Open Wi-Fi networks can be a godsend when you need them. Michael P. Kassner interviews a network-security expert who explains why bad guys like them even more.
I've been at this IT thing for 35 years, and I've yet to find an explanation why security should trump convenience that has any appeal to those who lose the convenience. Does this sound familiar?
Why do I always have to use the VPN? It's a pain. It's slow; not like when I'm at the office. I don't need the aggravation.
Telling employees, friends, and family members to avoid open (unencrypted) Wi-Fi networks is a particularly difficult sell. So I've been trying a different approach. Instead of only offering explanations, I'm showing what can happen if a security measure is ignored.
It's been hard, but I'm making progress, thanks, in large part, to someone who ironically likes it when people use open Wi-Fi networks. It makes his job easier.
I'm referring to Jacob Williams. Jake is a skilled digital forensic scientist and network penetration tester. You may remember my writing about how he subverts file-sharing services to get his spy program, DropSmack, installed on a computer inside the client company's perimeter. Well, Jake is also intimately familiar with Wi-Fi networking; it's his preferred attack vector when trying to compromise computers.
Unencrypted Wi-Fi networks are...
The first thing I did was ask Jake why using unencrypted Wi-Fi networks is a bad idea. Here's what he had to say:
When you join an unencrypted Wi-Fi network (such as one at an airport or coffee shop) there are two main concerns. The first is the interception of your data while in transit. The second concern is that your computer can be remotely exploited if it is running a vulnerable service, or the attacker has a zero-day exploit handy.
If you are using an open (unencrypted) Wi-Fi network, securing data in transit can be accomplished by connecting to HTTPS websites, using a VPN, or enlisting a proxy application. But VPNs and proxy applications are a pain, so people avoid using them if at all possible. And SSL is not a surefire solution; not all websites support SSL. And many of the websites that do support SSL do a poor job of it.
I asked Jake for an example of what he meant:
I was online at Staples.com. I finished my shopping, and was getting ready to check out, only needing to enter my rewards coupon. After entering the information, I pressed the submit button. Immediately, my web browser warned me; it was being redirected to an unencrypted site.
Hold the phone! This site is supposed to be secure. It seems part of the website (Staples reward) was not secure, and my data was submitted using HTTP instead of HTTPS. Had I been on an unencrypted Wi-Fi link, my personal and sensitive data could easily have been intercepted by an eavesdropper.
I wasn't sure about the easy part. So I thought I'd try my own eavesdropping experiment. I followed the instructions at this link, installing the program (Wireshark), and in no time at all, I was reading the digital bits. If I can figure it out, well...
Next, I asked Jake to explain why it is easier to exploit computers attached to an unencrypted Wi-Fi network:
Anyone capable of joining the Wi-Fi network (connect to the access point) can reach out to your machine, and using an unencrypted Wi-Fi network makes that real simple. Unsecured networks are also subject to spoofing.
Jake then goes on to explain how he uses this to his advantage when checking for security weaknesses at a client:
In penetration tests, we often configure fake access points with names similar to the legitimate access point a user should connect to. Once a user connects to our fake access point, we redirect their communications using a Man in the Middle (MitM) attack. We use this technique to harvest legitimate credentials to an HTTPS-secured corporate intranet portal. Make no mistake -- real attackers use the same techniques to steal financial data or credit card numbers.
Now let's look at another Wi-Fi convenience that makes Jake's job a lot easier.
"Connect automatically" makes it even easier
Being able to connect to Wi-Fi networks automatically is super convenient. That's why the feature is enabled by default, and most users are completely unaware of it. Jake explains how it works:
After connecting to a Wi-Fi network for the first time, the user has the option of allowing automatic reconnection. If that is agreed to, the computer, tablet, or mobile phone will automatically connect to this wireless network in the future.
The following slide shows where to set up automatic connections in Windows 7.
The problem is it's also convenient for the bad guys. It tells them which network names (SSID) to use for their MitM attack. Here's Jake again:
One attack we use regularly during penetration tests is to deploy a device called Wi-Fi Pineapple when we have physical access to the site. We set up the Wi-Fi Pineapple to listen for new clients broadcasting for their preferred Wi-Fi networks. These are the networks people have saved and said 'automatically connect to this Wi-Fi network in the future.'
When you turn on your device, the Wi-Fi client sends out probe requests with the names of these networks to see if any providers with those names are available. When the Wi-Fi Pineapple hears this, it says 'why yes, I am your preferred network,' and allows the client to authenticate.
Once the connection is made, the device's traffic flows through our Wi-Fi Pineapple to its final destination, but not before the Wi-Fi Pineapple captures what we need. This technique is old hat in the pen-test community, but most lay people I talk to are surprised to learn devices like the Wi-Fi Pineapple even exist.
I pride myself on knowing what's out there, and I had no idea tools like the Wi-Fi Pineapple were available. I'm wondering what other cool devices Jake has.
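One way to find the saved networks that create this exposure on a Windows machine, as an added example that is not part of the original article: it parses WLAN profiles in the XML format written by `netsh wlan export profile` and flags networks that are open and set to connect automatically, with a note on shared-key networks, which the article turns to next. The sample profiles, SSIDs and severity labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
SHARED_KEY_AUTH = {"shared", "wpapsk", "wpa2psk"}

# Constructed sample profiles, shaped like `netsh wlan export profile` output.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication><encryption>{enc}</encryption>
  </authEncryption></security></MSM>
</WLANProfile>"""
SAMPLES = [TEMPLATE.format(ssid=s, mode=m, auth=a, enc=e) for s, m, a, e in [
    ("CoffeeShop-Free", "auto", "open", "none"),
    ("Airport_WiFi", "manual", "open", "none"),
    ("TrainingRoom", "auto", "WPA2PSK", "AES"),
    ("CorpNet", "auto", "WPA2", "AES"),
]]


def audit_profile(xml_text):
    """Return (ssid, finding) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)

    def text(path, default=""):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else default
    ssid = text("w:SSIDConfig/w:SSID/w:name") or text("w:name")
    # A missing connectionMode is treated as auto (conservative assumption).
    auto = text("w:connectionMode", "auto").lower() == "auto"
    sec = "w:MSM/w:security/w:authEncryption/"
    auth, enc = text(sec + "w:authentication").lower(), text(sec + "w:encryption").lower()
    if auth == "open" and enc == "none":
        # Nothing but the name identifies this network to the client.
        return ssid, "HIGH: open + auto-connect" if auto else "MEDIUM: open, manual"
    if auth in SHARED_KEY_AUTH or enc == "wep":
        return ssid, "NOTE: shared key"
    return ssid, "OK"


def audit(profiles):
    # Riskiest findings first.
    order = {"HIGH": 0, "MEDIUM": 1, "NOTE": 2, "OK": 3}
    return sorted(map(audit_profile, profiles), key=lambda r: order[r[1].split(":")[0]])


if __name__ == "__main__":
    print(*audit(SAMPLES), sep="\n")
```

On a real machine, export the profiles with `netsh wlan export profile folder=<dir>` and pass each file's contents to `audit_profile`; profiles flagged HIGH are candidates for deletion or for switching to manual connection.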
Keep quiet about the shared key
While we were discussing this, Jake mentioned something I hadn't given much thought to. Encrypted Wi-Fi networks that use a shared key are no better off than unencrypted Wi-Fi networks once the bad guys have the key. Jake explains:
Here's the rub. Even if I had been on an encrypted wireless network (with WEP, WPA, or WPA2), my transmission could have been intercepted by any eavesdropper. Many people incorrectly assume their individual data is secure when they connect to an encrypted wireless network with a shared key.
I asked Jake for an example:
This sort of thing happens often at training events. All participants use the same encryption key. Once attached to the network, their communications are secure from outside eavesdroppers who do not know the key, but everyone in the class can see everyone else's traffic (remember they have the key).