Author(s): Jan Wiewiora, Posted 01/3/11
Say you’re sitting in an airport and want to send e-mails from your personal e-mail account. You start up your laptop and use your wireless software to look for the free Internet service that the airport has advertised. You see an SSID option labeled with something like “airport wireless,” and it’s unsecure. You might figure it’s unsecure because that makes it easier to use, so you click “connect.”
You open your browser and select your e-mail login from your favorites list. The login page appears. All looks normal. So you enter your user ID and password and start using your personal e-mail account.
The next day, you start getting e-mails and calls from friends telling you to stop sending them the inappropriate material that you’ve been clogging their inbox with. And they’re also asking why you’ve been asking for their credit card information. You try to log in to your e-mail account to see what’s going on, but the password has changed. What happened?
What happened was that your login information was captured by a rogue wireless access point. These scams have always been an issue, but the recent proliferation of wireless capabilities in laptops, tablets, and smartphones makes it easier to spoof unsuspecting users who don’t pay attention to how they use the Internet.
The scenario above is possible because of a vulnerability in wireless security that’s easy to exploit. Essentially this is a man-in-the-middle attack. It works partly because most people don’t look to see if they are using an HTTPS secure session, rather than an HTTP unsecure session. The rouge access point captures data from a wireless device and forwards it to the real site. So working as a proxy, it can capture whatever you send.
All the software tools needed for the exploit are free to download. All the hacker needs is a laptop with wireless and 3G/4G access. New smartphones combine all this in one small, easy-to-use package. They can set up rogue access points in any location including airports, coffee shops, libraries, or in your office parking lot.
What actually happens? When you go to a site’s homepage, it will most likely be something like: http://wwwthesite.com/. If the site offers secure content, it will probably have a user name and password field on the homepage. You type in your user name and password, and then hit return or submit. What really happens is that you get redirected to a secure site (HTTPS) for the login, but your user name and password were sent in plain (or easily readable) text to the server before redirection.
Anyone who can see network packets, including a hacker using a wireless packet sniffer like the one described later, would then have your user name and password. And if you use the same user name and password on multiple sites, you are really exposed.
To prevent this attack, always make sure you see HTTPS in the address bar when entering your user information. This will encrypt your user information even if you get connected to a rogue access point.
Another problem is that our devices want to connect to available wireless networks automatically. Many people just use the default, unsecure SSID that comes with their home wireless router. That’s why you often see the well-known Linksys label on unsecured networks when looking for wireless options.
Here’s another scenario to illustrate this point. You take your laptop to someone’s home or office and use their unsecure wireless, or go to a business meeting with a client and are told to, “just use our guest network to access your e-mail.” You know you’re safe on their network, so you connect, start your VPN, and get your e-mail. All is safe and secure for now.
Sometime later, you go to a coffee shop and decide to use their free wireless service. You turn on your laptop, and it automatically connects to a “guest” network. Your laptop thinks that’s OK because you’ve chosen that option before, and you assume it’s the coffee shop’s network. You don’t know that a few tables away, someone is operating a rogue access point and hoping you give them your unprotected information.
A wireless sniffer can detect your laptop trying to find SSIDs it has accessed in the past and use them to spoof your laptop this way. You might be surprised to be connected to what you think is your brother’s SSID even though you may be several thousand miles away from his home.
A similar type of threat is a sidejacking attack, where hackers set up sniffing tools to steal user identities. There’s a free browser plug-in that lets them view and use the identities they have captured. This vulnerability is exploited because many Internet service sites, including the popular social networking sites, don’t send all of the data securely when communicating with browsers.
In many cases, cookies containing user information are sent unsecure to the browser and can be identified with software like Firesheep. All identity thieves have to do is know what to look for. Unfortunately, there really isn’t a fix for this until the sites always use the secure session.
What are some best practices to avoid this vulnerability?
- When you want to log in to any site, make sure you see HTTPS in the address bar not HTTP. If it shows HTTP, then figure out what to click to get into a secure session. This will help keep your information safe.
- Don’t set up unsecure access points at home, and encourage others not to do so either.
- Don’t connect to unsecure access points if you can avoid it. But if you must, make sure it does not get set to “automatically connect” in the wireless profile.
- Delete unsecure wireless profiles from your wireless configuration whenever you can.
The statements posted on this blog are those of the writer alone, and do not necessarily reflect the views of Unisys.