Steal His Wi-Fi

Leaving your WiFi network open is not a good idea. Bruce Schneier does not agree and wrote an interesting article. The following is an extract of it:

I'm also unmoved by those who say I'm putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much. Wired

Although Bruce is making some good points regarding the smaller likelihood of being attacked via wifi at home as opposed to a public place, he makes one mistake: he assumes the attack will be an attempt to compromise his PC/laptop or eavesdrop his traffic. Of course these are valid attacks, but how about attacking his router? In all these three attacks the victim is ultimately a user: Bruce in this case, but the nature of the attack is different.

Let's think about it: who gives a darn about compromising your computer when you can change the DNS settings on most consumer routers without a password via UPnP? We've said it before here at GNUCITIZEN: people are stuck on the old-school mentality of rooting the user's box. Things have changed. Your data is now online, your router is a computer much more insecure than you XP desktop that runs an AV + firewall and updates itself automatically on a regular basis. For instance, did you know that CSRF attacks against home routers have already been intercepted in the wild which change DNS setting in order to phish banking login details!

Of course the wireless sniffing attacks could also have terrible consequences. Most sites send cookies in the clear, even the ones that encrypt the connection when submitting passwords. Getting your gmail account hijacked could lead to really bad things. However, I do agree with Bruce that is much more likely that someone will perform wireless sniffing attacks on public places such as airports and coffee shops, since many more victims can be attacked at once.

Regarding "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter" I couldn't disagree more strongly! This would perhaps be only true if your computer wasn't part of a network (isolated), and yes, I'm ignoring physical attacks from the picture. However, being on a wireless network will expose sensitive information on your Internet traffic since now you depend on websites enforcing encryption at all times, not to mention clear-text protocols such as POP3, IMAP, FTP, etc. Even if all traffic was always encrypted - which won't happen unless you tunnel it via VPN - SSL MITM would still be possible. Of course Bruce would get an invalid SSL certificate dialog box when visiting sites, but would he click on "Cancel"? Hmmm, maybe not! Also again, even if your computer is secured, your router could be compromised (i.e: weak pwd, auth bypass or UPnP) which means that the attacker controls the flow of your traffic among other attacks!

pdp and I propose a friendly challenge to Bruce: let us drop by your place and give us a chance to convince you that the threat is more than you think by simply testing a few attacks on your router (BT Home Hub as he works for BT?).

Archived Comments

shitbull

You are wrong here. Because, you guys think that everyone is using POP3, IMAP, FTP and are clicking on fake certs. The problem is not in arp spoofing or MITM'ing, the problem is in insecure upper layer protocols. Using WPA2 on your home wifi network doesn't help anyway, because attacker has bunch of ways to sniff and mitm on network points of which you have no control. I agree with ptacek about why dnssec is pointless anyway.

BoBaLeX

Thanks for this article :)! And, YES, Wi-fi is definitely unsecure!

Daniel

Another thing Bruce hasn't taken into consideration are the laws in the territory your wireless is situated. Let's see, I visit the UK and decide I want to run a "hacking" tool like, oh i don't know.. perl, but I've had my fair share of being in court and fighting the CPS so I look for someone else with free wireless and download it and run it from their connection. End result is the owner of the wifi might be visited by Britains most useless and end up being charged, all because they dared to offer free wireless. Common sense is often forgotten with security, and i've yet to find out why :0)

pdp

Daniel, I am not even sure that common sense exists when it comes to security. :)

sal-e

I have one more idea, Can I borrow Bruce connection to download DVDs, CDs and etc? Then I'd like to here Bruce's explanations when the RIAA and etc Intellectual Monopolists ask him to show in court! Is he really believes what he wrote or he is forced to protect someone, really 'stupid' at BT? I don't know how much money I can steal from Bruce's bank account, but I know any teenager will be more then happy to run his BitTorrent client from his IP!

Adrian Pastor

@shitbull - haven't you seen Defcon's wall of sheep? You would think that people that assist a hacking/infosec event would know better, but the amount of passwords sniffed from cleartext protocols speaks for itself! I remember being wowed when seeing several big consulting firms domains among the email accounts compromised. Regarding invalid SSL cert dialog boxes, users *are* used to accept them most of the times since even legitimate sites make browsers show such dialog boxes. ie: due to not trusted CA, expired certificate or even missmatching between the site's domain name and cert's CN field. Plus, as I said, cookies travel in the clear on most sites. The amount of auth data traveling in the clear when we're online is crazy. 1. Get gmail cookie via wifi sniffing @ starbucks (gmail downgrades to HTTP after authenticating) 2. Add a filter that forwards victim's emails to the attacker's 3. Start compromising victim's online identify by requesting "reset/recover password" emails from all sites the victim accesses In my opinion there is a clear problem here. @Daniel - perhaps the reason why a lack of common sense is present on Bruce's article is because he's helping his employer (BT) promote the new FON service.

Adrian Pastor

btw, I meant "identity" rather than "identify"

Marchiner

Hi... i agree with all of you here... wireless has many problems of security including industrial standards, bad user configurations, hardware limitations and many others. But... if i don't pay attention in my own AP router ... i believe that i am surrendering my self to many threats, and this is not what we intend to do right? If we follow the idea of forget the security of ours owns APs, probably we will have many problems coming soon. I a country that has laws that can arrest someone for web attacks, i believe that is not good try to explain in court that "someone" was using your AP ("Internet") to attack some target. Imaging that the "wireless signal thief" has successful, against a "big target" like something that can stop a public service or against a government piece , and some cops come to knock in your door in the middle of the night! I prefer to keep protecting my own AP as i its possible, and don´t use free hotspots. And to finish here... nice post Adrian.

Adrian Pastor

Thanks for your feedback and nice comments Marchiner!

Quake

I know I would notice if the certs were different and I developed much of my paranoia from reading Bruce for the last ~15 years, so I think Bruce would notice a MITM. Gmail? If you use https://gmail.google.com to start the connection, then it does not drop back to HTTP.

Adrian Pastor

@Quake - So you always leave legitimate sites that show invalid certificates? Or do you actually take your time to find out the very reason why your browser complains about an "invalid" cert? Of course you can force gmail to remain on SSL by accessing the site through a https URL. However, this is not the default. In other words, only geeks would bother to type "https://", which means that most users' gmail sessions travel in the clear after logging in. Even the "My Account" homepage of google uses the cleartext http version of the gmail ("http://mail.google.com/mail") URL: https://www.google.com/accounts/ManageAccount

wintermute

"change the DNS settings on most consumer routers without a password via UPnP" - I'm not convinced the Home Hub actually implements this properly - when I fire a LANHostConfigManagement:1#SetDNSServer at http://192.168.1.254/upnp/control/igd/lanhcm, all I get is a 501 Action Failed. Admittedly there's a lot of other stuff in LANHostConfigManagement that *does* work!