Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Wireless Networking

Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot (softpedia.com) 197

An anonymous reader writes: Avast carried out a curious experiment at the Barcelona Mobile World Congress. They've set up 3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it. Researchers randomly logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. They also recommended using a mobile VPN app when navigating the Web via public WiFi.
This discussion has been archived. No new comments can be posted.

Airport Experiment Shows That People Recklessly Connect To Any Free Wi-Fi Spot

Comments Filter:
  • by invictusvoyd ( 3546069 ) on Monday February 22, 2016 @09:47PM (#51564233)
    But I always carry a concealed weapon
    • by KGIII ( 973947 ) <uninvolved@outlook.com> on Monday February 22, 2016 @10:16PM (#51564393) Journal

      Here's the actual announcement from Avast:
      https://press.avast.com/en-us/... [avast.com]

      That has all you might need. No need to hitch off this softpedia site. They're not adding any value over reading the press release and they don't even include a link (or I didn't see it in their layout) to the original press report. It's the internet, linking is kind of important. Maybe they want to pretend it's exclusive content or real journalism? I dunno... Screw it, avoid entering the unknown and go to a verified source - like the message of the article.

  • by xaosflux ( 917784 ) on Monday February 22, 2016 @09:48PM (#51564243) Homepage

    Why should anyone expect some random WLAN to be "safe" - they are trying to get to the Public Internet, this is just another Public inter-Network along the way.

    • by greenfruitsalad ( 2008354 ) on Tuesday February 23, 2016 @06:46AM (#51565701)

      why should i expect it to be unsafe? email is via ssl/tls, chat apps are client-to-server encrypted, all eshops use ssl/tls, google search is by default via ssl/tls, cloud storage i encrypted in transit, so what could they have possibly gained by this devious man in the middle circus? list of websites i access and my http data?

      • s/i encrypted/is encrypted

      • so what could they have possibly gained by this devious man in the middle circus

        Maybe they were hoping that you were a Windows weenie who'd compulsively click away any dialog that appeared, even though this this time it happened to be a warning about a mismatched certificate? In which case you would be the clown in that circus...

    • Yes, especially after watching Doctor Who [wikipedia.org]. :-)

  • by turkeydance ( 1266624 ) on Monday February 22, 2016 @09:49PM (#51564249)
    1. know very little about the road. 2. is it safe? (Marathon Man ref) who knows? 3. who's running it? Feds/State/local/private/etc? WiFi is asphalt for smartphones. full speed ahead.
  • by PSXer ( 854386 ) <psxer@msfirefox.com> on Monday February 22, 2016 @09:50PM (#51564255) Homepage

    Or do their devices automatically do it for them?

    • by mjwx ( 966435 )

      Or do their devices automatically do it for them?

      The only time I've ever had my Wifi connect to a strange access point without me asking it to were one's named "Linksys" and this was back in 2006. Seemed my old Windows XP lappy would interpret any open AP named Linksys as one I've connected to before because I had connected to one callled Linksys before.

      I'm pretty sure modern OSes dont do this any more.

      Yes, stop snickering, I called Windows "Modern".

      • by sims 2 ( 994794 ) on Monday February 22, 2016 @10:24PM (#51564421)

        Umm no... That's still standard practice. It's actually one of the only ways I've found to get devices to correctly roam between APs. Works on APs with and without encryption set.

        Best way to solve it? Set a key on the AP you connect to then if another has the same name your computer won't be able to connect to it because the AP doesn't have the right key.

    • Devices by default do not connect to open access points that are unfamiliar. Actually not just default, I don't know any way to set any of my devices to allow this course of action. All my devices announce the presence of the network, but none will connect.

  • by xxxJonBoyxxx ( 565205 ) on Monday February 22, 2016 @09:56PM (#51564285)

    seems like avast missed the point when google, gmail, and youtube went 100% https

    the bit about "detecting" devices is also retarded: just serve up a page to new connectors and log the agent and you should get stats on browsers/oses

    • by msauve ( 701917 )
      "seems like avast missed the point when google, gmail, and youtube went 100% https"

      What about people who use browsers which don't force an ssl connection to those URIs? Or, an IMAP email client, similarly. Users would still be subject to DNS hijacking.

      And, you only mention Google services. There's way more to the Internet than that.
      • by unrtst ( 777550 )

        "seems like avast missed the point when google, gmail, and youtube went 100% https"

        What about people who use browsers which don't force an ssl connection to those URIs?

