Beware the Airport Wireless

schwit1 writes to tell us that a recent study by a Silicon Valley-based security company shows that black-hats have been ramping up their use of tempting free or unsecured wireless access points in high travel areas like airports and hotels. "According to their study, even the 'secure' networks weren't all too safe. Eighty percent of the private Wi-Fi networks at airports surveyed by Airtight were secured by the aging Wired Equivalent Privacy (WEP) protocol, which was cracked back in 2001. Almost as many — 77 percent — of the networks they surveyed were actually private, peer-to-peer networks, meaning they weren't official hotspots. Instead, they were running off someone else's computer."

Old

[sopssa]

Isn't this quite old story? Already years ago I read that people have been setting their own hotspots near crowded places, and it works good because if you get better signal than the official hotspot the computers usually pick your hotspot first. This was even covered in The Real Hustle [youtube.com] many seasons ago.

And for that matter, you're in a insecure place connecting via some random network. Its just stupid.

Re:Ahh, the old "Free Public WiFi" issue

[Anonymous Coward]

A few years ago, I was at a SANS security course being hosted at the University of Minnesota. One of the tools we were using was Cain & Abel. The people at the university who had set up Wi-Fi for the class of 125 students had done a horrible job, a bunch of Apple Airports, all sharing the same SSID and the same channel, and each performing their own NATing. You'd bounce between APs and get IP collisions as you'd hit someone who already had that IP on the other AP. It was a total joke, and if you were lucky, you'd maybe get 10-20 minutes of working internet before it'd die again. So, I bought a day pass from the Starbucks access point in the lobby downstairs, which was very reliable by comparison. I then remembered I had my little Apple Airport Express in my bag that I carried with me for when I traveled to hotels that didn't have wireless, so I could set up my own network and sit in the bed, rather than at a desk chair. I used that to create an infrastructure wireless access point called "Free Better Internet" and routed all the traffic through my laptop back to the Starbucks AP downstairs. People would get so frustrated using the shoddy supplied internet that they'd try the other SSIDs they'd see in the list. I then turned on Cain & Abel, and within a couple of hours, I had over 700 username & password combinations, and this was in a class where they handed me the tool to do it on the class CD, and we were talking about it! The looks on my classmates faces when I showed them their usernames and passwords were priceless. I was amazed that large research schools weren't even using SSL on their IMAP connections, and I had a ton of AIM and ICQ passwords, not to mention dozens of web site passwords, even my co-worker's password to her World of Warcraft Guild web site! :) The moral of the story, is that even "smart" people, who know exactly what the risks are, and who know how to use a VPN, will give up a LOT of security in exchange for free internet access!

Re:relay

[Anonymous Coward]

(New Hampshire is the one that touches the ocean. The other one is Vermont, which is the one that touches Canadia.)

Canadia? [urbandictionary.com]

Re:SSL?

[Runaway1956]

You should read more. There's a book out, "Beautiful Security". There is a chapter devoted to airport wireless. Joe Sixpack doesn't look at the SSL certificate, doesn't even notice the little lock emblem. Even a lot of "sophisticated" people continue doing their banking, rationalizing the absence of the secure symbol. The author of the section has collected TONS of personal details by spoofing a WIFI service at an airport.

Re:they were running off someone else's computer

[Anonymous Coward]

only problem is, that u have to be an uber-dork to exploit them... meaning extensive programming knowledge which i doubt any aviation worker has.. so it's a false warning really, as nobody is truly going to attack a single laptop on an airport (your not gonna do online-banking on a public connection, unless your an idiot...)

A black hat is, however, going to be perfectly happy with leaving the trojan on your PC so that, when you get back home and log into your bank from your "secure" connection, you're pwn3d.

All it would take is a few hours running a properly-configured (2 network interfaces, one to the airport's wireless, one acting as the WAP) laptop doing DNS redirects on common banner-ad hosting sites to run the malicious Javashit, Flash, or even just replace the ads with a .gif/.jpg/ that contains suitably-malformed headers/metadata.

Re:Old

[cbiltcliffe]

Your education is your responsibility. It's assumed that if you're installing a wifi router, you will do your homework on how to set it up and read all the included documentation.

The local major DSL provider to me used to provide DSL modem/routers to their customers with built in wireless. The wireless was disabled by default.
When you went through the initial setup, though (had to do it before the router would let you online) it encouraged you - strongly...it would have been hard for a non-techie user to figure out how to avoid it - to enable wireless.
When setting up the encryption, it had four radio button options that looked like this:

O No encryption.
O 64 bit WEP
O 128 bit WEP (recommended)
O WPA-PSK

So the recommended option was something that could be broken into in 15 minutes or so.

About a year ago, they stopped distributing those routers, and started sending out a different type, that come by default with 128 bit WEP enabled, and with the customer's username/password pre-programmed, so the documentation just says "Your router is preconfigured. Just plug it in, and it will connect and work properly."

Microsoft's web site says if you must use WEP, change your key once a month, so if somebody gets the key, they'll be locked out again. So out of the 43200 minutes in an average month, you'll only be vulnerable for 43185 of them if you follow Microsoft's advice.

Most of the computer stores in my city are still using WEP on their networks. If the customer hires them to set up their network properly, they'll still end up hackable.

Then, on top of that, very few techs even know of the vulnerabilities in WPA. If you use a passphrase that's in a dictionary/wordlist/phraselist somewhere, you can still be broken into, even using WPA. It's a little harder, as it requires a legitimately connected client, which WEP doesn't, but it also doesn't require anywhere near the amount of wireless traffic collection that WEP does.
30 seconds will typically be long enough to collect the data you need, then you can go crack remotely, whereas WEP requires 5-15 minutes worth of data collection.

The bottom line is, you can't trust the documentation, you can't trust the advice from the "experts," and you can't trust articles you read on the Internet. The only real way to be secure is to ask somebody who knows how to break into these things if they can break into yours. If they can't, you're probably safe.