Say you are sitting in an airport and want to send emails from your personal email account. You start up your laptop and use your wireless software to look for the free internet service that the airport has advertised. You see an SSID option labeled with something like “airport wireless,” and it’s unsecure. You might figure it’s unsecure because that makes it easier to use, so you click “connect.”
You open your browser and select your email login from your favorites list. The login page appears. All looks normal. So you enter your user ID and password and start using your personal email account.
The next day, you start getting email and calls from friends telling you to stop sending them the very inappropriate material they have been receiving in emails from you. And they are also asking why you are asking for their credit card information. You then try to log in to your email account, but the password has changed. What happened?
What happened was that your login information was captured by a rogue wireless access point. These scams have always been an issue, but the recent proliferation of wireless capabilities in laptops, tablets and smartphones makes it easier to spoof unsuspecting users. This is possible because people don’t pay attention to how they use the internet.
The scenario above is possible because of a vulnerability in wireless security that can be easily exploited. Essentially this is a man-in-the-middle attack. It works partly because most people don’t look to see if they are using an HTTPS secure session, rather than an HTTP unsecure session. The rogue access point captures data from a wireless device and forwards it to the real site. Working as a proxy, it can capture whatever you send.
All the software tools needed for the exploit are freely downloadable, and all the hacker needs is a laptop with wireless and 3G/4G access. New smartphones combine all this in one small, easy-to-use package. They can set up rogue access points in any location including airports, coffee shops, libraries or in your office parking lot.
What actually happens? When you go to a site’s homepage, it will most likely be something like “HTTP://WWW.THESITE.COM/.” If the site offers secure content, it will probably have a user name and password field on the homepage. You type in your user name and password, and then hit return or submit. What really happens is that you get redirected to a secure site (HTTPS) for the login, but your user name and password were sent in plain (or easily readable) text to the server before redirection.
Anyone who can see network packets, including a hacker using a wireless packet sniffer like the one described later, would then have your user name and password. And if you use the same user name and password on multiple sites, you are really exposed.
To prevent this attack, always make sure you see “HTTPS” in the address bar when entering your user information. This will encrypt your user information even if you get connected to a rogue access point.
Another problem is that our devices want to connect to available wireless networks automatically. Many people just use the default, unsecure SSID that comes with their home wireless router. That’s why you often see the well-known “Linksys” label on unsecured networks when looking for wireless options.
Here’s another scenario to illustrate this point. You take your laptop to someone’s home or office and use their unsecure wireless or go to a business meeting and your client says, “Just use our guest network to access your email.” You know you are safe on their network, so you connect, start your VPN and get your email. All is safe and secure for now.
Sometime later, you go to a coffee shop and decide to use their free wireless service. You turn on your laptop, and it automatically connects to a “guest” network. Your laptop thinks that’s okay because you’ve chosen that option before, and you assume it’s the coffee shop’s network. You don’t know that a few tables away, someone is operating a rogue access point and hoping you give them your unprotected information.
A wireless sniffer can detect your laptop trying to find SSIDs it has accessed in the past and use them to spoof your laptop this way. You might be surprised to be connected to what you think is your brother’s SSID even though you may be several thousand miles away from his home.
A similar type of threat is a “sidejacking” attack in which hackers set up sniffing tools to steal user identities. There’s a free browser plug-in that lets them view and use the identities they have captured. This vulnerability is exploited because many internet service sites, including the popular social networking sites, don’t send all of the data securely when communicating with browsers.
In many cases, cookies containing user information are sent unsecure to the browser and can be identified with software like “Firesheep.” All identity thieves have to do is know what to look for. Unfortunately, there really isn’t a fix for this until the sites fully use the secure session.
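On the site side, the fix is to mark identity cookies with the Secure attribute and serve every page over HTTPS. The following is an added example, not part of the original article: given the Set-Cookie headers from a login response and the URLs a browser loads afterwards, it reports which cookies would cross the network in clear text. The header values, cookie names and URLs are constructed, and host and path matching is deliberately simplified.

```python
from urllib.parse import urlsplit


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cleartext_exposure(response_headers, later_urls):
    """Map each plain-HTTP URL to the cookies a browser would attach to it.

    Simplification: every cookie is assumed to match the host and path of
    every URL, so only the Secure attribute decides what is sent.
    """
    cookies = [parse_set_cookie(v) for h, v in response_headers
               if h.lower() == "set-cookie"]
    sendable_over_http = [name for name, attrs in cookies if "secure" not in attrs]
    exposure = {}
    for url in later_urls:
        if urlsplit(url).scheme == "http" and sendable_over_http:
            exposure[url] = sendable_over_http
    return exposure


# Constructed sample: headers from an HTTPS login response, then page loads.
LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=EXAMPLE1; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=EXAMPLE2; Path=/; Secure; HttpOnly"),
    ("set-cookie", "lang=en; Path=/"),
]
LATER_URLS = [
    "https://www.thesite.com/inbox",
    "http://www.thesite.com/images/logo.png",
]

if __name__ == "__main__":
    for url, names in cleartext_exposure(LOGIN_RESPONSE, LATER_URLS).items():
        print(f"{url} carries {', '.join(names)} unencrypted")
```

A single image fetched over HTTP is enough to expose the session cookie, even though the login itself used HTTPS.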
What are some best practices to avoid this vulnerability?
– When you want to log in to any site, make sure you see “HTTPS” in the address bar not “HTTP.” If it shows “HTTP,” then figure out what to click to get into a secure session. This will help keep your user information safe.
– Don’t set up unsecure access points at home, and encourage others not to do so either.
– Don’t connect to an unsecure access point if you can avoid it. But if you must, make sure it does not get set to “automatically connect” in the wireless profile.
– Delete unsecure wireless profiles from your wireless configuration whenever you can.
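The last two practices can be checked mechanically. The following is an added example, not part of the original article: it assumes a Linux laptop whose saved networks are NetworkManager keyfiles, and classifies each profile as secured, open with auto-connect, or open with manual connect. The three profiles are constructed samples; the article itself does not name an operating system.

```python
import configparser

SECURITY_SECTIONS = ("wifi-security", "802-11-wireless-security")


def audit_profile(text):
    """Return (profile id, verdict) for one NetworkManager keyfile."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    name = cfg.get("connection", "id", fallback="<unnamed>")
    if cfg.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return name, "not a wireless profile"
    secured = any(cfg.has_section(s) for s in SECURITY_SECTIONS)
    # NetworkManager treats a missing autoconnect key as true.
    auto = cfg.getboolean("connection", "autoconnect", fallback=True)
    if secured:
        return name, "secured"
    if auto:
        return name, "open and auto-connects: delete it or disable autoconnect"
    return name, "open, manual connect only: delete when no longer needed"


# Constructed sample profiles (contents of three saved-network keyfiles).
PROFILES = [
    "[connection]\nid=guest\ntype=wifi\n\n[wifi]\nssid=guest\n",
    "[connection]\nid=airport wireless\ntype=wifi\nautoconnect=false\n\n"
    "[wifi]\nssid=airport wireless\n",
    "[connection]\nid=HomeNet\ntype=wifi\n\n[wifi]\nssid=HomeNet\n\n"
    "[wifi-security]\nkey-mgmt=wpa-psk\n",
]


def audit_all(profiles):
    """Audit every keyfile text and return the list of (id, verdict) pairs."""
    return [audit_profile(text) for text in profiles]


if __name__ == "__main__":
    for name, verdict in audit_all(PROFILES):
        print(f"{name}: {verdict}")
```

The "guest" profile is the coffee-shop case described earlier: no security section and no autoconnect key, so the laptop joins any network advertising that name.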