Danny Moules, Jisc’s security assessment specialist, sets out the pitfalls of wifi complacency and offers some practical tips for real-world wifi defence.
In 2010, Firesheep was released. It was a tool that allowed anyone using the Firefox web browser to read anyone’s data, such as passwords, private messages or cookies, going across a public wifi network.
This wasn't new at the time. In fact, hackers had been able to do this for a long time. However, it hit the news, and people had to change how they used wifi networks.
Security when browsing in public
Public wifi (wifi without a password) isn't secure1. Adding a password to public wifi, even a password that everyone can read, helps protect against the theft of sensitive data. It's why, when we visit a coffee shop, we can't just connect to the wifi without getting the password.
On the face of it, it seems silly to have a post-it note on the counter with the wifi password which everyone knows, but that keeps your data safer.
Back in 2010 not many sites had HTTPS either. When Sophos rode a bike around London with an open wireless network in 2014, 78% of connections were unprotected by a VPN or HTTPS. When somebody used Firesheep, the data they stole from you wasn't protected.
But we've come a long way since then. When you visit Facebook or Twitter or your corporate sites, most of the time your connection will be encrypted to protect you from this sort of tomfoolery.
Firesheep was scary but you don't have to worry about your data getting sniffed off the wire anymore.
Except... are you connected to a network running older security protocols? Then a hacker might pull out attacks like chop chop, caffe latte, p0841, hirte (also known as cfrag) and other creatively-named mischief.
But probably not. Most wifi networks can't be hacked this way anymore either.
It helps to understand the warning signs that lead to these attacks (in the case of the above, WEP = very bad) but protocols only help so much.
Just how secure is your connection?
So, now let's ask:
- What is the wifi you're connected to?
- Is it the one you were told to connect to?
- Or is it an identical looking one being run by a hacker instead?
- Is someone trying to phish your passwords by tricking you into typing them to their own network when you think it's going out to the internet?
The interlocking layers of security that make up your wifi connection all rely on you being able to correctly identify the computers you connect to. Yet your operating system is constantly working to prevent you from the 'confusion' that comes with being able to see what's really happening under the hood.
In fact, the modern operating system often hides the details of when and where you connect, opting to use credentials shared across the cloud to maintain your connection transparently, even if this means walking right into a trap.
The risks with capture portals
The prevalence of capture portals, where a wifi service demands credentials or other sensitive information to let you access the system, creates an ecosystem where you expect to be challenged. This plays directly into a phisher's hands,
What's even worse, even legitimate wifi services typically demand that you can't access any HTTPS site because they need to hijack your insecure HTTP connection (in itself a man-in-the-middle attack!) in order to provide the capture portal service.
Although this isn't necessary anymore, as browsers offer better ways to do this, the practice persists and the risk remains.
Even if you know you're on a valid connection, what happens if an attacker launches a de-sync attack to disconnect you? Will your operating system just connect to the attacker's network automatically? Most likely. Managed frame protection adoption in the sector appears to be very low, as I've also noticed in other sectors, despite being very easy to achieve for most institutions.
Do the same problems apply to your corporate wifi, protected by ‘enterprise’ security? Some of them do, some of them don't. WPA2-Enterprise is technically complex to configure and there are lots of pitfalls that provide different levels of exposure.
A combined attack
Now what happens when our attacker combines this with other phishing or social engineering attacks?
Technical controls only achieve so much. Without threat modelling and a training element, expect to be outmaneuvered by penetration testers - and any of your own students with the knowledge and the inclination – pretty quickly, with criminals inevitably not far behind.
What if our attacker foregoes the wifi for your mobile phone network's base station instead? Hackers, as well as the authorities, have had the capability to hijack our calls and phone internet connection for a decade, while the price and technical complexity has dropped dramatically in the intervening years.
Android apps such as AIMSICD work for incident responders confirming an attack in progress but when every business call you make could be intercepted, how do you manage that everyday risk?
The introduction of WPA3 will shift the wifi security landscape but simply implementing it blindly will not address all these issues. Fundamentally, wireless technologies can't handle the load of the risk people often burden them with.
We need to think about how we can sustain digital enablement while accepting that we haven't educated users on all the risks, and nor can we. We need to consider whether IT's race towards reduced friction for users has led to greater risks. We also need to sustain a discussion about how wireless infrastructure is designed to meet the needs of different use cases, instead of a one size fits all, bring your own device (BYOD) approach.
- 1 Jisc services like eduroam, govroam and eVA comply with the best practices of wifi deployment and are a great way to provide safe connectivity to your visitors. Note also that Jisc’s public wifi DPS provides a secure offering, and isn’t the same thing that the author was concerned about.