Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot (softpedia.com)
An anonymous reader writes: Avast carried out a curious experiment at the Barcelona Mobile World Congress. They've set up 3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it. Researchers randomly logged some traffic stats just to prove a point about how easy it is to hack users on a public WiFi network. They also recommended using a mobile VPN app when navigating the Web via public WiFi.
But I always carry a concealed weapon
Why should anyone expect some random WLAN to be "safe" - they are trying to get to the Public Internet, this is just another Public inter-Network along the way.
1. know very little about the road. 2. is it safe? (Marathon Man ref) who knows? 3. who's running it? Feds/State/local/private/etc? WiFi is asphalt for smartphones. full speed ahead.
Or do their devices automatically do it for them?
Always assume all networks are insecure. You're always correct.
Not always easy to know what the name of the freewifi service is in an airport you are not familiar with too. All you really know is you're not going to PAY for one, so it's either free or you're tethering. But which one is the free one?
That's kind of my point.
How are you to know the difference between a legit and non legit network if they're both named "LAX Public Wifi".
You should really be suspicious of any Wifi network you don't control or at the very least, know the owners on a personal level. I use free wifi for browsing /. but not for doing banking or anything else that could potentially harm me, but as a sysadmin, I'm mindful of such things whereas the average Joe isn't.
Calling someone a "hater" only means you can not rationally rebut their argument.
"logged some traffic stats just to prove a point about how easy it is to hack users on a public WiFi network."
Logging is a long way from poisoning an arp table, serving tainted SSL and recording packets plain text.
The bigger question is, why shouldn't it be safe to connect to any random Wifi hotspot? Literally everything should be using https by now, SSL certs are even available for free, so there's no excuse not to. I often connect to public Wifi hotspots (and use a VPN since I know that everything is *not* secured with SSL) and there's really no other option (other than "never use public wifi hotspots") since there is no way to know whether the "Starbucks" or "Starbucks - SFO" or "Starbucks - Public" SSID is the legitimate one.
Who do you trust as a reliable Internet provider? You're better off just deleting all root certificates (if you're that kind of paranoid) and make exceptions for every single site you visit.
OR you could just do like me: you don't store information that matters in places you don't have full control over.
Please, continue this research and expand it to every airport! And make it a permanent thing!
Seriously: Avast is a "security" company that sells security to those feeling "insecure". So it's in their best interest to keep that feeling, seeing threats where there are none. In this case... why should a public WiFi network be more trustworthy than any other network in the middle of the big Internet? You should be doing SSL/TLS, SSH, etc. by now everywhere and that's it.
For random browsing of the news, it might be fine. But the other problem with free WiFi in places like airports is that kids will start streaming music and videos and it will be dog slow.
In reality, I am not sure if there is much difference between free WiFi at an airport and free WiFi at a hotel or a coffee shop. They are all effectively the same thing from an insecurity perspective.
I use free wifi for browsing /. but not for doing banking
That's backwards. Your bank's web site is authenticated, so your browser can fairly strongly verify that it's legitimate, and the data is encrypted and authenticated so it can't be modified. Browsing /. (or any non-TLS web site), on the other hand, is dangerous because the Wifi operator can inject whatever they like into the stream. Exploits that target your browser, drive-by downloads, ads, tracking cookies (for any site)... whatever they like.
Unless your bank has screwed something up, you can safely do your banking on a hostile network, but browsing /. is risky.
In most circumstances you cannot recognize or verify that a given public WiFi network is safe. What you do instead is assume it is non-safe and use secure communication technologies, like SSH, VPN links, etc. This has been known for ages.
Incidentally, logging traffic is not "hacking".
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
People would still take candy from strangers if we didn't drill it into them from a young age. Stupidity isn't limited to Wifi, it pervades everything people do.
This "drilling" does very little to actually stop abductions. First off, most abductions are not strangers but rather someone they already know. Secondly, they've done experiments and kids will readily go with someone with a puppy/kitten if they tell them they have more in the back of their van.
The "don't talk to strangers" is completely silly. The one safety tip I try to teach my kids is that if they get lost to immediately walk up to the first stranger they see and ask for help. Don't wait for a stranger to come to you. If you pick the stranger then the odds of picking a bad person are slim to none but if they pick you then the odds of them being a bad person are significantly higher.
BULLSHIT!
See, if someone controls the network, they can also trivially do a man in the middle attack. Just like all the other crap.
It isn't trivial. To perform a successful MITM attack you would need to crack the chain of trust between the site's public key and root cert installed in the browser or invent a parallel chain linking back to a trusted root cert installed in the browser.
This requires obtaining the private key from CA, CA subordinate or bank server. Alternately you could compute a useful collision of signature algorithm and insert your own key into the trust chain as was done /w MD5 signatures using a PlayStation cluster many years ago.
None of the above is trivial or easy. It is very likely anyone with the capability (e.g. governments) would not elect to piss it away attempting to drain the average Joe's bank account. ROI would be quite negative in the extreme.
If you control the network and have the right stuff, there is nothing which is "safe". And HTTPS falls apart with a malicious actor in the middle who can control your connection and sit in the middle.
Sorry, dude. You're so wrong as to be dangerous. You should fix that.
Networks are not worth defending because their issues can so easily be sidestepped by deployment of end-to-end encryption. I believe various dogmas causing operators to waste money on network castle defenses is harmful. It takes resources away from defending the only thing that matters... systems.
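The chain-of-trust point argued in the comments above, as an added example that is not part of the original thread: a certificate for the right name is accepted only if it chains to a root the client already trusts, so a certificate the hotspot operator signs themselves is rejected. "Demo Root CA", "bank.example" and the function names are constructed for this demo, which assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: "Demo Root CA" and "bank.example" are made-up names.
set -eu
pki=$(mktemp -d)
trap 'rm -rf "$pki"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$pki/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,digitalSignature
EOF

build_demo_pki() {
    # 1. Root CA: stands in for a root certificate installed in the browser.
    openssl req -x509 -config "$pki/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$pki/root.key" -out "$pki/root.pem" 2>/dev/null
    # 2. The real site: its own key pair and a certificate signed by the root.
    openssl req -new -config "$pki/req.cnf" -subj "/CN=bank.example" \
        -newkey rsa:2048 -nodes -keyout "$pki/site.key" -out "$pki/site.csr" 2>/dev/null
    openssl x509 -req -in "$pki/site.csr" -CA "$pki/root.pem" -CAkey "$pki/root.key" \
        -CAcreateserial -days 1 -out "$pki/site.pem" 2>/dev/null
    # 3. Hotspot operator: same subject name, but signed with their own key only.
    openssl req -x509 -config "$pki/req.cnf" -subj "/CN=bank.example" \
        -newkey rsa:2048 -nodes -days 1 -keyout "$pki/rogue.key" -out "$pki/rogue.pem" 2>/dev/null
}

# Prints "trusted" if the certificate chains to the demo root, else "rejected".
chain_verdict() {
    if openssl verify -CAfile "$pki/root.pem" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

build_demo_pki
echo "real site certificate:    $(chain_verdict "$pki/site.pem")"
echo "operator's own certificate: $(chain_verdict "$pki/rogue.pem")"
```

The check only protects a user whose client enforces it; clicking through a certificate warning, or an extra root installed on the device, removes the guarantee.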
You know, I see constantly people advising that you use a VPN when connecting with public wifi, without anyone ever acknowledging the difficulty of this problem.
You see, between when I click "Connect" on the public wifi click-through, and when I have time to connect my VPN client, probably 50 different applications on either my laptop or my mobile phone HAVE ALREADY likely detected a positive connection and reached out to the internet. Any or all of these connections could already be compromised, BEFORE I can even get my VPN connected.
Until OS vendors like Microsoft, Apple, and Google recognize this problem and allow you to create a rule like "Never connect to non-local addresses over a route that traverses unencrypted wifi", this will continue to be a problem. I wish more people were discussing it, because I see no solution in sight. The closest thing to a solution is with Android you can use Tasker to automate connecting your VPN as soon as it can see the VPN server, but even at this point, at best it's a race against all the other processes on your phone firing up as well.
If I want my packets sending to other hosts on the internet, I connect to wifi to do it. Or my ISP. Or my friend's ISP. Or my work's network. They're just packets being routed - if people are sending *sensitive* packets IN THE CLEAR on anybody's network - including their own internet connection at home or at work - then that is the problem. Not the network, which you shouldn't trust anyway.