How to Protect Against the Dangers of Public WiFi Abuse
Art Gross blogs on Breach Secure Now: “An article over at medium [by Maurits Martijn] gives excellent insight into the real dangers of open public WiFi. After reading this article you will never use a public WiFi hotspot again!”
Really? I’ve actually been on vacation for a week, practically living off free WiFi with “cellular data roaming” firmly turned off, cast into the dustbin of history where services priced for artificial scarcity belong. What new tragedy of the commons is this with my wonderful free WiFi?
That public WiFi could be abused was hardly news. But…mea culpa for the mental laziness of not performing the due diligence to really check on the risk. That stops now!
What, me Worry?
- A small device is all it takes to set up a fake WiFi hotspot
- It's easy to attract victims
- Every move you make can be tracked
- Stealing passwords is extremely easy
- You may be served a “phish” (a fake website delivered by the MITM)
Ok, ok. I’m worried.
HTTPS May not Help
Here’s where the laziness comes in. I tended to assume that HTTPS (use of SSL or TLS) had me covered from the public WiFi risk on login or other sensitive data transfer. I never considered the risk of cookie-sidejacking (demonstrated in programs such as Firesheep). I never stopped to think that the same techniques any legitimate proxy can use for good, a man-in-the-middle (MITM) attacker can use for evil. In the public WiFi case, the attack software on a wireless access point (WAP) simply needs an HTTPS-proxying module to be the server to your client, and the client to your server. Martijn’s article seems to assert this exploit is easy to obtain, and I don’t doubt it.
According to Wikipedia, cryptographic systems that are secure against MITM attacks require an additional exchange or transmission of information over some kind of secure channel. Also various defenses against MITM attacks use authentication techniques. In the case of HTTPS, that generally means having the ability to authenticate that the server certificate doesn’t belong to an attacker.
HTTPS anti-MITM authentication is most commonly done through certificate pinning, where an application has or saves a trusted copy of a server (or service) certificate, and on future use compares it with the certificate corresponding to the private key used in the HTTPS exchange with what is supposed to be the same service. Wikipedia goes on to say that Google Chrome practices certificate pinning to validate Google’s certificates, offering us Google users a bit of a warm fuzzy, but not solving the general problem with HTTPS session interception, or the Facebook login snoop cited in the Martijn article.
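One concrete way to do the pinning described above, as an added example that is not from the original post: a small trust-on-first-use pin store in Python (the `pins.json` path and the default hostname are assumptions). It pins the whole leaf certificate, as the paragraph describes, so a legitimate certificate renewal will also trip the check and deserves a look before you log in.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

class PinMismatch(Exception):
    """The presented certificate differs from the one pinned for this host."""

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def check_pin(host: str, der_cert: bytes, pins: dict) -> str:
    """Trust-on-first-use check; `pins` maps host -> fingerprint.

    Returns "pinned" for a new host (recording it), "ok" on a match, and
    raises PinMismatch otherwise: either an interception proxy sits on the
    path or the site legitimately renewed its certificate.
    """
    fp = fingerprint(der_cert)
    stored = pins.get(host)
    if stored is None:
        pins[host] = fp
        return "pinned"
    if stored != fp:
        raise PinMismatch(f"{host}: pinned {stored[:16]}..., got {fp[:16]}...")
    return "ok"

def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """TLS handshake with `host`; return the server's DER leaf certificate.

    The default context already validates the chain against the system CA
    store and checks the name matches `host`; the pin is an extra layer.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verify_host(host: str, pin_file: Path = Path("pins.json")) -> str:
    """Fetch the live certificate for `host` and check it against pin_file."""
    pins = json.loads(pin_file.read_text()) if pin_file.exists() else {}
    result = check_pin(host, fetch_leaf_cert(host), pins)  # assumed pin file
    pin_file.write_text(json.dumps(pins, indent=2))
    return result

if __name__ == "__main__":
    import sys
    print(verify_host(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))
```

Run it once on a trusted network to record the pin, then again from the café; a PinMismatch on the second run is your cue to stop and inspect the certificate.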
Virtual Private Networks – A Silver Bullet?
If you’ve followed me so far, congratulations. Hard as it is to follow some of this, believe me it’s harder to write it. Now let me try to offer some solutions to this messy and inconvenient problem. The challenge is that no solution is completely satisfactory, leading to more mental laziness from users and some sources I consulted.
Gross and Martijn both suggest using an IPSec VPN, or something that can be configured for shared secrets or mutual certificate-based authentication to make MITM attacks much harder. An IPSec VPN protocol can tunnel right through any potential MITM on the public WiFi to connect with a VPN gateway that becomes your proxy to the Internet.
I’m not sure how practical the VPN is for everyone. If you’re lucky you have VPN provided by your employer. But it may be slow. Otherwise, according to one source, public VPN services run about six or seven dollars per month. Also, VPNs may have issues supporting all your devices. And, I’ll leave it for another post to investigate the likelihood of MITM attacks against different kinds of VPNs out there.
Recommendation – Be more Streetwise Online!
To organizations – consider outfitting your road warriors with the best VPN you can find.
But – to individual road warriors that may not have a VPN (or not have the right VPN for all situations): Reduce your need to wander the risky neighborhoods of public WiFi. Here’s how:
- Get a personal umbrella plan from your cellular carrier: If you roam frequently, consider a month plan that turns your smartphone into a WiFi or Bluetooth-accessible WAP. With the personal umbrella you can always get online with all your devices as long as you stay in your home country or region of reasonably-priced telecommunications. You can get online even if there’s no public WiFi at all. You don’t have to risk uncertain WAPs.
- When travelling internationally, reduce your Internet addiction: Plan to be able to work if necessary on files cached in your device. Let your contacts know that you may be less available. Don’t get onto every public WiFi of dubious provenance that you see just because you can.
When you really NEED to use a public WiFi (and this will be often) but don’t have a VPN, here’s what to do:
- Trust (a little) but verify. Don’t just connect to any public WiFi you see; ask your facility hosts (waiter, homeowner, service staff) what the right SSID to connect to is. This isn’t completely foolproof but it’s a lot better than nothing.
- Don’t trust too much: Don’t use any services over public WiFi that you wouldn’t want to be observed using. Keep an eye on that address bar – don’t log into sites unless you see “https://” there. When you log into, or exchange data with an HTTPS-protected service, view the supposed site’s SSL certificate and ensure it is for the expected URL of the service. Unfortunately, some devices/browsers don’t support this.
To the extent you don’t (or can’t) check the SSL certificates when you use public WiFi be extra-skeptical of your password security. Use a password manager or something to generate different passwords for every site. Change the passwords from time to time. Consult my reference on easy ways to use two factor authentication.