        This used to be a problem, because users might type in "google.com", and the browser would first go to "http://google.com" (ditto for other sites).
        Along came HSTS: https://en.wikipedia.org/wiki/... [wikipedia.org]
        That shouldn't be a problem anymore, so long as the users browser supports that, and the server is sending it (which many do these days, because of all the SSL kerfuffle).

        Or, an IMAP email client, similarly.

        This may actually be worse. In many cases, clients connect to the clear text port and then issue STARTTLS (or similar) if the server had said it

        • by msauve ( 701917 )
          "That shouldn't be a problem anymore, so long as the users browser supports that..."

          LOL. The fallacy is obvious.
          • by unrtst ( 777550 )

            HSTS support across browsers: https://www.owasp.org/index.ph... [owasp.org]
            Current usage stats: http://caniuse.com/#feat=stric... [caniuse.com]

            IE: 11 (windows 7 and 8.1+)
            Edge: all versions
            Firefox: 4+
            Opera: 12+
            Safari: 7+ Mavericks (Mac OS X 10.9)
            Chrome: 4.0.211.0

            That will cover the majority of users.

            Regardless, there is still no fallacy. Users can easily protect themselves from that situation by using a browser that supports HSTS, which simply means using a system that has been updated within the past several years. It also greatly r

  • by mjwx ( 966435 ) on Monday February 22, 2016 @09:57PM (#51564291)
    Lets face it, people are dumb.

    People would still take candy from strangers if we didn't drill it into them from a young age. Stupidity isn't limited to Wifi, it pervades everything people do.

    However airports are strange. A lot of people are stuck there for some time with little to do. So free Wifi is a godsend, I admit, despite being quite security aware, that I've been a bit free and loose with connecting to airport Wifi when bored out of my skull at various airports (mostly Australian ones who didn't have free Wifi until recently).

    Free Wifi isn't inherently unsafe, but must be treated with suspicion. However most people wont, so back to my original point... People are dumb.
    • by Austerity Empowers ( 669817 ) on Monday February 22, 2016 @10:00PM (#51564309)

      Not always easy to know what the name of the freewifi service is in an airport you are not familiar with too. All you really know is you're not going to PAY for one, so it's either free or you're tethering. But which one is the free one?

      • by mjwx ( 966435 ) on Monday February 22, 2016 @10:06PM (#51564329)

        Not always easy to know what the name of the freewifi service is in an airport you are not familiar with too. All you really know is you're not going to PAY for one, so it's either free or you're tethering. But which one is the free one?

        That's kind of my point.

        How are you to know the difference between a legit and non legit network if they're both named "LAX Public Wifi".

        You should really be suspicious of any Wifi network you dont control or at the very least, know the owners on a personal level. I use free wifi for browsing /. but not for doing banking or anything else that could potentially harm me, but as a sysadmin, I'm mindful of such things where as the average Joe isn't.

        • by toonces33 ( 841696 ) on Monday February 22, 2016 @10:33PM (#51564451)

          For random browsing of the news, it might be fine. But the other problem with free WiFi in places like airports is that kids will start streaming music and videos and it will be dog slow.

          In reality, I am not sure if there is much difference between free WiFi at an airport and free WiFi at a hotel or a coffee shop. They are all effectively the same thing from an insecurity perspective.

        • by Shawn Willden ( 2914343 ) on Monday February 22, 2016 @10:47PM (#51564517)

          I use free wifi for browsing /. but not for doing banking

          That's backwards. Your bank's web site is authenticated, so your browser can fairly strongly verify that it's legitimate, and the data is encrypted and authenticated so it can't be modified. Browsing /. (or any non-TLS web site), on the other hand, is dangerous because the Wifi operator can inject whatever they like into the stream. Exploits that target your browser, drive-by downloads, ads, tracking cookies (for any site)... whatever they like.

          Unless your bank has screwed something up, you can safely do your banking on a hostile network, but browsing /. is risky.

          • by mjwx ( 966435 )

            That's backwards. Your bank's web site is authenticated, so your browser can fairly strongly verify that it's legitimate, and the data is encrypted and authenticated so it can't be modified. Browsing /. (or any non-TLS web site), on the other hand, is dangerous because the Wifi operator can inject whatever they like into the stream. Exploits that target your browser, drive-by downloads, ads, tracking cookies (for any site)... whatever they like.

            Here's the thing, I dont really care about something as triv

            • by DamonHD ( 794830 )

              Rouge? I suppose that HSBC's logo is red, yes... B^>

              (We had a product at work that we delighted in calling RougeWave, is if a cosmetics explosion...)

