

In most circumstances you cannot recognize or verify that a given public WiFi network is safe. What you do instead is assume it is non-safe and use secure communication technologies, like SSH, VPN links, etc. This has been known for ages.
Incidentally, logging traffic is not "hacking".

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
VPN Difficulties by brunes69 · 2016-02-22 19:15 · Score: 5, Interesting

You know, I see constantly people advising that you use a VPN when connecting with pubic wifi, without anyone ever acknowledging the difficulty of this problem.
You see, between when I click "Connect" on the public wifi click-through, and when I have time to connect my VPN client, probably 50 different applications on either my laptop or my mobile phone HAVE ALREADY likely detected a positive connection and reached out to the internet. Any or all of these connections could already be compromised, BEFORE I can even get my VPN connected.
Until OS vendors like Microsoft, Apple, and Google recognize this problem and allow you to create a rule like "Never connect to non-local addresses over a route that traverses unencrypted wifi", this will continue to be a problem. I wish more people were discussing it, because I see no solution in sight. The closest thing to a solution is with Android you can use Tasker to automate connecting your VPN as soon as it can see the VPN server, but even at this point, at best it's a race against all the other processes on your phone firing up as well.
1. Re:VPN Difficulties by AmiMoJo · 2016-02-23 00:36 · Score: 2
  
  On Windows you just configure the firewall to block all apps from accessing the wifi (only allow connections to the VPN's TAP connection), except for a browser you keep installed specially just to access the wifi login page.
  Presumably the same thing would work on Linux. On Android you can do it if you have root and install something like iptables for your firewall.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Why would that be a reckless behaviour? by Afty0r · 2016-02-23 01:23 · Score: 3, Insightful

If I want my packets sending to other hosts on the internet, I connect to wifi to do it. Or my ISP. Or my friends ISP. Or my works network. They're just packets being routed - if people are sending *sensitive* packets IN THE CLEAR on anybody's network - including their own internet connection at home or at work - then that is the problem. Not the network, which you shouldn't trust anyway.