27

I've read that they can see what sites you're viewing or even access your computer if you're connected on the same WIFI connection, but how exactly?

1
  • BackTrack, a Debian-based Linux distro, is frequently used for this. It's often the OS of choice for both Black Hats and White Hats.
    – Blomkvist
    Commented May 11, 2011 at 15:57

5 Answers

41

Some clarifications should be made. Firstly, an attacker can only trivially perform the following techniques if the public Wi-Fi is totally unencrypted (which is to say, does not require a password) or is implementing the weak WEP privacy protocol. To ensure greater security, wireless networks can use the WPA or WPA2 certifications. As pointed out by @BlueRaja in the comments on this post, WPA and WPA2 use tougher security protocols, called TKIP and CCMP. Both WPA and WPA2 support TKIP, but only WPA2 supports CCMP, which is much more secure. In an ideal world, WPA2 using CCMP would be in use in all places. (There is also a whole world of room to talk about WPA2-Personal versus WPA2-Enterprise, but that is another question.) For the purposes of this answer, we'll assume that no password is present, and so the network is entirely unencrypted.

The answers by Spiff and diogo_rocha both point out packet sniffing, which is the simplest form of intrusion. A free program like tcpdump can be used to capture all of the data sent over the wireless connection, including both traffic to or from your computer. Thus, any unencrypted internet traffic to/from your computer can be transparently viewed, either at the time or later. In the simplest case, this includes every website you visit, but if the websites in question don't use HTTPS (the green lock symbol in your browser bar), this can include passwords and usernames. This is BAD.

Spiff mentioned weak intrusion points, either through VNC (or SSH on Unix-based machines) or known vulnerabilities. A tool like nmap can be used to quietly scan a machine for any services you may have left open, and can then be used to attempt to break into them. In particular, remote desktop and screen sharing allow for simple visual observation of all behaviour on your machine.

Unpatched exploits are worse. Using these, an attacker can run arbitrary code on your machine. Most commonly, this will involve installing some piece of spyware, such as a keylogger. Again, on an open wireless network, if you have such a vulnerability it can be quite simple to locate using nmap, and the Metasploit Framework provides free access to a huge number of known vulnerabilities. This is why security professionals and savvy computer users insist that you should always apply patches and updates ASAP, unless you have a very good reason not to. On a Windows machine, turn automatic updates on.

Additionally, as mentioned by both @yosh m and @Scott Chamberlain, session hijacking became a major news item in the past few months, and this is also relatively simple to implement over open WiFi. For me to explain what this is, you need to understand that when you log in to a site, your login is stored in a browser cookie, so that the website knows that each new connection is still you (this is an enormous oversimplification, but for space considerations I won't elaborate: see the Firesheep link in this paragraph for more info). Unfortunately, if HTTPS is not used (or a man-in-the-middle attack is used to set up a false HTTPS connection, see next paragraph), these cookies are sent in plaintext and broadcast to the entire wireless network. Thus, anyone who is listening for it can catch that cookie, and piggyback on your session. This was implemented in a Firefox plugin called Firesheep. A great discussion from the author of the plugin is here: http://codebutler.com/firesheep-a-day-later , and you can find the plugin yourself with no real difficulty. The simplest way to protect yourself from this is to ensure that you are always using HTTPS to send your credentials and establish connections with authenticated services.

Finally, open wireless networks enable attacks known as Man-In-The-Middle attacks. These are when a machine intercepts your traffic intended for a third party, adjusts or records it, and then sends it on. This can be implemented when you believe you are using HTTPS, and as a result caution should be used on open wireless networks even when HTTPS would cause you to believe you are safe.

Although you didn't directly ask it, I'll quickly suggest the easiest way to avoid these problems: set up and use a VPN whenever you use an unsecured wireless network, and make sure you know how your firewall works. Both of these things can be investigated with a quick Google search, and should mitigate all of the problems I mentioned.
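The session-hijacking paragraph above boils down to one server-side mistake: a session cookie that the browser is allowed to send over plain HTTP. As an added example (not part of the original answer), the check below audits constructed response headers for that mistake: a `Set-Cookie` without `Secure` or `HttpOnly`, and a response without `Strict-Transport-Security`, which is what lets a first request on open Wi-Fi go out unencrypted. The header samples are made up for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: sessionid=abc123; Path=/",
    "Set-Cookie: prefs=dark; Path=/; Secure",
    "Content-Type: text/html",
]
HARDENED_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Content-Type: text/html",
]


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()   # flags like Secure have an empty value
    return name, attrs


def audit_response(headers: List[str]) -> List[str]:
    """Return one finding per weakness that would let a sniffer on open Wi-Fi reuse the session."""
    findings: List[str] = []
    if not any(h.lower().startswith("strict-transport-security:") for h in headers):
        findings.append("no Strict-Transport-Security: a typed-in URL may first go over plain HTTP")
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(h.split(":", 1)[1])
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: the browser will send it over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by script on the page")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```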

12
  • 3
    Great post, but you never really talk about session hijacking, for example, what Firesheep does. I bet money that the OP heard something about Firesheep and came here to ask about that. Commented May 11, 2011 at 19:22
  • 3
    Nitpick: WPA and WPA2 are not protocols (like WEP), they are certifications. "WPA" means it supports the weaker TKIP protocol, and "WPA2" means it supports both TKIP and CCMP protocols. The distinction is important, because someone with a WPA2 router may believe they are using the more secure protocol (CCMP), when really they are using the weaker protocol (TKIP). Commented May 11, 2011 at 20:29
  • 6
    HTTPS on unsecured networks with a modern web browser is perfectly safe and not vulnerable to man-in-the-middle attacks, without plenty of warning by the browser of how the certificate isn't valid. The HTTPS handshake first checks with the server that its certificate for the site is valid from a trusted authority for the specific domain, then your browser generates a master secret, encrypts it with the server's public key, sends it back to the server encrypted, and then the master secret is used by both client and server to create a symmetric key. support.microsoft.com/kb/257591
    – dr jimbob
    Commented May 11, 2011 at 20:40
  • 1
    @jimbob: Unfortunately, government intervention isn't necessary. There have been a few high-profile news stories recently of CAs who have handed out certs for sites including skype.com, facebook.com and addons.mozilla.com to a guy from Iran. This is a single instance, but it does happen. With a bit of social engineering, it is perfectly possible to fraudulently obtain a cert. While I make a habit of checking the certs of the sites I visit, and pay attention to browser warnings, many don't. Add to that the ease of intercepting traffic on an unsecured wireless network, and you see my concern.
    – Lukasa
    Commented May 12, 2011 at 8:30
  • 3
    Public hotspots that use WPA[2] almost always do so with a single Pre-Shared Key (a.k.a. WPA[2]-PSK, WPA[2] Personal) that everyone on the hotspot uses. Used this way, anyone on the network can forge a deauth to your computer, capture your next key handshake, and then decrypt all your WPA/WPA2 encrypted traffic from then on. That doesn't get them around replay counters and such so it makes you less vulnerable to wireless MitM attacks and session hijacking, but they can still see your unencrypted web surfing. WPA2-PSK isn't any better than WPA-PSK in this respect.
    – Spiff
    Commented May 12, 2011 at 17:09
7

For a sobering (and scary) look at some of the things they can easily do, take a look at Steve Gibson's discussion of Firesheep located at http://steve.grc.com/2010/10/28/why-firesheeps-time-has-come/ - and also a discussion of how hotspot owners can easily protect against that exploit.

1
6

For seeing the sites you're viewing, they just have to run a packet sniffer tool that captures all the network traffic being transmitted over the air. Unencrypted HTTP traffic is simple to reconstruct.

As to viewing your computer, some people leave file sharing and/or Remote Desktop/VNC/Screen Sharing enabled with exceedingly weak passwords. It's also possible they could use known unpatched security exploits in your machine to gain access.

1
  • 1
    +1 Very easy and all too common. Some even set up a fake hot spot with a common name to attract users.
    – Dave M
    Commented May 11, 2011 at 13:53
2

Another potential danger with public WiFi is the existence of "Rogue Access Points", especially the Evil Twin variant.

Simply put, an attacker creates a wireless access point with the same name and (spoofed) MAC address as a real AP near the victim's computer -- say, for example, Starbucks.

The attacker can then send de-authentication packets, causing all connected clients to disconnect from the real Starbucks network. When the affected devices attempt to reconnect, they will instead connect to the "Evil Twin" access point (so long as it is broadcasting a stronger radio signal).

An attacker can then perform a person-in-the-middle attack on affected devices, allowing for e.g. session hijacking and other attacks outlined by the above posters.
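The two observable symptoms of the Evil Twin sequence described above are a burst of deauthentication frames and one SSID/BSSID pair beaconing from more than one place. As an added example (not from the original answer), the detector below runs both checks over a constructed wireless frame log; the `key=value` log format, the thresholds and the MAC addresses are all made up for illustration.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed management-frame log, one frame per line (not a real capture).
FRAME_LOG = """\
ts=100 type=beacon ssid=Starbucks bssid=00:11:22:33:44:55 channel=6
ts=101 type=beacon ssid=Starbucks bssid=00:11:22:33:44:55 channel=6
ts=102 type=beacon ssid=Starbucks bssid=00:11:22:33:44:55 channel=11
ts=103 type=deauth bssid=00:11:22:33:44:55 dst=aa:bb:cc:dd:ee:01
ts=103 type=deauth bssid=00:11:22:33:44:55 dst=aa:bb:cc:dd:ee:02
ts=104 type=deauth bssid=00:11:22:33:44:55 dst=aa:bb:cc:dd:ee:03
ts=104 type=deauth bssid=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
ts=105 type=deauth bssid=00:11:22:33:44:55 dst=aa:bb:cc:dd:ee:01
ts=106 type=beacon ssid=Starbucks bssid=00:11:22:33:44:55 channel=11
ts=200 type=beacon ssid=Library bssid=66:77:88:99:aa:bb channel=1
ts=300 type=deauth bssid=66:77:88:99:aa:bb dst=aa:bb:cc:dd:ee:09
"""

DEAUTH_THRESHOLD = 4   # assumed: this many deauths from one BSSID within WINDOW seconds is a flood
WINDOW = 10            # seconds


def parse_frames(log: str) -> List[Dict[str, str]]:
    """Turn key=value lines into dicts; blank lines are skipped."""
    return [dict(kv.split("=", 1) for kv in line.split()) for line in log.splitlines() if line.strip()]


def detect(frames: List[Dict[str, str]]) -> List[str]:
    """Flag an SSID/BSSID seen on several channels and deauth bursts per BSSID."""
    alerts: List[str] = []
    channels = defaultdict(set)            # (ssid, bssid) -> channels it beaconed on
    deauth_times = defaultdict(list)       # bssid -> timestamps of deauths it "sent"
    for f in frames:
        if f["type"] == "beacon":
            channels[(f["ssid"], f["bssid"])].add(f["channel"])
        elif f["type"] == "deauth":
            deauth_times[f["bssid"]].append(int(f["ts"]))
    # A twin that copies the real BSSID still usually sits on another channel;
    # one on the same channel only shows up through the deauth check below.
    for (ssid, bssid), chans in channels.items():
        if len(chans) > 1:
            alerts.append(f"possible evil twin: {ssid} ({bssid}) on channels {sorted(chans)}")
    for bssid, times in deauth_times.items():
        times.sort()
        for i, start in enumerate(times):               # sliding window over sorted timestamps
            count = sum(1 for t in times[i:] if t - start <= WINDOW)
            if count >= DEAUTH_THRESHOLD:
                alerts.append(f"deauth flood: {count} frames from {bssid} within {WINDOW}s from ts={start}")
                break
    return alerts


if __name__ == "__main__":
    print("\n".join(detect(parse_frames(FRAME_LOG))))
```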

1

One of the techniques is sniffing the packets that the Wi-Fi router/switch is routing; however, most current Wi-Fi routers use cryptography to encrypt the data in travelling packets. What a hacker could do in this case is use brute force to discover the cryptographic key (in this case, when you are using a low-level cryptographic algorithm like WEP). Nowadays most Wi-Fi modems use the 802.11n protocol, which uses high-level cryptographic algorithms.
