
Convenience or security: You can't have both when it comes to Wi-Fi

Open Wi-Fi networks can be a godsend when you need them. Michael P. Kassner interviews a network-security expert who explains why bad guys like them even more.

I've been at this IT thing for 35 years, and I've yet to find an explanation of why security should trump convenience that has any appeal to those who lose the convenience. Does this sound familiar?

Why do I always have to use the VPN? It's a pain. It's slow; not like when I'm at the office. I don't need the aggravation.

Telling employees, friends, and family members to avoid open (unencrypted) Wi-Fi networks is a particularly difficult sell. So I've been trying a different approach. Instead of only offering explanations, I'm showing what can happen if a security measure is ignored.

It's been hard, but I'm making progress, thanks, in large part, to someone who ironically likes it when people use open Wi-Fi networks. It makes his job easier.

I'm referring to Jacob Williams. Jake is a skilled digital forensic scientist and network penetration tester. You may remember my writing about how he subverts file-sharing services to get his spy program, DropSmack, installed on a computer inside the client company's perimeter. Well, Jake is also intimately familiar with Wi-Fi networking; it's his preferred attack vector when trying to compromise computers.

Unencrypted Wi-Fi networks are...

The first thing I did was ask Jake why using unencrypted Wi-Fi networks is a bad idea. Here's what he had to say:

When you join an unencrypted Wi-Fi network (such as one at an airport or coffee shop) there are two main concerns. The first is the interception of your data while in transit. The second concern is that your computer can be remotely exploited if it is running a vulnerable service, or the attacker has a zero-day exploit handy.

If you are using an open (unencrypted) Wi-Fi network, securing data in transit can be accomplished by connecting to HTTPS websites, using a VPN, or enlisting a proxy application. But VPNs and proxy applications are a pain, so people avoid using them if at all possible. And, SSL is not a surefire solution; not all websites support SSL. And many of the websites that do support SSL do a poor job of it.

I asked Jake for an example of what he meant:

I was online at Staples.com. I finished my shopping, and was getting ready to check out, only needing to enter my rewards coupon. After entering the information, I pressed the submit button. Immediately, my web browser warned me; it was being redirected to an unencrypted site.

Hold the phone! This site is supposed to be secure. It seems part of the website (Staples reward) was not secure, and my data was submitted using HTTP instead of HTTPS. Had I been on an unencrypted Wi-Fi link, my personal and sensitive data could easily have been intercepted by an eavesdropper.

I wasn't sure about the easy part. So I thought I'd try my own eavesdropping experiment. I followed the instructions at this link, installing the program (Wireshark); and in no time at all, I was reading the digital bits. If I can figure it out, well...
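What the eavesdropper in that experiment actually recovers, as an added example that is not code from the article: two frames are constructed by hand (a plaintext HTTP form submission on port 80, and a stand-in for a TLS record on port 443) with made-up hostnames, addresses and field values, and a minimal Ethernet/IPv4/TCP parser is run over them.

```python
"""Added example (not from the article): what a passive listener on an open Wi-Fi
network recovers from a plaintext HTTP form post, compared with an HTTPS one.
Both frames below are constructed for this example; hostname, addresses and
form values are made up."""
import struct
from urllib.parse import parse_qs


def build_frame(payload: bytes, dst_port: int) -> bytes:
    """Wrap a payload in minimal Ethernet/IPv4/TCP headers (constructed test input,
    checksums left at zero since nothing here validates them)."""
    tcp_len = 20 + len(payload)
    ip_len = 20 + tcp_len
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]))
    tcp = struct.pack("!HHIIBBHHH", 50000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def tcp_payload(frame: bytes):
    """Return (dst_port, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                                  # IP protocol field: 6 = TCP
        return None
    tcp_start = 14 + ihl
    dst_port = struct.unpack("!H", frame[tcp_start + 2:tcp_start + 4])[0]
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return dst_port, frame[tcp_start + data_off:]


def sniff_form_fields(frame: bytes) -> dict:
    """Recover host, path and form fields from a plaintext HTTP request.
    For a TLS record only the record type is visible; the fields stay empty."""
    parsed = tcp_payload(frame)
    if parsed is None:
        return {"kind": "other", "fields": {}}
    port, payload = parsed
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":  # TLS handshake record header
        return {"kind": "tls", "port": port, "fields": {}}
    if not payload.startswith((b"POST ", b"GET ")):
        return {"kind": "unknown", "port": port, "fields": {}}
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"kind": "http", "port": port, "host": headers.get("Host"),
            "method": method, "path": path, "fields": fields}


# Constructed sample traffic: a rewards form posted over HTTP, and a TLS record.
FORM_BODY = b"rewards_id=12345&email=alice%40example.com"
HTTP_POST = (
    b"POST /rewards/apply HTTP/1.1\r\n"
    b"Host: shop.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(FORM_BODY)
    + FORM_BODY
)
TLS_STANDIN = b"\x16\x03\x01\x00\x10" + bytes(range(16))  # record header + opaque bytes
PLAINTEXT_FRAME = build_frame(HTTP_POST, 80)
TLS_FRAME = build_frame(TLS_STANDIN, 443)

if __name__ == "__main__":
    print(sniff_form_fields(PLAINTEXT_FRAME))
    print(sniff_form_fields(TLS_FRAME))
```

On a real open network the frames come off a wireless card in monitor mode rather than from a constructed byte string, but the parsing is the same: the Host header, the path and every form field are there in the clear for anyone in range, while the TLS frame yields nothing but a record type. That is the gap Jake's Staples story exposes; a single HTTP submission inside an otherwise HTTPS session is enough.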

Next, I asked Jake to explain why it is easier to exploit computers attached to an unencrypted Wi-Fi network:

Anyone capable of joining the Wi-Fi network (connecting to the access point) can reach out to your machine, and using an unencrypted Wi-Fi network makes that real simple. Unsecured networks are also subject to spoofing.

Jake then goes on to explain how he uses this to his advantage when checking for security weaknesses at a client:

In penetration tests, we often configure fake access points with names similar to the legitimate access point a user should connect to. Once a user connects to our fake access point, we redirect their communications using a Man in the Middle (MitM) attack. We use this technique to harvest legitimate credentials to an HTTPS-secured corporate intranet portal. Make no mistake -- real attackers use the same techniques to steal financial data or credit card numbers.

Now let's look at another Wi-Fi convenience that makes Jake's job a lot easier.

"Connect automatically" makes it even easier

Being able to connect to Wi-Fi networks automatically is super convenient. That's why the feature is enabled by default, and most users are completely unaware of it. Jake explains how it works:

After connecting to a Wi-Fi network for the first time, the user has the option of allowing automatic reconnection. If that is agreed to, the computer, tablet, or mobile phone will automatically connect to this wireless network in the future.

The following slide shows where to set up automatic connections in Windows 7.

The problem is that it's also convenient for the bad guys. A device that probes for its saved networks by name tells anyone listening which SSIDs (network names) it will join without asking, and therefore exactly which name to spoof for a MitM attack. Here's Jake again:

One attack we use regularly during penetration tests is to deploy a device called Wi-Fi Pineapple when we have physical access to the site. We set up the Wi-Fi Pineapple to listen for new clients broadcasting for their preferred Wi-Fi networks. These are the networks people have saved and said 'automatically connect to this Wi-Fi network in the future.'

When you turn on your device, the Wi-Fi client sends out probe requests with the names of these networks to see if any providers with those names are available. When the Wi-Fi Pineapple hears this, it says 'why yes, I am your preferred network,' and allows the client to authenticate.

Once the connection is made, the device's traffic flows through our Wi-Fi Pineapple to its final destination, but not before the Wi-Fi Pineapple captures what we need. This technique is old hat in the pen-test community, but most lay people I talk to are surprised to learn devices like the Wi-Fi Pineapple even exist.

I pride myself on knowing what's out there, and I had no idea tools like the Wi-Fi Pineapple were available. I'm wondering what other cool devices Jake has.
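The exchange Jake describes, as an added example that is not code from the article or from the Wi-Fi Pineapple itself: 802.11 probe request frames are constructed by hand (made-up MAC addresses and SSIDs), a listener groups the names each client asks for, and a simplified Karma-style responder answers every directed probe with a probe response claiming that name.

```python
"""Added example (not part of the article or any tool it names): how a rogue
access point learns saved network names from 802.11 probe requests and answers
them. Frames are constructed here; MAC addresses and SSIDs are made up, and the
responder is a simplified stand-in for the behaviour the article attributes to
the Wi-Fi Pineapple."""
import struct

BROADCAST = b"\xff" * 6
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP = 4, 5
TAG_SSID, TAG_RATES = 0, 1
BASIC_RATES = bytes([0x82, 0x84, 0x8B, 0x96])            # 1, 2, 5.5, 11 Mbit/s


def mgmt_header(subtype: int, a1: bytes, a2: bytes, a3: bytes, seq: int = 0) -> bytes:
    """24-byte management header: frame control (type 0), duration, addr1-3, sequence control."""
    frame_control = subtype << 4                          # version 0, type 0 (management), flags 0
    return struct.pack("<HH", frame_control, 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4)


def tag(tag_id: int, value: bytes) -> bytes:
    """One tagged parameter: id, length, value."""
    return bytes([tag_id, len(value)]) + value


def build_probe_request(client_mac: bytes, ssid: str) -> bytes:
    """A client asking 'is <ssid> here?'. An empty SSID is a wildcard probe and names nothing."""
    body = tag(TAG_SSID, ssid.encode()) + tag(TAG_RATES, BASIC_RATES)
    return mgmt_header(SUBTYPE_PROBE_REQ, BROADCAST, client_mac, BROADCAST) + body


def build_probe_response(ap_mac: bytes, client_mac: bytes, ssid: str) -> bytes:
    """An AP answering 'yes, I am <ssid>'. Capability 0x0001 = ESS with the privacy bit clear (open)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0001)           # timestamp, beacon interval (TU), capability
    body = fixed + tag(TAG_SSID, ssid.encode()) + tag(TAG_RATES, BASIC_RATES)
    return mgmt_header(SUBTYPE_PROBE_RESP, client_mac, ap_mac, ap_mac) + body


def parse_tags(data: bytes) -> dict:
    tags, i = {}, 0
    while i + 2 <= len(data):
        tag_id, length = data[i], data[i + 1]
        tags[tag_id] = data[i + 2:i + 2 + length]
        i += 2 + length
    return tags


def parse_mgmt(frame: bytes) -> dict:
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    subtype = (frame_control >> 4) & 0xF
    body = frame[24:]
    if subtype == SUBTYPE_PROBE_RESP:
        body = body[12:]                                   # skip timestamp, interval, capability
    tags = parse_tags(body)
    return {"subtype": subtype, "da": frame[4:10], "sa": frame[10:16], "bssid": frame[16:22],
            "ssid": tags.get(TAG_SSID, b"").decode(errors="replace")}


def preferred_networks(frames) -> dict:
    """What a passive listener learns: each client's saved-network names, keyed by client MAC."""
    seen = {}
    for frame in frames:
        p = parse_mgmt(frame)
        if p["subtype"] == SUBTYPE_PROBE_REQ and p["ssid"]:  # wildcard probes leak no name
            seen.setdefault(p["sa"], set()).add(p["ssid"])
    return seen


class KarmaResponder:
    """Answers every directed probe request by claiming to be that network."""

    def __init__(self, ap_mac: bytes):
        self.ap_mac = ap_mac
        self.claimed = set()

    def hear(self, frame: bytes):
        p = parse_mgmt(frame)
        if p["subtype"] != SUBTYPE_PROBE_REQ or not p["ssid"]:
            return None                                    # nothing to impersonate
        self.claimed.add(p["ssid"])
        return build_probe_response(self.ap_mac, p["sa"], p["ssid"])


# Constructed clients: A probes for two saved networks, B sends only a wildcard probe.
CLIENT_A = bytes.fromhex("02aabbccdd01")
CLIENT_B = bytes.fromhex("02aabbccdd02")
ROGUE_AP = bytes.fromhex("02deadbeef00")
CAPTURED = [build_probe_request(CLIENT_A, "CorpWiFi"),
            build_probe_request(CLIENT_A, "HomeNet"),
            build_probe_request(CLIENT_B, "")]

if __name__ == "__main__":
    print(preferred_networks(CAPTURED))
    responder = KarmaResponder(ROGUE_AP)
    for f in CAPTURED:
        r = responder.hear(f)
        print(parse_mgmt(r)["ssid"] if r else "wildcard probe: no name to claim")
```

The responder only ever answers a probe that carries a name, which is the whole trick: the client supplies the SSID, and an open network with that name is all an auto-connect profile for an unencrypted hotspot needs to see. As georgeou points out in the comments below, Windows Vista and later only send named probe requests for saved networks that are marked non-broadcast, so a client that sits quietly and waits for the real access point's beacon gives this listener nothing to work with.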

Keep quiet about the shared key

While we were discussing this, Jake mentioned something I hadn't given much thought to: an encrypted Wi-Fi network that uses a shared key protects you only from people who don't have the key. With WEP, anyone holding the key can decrypt every frame on the air. WPA and WPA2 in pre-shared-key mode are better, but not by as much as people assume: the passphrase is the starting point from which each client's session key is derived, so anyone who has the passphrase and also captures a client's four-way handshake can compute that client's session key and read its traffic. Jake explains:

Here's the rub. Even if I had been on an encrypted wireless network (with WEP, WPA, or WPA2), my transmission could have been intercepted by any eavesdropper. Many people incorrectly assume their individual data is secure when they connect to an encrypted wireless network with a shared key.

I asked Jake for an example:

This sort of thing happens often at training events. All participants use the same encryption key. Once attached to the network, their communications are secure from outside eavesdroppers who do not know the key, but everyone in the class can see everyone else's traffic (remember they have the key).
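Why the classmates can read each other's traffic, and the caveat georgeou raises in the comments below (the eavesdropper also needs the client's four-way handshake), worked through as an added example that is not code from the article. It follows the IEEE 802.11i derivation: PMK from the passphrase and SSID by PBKDF2-HMAC-SHA1, then the per-client PTK from the PMK, both MAC addresses and the two handshake nonces. The MAC addresses, nonces and the EAPOL-Key bytes are constructed stand-ins; the only real-world value is the IEEE test vector for the passphrase "password" on SSID "IEEE".

```python
"""Added example (not from the article): why a shared WPA/WPA2 passphrase gives
clients no privacy from each other. Everyone with the passphrase computes the
same PMK; anyone who also captures a client's four-way handshake (both nonces
and both MAC addresses) derives that client's session key, the PTK. MAC
addresses, nonces and EAPOL bytes below are constructed for the example."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes): KCK (16) | KEK (16) | TK (16)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def session_key_for_client(passphrase: str, ssid: str, handshake: dict) -> bytes:
    """What anyone holding the passphrase and a captured handshake can compute."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    return ptk(pmk, handshake["ap_mac"], handshake["client_mac"],
               handshake["anonce"], handshake["snonce"])


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes.
    The same check lets a bystander confirm they derived the right PTK."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed handshake as an eavesdropper would capture it from the air.
HANDSHAKE = {
    "ap_mac": bytes.fromhex("02aabbccdd00"),
    "client_mac": bytes.fromhex("02aabbccdd01"),
    "anonce": bytes(range(32)),
    "snonce": bytes(range(32, 64)),
}
CLASS_PASSPHRASE, CLASS_SSID = "correct horse battery staple", "TrainingRoom"
# Stand-in for EAPOL-Key message 2 with its MIC field zeroed (not a real frame).
EAPOL_MSG2 = b"\x02\x03\x00\x5f\x02\x01\x0a\x00" + bytes(88)

if __name__ == "__main__":
    victim = session_key_for_client(CLASS_PASSPHRASE, CLASS_SSID, HANDSHAKE)
    classmate = session_key_for_client(CLASS_PASSPHRASE, CLASS_SSID, HANDSHAKE)
    print("same PTK:", victim == classmate)
    print("MIC checks out:", eapol_mic(classmate[:16], EAPOL_MSG2) == eapol_mic(victim[:16], EAPOL_MSG2))
```

Two things follow from the derivation. First, the passphrase alone is not the session key: a classmate who joins late and never sees the victim's handshake has no nonces to feed into ptk(), which is georgeou's point. Second, the nonces are sent in the clear, so "never sees" is a weak assumption on a network where everyone shares the key; the usual answer is per-user credentials (802.1X) or a VPN on top, as the article suggests.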

Final thoughts

We're only human; and in the thick of it, convenience will win. I'd challenge anyone who disagrees. What's more, we all know what we're supposed to do, too; it's plastered on every tech-media site. What's not generally known is what the bad guys are capable of. Hopefully, I was able to be of some help with that.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

33 comments
techieindeed

It is not necessarily true that you cannot have both convenience and security with Wi-Fi. The need of networking and vast connectivity has increased since it increases the productivity of your work, but it also puts your business at risk. However, if you have highly secure networking software, the risks of getting your business disrupted are reduced exponentially. This task can be accomplished with ease by the assistance of network service providers. There are many tech support companies who specialize in networking security and a well-reputed one can give you very satisfying results.

mla_ca520

Hi Michael, I always use the setting that isolates clients from other clients on my network, so that WiFi clients can use the internet but not connect to other clients sharing the network or the WiFi. I'm curious, first, if this security measure significantly enhances the security of open WiFi networks? Second, if this significantly decreases the risk of data being compromised on a WPA2 protected network with a shared key, even if an attacker has somehow gotten the key?

Tardx

Useful article, but I'd like to see some clearer recommendations in addition to 'use VPNs'. How can I turn off beaconing in Win 7 and iOS? If I use Starbucks or airport wifi for web browsing but not for logging onto my bank account, am I still at risk? (Presumably yes, from malware on a spoofed site?) Thanks.

Edward D

Thanks, Michael, for another eye-opening article. I received a Nook as a Christmas present and found little information in the user manual regarding security for Wi-Fi connections. As a result, I have used the Wi-Fi once in a B&N store, but only to look around. I have avoided Wi-Fi connections other than home and work (which requires a login). I am a technical writer (no IT experience, just long time computer tinkering). Can you point me to any information about adding security to my Nook? I am thinking of firewall and VPN, among other things, but I am just learning how to control the device and know nothing about making it secure. Thanks again for all of your great articles on computing security. Ed

deepakd_fic

Hi Mike, nice article for beginners. I have a MAC address filter and a shared key at the same time in my home network... does this setup make it secure? I feel it is.. :) Please let me know your thoughts.. Thanks in advance, Deepak D...

cfc2000

A friend of mine is a retired programmer who used to work at Motorola. I spent a weekend at his house recently and discovered his own wifi had no encryption at all - he was relying on IP address filtering. I studied the allowed IP addresses on his network, used etherchange to alter my computer's IP address and I was in, just to prove a point. Next time I went he had added WEP encryption which again took me (or my collection of linux programs) a few minutes to decrypt. In other words, no-one is really that safe on any wifi network.

Adam_12345

Security in Wi-Fi connections is a vast issue with many points. All I heard (or read) about Wi-Fi is that WPA2 has already been broken by some guy from Russia, but it is said that the technique is quite difficult and it even requires buying a new Wi-Fi card, setting it in promiscuous mode and so on. I'm not sure if that is true, but there was an article on the Internet that someone had already done that.

nhoeller

Michael, excellent article on the risks of open and shared key WiFi networks. The good news is that VPNs are becoming easier and cheaper to implement - I can now run OpenVPN on any Android 4+ device. I find the performance hit is typically acceptable. The bad news is that the smartphone I bought two years ago is stuck on Android 2.3 and will likely remain so unless I root it. UDP VPNs run at dial-up speed on my home Internet connection, something my ISP is unable to explain (TCP VPNs are fine but add overheads). I have also found some WiFi providers that actively block VPNs, quoting 'bandwidth and security concerns'.

iPos

We are in the hospitality industry and working with a local Cloud based POS solution. Mobile devices communicate through WiFi. We advise our customers: 1. Have your guest network always on another access point and do not share your business access point with your guests. 2. For more security, ask your internet provider for a new IP address, and use this for your guest (public) WiFi network.

lymanp

A great education for those only familiar with the convenience aspect. Thanks for this well written article.

jeb.hoge

More and more new users are coming into the Internet space (for instance, my three kids aren't yet old enough to establish their own identities online, but that time will come), but they aren't and won't learn the IT security "fundamentals" that the typical TechRepublic reader takes for granted. I think that the future is going to actually see a move to walk away (at least in consumer internet terms) from ever-increasing security & prevention measures and into improving, wider-ranging loss mitigation measures. People are going to be less interested in clamping down more and more on access and usability and will be more attracted to resources that offer the best post-"violation" recovery options.

Neon Samurai

Do wifi devices call out for broadcast SSIDs? If the AP does not broadcast the SSID, then the client devices constantly call out. If in range, then they connect. If out of range, then they announce your list of known wifi networks for anyone to hear. If the AP does broadcast the SSID, then the client devices know not to call out for it constantly. Instead, they listen and connect when in range. When out of range, they simply keep quiet. Potentially with the requirement that they are set to only connect if the SSID is broadcast. Is this correct, though? I'm not sure if I've ever got confirmation.

georgeou

For client SSID to be on, the auto connect *and* the "Connect even if the network is non-broadcasting" is checked. This is true since Windows Vista and up. See: http://technet.microsoft.com/en-us/library/bb726942.aspx#EDAA "Because configured wireless networks are now explicitly marked as broadcast or non-broadcast, Windows Vista and Windows Server 2008-based wireless clients only send probe requests for wireless networks that are configured for automatic connection (the Connect automatically when this wireless network is in range check box on the Connection tab) and as non-broadcast."

Kieron Seymour-Howell

This is the type of stuff that needs to be shared as much as possible. Maybe it just might scare a few people into behaving a little more responsibly online.

georgeou

"This sort of thing happens often at training events. All participants use the same encryption key. Once attached to the network, their communications are secure from outside eavesdroppers who do not know the key, but everyone in the class can see everyone else’s traffic (remember they have the key)." It's more complicated than that. It's true that anyone who knows the shared PSK can derive an individual session key if they can monitor the initial key exchange when a user first connects to the network. But if they miss that initial exchange they will not be able to decrypt the traffic. Fortunately there's an easier and better way to achieve anonymous security in a hotspot. http://www.zdnet.com/blog/ou/a-secure-wireless-lan-hotspot-for-anonymous-users/587

Michael Kassner

A sneak look at a pen tester's secrets for utilizing open Wi-Fi networks. Not surprisingly, the techniques are also used by the bad guys.

Michael Kassner

I also use client isolation on my networks. Work Wi-Fi networks are a different story, but there are other ways to protect data and computers. I believe isolation does help, and experts are particularly adamant about using it on guest networks.

Michael Kassner

I can see that I have several more articles to get to. As for VPNs, that depends a lot on what you want it to do. If you just want to encrypt your traffic over the open Wi-Fi then a proxy service would be the best. I use WiTopia. A VPN is more of an end to end service that requires a device or computer at the remote site that acts as the VPN server, communicating with your computer to encrypt all traffic flowing in between. You don't want to turn off beaconing. I think you are looking to not use automatic connections on open networks. Using an open network is a bit dangerous, as anyone on the same network can see your traffic or attack your computer unless individual isolation is enabled on that network. You can ask, but most store employees do not know. So to be safe, use a service like WiTopia.

Michael Kassner

I am not an expert on the Nook, but I suspect that if all you use Wi-Fi for is to download books, you are pretty safe. I have asked a friend who uses a Nook and is a network engineer what he thinks and will get back to you with his thoughts.

Michael Kassner

MAC address filtering is not really doing much. It is easy to spoof an accepted address. But if you feel it is helping, by all means keep using it. It is a layer of security.

Michael Kassner

That is a good example. I remember reading a few articles many years ago that stated IP address filtering was the way to go. Next trip, you have to get your friend up to WPA2. Good luck.

Michael Kassner

The bad guys are business types nowadays, so they are mindful of RoI. So if you have WPA2 enabled, and the next Wi-Fi network is open, they will look there. That is unless there is a specific reason for targeting your systems.

Michael Kassner

I appreciate your updates as well. The problem is that to most users, a VPN does not add value, only inconvenience, unless they have to get to their company's internal network.

Michael Kassner

I am as guilty about convenience as the next, so this was a reminder for me as well.

Michael Kassner

George Ou and I have been discussing this offline. Here is what George said: "The way the auto connection should work is that the Access Point (Infrastructure) should beacon so that the clients do not have to beacon. You also do not want the clients going around beaconing. When the client hears the AP beacon for an SSID that is on its auto-connect list, the client will automatically request the connection with the AP. If the AP does not beacon because the AP is configured to not beacon the SSID, the client has to do all the beaconing and they go around exposing their entire list of SSIDs they are trying to connect to." If I understand correctly, when the "Connect even if the SSID is not beaconed by the AP" is enabled then the client will actively broadcast that it is looking for those SSIDs that are not beaconed.

Michael Kassner

It is appreciated. Jake is an awesome source, making it easy for me.

slam5

Unfortunately, people don't want to listen to what the IT guys say. I do use open wifi networks, BUT I use a VPN tunnel provider (in my case ProXPN) to encrypt my tunnel. It costs me $5 per month, but it makes me sleep a little better! Not everybody wants to spend that $5.

Brainstorms

is apparently passé as far as security goes today. So, too, is MAC address filtering -- which I was using until recently. (And it IS a pain, so I was not unhappy to finally be convinced it's not a panacea.) What I read was that the best way to secure an AP is WPA2 and a monster passphrase. So that's what I use now... All 27 characters worth... My "to do" list includes "Implement OpenVPN at home", for additional peace of mind. I'll deal with the inconvenience.

Brainstorms

Which is why they'll pass on the WPA2 sites and keep looking for 'easy' open APs...

Neon Samurai

Sounds like I understand correctly then. If the AP beacons then correctly configured clients listen quietly instead of beaconing constantly. Now, I gotta go play with a few toys to see if they adhere to the intended behavior.

Michael Kassner

I asked Jake if there was any way that he could mess with your computer. My question: Is it possible for you with the Wi-Fi Pineapple to overcome a VPN service? Let's say I am ready to access an open public network. You have the Pineapple setup to mimic the real open access point. I attach to your device, then connect to the VPN service, could you capture the credentials and act as MitM. I have read where SSL has been co-opted this way, but am not sure it is true. Jake's answer: "If the VPN service is properly configured, then I wouldn't be able to break the actual VPN connection or credentials. All of the SSL attacks of late have depended on other vulnerabilities, not the actual SSL per se. The fact that you're on my public network though means that your machine is vulnerable to attack directly. This is becoming less of an issue these days with more people implementing good personal firewalls, but still a consideration. An SSL VPN is definitely a good approach to take."

TRgscratch

(or several): should I disable "auto-connect when this wifi is in range" on my machine? I currently have only my home and office networks set this way; all others (hotels, airports, etc.) I do not select this when I connect. How do I know if it's my machine that's asking or the AP that's advertising itself? (Perhaps "beaconing" is the term.)
