Comments on: Steal His Wi-Fi

By: wintermute

wintermute — Fri, 01 Feb 2008 18:12:33 +0000

“change the DNS settings on most consumer routers without a password via UPnP” - I’m not convinced the Home Hub actually implements this properly - when I fire a LANHostConfigManagement:1#SetDNSServer at http://192.168.1.254/upnp/control/igd/lanhcm, all I get is a 501 Action Failed.

Admittedly there’s a lot of other stuff in LANHostConfigManagement that *does* work!

By: Adrian Pastor

Adrian Pastor — Thu, 24 Jan 2008 23:07:20 +0000

@Quake - So you always leave legitimate sites that show invalid certificates? Or do you actually take your time to find out the very reason why your browser complains about an “invalid” cert?

Of course you can force gmail to remain on SSL by accessing the site through a https URL. However, this is not the default. In other words, only geeks would bother to type “https://”, which means that most users’ gmail sessions travel in the clear after logging in.

Even the “My Account” homepage of google uses the cleartext http version of the gmail (”http://mail.google.com/mail”) URL: https://www.google.com/accounts/ManageAccount

By: Quake

Quake — Wed, 16 Jan 2008 14:51:51 +0000

I know I would notice if the certs were different and I developed much of my paranoia from reading Bruce for the last ~15 years, so I think Bruce would notice a MITM.

Gmail? If you use https://gmail.google.com to start the connection, then it does not drop back to HTTP.

By: Adrian Pastor

Adrian Pastor — Tue, 15 Jan 2008 22:59:27 +0000

Thanks for your feedback and nice comments Marchiner!

By: Marchiner

Marchiner — Mon, 14 Jan 2008 11:19:13 +0000

Hi… i agree with all of you here… wireless has many problems of security including industrial standards, bad user configurations, hardware limitations and many others. But… if i don’t pay attention in my own AP router … i believe that i am surrendering my self to many threats, and this is not what we intend to do right? If we follow the idea of forget the security of ours owns APs, probably we will have many problems coming soon. I a country that has laws that can arrest someone for web attacks, i believe that is not good try to explain in court that “someone” was using your AP (”Internet”) to attack some target. Imaging that the “wireless signal thief” has successful, against a “big target” like something that can stop a public service or against a government piece , and some cops come to knock in your door in the middle of the night!

I prefer to keep protecting my own AP as i its possible, and donÂ´t use free hotspots.

And to finish here… nice post Adrian.

By: Adrian Pastor

Adrian Pastor — Sat, 12 Jan 2008 00:42:46 +0000

btw, I meant “identity” rather than “identify”

By: Adrian Pastor

Adrian Pastor — Fri, 11 Jan 2008 20:00:36 +0000

@shitbull - haven’t you seen Defcon’s wall of sheep? You would think that people that assist a hacking/infosec event would know better, but the amount of passwords sniffed from cleartext protocols speaks for itself! I remember being wowed when seeing several big consulting firms domains among the email accounts compromised.

Regarding invalid SSL cert dialog boxes, users *are* used to accept them most of the times since even legitimate sites make browsers show such dialog boxes. ie: due to not trusted CA, expired certificate or even missmatching between the site’s domain name and cert’s CN field. Plus, as I said, cookies travel in the clear on most sites. The amount of auth data traveling in the clear when we’re online is crazy.

1. Get gmail cookie via wifi sniffing @ starbucks (gmail downgrades to HTTP after authenticating)
2. Add a filter that forwards victim’s emails to the attacker’s
3. Start compromising victim’s online identify by requesting “reset/recover password” emails from all sites the victim accesses

In my opinion there is a clear problem here.

@Daniel - perhaps the reason why a lack of common sense is present on Bruce’s article is because he’s helping his employer (BT) promote the new FON service.

By: sal-e

sal-e — Fri, 11 Jan 2008 18:21:20 +0000

I have one more idea, Can I borrow Bruce connection to download DVDs, CDs and etc? Then I’d like to here Bruce’s explanations when the RIAA and etc Intellectual Monopolists ask him to show in court! Is he really believes what he wrote or he is forced to protect someone, really ’stupid’ at BT?
I don’t know how much money I can steal from Bruce’s bank account, but I know any teenager will be more then happy to run his BitTorrent client from his IP!

By: pdp

pdp — Fri, 11 Jan 2008 16:25:02 +0000

Daniel, I am not even sure that common sense exists when it comes to security. :)

By: Daniel

Daniel — Fri, 11 Jan 2008 16:22:14 +0000

Another thing Bruce hasn’t taken into consideration are the laws in the territory your wireless is situated.

Let’s see, I visit the UK and decide I want to run a “hacking” tool like, oh i don’t know.. perl, but I’ve had my fair share of being in court and fighting the CPS so I look for someone else with free wireless and download it and run it from their connection.

End result is the owner of the wifi might be visited by Britains most useless and end up being charged, all because they dared to offer free wireless.

Common sense is often forgotten with security, and i’ve yet to find out why :0)

By: BoBaLeX

BoBaLeX — Fri, 11 Jan 2008 14:47:56 +0000

Thanks for this article :)! And, YES, Wi-fi is definitely unsecure!

By: shitbull

shitbull — Fri, 11 Jan 2008 11:39:25 +0000

You are wrong here.
Because, you guys think that everyone is using POP3, IMAP, FTP and are clicking on fake certs.

The problem is not in arp spoofing or MITM’ing, the problem is in insecure upper layer protocols.

Using WPA2 on your home wifi network doesn’t help anyway, because attacker has bunch of ways to sniff and mitm on network points of which you have no control.

I agree with ptacek about why dnssec is pointless anyway.