
What we give away when we log on to a public Wi-Fi network - ricksta
https://decorrespondent.nl/1101/What-we-give-away-when-we-log-on-to-a-public-Wi-Fi-network/31040493-53737dba
======
jMyles
Here's what I wrote last time this was posted
([https://news.ycombinator.com/item?id=8457167](https://news.ycombinator.com/item?id=8457167)),
with some edits to respond to other comments made in this thread:

An interesting read, but sparse enough on details to be basically useless.
Additionally, there's nothing that I can discern to be new here. The following
is demonstrated, all of which are known (and in fact obvious) to people with
even an elementary understanding of how wifi and TLS work:

* That wifi probes are public

* That wifi devices, by default, expose reasonably reliable evidence about their type and origin via their MAC address

* That many OS's automatically connect to 'trusted' wifi networks, regardless of their apparent physical location

* That many websites don't have TLS by default (or at all)

* That, if a user connects to a network you control and requests a URL not beginning with "https," it is trivial to present them with a fake page looking like the one to which they thought they were browsing (of course they won't see a lock). (Note: if the website has HTTP Strict Transport Security enabled and the user has previously visited that website with a supporting browser, then this part is non-trivial.)

* That, if a user transmits unencrypted plain text over a wifi network to which you have access, it's trivial to glean the content of their transmission.

None of this is news, and it's all that this article seems to point out. Even
more bizarre is that, almost without exception, it merely leaves these items
implied, failing to describe the mechanism of action.

~~~
malandrew
Seems like the moment a trusted wifi network is connected to, the system
should try to geolocate itself and figure out if it is likely to be the same
network.

Knowing what other networks are around is another approach. e.g. if I connect
to network A, when networks B, K, L, T, U and X are all visible, the next time
I connect to A, I can be reasonably certain that A is the same A as before if
I see at least xx% of the networks that were visible the first time I
connected to A.
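
The "familiar neighbours" heuristic sketched above, as an added example that is not part of the thread: on the first join of a network the other networks in range are recorded by BSSID, and a later join of the same SSID is only accepted as "the same network" if enough of those neighbours are visible again. The BSSIDs, SSIDs and the 50% threshold are constructed sample values.

```python
"""
Added example (not from the thread): the "familiar neighbours" heuristic
malandrew describes. On the first successful join of a network we record the
other networks visible at that moment (by BSSID); on a later join of the same
SSID we compare the current scan against that record and only treat the
network as the same one if at least min_overlap of the original neighbours are
visible again. All BSSIDs and SSIDs below are constructed sample data.
"""

from dataclasses import dataclass, field


@dataclass
class KnownNetwork:
    ssid: str
    # BSSIDs of the other networks seen when this SSID was first joined
    neighbours: set = field(default_factory=set)


class NeighbourhoodCheck:
    def __init__(self, min_overlap: float = 0.5):
        self.min_overlap = min_overlap   # fraction of neighbours that must reappear
        self.known = {}                  # ssid -> KnownNetwork

    def record_first_join(self, ssid: str, scan: dict) -> None:
        """scan maps BSSID -> SSID for every network in the current scan result."""
        neighbours = {bssid for bssid, name in scan.items() if name != ssid}
        self.known[ssid] = KnownNetwork(ssid, neighbours)

    def overlap(self, ssid: str, scan: dict) -> float:
        rec = self.known.get(ssid)
        if rec is None or not rec.neighbours:
            return 0.0
        return len(rec.neighbours & set(scan)) / len(rec.neighbours)

    def verdict(self, ssid: str, scan: dict) -> str:
        """'same', 'suspicious', or 'unknown' when there is nothing to compare."""
        rec = self.known.get(ssid)
        if rec is None or not rec.neighbours:
            # Never joined, or joined somewhere with no other networks in range:
            # the heuristic has no evidence either way and must not decide alone
            return "unknown"
        return "same" if self.overlap(ssid, scan) >= self.min_overlap else "suspicious"


# Constructed scans. Keys are BSSIDs, values the SSID each one advertises.
FIRST_SCAN = {
    "02:00:00:00:00:a0": "HomeNet",
    "02:00:00:00:00:b0": "B", "02:00:00:00:00:c0": "K", "02:00:00:00:00:d0": "L",
    "02:00:00:00:00:e0": "T", "02:00:00:00:00:f0": "U", "02:00:00:00:00:10": "X",
}
# Same place a week later: two neighbours gone, one new one appeared
SAME_PLACE_LATER = {
    "02:00:00:00:00:a0": "HomeNet",
    "02:00:00:00:00:b0": "B", "02:00:00:00:00:c0": "K", "02:00:00:00:00:d0": "L",
    "02:00:00:00:00:e0": "T", "02:00:00:00:00:99": "NewNeighbour",
}
# An access point elsewhere advertising the same SSID, surrounded by strangers
ELSEWHERE = {
    "02:00:00:00:00:a1": "HomeNet",
    "02:00:00:00:00:11": "Airport-Free", "02:00:00:00:00:12": "Lounge",
}


def demo() -> dict:
    check = NeighbourhoodCheck(min_overlap=0.5)
    check.record_first_join("HomeNet", FIRST_SCAN)
    return {
        "same_place": check.verdict("HomeNet", SAME_PLACE_LATER),  # 4 of 6 seen -> "same"
        "elsewhere": check.verdict("HomeNet", ELSEWHERE),          # 0 of 6 seen -> "suspicious"
        "never_joined": check.verdict("CafeNet", ELSEWHERE),       # nothing recorded -> "unknown"
    }


if __name__ == "__main__":
    print(demo())
```

The "unknown" verdict matters: a network first joined with no other networks in range gives the heuristic nothing to compare, and an OS warning built on it should fall back to other signals rather than treat that as either safe or suspicious.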

~~~
jMyles
Agreed. This seems like a good basis for a warning at the OS UI level.

------
sktrdie
How was the hacker able to get Facebook credentials? Facebook uses HTTPS and
so does Live.com. Even if I'm connected to a malicious router, only me and
Facebook know about the data we're sending each other.

Am I missing something or should the author of this article provide more
evidence on the type of attack?

~~~
leepowers
If an attacker controls the access point he could do the following:

* Redirect all HTTPS traffic to an HTTP spoof site. Many users probably wouldn't notice.

* If the attacker has access to a short, 2-3 character domain, they could redirect to a wildcard HTTPS connection like, [https://facebook.aa.com/](https://facebook.aa.com/) - again, many users wouldn't notice. They'd see "facebook" and the lock icon and assume they're ok.

* In either case the attacker could simply proxy all HTTP requests from victim to Facebook (or any other site). So the user's browsing experience remains the same but all passwords, cookies and personal info are logged. Scary stuff!

~~~
MichaelGG
Probably don't even need a short domain.
Facebook.login.secureauthredirectsystem.moregibberish.com probably would seem
sorta legit. After all, Microsoft's auth systems do crazy stuff like that. So
does the moronic Verified by Visa system - it's something like
"ww2.secpayment.com" and looks totally sketchy but it's legit.

~~~
voltagex_
So does MasterCard (for "3D Secure" 2 factor auth) - I had to do a
whois/traceroute on the domain before I trusted it the first time.

------
ambrop7
Most people don't understand the WPA PSK security model and its insufficiency
for anything but private networks where every device is trusted. When you give
someone the PSK, you give them the capability to impersonate the access point.

That being said, is there any better solution for public networks? One where
giving someone a password doesn't let them impersonate you. I'm not sure how
good support for EAP-TLS is on common client devices. To actually make it
secure the device would not only need to support it but also validate the AP's
public key some way.

~~~
zobzu
Since there's no URL associated, any trusted CA-signed cert is valid (for
example a cert from StartSSL).

If you use self-signed that actually protects you, since then the client
complains. SOME clients pin the certs (thus you can't impersonate the AP even
with a trusted CA-signed cert) but it's still quite rare.

~~~
ambrop7
But in theory the same CA infrastructure as used for the web could be used.
The SSID of the network would be interpreted as the "domain".

So if I try to connect to SSID example.com securely, I would verify that the
AP can identify itself as example.com (based on the CA roots which I trust) -
exactly the same way as a web browser would if I tried to connect to
[https://example.com](https://example.com).

Or is this already supported but nobody uses it?

~~~
wiml
I think there are a couple of things that would have to happen in order for
that to work:

1. We would have to set up a global registry for SSIDs, like we have for
domain names. (Otherwise, what's to keep someone else from using a colliding
or misleading name and getting a certificate for it?) And even then you run
into the problem that the CA infrastructure used for the web is pretty
terrible.

2. Clients would need some kind of policy database to know what kinds of
traffic must go over a "secured" AP and what kinds, if any, can go over the
local coffeeshop's or convention hotel's wifi.

And all of this to secure just one link of the communication— all the rest
remain vulnerable. Really what we want is end-to-end encryption, not
link-by-link encryption. If you have #2, for example, you could instead use
that policy database to implement mandatory IPsec (or equivalent end-to-end
encryption; MinimaLT if you prefer) for all sensitive traffic, and bingo,
you're secure against whole classes of attack even when you are using unknown
APs.

------
tunap
Interesting but dated info for techies. I was hoping for something more along
the lines of how retailers triangulate & track your movements inside their
brick & mortar sites. Or how public providers scrape your browsing habits
whilst on their net. I was even more interested in learning what other tricks
they employ that I am not yet aware of.

With the ubiquity of broadband mobile I recommend avoiding public wifi
whenever possible because the items listed in TFA are ubiquitous at most
Starbucks, airports and other hi-profile public spots. I also highly recommend
disabling any equipment's wifi by default; the world is full of liars, cheats
& thieves smarter than myself. When you go for "free", what you get never is.

~~~
Retric
Retailers can use video footage + motion capture software to track you which
works much better as not everyone has active wifi.

------
fredsted
Are my devices really broadcasting the SSIDs they have been connecting to?

~~~
victorvation
Yep. Whenever wifi is enabled, your device is sending out probe request
frames, which includes your list of preferred networks/networks you've
connected to before.

~~~
MichaelApproved
Could it be used as a sort of fingerprint to identify phones? I'm imagining
using a scanner to create a list of phones in the area. You walk through the
halls of congress to compile a list of devices. Do this every few days or over
the course of a month, to eliminate visitors.

Now that you have your fingerprint, you can leave a few scanners around where
you're trying to track the congressmen. IE, if you want to blackmail, put it
around strip clubs.

Seems like a major security hole to me.

~~~
adestefan
iOS 8 somewhat mitigates this through using random MAC addresses when scanning

~~~
breakall
> somewhat

Due to the extremely narrow circumstances [1] under which the MAC address
randomization is actually used, the feature may as well not exist.

[1] [http://blog.airtightnetworks.com/ios8-mac-randomgate/](http://blog.airtightnetworks.com/ios8-mac-randomgate/)
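
To make concrete what victorvation's probe requests carry and what the MAC randomization discussed just above changes, here is an added example (not code from the thread) that parses a bare 802.11 probe request and reports the source address, whether the probe names a known network, and whether the address has the locally administered bit that a randomized address carries. The frames are constructed fixtures produced by build_probe_request; a real capture would first need its radiotap header stripped, and the function and fixture names are this example's own.

```python
"""
Added example, not from the thread: a parser for the frame type victorvation
describes, showing what an observer can read from a probe request and what
MAC-address randomization does and does not hide. The parser expects a bare
802.11 management frame (radiotap header already stripped). The frames below
are constructed test fixtures built by build_probe_request; no real device
traffic is involved.
"""

import struct

BROADCAST = b"\xff" * 6


def build_probe_request(sa: bytes, ssid: str) -> bytes:
    """Constructed fixture: minimal Probe Request (type 0, subtype 4) with an SSID IE."""
    frame_control = struct.pack("<H", 0x0040)         # version 0, type 0 (mgmt), subtype 4
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()   # element ID 0 = SSID (empty = wildcard)
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # element ID 1 = supported rates
    # Address order in a probe request: DA (broadcast), SA (the client), BSSID (broadcast)
    return frame_control + duration + BROADCAST + sa + BROADCAST + seq_ctrl + ssid_ie + rates_ie


def parse_probe_request(frame: bytes) -> dict:
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        raise ValueError("not a probe request")
    sa = frame[10:16]
    # Walk the tagged parameters: each is <id:1><len:1><body:len>
    elements = {}
    pos = 24
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        elements.setdefault(eid, body)
        pos += 2 + length
    ssid = elements.get(0, b"").decode("utf-8", errors="replace")
    return {
        "sa": sa.hex(":"),
        "ssid": ssid,
        # A directed probe names a network the device already knows
        "directed": ssid != "",
        # Bit 1 of the first octet set = locally administered, i.e. not a burned-in
        # address; a randomized address as described for iOS 8 has this bit set
        "locally_administered": bool(sa[0] & 0x02),
    }


def leaky_probes(frames) -> list:
    """Frames that pair a stable (burned-in) address with a named network: the
    combination that ties one particular device to the networks it knows."""
    out = []
    for f in frames:
        p = parse_probe_request(f)
        if p["directed"] and not p["locally_administered"]:
            out.append((p["sa"], p["ssid"]))
    return out


# Constructed fixtures: a burned-in style address and a randomized one
STABLE_MAC = bytes.fromhex("001122334455")
RANDOM_MAC = bytes.fromhex("da1122334455")     # 0xda has the locally-administered bit set
SAMPLE_FRAMES = [
    build_probe_request(STABLE_MAC, "HomeNet"),   # names a known network, stable address
    build_probe_request(STABLE_MAC, ""),          # wildcard probe: asks "who is there?"
    build_probe_request(RANDOM_MAC, "HomeNet"),   # named network, but address not linkable
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_probe_request(f))
    print("leaky:", leaky_probes(SAMPLE_FRAMES))
```

Note the third fixture: a randomized address stops the probe from being tied to the device, but the SSID of the preferred network is still sent in clear, so randomization alone does not stop the "what networks does this person use" leak; only wildcard probes (or not probing at all) do that.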

------
ris
Hm. So are there any 802.11_ proposals for cryptographically "signed" SSIDs?
Using public key cryptography, this is surely doable in a way that is
"anonymous" too, right? (i.e. doesn't reveal the identity of the AP you're
probing for)

------
xamolxix
Considering how ridiculously cheap an anonymous VPN service is these days I am
surprised how many people do not use them.

~~~
HorizonXP
Because it's difficult to setup and configure for most people?

People struggle with connecting their laptops/tablets to WiFi. Expecting them
to configure a VPN on their own is a stretch.

You could start a small SaaS business that could make "lifestyle business"
type money if you did this well.

~~~
colinbartlett
PrivateInternetAccess.com gives you an installer with all the credentials in
it ready to go. It was so easy my dad could do it.

I don't think ease is a barrier anymore. I think it's just lack of education
about how necessary these measures are.

~~~
xtian
PIA gets a lot of recommendations but no one ever mentions that a great number
of sites prevent you from using them from the PIA addresses. I've had a lot of
trouble with financial and e-commerce sites in particular (which are also the
situations I really care about using a VPN).

I think it might be that PIA is frequently used for DDOS and abuse since it's
so inexpensive.

Just something I wish I had known before signing up.

------
byoung2
_All names in this article are fictitious, except for Wouter Slotboom’s_

I thought for sure that name was fake!

~~~
tim333
Wouter is easy to google. You can see him and his black box here (although the
sound is in Dutch)

[http://www.rtlnieuws.nl/editienl/betrapt-door-wifi-ik-ga-vre...](http://www.rtlnieuws.nl/editienl/betrapt-door-wifi-ik-ga-vreemd)

------
z92
Log in to a public WiFi and turn on your VPN. Problem solved.

VPN accounts are cheaper than ever before. You can also install one on a cheap
DO box.

------
VexXtreme
I see a lot of comments here presenting HSTS as some kind of silver bullet for
preventing MITM attacks. While it does help, it's not impenetrable. If a
website hasn't been preloaded into the STS preloaded list, then the HSTS
header can be stripped on the first visit and the client will never upgrade to
SSL.

The only foolproof way to make sure you're not being MITM'd is to visually
verify that the domain checks out and that you are indeed connected using SSL.
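
The first-visit gap described in this comment, worked through as an added example (not from the thread): a toy model of a browser's HSTS store that only learns a policy from a response received over HTTPS, honours max-age and includeSubDomains, and consults a preload list before any response has been seen. Hostnames, the preload entry and timestamps are constructed.

```python
"""
Added example, not from the thread: a toy model of a browser's HSTS state,
to show why HSTS only protects visits made after the header has been seen over
HTTPS, and how the preload list closes that first-visit gap. Hostnames, the
preload entry and timestamps are all constructed.
"""

import re

# Constructed stand-in for the browser's built-in preload list
PRELOAD = {"preloaded.example"}


class HstsStore:
    def __init__(self, preload=PRELOAD):
        self.preload = set(preload)
        self.policies = {}   # host -> (expires_at, include_subdomains)

    def observe_response(self, host, scheme, headers, now):
        """Record the policy carried by a response. As in RFC 6797 the header is
        ignored on plain-HTTP responses, so a first visit made over HTTP teaches
        the client nothing."""
        if scheme != "https":
            return
        value = headers.get("strict-transport-security")
        if value is None:
            return
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", value, re.IGNORECASE)
        if not m:
            return
        max_age = int(m.group(1))
        include_sub = re.search(r"\bincludeSubDomains\b", value, re.IGNORECASE) is not None
        if max_age == 0:
            self.policies.pop(host, None)          # max-age=0 withdraws the policy
        else:
            self.policies[host] = (now + max_age, include_sub)

    def must_use_https(self, host, now):
        """True if a plain-http URL for host would be rewritten to https."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True                        # preload entries cover subdomains here
            pol = self.policies.get(candidate)
            if pol is None:
                continue
            expires_at, include_sub = pol
            if expires_at > now and (i == 0 or include_sub):
                return True
        return False


HSTS_HEADER = {"strict-transport-security": "max-age=31536000; includeSubDomains"}


def first_visit_over_http(now=1_000_000):
    """The first visit happens over plain HTTP (the header never arrives, or was
    removed in transit): the client learns no policy and keeps using HTTP."""
    store = HstsStore()
    store.observe_response("bank.example", "http", {}, now)
    return store.must_use_https("bank.example", now + 60)


def first_visit_over_https(now=1_000_000):
    """After one clean HTTPS visit the policy covers the host and its subdomains
    until max-age runs out."""
    store = HstsStore()
    store.observe_response("bank.example", "https", HSTS_HEADER, now)
    return (
        store.must_use_https("www.bank.example", now + 3600),        # True
        store.must_use_https("bank.example", now + 31536000 + 1),    # False: expired
    )


def preloaded_first_visit(now=1_000_000):
    """A preloaded host is upgraded even before any response has been seen."""
    return HstsStore().must_use_https("login.preloaded.example", now)


if __name__ == "__main__":
    print(first_visit_over_http(), first_visit_over_https(), preloaded_first_visit())
```

The expiry case is the other gap worth remembering: a policy that has lapsed because the user did not visit the site within max-age puts the next visit back in the unprotected first-visit state, which is why sites typically send a long max-age and why preloading is the only state that does not depend on a prior clean visit.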

------
tiatia
Don't like your MAC? Get a new one...

    import os
    import random
    import subprocess
    import sys

    # Interfaces whose hardware address gets replaced (as in the original script)
    interfaces = ["wlan1", "eth1"]

    # Keep a fixed OUI prefix and randomize only the low three octets.
    # randint(0, 255) formatted with %02X always yields exactly two hex digits
    # (the original randint(16, 256) could produce 256 -> "100", a malformed octet).
    mac = "00:07:E9" + "".join(":%02X" % random.randint(0, 255) for _ in range(3))

    if os.geteuid() != 0:
        sys.exit("must run as root to change hardware addresses")

    print(mac)

    # os.system('/etc/init.d/networking stop')
    for iface in interfaces:
        subprocess.run(["ifconfig", iface, "down"], check=True)
        subprocess.run(["ifconfig", iface, "hw", "ether", mac], check=True)
        subprocess.run(["ifconfig", iface, "up"], check=True)

    subprocess.run(["/etc/init.d/networking", "start"])
    subprocess.run(["ifconfig"])

    print("MAC changed...")
    print("new random MAC " + mac)

------
JoshGlazebrook
I've read about this kind of thing before, so when I'm in public, or even at
school I prefer to fire up my phone's personal hotspot instead of using any
public wifi available.

~~~
cbsmith
That's good, because now you are just broadcasting your phone's SSID & MAC
everywhere. ;-)

Seriously, just VPN over the hotspot.

~~~
ris
You have too much trust in your VPN provider.

~~~
cbsmith
Considering I look at his face in the mirror every morning when I get up, I
feel like that trust is justified.

------
tetraodonpuffer
why aren't 'known networks' gps-geofenced on smartphones? You have GPS, if your
previous 'known network' (say, home) was in location X, it should not
automatically connect (or even _try_ to connect) to it at X + 20 miles.

This way you should be able to keep your phone from connecting automatically
to (or even looking for) a network that shouldn't be there in that location in
the first place, and if you always tether to it it would work for your laptop
too...

~~~
janinge
For that to work the networks themselves would have to securely distribute a
list of locations, or it would have to be configurable on the devices. Many
business and educational networks (like eduroam) span multiple locations. Even
my "home" network is available multiple places (home, cottage, boat...).

Smartphones mostly use wireless networks and cell towers to determine their
approximate location, which can be easily spoofed, except for the current
active cell (which could be miles away). If devices had to acquire GPS fix
every time they reconnected to a network, batteries would drain much faster.
And satellite navigation doesn't work properly indoors. Civilian GPS can also
be spoofed.

Manufacturers would probably prioritize usability over rectifying such a
"problem" which never had bothered anyone before, except maybe if there was PR
involved. I think there's still no way to list all configured wireless
networks on iOS devices? Fixing this would probably improve privacy more (if
people cared) than this randomized MAC feature.

~~~
tetraodonpuffer
I am not really sure why networks would have to distribute a list of
locations: the default for connecting is simply 'do not autoconnect or look
for any network I have not already connected previously _in this location_ '.

If the user does not want to incur the GPS battery impact triangulating with
cell towers already should give you enough location information not to look
for your home network at work, or the network you saw in Spain last month when
you are in the Netherlands.

And finally obviously everything can be spoofed, however I don't think it's
reason enough not to have a minimal set of protections: the user can decide
how much battery to dedicate to the task (i.e. no checking, cell tower
checking, gps checking in increasing order of impact)
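
The policy tetraodonpuffer describes, with the three effort levels from the comment, as an added example that is not from the thread: a known network is only a candidate for auto-connect when the current position estimate lies within the radius the chosen check level allows, and a network may be remembered at several places (which covers the eduroam and home/cottage/boat cases raised above). The level names, radii and coordinates are constructed.

```python
"""
Added example (not from the thread): the location-gated auto-connect rule
tetraodonpuffer describes, with the three effort levels from the comment
(no check, cell-tower check, GPS check) expressed as how far the current
position estimate may be from a place where the network was joined before.
A network may be remembered at several places (home, cottage, campus), which
covers janinge's eduroam objection. All coordinates are constructed.
"""

import math

EARTH_RADIUS_M = 6_371_000.0

# Radius allowed for each check level. A cell-tower fix is coarse, so it gets
# a wide radius; a GPS fix a tight one; "none" disables the check entirely.
LEVELS = {"none": None, "cell": 5_000.0, "gps": 200.0}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class KnownNetworks:
    def __init__(self, level="cell"):
        if level not in LEVELS:
            raise ValueError("unknown check level")
        self.level = level
        self.places = {}   # ssid -> list of (lat, lon) where the user joined it

    def remember(self, ssid, lat, lon):
        """Called after a connection the user made deliberately."""
        self.places.setdefault(ssid, []).append((lat, lon))

    def may_autoconnect(self, ssid, lat=None, lon=None):
        """Should the device probe for / auto-join this SSID at the given estimate?"""
        places = self.places.get(ssid)
        if not places:
            return False                       # never joined deliberately
        radius = LEVELS[self.level]
        if radius is None:
            return True                        # user opted out of location checks
        if lat is None or lon is None:
            return False                       # no fix at the chosen level: stay quiet
        return any(haversine_m(lat, lon, plat, plon) <= radius for plat, plon in places)


def demo():
    home = (52.3700, 4.9000)        # constructed: somewhere in Amsterdam
    nearby = (52.3790, 4.9000)      # about 1 km north of home
    madrid = (40.4200, -3.7000)     # the "network you saw in Spain" case, seen from home

    results = {}
    for level in ("none", "cell", "gps"):
        kn = KnownNetworks(level)
        kn.remember("HomeNet", *home)
        results[level] = (kn.may_autoconnect("HomeNet", *nearby),
                          kn.may_autoconnect("HomeNet", *madrid))
    return results


if __name__ == "__main__":
    print(demo())
```

With the cell level the 1 km offset is accepted and Madrid is refused; with the GPS level even the 1 km offset is refused, which is the trade-off the comment describes: a tighter check costs more battery and rejects more legitimate reconnects.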

------
tcdent
How is he able to get them to trust the network? Is it common for software to
connect to known SSIDs without verifying any other information?

~~~
zokier
What "other information" is there to verify?

~~~
tcdent
Hardware ID/MAC address, for example.

~~~
nandhp
And how would you verify the MAC address of the router at the coffeeshop/train
station/bus?

~~~
lucb1e
You can't, of course. But even if you could, many networks allow for ARP
spoofing so connecting to the right access point is not really the solution.
And if ARP spoofing is not possible then you run airmon-ng and wireshark.
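
The ARP spoofing mentioned above is something a defender can watch for on the network, in the way tools such as arpwatch do. As an added example (not from the thread), here is a small monitor that keeps the last MAC seen claiming each IP address and raises an alert whenever a watched address (the gateway's) is suddenly claimed by a different MAC; the reply records are constructed, not captured traffic.

```python
"""
Added example, not from the thread: a small detector for the ARP spoofing
lucb1e mentions, in the spirit of what tools such as arpwatch do. It watches
the ARP replies seen on the LAN and raises an alert when an address that was
already learned (here the gateway's) is suddenly claimed by a different MAC.
The reply records below are constructed, not captured traffic.
"""

from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")


class ArpMonitor:
    def __init__(self, watched_ips=()):
        self.table = {}                    # ip -> mac last seen claiming it
        self.watched = set(watched_ips)    # empty = alert on any change
        self.alerts = []                   # (ts, ip, old_mac, new_mac)

    def observe(self, reply):
        """Feed one ARP reply; returns True if it triggered an alert."""
        mac = reply.sender_mac.lower()     # normalise case before comparing
        ip = reply.sender_ip
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is None or previous == mac:
            return False
        if self.watched and ip not in self.watched:
            return False
        # A legitimate NIC swap changes the mapping once; a poisoning attempt
        # typically makes it flip back and forth as the real host keeps answering.
        self.alerts.append((reply.ts, ip, previous, mac))
        return True


# Constructed ARP replies as a passive monitor on the LAN would record them
SAMPLE_REPLIES = [
    ArpReply(1.0,  "192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway answers normally
    ArpReply(2.0,  "192.168.1.20", "aa:bb:cc:00:00:20"),   # an ordinary client
    ArpReply(30.0, "192.168.1.1",  "AA:BB:CC:00:00:01"),   # same gateway, different case
    ArpReply(31.0, "192.168.1.1",  "aa:bb:cc:00:00:20"),   # client's MAC now claims the gateway IP
    ArpReply(32.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway answers again: flip-flop
]


def run(replies, watched_ips=("192.168.1.1",)):
    """Return the alerts produced by feeding the replies through one monitor."""
    mon = ArpMonitor(watched_ips)
    for r in replies:
        mon.observe(r)
    return mon.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_REPLIES):
        print("ALERT at t=%.0f: %s moved from %s to %s" % alert)
```

The monitor is deliberately stateful rather than per-packet: the signal is not "a MAC claimed the gateway" (every legitimate reply does) but "the mapping changed, and keeps changing", which is why both the 31.0 and 32.0 replies produce alerts while the case-only difference at 30.0 does not.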

------
goblin89
I wonder if it's true that iOS 8 only randomizes the device's MAC when the SIM
card is not installed[0]. Was stoked to learn about this feature, too bad it
apparently doesn't work as you'd expect it to.

[0] [http://9to5mac.com/2014/09/26/more-details-on-how-ios-8s-mac...](http://9to5mac.com/2014/09/26/more-details-on-how-ios-8s-mac-address-randomization-feature-works-and-when-it-doesnt/)

------
yuhong
I wonder if anyone has tried to use CloudCracker to sniff MS-CHAPv2 VPN
traffic.

------
ColinWright
[https://news.ycombinator.com/item?id=8461206](https://news.ycombinator.com/item?id=8461206)

