Tim Simons, UK Security Product Manager at Proact
Public Wi-Fi is everywhere – airports, trains, cafes, hotels – and we all like how convenient it is. It’s fair to say that most of us don’t really think about what might happen when we connect to these Wi-Fi points. Typically, a name such as “STARBUCKS_FREE_WIFI” instils enough confidence in us that we’re happy to connect. But how do we know this connection is legitimate, and can be trusted?
Imagine this – an attacker sets up a ‘rogue access point’ in a busy area like a shopping centre or train station, and waits to see who connects… and somebody does. It’s only a matter of time before the attacker is in complete control of that user’s internet connectivity and easily redirects them to fake websites. From these sites they aim to steal credentials or conduct some other type of malicious behaviour.
Another technique, called ‘evil twin’, allows the attacker to eavesdrop on connections to an existing Wi-Fi network. This method uses a cloned copy of the legitimate network to intercept communications, so even a place with a legitimate access point can present the same risk.
We refer to these as ‘man in the middle’ attacks. They’re a bit like a postman reading the correspondence between you and someone else by intercepting the mail, in either direction, at your local post office. Rogue access points provide the eavesdropper with the ability to see the communications between you and the websites you are accessing.
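From the defender’s side, the rogue access point and evil twin described above show up as anomalies in a Wi-Fi scan once you compare it against a baseline of the access points you actually operate. The Go program below is an added example and is not code from this article or from Proact: it flags a known network name broadcast by an unknown radio (an evil twin candidate), a known radio that has dropped to weaker security, and open networks that are not in the baseline at all and so cannot be verified. The baseline, the scan entries, the SSIDs and BSSIDs, and the type and function names are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Beacon is one access point as reported by a Wi-Fi scan (the fields a wireless
// tool normally lists). The scan data in main() is constructed for this example.
type Beacon struct {
	SSID     string
	BSSID    string // the access point's MAC address
	Channel  int
	Security string // "open", "wep", "wpa2" or "wpa3"
}

// KnownAP is one entry in the defender's baseline: an access point you actually
// operate, with the BSSID and security mode you deployed it with.
type KnownAP struct {
	SSID     string
	BSSID    string
	Security string
}

// Finding records a beacon that deserves attention and why.
type Finding struct {
	Beacon Beacon
	Reason string
}

// securityRank orders security modes so that a downgrade can be detected.
var securityRank = map[string]int{"open": 0, "wep": 1, "wpa2": 2, "wpa3": 3}

func norm(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// AuditScan compares a scan against the baseline and reports
//   - a baseline BSSID that now offers weaker security than deployed (downgrade),
//   - a baseline SSID broadcast by a BSSID not in the baseline (evil twin candidate),
//   - an open network that is not in the baseline at all (cannot be verified).
// Findings come back in scan order.
func AuditScan(baseline []KnownAP, scan []Beacon) []Finding {
	byMAC := map[string]KnownAP{}
	bySSID := map[string]KnownAP{}
	for _, k := range baseline {
		byMAC[norm(k.BSSID)] = k
		bySSID[norm(k.SSID)] = k
	}
	var findings []Finding
	for _, b := range scan {
		known, macKnown := byMAC[norm(b.BSSID)]
		twin, ssidKnown := bySSID[norm(b.SSID)]
		switch {
		case macKnown && securityRank[b.Security] < securityRank[known.Security]:
			findings = append(findings, Finding{b, fmt.Sprintf(
				"known BSSID offers %s instead of %s (downgrade)", b.Security, known.Security)})
		case macKnown:
			// one of our own access points behaving as deployed
		case ssidKnown:
			findings = append(findings, Finding{b, fmt.Sprintf(
				"SSID %q belongs to %s but is broadcast by unknown BSSID %s (evil twin candidate)",
				b.SSID, twin.BSSID, b.BSSID)})
		case b.Security == "open":
			findings = append(findings, Finding{b, "open network not in baseline; legitimacy cannot be verified"})
		}
	}
	return findings
}

func main() {
	// Constructed baseline and scan: one guest network we operate, then a scan
	// that contains the real AP, two look-alikes and an unrelated open hotspot.
	baseline := []KnownAP{{"Proact-Guest", "aa:bb:cc:00:00:01", "wpa2"}}
	scan := []Beacon{
		{"Proact-Guest", "AA:BB:CC:00:00:01", 6, "wpa2"},        // the real access point
		{"Proact-Guest", "de:ad:be:ef:00:01", 11, "open"},       // same name, unknown radio, no encryption
		{" proact-guest", "de:ad:be:ef:00:02", 6, "wpa2"},       // same name up to case and spacing
		{"STARBUCKS_FREE_WIFI", "11:22:33:44:55:66", 1, "open"}, // not ours, so nothing to check it against
	}
	for _, f := range AuditScan(baseline, scan) {
		fmt.Printf("%-20s %s ch%-2d %-5s %s\n", f.Beacon.SSID, f.Beacon.BSSID, f.Beacon.Channel, f.Beacon.Security, f.Reason)
	}
}
```

For a venue you operate, the baseline is simply the access points you deployed; for a personal device the same comparison can be run against the networks it has joined before, which is also why a familiar name on an unfamiliar BSSID should prompt a closer look rather than an automatic reconnect.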
What about encryption?
The vast majority of websites use encryption to keep your communications with them secure, preventing this kind of attack. But many users simply ignore warnings in their browser about trust issues and continue to the website, or accept a non-encrypted connection without giving it much thought. That said, browsers are getting better at enforcing protection and now display non-encrypted (http) websites as ‘non-secure’. However, it’s still relatively easy to miss the small warning that appears at the top of your browser window, and it can be dismissed if the user doesn’t think it’s relevant.
The idea is that the padlock symbol in the browser bar shows whether or not the website is trusted. This works through a system called PKI (public key infrastructure), in which a group of globally trusted organisations called CAs (certificate authorities), such as GeoTrust, DigiCert etc., issue digitally signed certificates to organisations to verify their identity to your browser. This ensures that when you see this padlock next to the likes of ‘netflix.com’ in your address bar, it’s the real Netflix that you’re actually connected to. It also means that communications are encrypted and secure, and only Netflix can use this certificate.
For example, when you go to Proact.eu, our certificate is issued by GeoTrust. Your browser automatically trusts GeoTrust as the CA and therefore trusts that the site belongs to Proact (i.e. GeoTrust takes steps to verify that we are Proact when we purchase the certificate).
So in other words the padlock should confirm you are safe! However, this can be manipulated…
Device browsers and apps are configured to trust a list of these CAs automatically, but additional CAs can also be added manually on the device itself, meaning it will equally trust any certificate they issue. In fact, many enterprises do this across their endpoints in order to monitor encrypted web traffic, and so do some governments. Recently Kazakhstan attempted to roll out a CA certificate to its citizens to enable the government to view all web traffic as it flowed through the national ISPs.
It’s more difficult to achieve, but the attacker could use the rogue access point to trick a more naive user into installing such a certificate, perhaps through exploiting some unpatched software on the device or simply convincing the user to install it themselves. Ever seen “install this for access to our internet”?
After all, hotels, trains, airports etc. often use captive web portals to get you to agree to terms of usage which means we’re familiar with this kind of interaction before getting online. Putting instructions into such a website can easily trick a user into following what they think are legitimate instructions in order to proceed. The attacker would then have full visibility of all the web traffic – encrypted or not!
This is a 10,000-foot view of an area that is very complicated, and attacks like these will not work with every user, device or application – but the key takeaway is that public Wi-Fi is not to be trusted and you should take precautions when connecting to it. Always avoid internet banking and other sensitive browsing, never download or install any software from websites or sign-in portals, and, where possible, avoid non-encrypted websites completely.
Using a VPN (virtual private network) is very effective, and if you don’t have one, tether your phone as a mobile hotspot. Cellular networks are relatively secure, as the resources and equipment needed to interfere with them are way beyond those of a hacker in a coffee shop with a Raspberry Pi.