Connecting to a public Wi-Fi hotspot, whether open or secured by a password, leaves you open to snooping and hacking. That’s the word from SensePost CTO Dominic White.
White said there are risks even when you are connected to a password-protected hotspot, and users must take note of how to avoid being compromised on a “secure” hotspot.
White said that although hotspots that require a password to connect are more secure than those that don’t, this holds only under certain conditions.
A coffee shop that has a daily Wi-Fi password written on a board, for example, would still let an attacker sniff traffic about as easily as if the network was open.
There are ways that Wi-Fi can be made more secure, said White, but no authentication scheme currently available is perfect.
Fortunately many sites use encryption nowadays, making it difficult for hackers to see your usernames and passwords.
However, there is still a lot of information someone can learn about you from just watching your network traffic, such as which bank you are with, your Facebook ID, the company you work for, and apps you’re running.
The infographic below summarises which data an attacker might see depending on whether they are “just looking”, or executing an active attack.
How Wi-Fi attacks work
Open Wi-Fi networks such as those run by Internet service providers (AlwaysOn, Telkom Mobile Guest) do not encrypt any packets.
“This makes it possible to just watch the packets to see what people are doing,” said White.
As the adoption of universal encryption increases, this kind of “sniffing” becomes less and less useful, but it can still yield a lot of data about someone.
This information can then be employed in a more active interception to get the “juicy stuff”.
Hotspots that require you to log in after you’ve connected via a captive portal web page are not any more secure than an open Wi-Fi network, warned White.
“This is all about the provider trying to charge or identify you, and nothing to do with security.”
In fact, since the network is unencrypted an attacker could just sniff your authentication information and impersonate you to log into the network.
Secured hotspots encrypt the traffic sent over them, but in the case of WPA/WPA2 networks with a shared password (like those at coffee shops or restaurants), attackers can sniff traffic in almost the same way as on an open network.
“It does require that they see the device connected to the network to get enough of the cryptographic input to decrypt the packets.”
Forcing a disconnect (and reconnect) is easily achieved via “deauth frames” with no noticeable impact to the user, he said.
Wi-Fi networks that require a username and password (802.1x EAP) are more secure than those with a shared password, but are still vulnerable to attacks.
“Mostly users don’t validate the certificate from the network (because it is difficult), which means it’s possible to man in the middle an EAP authentication and crack the challenge response sent over it,” said White.
For clients who validate the certificate, 802.1x with a decent Extensible Authentication Protocol (EAP) is about as good as it gets these days.
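As an added illustration (not from the article or from SensePost), here is what “validating the certificate” looks like for a Linux wpa_supplicant client on a PEAP/MSCHAPv2 network: the first block is the weak setting White describes, the second pins the CA and the expected server name. The SSID, identity, CA bundle path and RADIUS server name are placeholders.

```conf
# Constructed wpa_supplicant.conf fragments for an 802.1x (WPA-EAP) network.
# Values such as the SSID, identity and server name are placeholders.

# WEAK: no ca_cert and no server-name check. The client accepts any
# certificate, so a rogue AP can terminate the TLS tunnel and capture the
# MSCHAPv2 challenge/response for offline cracking.
network={
    ssid="CorpWiFi-placeholder"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.invalid"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the server certificate must chain to a trusted CA and its
# name must end with the organisation's RADIUS domain, otherwise the
# supplicant aborts the EAP exchange before sending any credentials.
network={
    ssid="CorpWiFi-placeholder"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.invalid"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    # trust anchor (system bundle or the organisation's own CA file)
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # reject servers whose certificate name does not match the expected domain
    domain_suffix_match="radius.example.invalid"
}
```

A supplicant that logs “CTRL-EVENT-EAP-TLS-CERT-ERROR” with the hardened profile in place is reporting exactly the mismatch that the weak profile would silently accept.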
Is my home Wi-Fi safe at least?
White said home Wi-Fi networks are no safer than others, especially since they are less likely to use 802.1x with proper EAP, and pre-shared keys are handed out to everyone who visits.
“That said, home Wi-Fi is much less likely to be attacked to go after users than say, a coffee shop frequented by hackers,” he said.
“Personally, my home network regularly changes ESSID, BSSID, and 64-character WPA2 key. It’s not perfect, and people get angry at a key that long, but it gets the job done.”
SensePost recently released an updated version of its MANA Toolkit, an evilAP toolkit for rogue access point attacks.