Wednesday, October 1, 2014

The high price of free wifi: your eldest child?

In keeping with National Cyber Security Awareness Month, I'll be updating a number of articles written over the last 4 years. In January of 2011 I entered the blogosphere with a story about Firesheep, a Firefox plugin that made wireless eavesdropping scarily simple.

Most of us know by now to look for the little "padlock" icon in the browser status bar before logging in to a web site, or the "https://" at the beginning of the URL - we want to be sure our password is protected, right? And most sites now use an SSL (secured) connection for the login page - your password is in fact protected (massive Internet-wide vulnerabilities notwithstanding). But once you log in, many sites used to switch back to non-secured. The problem with that approach was, how does the web site know who you are after you have logged in? It is often done with cookies - little bits of data stored on your computer, and automatically sent to the site that created them every time you load or reload a page from that site. The cookies (usually) do not contain your password, but they do identify you to the site. So, if you log into Facebook, then click a link to reload the page, your computer sends your cookie to Facebook, and the site says "hey, I remember who you are, I saw you just a minute ago; you are already logged in, so here you go!" (OK, not literally, but you get the point).

Since this cookie identifies you to the website, anyone in possession of this cookie can pretend to be you - it's identity theft on a micro scale. A few years ago a researcher in Seattle released a sample plug-in for Firefox that made stealing these cookies almost as simple as point-and-click. Assuming a victim were using an open wifi (one that does not require providing a network key to join), anyone using the same airport / hotel / restaurant / other public wireless access point could run this plug-in and see a list of people's accounts they could impersonate. The attacker could then click on whomever they would like to impersonate, and voila: they are the victim (as far as the website is concerned).

Firesheep was the big news in 2011. Today, many (but not all) major websites will use HTTPS for the entire conversation instead of just the login. That protects you from other people on the same wifi network eavesdropping, but it doesn't help if the wifi hotspot itself is malicious, or makes onerous demands of you.

Recently security firm F-Secure conducted an experiment on the streets of London, setting up a phony Internet hotspot. Dozens of people connected to this phony hotspot and used it to read mail, search videos, and in general browse the Internet, oblivious to the fact that the owner of the hotspot could watch everything they did - including viewing their passwords and reading their email.

Even more bizarre, for a portion of the experiment the researchers set up a "terms of use" page that users had to acknowledge before they could use the hotspot. One of the conditions stated that the user permanently and for eternity gave up their firstborn child in exchange for the free wifi usage - what one reporter called the "Herod Clause." Believe it or not, 6 people agreed to the terms. No word yet though on whether they hoped F-Secure would make good on the exchange. For their part, F-Secure has said they will not hold the users to the contract :-)

In a separate piece of news, a major communications provider in Australia is building out a national network of public hotspots, many of which will make use of repurposed payphone sites (because, when is the last time you used a payphone?). While the eventual plan is for these hotspots to be subscriber-based and to offer a secured connection, the initial deployment will be open, unsecured wifi. That means anyone else on the same access point (which could mean anyone within about 100 meters) could potentially eavesdrop on anyone else using the same AP.

While you can't control the security practices of the businesses you frequent, there are a few things you can do.

1. Think twice before connecting to an open, unsecured wireless network. If the network is open, then anyone else in the area can listen in on anything you do on the network. If you have to enter a wifi key - even if it is a publicly known key as many hotels and restaurants use - your network use is at least hidden from most others. The reason is simple: your computer will use that key to contact the hotspot, then negotiate a new, random key that is not known to anyone else. A determined attacker can intercept the negotiation and learn the secret key, but it at least removes the "hobby hacker."

2. Consider using your 3G/4G data plan. While malicious 3G/4G "femtocells" (laptop wifi antennas connect to wifi hotspots; 4G modems connect to femtocells) have been demonstrated, they cost on the order of a few thousand dollars to build, as opposed to a malicious wifi hotspot that can be built for about $50. More costly means less likely.

3. If you must use an open wifi, consider some sort of a VPN service. a VPN creates a secure tunnel from you, through the untrusted network, to some distant server. Many businesses use VPNs to create a secure connection into the corporate network. For Android and iOS devices, F-Secure recently released a product marketed as "Freedome" which does exactly this.

4. If you absolutely must use an open wifi without a VPN, don't browse anything you want to keep private. Avoid banking, email, social media - and close any browser windows to these applications, because they will continue talking in the background. Consider even using an entirely separate browser (as in, use Chrome for browsing from home, but Firefox when browsing from a public hotspot) to ensure search history and advertising trackers don't leak personal information.

5. Read the terms of use. Don't accidentally give away your child in exchange for a few minutes' Internet access!

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen