More and more hotels, airports, and cafes are providing free WiFi. It’s a great, low-cost way for them to attract customers and a convenience for travelers. As with most things that are “too good to be true,” the convenience comes with a trade off. Logging in to one of these hotspots -- particularly one without a password -- exposes information to any number of compromises and attacks. And if someone logs into a corporate account from a public WiFi access point, then the corporate accounts become vulnerable, too. Understanding how these attacks work can help you secure your data and protect sensitive information.
The moment that you connect to a public WiFi network, you are sending information out into the world. There are three primary ways a bad guy can intercept this information:
- Sniffing: Unencrypted information passed over public airwaves can be captured and reassembled into usable information like passwords or cookies. Encryption helps, but some forms of encryption, especially older protocols like WEP, are so easy to crack at this point that they present only a minimum barrier to hackers. Mounting a sniffing attack requires almost no technical expertise on the part of the bad guys. Browser plug-ins and apps from popular app stores can turn a laptop or cell phone into a sniffer and a more powerful dedicated sniffing device can be purchased at a low cost at almost any electronics store.
- Rogue Access Points: This simple form of ‘man-in-the-middle’ attack is predicated on the fact that you do not really know what you are connecting to when you log on to a public hotspot. Let’s say you go to Starbucks and see that there are two public networks available: ‘Starbucks’ and ‘Starbucks Laptop Optimized.’ The latter has a stronger signal and it’s optimized for your laptop -- great, connect to that! But what have you just accessed?
To set up a rogue access point, all the attacker does is configure their laptop or device to act as a soft access point with an innocuous name as in the example above, creating a bridge between the victim and the real access point. From the victim side, everything looks fine -- they’re connected to the Internet and it’s business as usual. But every bit of information, password or access code, is captured by the attacker. If the information is unencrypted, it is immediately compromised. Even encrypted information is transmitted and, depending on the level and complexity of encryption, may be easily decoded.
- Evil Twin Attacks: This is a variant of the Rogue Access Point. Computers and cell phones generally store previously accessed networks so that they can automatically connect next time you are near the network. The bad guy can capture and broadcast an identical network name and trick the victim’s machine into connecting to the evil twin, while appearing to be connected to the legitimate hub instead. Then, as with a Rogue Access Point attack, all of the user’s information flows directly into the attacker’s device. Setting up an evil twin attack is low-cost and requires minimal technical knowledge.
To demonstrate how quickly and easily one of these attacks can be mounted, we got a hold of a device called WiFi Pineapple and a program called Karma. Together, these tools can automate the creation of the ‘evil twin’ access points and start collecting data.
The first step was to sniff out information to determine what previously accessed networks nearby devices were looking for. It is shocking that your phone, tablet or laptop will broadcast this information. Once we had the names of previously used access points, we could set up the rogue network. We have blurred out identifying information, but here are some of the network names we found as soon as we started to listen:
Once we had the names and set up the access points, it was a matter of only few minutes before several users connected to our ‘man in the middle.’ We conducted this test after business hours without much foot traffic and, again, identifying information has been blurred:
With the users connected, we received all Internet traffic transmitted and received via the rogue wifi connection. The image below is a packet capture of a user browsing Instagram. We could now view all images the user was browsing as well as any API calls:
The whole process was simple. The total cost was less than $100 and within an hour we were up and running, “stealing” data.
The fact is that we as users are victims of our own assumptions. We assume that our computer is clean and configured properly, especially if our IT department issued it. We assume that the network we connect to is what it says it is -- Airport Free WiFi, CoffeeHouseHub, etc. And when we see a form that asks us to type in our credentials, we do so without a second thought.
In some cases, these assumptions may be valid. But in others, they expose us to dangerous attacks. Ultimately, we are responsible for the security of our information, but as we’ve demonstrated, it is easy to think we’re doing the right thing, but actually doing wrong.
So how do we solve this? The old maxim that the only secure computer is the one that has never connected to the Internet rings true. We can try to limit ourselves to only known and trusted resources, but that’s not really practical.
The truth is we’re always using other peoples’ resources. Whether a borrowed iPad, a public WiFi or a web service, the compute stack isn’t controlled like it used to be. Silo - the cloud-based browser that our company develops - represents another option. With Silo, you don’t need to control all the variables, Silo creates an insulating wrapper that keeps apps and data safe. It does not matter if the device is infected with malicious software, for example ransomware, how it is connected to the internet, or who may be sniffing for information nearby. All activity in Silo takes place in a secure, one-time use sandbox so web data is secure. Silo communicates via an encrypted, remote display protocol.
Since no web code ever reaches the client’s device, there are no cookies, session keys, or other information to steal. All the real web activity happens in Authentic8’s secure sandbox, where the browser, the network and the destination web site and content can all be analyzed and verified.
If you log into a rogue access point by mistake but access your apps and internet through Silo, it’s like wearing an invisibility cloak behind enemy lines. You are in their territory, but they simply can’t see you.