Rogue Wi-Fi access points!
You’ll have seen them in any number of places, likely and unlikely.
Admittedly, some of them might have been entirely innocent, set up as altruistic gestures by friendly locals willing to help out visitors.
But a lot of those Wi-Fi networks with names that start with Guest... or end with ...Free Wi-Fi are genuinely fake, even if they’re only there for experimental purposes to see how recklessly passers-by might behave.
In fact, we’re not averse to a spot of Wi-Fi experimentation ourselves, as you’ll see in our World of Warbiking video series, carried out by Sophos road warriors Chester Wisniewski and James Lyne.
In these videos we show you how wireless security stacks up from San Diego to New York City, and from Sydney to Hanoi.
We’re careful to keep it legal, of course, so we don’t find all the insecurities that a cybercrook would, meaning that the true situation is probably slightly worse than our results suggest.
→ Unlike Google Street View when it started off mapping the world’s Wi-Fi, we’re careful not to collect what are called packet payloads, i.e. network users’ own data. Instead, we collect the broadcasts from access points announcing their availability, which is what your computer looks out for when you click “Show Networks.”
That gives us insights into the security settings of the networks available in each city.
Who’s still using WEP, for example? (Don’t – it’s cryptographically useless and only gives a false sense of security.)
How many open access points does each city have, convenient for tourists but potentially risky from a privacy point of view?
Young Pirate on the prowl
But we’ve never gone as far as a chap by the name of Gustav Nipe did at a recent Society and Defence conference in Sweden.
Nipe, who seems to go by the rather Komsomol-style title of Ung Pirat Förbundsordförande (which apparently translates into Pirate Party Youth Wing Chairman), set up a rogue access point at the event.
He hoped that delegates would assume it was provided by the conference organisers and therefore treat it as implicitly safe.
He called it Open Guest and claims that about 100 delegates at the conference, apparently including “politicians and journalists as well as security experts,” not only logged on but went ahead with privacy-sapping searches and other online activity.
According to Nipe:
It is very embarrassing because the data we collected showed that some people were [...] looking for holidays and where you could go and hike the forest. This was during the day when I suppose they were being paid to be at the conference working.
O tempora! O mores!
You know you’ve been really naughty when a Young Pirate has to point out that you’ve been as good as thieving from your employer by surfing the internet on work time.
More seriously, of course, Nipe was right when he pointed out:
To go into general and frequently visited websites like aftonbladet.se [a newspaper] does not say much about the user in question, but if the person then additionally connects to [mail.X.example] and browses websites about the city Y, that rapidly shrinks the list of candidates to only a few.
In fact, there’s something that Nipe forgot to add.
He knows all of this because he set up the rogue access point and gathered data from it by sniffing all the traffic going through it.
→ There seems to be some controversy over the legality of what he did. Perhaps he wasn’t explicit enough about the nature of his experiment? However, announcing it would have spoiled it, and, in any case, the pranked delegates made their own choice to connect to it.
But anyone else in the vicinity could have sniffed all the traffic, too.
That’s the nature of an unencrypted broadcast medium like an open Wi-Fi network: it’s a bit like CB radio, where conversations on side-channels are only nominally private, relying on everyone else’s goodwill not to pay too much attention.
By the way, don’t forget that a WPA2-encrypted network with a Pre-Shared Key (PSK) handed out by the conference would only be somewhat safer against sniffing.
If you know the PSK and can sniff the initial setup packets when a user connects and authenticates, you can later decrypt all of the encrypted packets from that user’s session.
Network sniffing tools like Wireshark can do this automatically, easily turning WPA sessions into regular packet logs.
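To see why a shared PSK only shifts the problem rather than solving it, here is an added example (not code from the article or from Sophos) that walks the standard IEEE 802.11i key hierarchy: the PMK depends only on the passphrase and SSID, and the per-session PTK on the PMK plus the two MAC addresses and two nonces that the four-way handshake sends in the clear, so anyone who holds the PSK and saw the handshake ends up with the same session key as the client. The MAC addresses, nonces and passphrases below are constructed values; the one real input is the PMK test vector from the IEEE 802.11 standard annex.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # Pairwise Master Key (IEEE 802.11i): PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    # Only the passphrase and SSID go in, so every holder of the PSK derives the same PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated.
    blocks = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)
    )
    return blocks[:48]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Pairwise Transient Key: PMK plus the AP/client MAC addresses and the ANonce/SNonce
    # that the four-way handshake carries unencrypted. Min/max ordering is per the standard.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    # For WPA2-CCMP the 48-byte PTK is KCK (16) || KEK (16) || TK (16); TK protects data frames.
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed handshake values (not taken from any real capture).
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def bystander_matches_client(passphrase: str = "constructed-passphrase", ssid: str = "Open Guest") -> bool:
    # The legitimate client and a bystander who also knows the PSK and watched the handshake
    # compute the identical TK; only a different passphrase breaks the match.
    client_tk = split_ptk(wpa2_ptk(wpa2_pmk(passphrase, ssid), AP_MAC, CLIENT_MAC, ANONCE, SNONCE))["tk"]
    bystander_tk = split_ptk(wpa2_ptk(wpa2_pmk(passphrase, ssid), AP_MAC, CLIENT_MAC, ANONCE, SNONCE))["tk"]
    other_tk = split_ptk(wpa2_ptk(wpa2_pmk("some-other-psk", ssid), AP_MAC, CLIENT_MAC, ANONCE, SNONCE))["tk"]
    return client_tk == bystander_tk and client_tk != other_tk


if __name__ == "__main__":
    print("IEEE 802.11 test vector PMK:", wpa2_pmk("password", "IEEE").hex())
    print("bystander derives client's session key:", bystander_matches_client())
```

Nothing in the derivation is secret to the other users of the network except the passphrase itself, which is exactly why the tips below push TLS and VPNs rather than relying on the conference Wi-Fi password.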
What to do?
Here are six quick tips:
- Favour HTTPS. Sessions encrypted using TLS can’t easily be logged or modified in transit.
- Use a VPN. That’s where all the raw data in your traffic is encrypted back to your home or office network, forming a Virtual Private Network, and then decrypted and sent out onto the internet as though you were at home or at work, not on the road.
- Avoid unknown Wi-Fi access points. In many countries, it’s easy to buy a pre-paid SIM card on arrival, often right in the airport, giving you reasonably-priced mobile data plans while you travel.
- Pick proper passwords and consider using a password manager. If one of your passwords does get compromised, it won’t give the keys to the rest of your castle.
- Use 2FA whenever you can. Inadvertently leaked account passwords are much less useful if they have to be combined with a one-time code that changes at every login.
- Arrrr-ange your hiking holidays when you are off the clock, in case any Young Pirates are around.
• Check out our Wireless Tips.
• Read about our World of Warbiking tour.
• Learn more about Sophos Secure Wi-Fi.
• Watch our video: Three wireless security myths – busted!.
6 comments on “Young Pirate pulls off Wi-Fi privacy prank – sucks in security experts”
When it comes to Wi-Fi, most of us (including myself) are clueless. Is there a “Wi-Fi for Dummies” out there that one can read to become more aware?
I enjoy your articles but most of it is way over my head. In this article you discussed PSKs and WPA2, which are all a foreign language to me. Do you guys have anything that would explain things for an old guy like myself?
Hi George, try to think of a wireless connection as a wired one instead and it could make more sense. Imagine that everyone connecting to the Wi-Fi network is splicing into (borrowing a portion of) your cable. Since you’re all using the same cable now, everything you send over the cable can be seen by them. In contrast, an actual wired connection is dedicated to each PC (to a point.) Only some traffic can be captured instead of all traffic, and the capturer must also have a dedicated physical connection that’s a part of the same network. That’s why there are so many encryption technologies for Wi-Fi; Wi-Fi is inherently far less private than wired connections, especially since the nature of wireless connections is such that you can’t see who it is that is invading your privacy–they could be across the street for all you’d know.
What used to be the most common form of wireless encryption was called WEP, which stands for Wired Equivalent Privacy. Unfortunately, it wasn’t equivalent to the privacy offered by a dedicated wire… It’s very easy to break. In fact, in a test network I set up years ago I was able to find the password to an encrypted WEP network in under ten seconds using a low-powered laptop.
Probably the most secure form of wireless encryption now is WPA2. However, even if it’s difficult to improbable to break, there are some vulnerabilities in the way that very secure connection is created in the first place. It all starts with a four-way handshake. It is possible to “watch” someone else’s four-way handshake to decrypt their traffic later. However, the wireless connection would have to use a pre-shared key (PSK), and you would have to know what it is in order to succeed.
You’ve surely dealt with PSKs in the past… If you go to any coffee shop or restaurant where you have to ask for the wireless password, you’re using a PSK (the password.)
Hope that helps! 🙂
Did you take a look at the video at the end of the article?
It isn’t a “dummies guide to Wi-Fi,” but it *does* deal quite specifically with WPA and PSK.
Simply put, WEP and WPA are abbreviations for encryption algorithms you can choose for Wi-Fi security, and the PSK is the encryption key you choose to secure them.
We can’t tell you how to set them up on *your* router because there are so many different Wi-Fi configuration screens out there, but we give you an example configuration screen from an example router…you might find it helpful.
The video covers these acronyms, and explains them:
Myth 3 covers WPA and PSK. Hope this helps.
People were surfing the Internet during a conference, looking for places to hike. Oh the horror…
Pirate Gustav should have limited his sanctimony to the dangers of unsecured wireless.
Thanks for the article! It’s the first time I hear that you cannot even trust WPA2 encryption with a Pre-Shared Key. Is that an inherent problem of all public wifi? I had assumed that using private and public keys would also work for wifi – if it is possible for TLS, it should also work for wifi (so the PSK would only open access but not do the encryption). That way also password-less wifi should theoretically be able to offer encryption (like https where you don’t need to enter a password to get connected).
Just goes to show how if you know your way around security protocols for wifi that you can get a lot of information out of it from just about any place that uses wifi.