Rogue Wi-Fi access points!
You’ll have seen them in any number of places, likely and unlikely.
Admittedly, some of them might have been entirely innocent, set up as altruistic gestures by friendly locals willing to help out visitors.
But a lot of those Wi-Fi networks with names that start with Guest... or end with ...Free Wi-Fi are genuinely fake, even if they’re only there for experimental purposes to see how recklessly passers-by might behave.
In fact, we’re not averse to a spot of Wi-Fi experimentation ourselves, as you’ll see in our World of Warbiking video series, carried out by Sophos road warriors Chester Wisniewski and James Lyne.
In these videos we show you how wireless security stacks up from San Diego to New York City, and from Sydney to Hanoi.
We’re careful to keep it legal, of course, so we don’t find all the insecurities that a cybercrook would, meaning that the true situation is probably slightly worse than our results suggest.
→ Unlike Google Street View when it started off mapping the world’s Wi-Fi, we’re careful not to collect what are called packet payloads, i.e. network users’ own data. Instead, we collect the broadcasts from access points announcing their availability, which is what your computer looks out for when you click “Show Networks.”
That gives us insights into the security settings of the networks available in each city.
Who’s still using WEP, for example? (Don’t – it’s cryptographically useless and only gives a false sense of security.)
How many open access points does each city have, convenient for tourists but potentially risky from a privacy point of view?
Young Pirate on the prowl
But we’ve never gone as far as a chap by the name of Gustav Nipe did at a recent Society and Defence conference in Sweden.
Nipe, who seems to go by the rather Komsomol-style title of Ung Pirat Förbundsordförande (which apparently translates into Pirate Party Youth Wing Chairman), set up a rogue access point at the event.
He hoped that delegates would assume it was provided by the conference organisers and therefore treat it as implicitly safe.
He called it Open Guest and claims that about 100 delegates at the conference, apparently including “politicians and journalists as well as security experts,” not only logged on but went ahead with privacy-sapping searches and other online activity.
According to Nipe:
It is very embarrassing because the data we collected showed that some people were [...] looking for holidays and where you could go and hike the forest. This was during the day when I suppose they were being paid to be at the conference working.
O tempora! O mores!
You know you’ve been really naughty when a Young Pirate has to point out that you’ve been as good as thieving from your employer by surfing the internet on work time.
Nipe also made the point that the individual sites matter less than the combination: To go into general and frequently visited websites like aftonbladet.se [a newspaper] does not say much about the user in question, but if the person then additionally connects to [mail.X.example] and browses websites about the city Y, that rapidly shrinks the list of candidates to only a few.
In fact, there’s something that Nipe forgot to add.
He knows all of this because he set up the rogue access point and gathered data from it by sniffing all the traffic going through it.
→ There seems to be some controversy over the legality of what he did. Perhaps he wasn’t explicit enough about the nature of his experiment? However, announcing it would have spoiled it, and, in any case, the pranked delegates made their own choice to connect to it.
But anyone else in the vicinity could have sniffed all the traffic, too.
That’s the nature of an unencrypted broadcast medium like an open Wi-Fi network: it’s a bit like CB radio, where conversations on other channels are only nominally private, relying on everyone else’s goodwill not to pay too much attention.
By the way, don’t forget that a WPA2-encrypted network with a Pre-Shared Key (PSK) handed out by the conference would only be somewhat safer against sniffing, because everyone in the room has the same key.
If you know the PSK and can sniff the initial setup packets when a user connects and authenticates (the so-called four-way handshake, which carries the two random nonces from which the per-session key is derived), you can later decrypt all of the encrypted packets from that user’s session. The encryption keeps out strangers who don’t have the PSK, but not your fellow delegates.
Network sniffing tools like Wireshark can do this automatically once you give them the PSK and the captured handshake, easily turning WPA2-PSK sessions into regular packet logs.
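To show why a shared PSK plus a captured handshake is enough, here is an added worked example (not code from Sophos, from Nipe, or from Wireshark) that walks through the 802.11i key derivation both the client and a passive listener can perform. The PBKDF2 step uses the published 802.11i test vector (passphrase "password", SSID "IEEE"); the MAC addresses, nonces and the simplified EAPOL message body are constructed for illustration and are not a real frame layout.

```python
"""
WPA2-PSK: anyone holding the passphrase who also captured the 4-way handshake
re-derives the same per-session keys as the client. Added illustration only.
"""
import hashlib
import hmac

SSID = "IEEE"            # 802.11i Annex H test vector SSID
PASSPHRASE = "password"  # 802.11i Annex H test vector passphrase (the "conference PSK")
AP_MAC = bytes.fromhex("001122334455")   # constructed
STA_MAC = bytes.fromhex("66778899aabb")  # constructed
ANONCE = bytes(range(32))                # constructed; real nonces are random
SNONCE = bytes(range(32, 64))            # constructed


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # Everyone with the passphrase computes the identical PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated.
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces))
    # Both MACs and both nonces travel in the clear, so the sniffer has every input but the PMK.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]   # KCK, KEK, TK (CCMP)


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    # WPA2/AES key descriptor version 2: MIC = HMAC-SHA1(KCK, frame)[:16]
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def client_side():
    """What the laptop does: derive the PTK and send message 2 (SNonce + MIC) unencrypted."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    kck, _kek, tk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    # Constructed stand-in for the EAPOL-Key message 2 body: 2 header bytes || SNonce || MIC.
    body = b"\x02\x03" + SNONCE + bytes(16)
    msg2 = body[:-16] + eapol_mic(kck, body)
    return msg2, tk


def sniffer_side(captured_msg2: bytes, passphrase_guess: str):
    """What a passive listener does: rebuild the PTK from the PSK and the captured handshake.
    ANonce came from message 1 and the MACs from the frame headers (all constants above)."""
    pmk = pmk_from_passphrase(passphrase_guess, SSID)
    snonce = captured_msg2[2:34]
    kck, _kek, tk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, snonce)
    zeroed = captured_msg2[:-16] + bytes(16)
    if not hmac.compare_digest(eapol_mic(kck, zeroed), captured_msg2[-16:]):
        return None   # wrong PSK: the MIC does not verify and no session key is recovered
    return tk         # this TK decrypts every CCMP frame of the victim's session


if __name__ == "__main__":
    msg2, client_tk = client_side()
    print("client TK :", client_tk.hex())
    print("sniffer TK:", sniffer_side(msg2, PASSPHRASE).hex())
    print("wrong PSK :", sniffer_side(msg2, "not the conference key"))
```

The MIC check is exactly how a tool confirms it has the right PSK before it starts decrypting; with the wrong passphrase the derived KCK fails to verify message 2 and nothing further is recoverable. Note that only WPA3’s SAE handshake removes this property, because its session key no longer depends solely on the shared passphrase and values sent in the clear.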
What to do?
Here are six quick tips:
- Favour HTTPS. The content of sessions encrypted using TLS can’t easily be read or modified in transit, although a sniffer can still see which servers you connect to.
- Use a VPN. That’s where all of your traffic is encrypted back to your home or office network, forming a Virtual Private Network, and then decrypted and sent out onto the internet as though you were at home or at work, not on the road.
- Avoid unknown Wi-Fi access points. In many countries, it’s easy to buy a pre-paid SIM card on arrival, often right in the airport, giving you reasonably-priced mobile data plans while you travel.
- Pick proper passwords, a different one for every site, and consider using a password manager. If one of your passwords does get compromised, it won’t give away the keys to the rest of your castle.
- Use 2FA whenever you can. Inadvertently leaked account passwords are much less useful if they have to be combined with a one-time code that changes at every login.
- Arrrr-ange your hiking holidays when you are off the clock, in case any Young Pirates are around.
• Check out our Wireless Tips.
• Read about our World of Warbiking tour.
• Learn more about Sophos Secure Wi-Fi.
• Watch our video: Three wireless security myths – busted!.