              Rgds

              Damon

            • Here's the thing, I dont really care about something as trivial as a /. account. To expend efforts on securing that against all manner of threats wastes resources.

              You missed the point, completely. It's not that someone may snoop on your /. browsing or credentials, it's that someone will inject arbitrary other content into what you're retrieving from the /. server, which can be used to compromise your machine, extract credentials from your browser, etc.

              Also TLS is not immune to MITM attacks. It makes it harder, sure but not immune.

              Unless the attacker has compromised a CA, and barring bugs in your TLS stack (which used to be a big problem, but has recently gotten cleaned up), yes it is immune to MITM attacks.

              Besides this you've got the traditional methods of social engineering, for example, a user goes to hsbc.co.uk and the rouge access point is configured to send them to hsbc.malice.com which looks identical to HSBC's internet banking site.

              Unless you look at your browser window

        • but as a sysadmin, I'm mindful of such things

          Are you really? You talk about public WiFi as if private WiFi can be trusted. Your home connection goes to a third party that is in bed with the NSA, do do people who you know on a personal level. Your data is whisked away and routed across the internet through any number of points completely unencrypted.

          Why would you be mindful of a public WiFi connection but not of the rest of the network?
          Also why would you not use an encrypted and verified SSL connection but feel comfortable doing general browsing?

        • I don't browse anything through a public WiFi hotspot. Not even at a hotel. I VPN to my home network and RDP into a box whose sole purpose is to allow me to browse the web remotely from my own network.
      • Beware! It reminds me of a Doctor Who episode [imdb.com]
    • by Wycliffe ( 116160 ) on Tuesday February 23, 2016 @12:07AM (#51564783) Homepage

      People would still take candy from strangers if we didn't drill it into them from a young age. Stupidity isn't limited to Wifi, it pervades everything people do.

      This "drilling" does very little to actually stop abductions. First off, most abductions are not strangers but rather someone they already know. Secondly, they've done experiments and kids will readily go with someone with a puppy/kitten if they tell them they have more in the back of their van.
      The "don't talk to strangers" is completely silly. The one safety tip I try to teach my kids is that if they get lost to immediately walk up to the first stranger they see and ask for help. Don't wait for a stranger to come to you. If you pick the stranger then the odds of picking a bad person are slim to none but if they pick you then the odds of them being a bad person are significantly higher.

      • by Xenna ( 37238 )

        "The one safety tip I try to teach my kids is that if they get lost to immediately walk up to the first stranger they see and ask for help. Don't wait for a stranger to come to you. If you pick the stranger then the odds of picking a bad person are slim to none but if they pick you then the odds of them being a bad person are significantly higher."

        Let them pick a mother stranger to further reduce the risks.

        • Comment removed based on user account deletion
        • by b0bby ( 201198 )

          I agree, I told my kids to ask a mother or female for help first. It's sexist, but it's also playing the odds. Admittedly the chance of a random male wanting to harm your kid is minuscule, but a random female is even more minuscule. And just the fact that they are given some guidance may make them more likely to ask for help in the first place.

    • LMOL ok Potsy. NO OPEN WIFI IS SAFE. Got it. That's the point. You can't trust any wifi because you don't no if it's secured,safe or has been hacked, regardless if the source is trusted. But what most people use it for like Youtube, it's fine. Just don't do banking from your phone on a public wifi.
  • False security (Score:5, Insightful)

    by HeadSoft ( 147914 ) on Monday February 22, 2016 @09:59PM (#51564297)

    Always assume all networks are insecure. You're always correct.

    • Always assume all networks are insecure. You're always correct.

      True, but some are more "secure" than others and people don't pay attention to this, which is the point of this little social experiment.

      Actually, IMHO the security issue of open WiFi needs attention at two points. First, you need a really good and effectively configured firewall on your device. Second, those providing services over the web need to secure all data in transit. It's helpful if the users are aware of the risks, but in today's day and age I don't see your average users able to comprehend th

  • by blahbooboo ( 839709 ) on Monday February 22, 2016 @10:00PM (#51564299)

    So if you use HTTPS or SSL secured connections, how are these connection types vulnerable on unsecured wifi?

    • So if you use HTTPS or SSL secured connections, how are these connection types vulnerable on unsecured wifi?

      Virtually all browsers contain root certificates which have been shown to be untrustworthy. It isn't really safe to trust SSL for your security anymore. You need a reliable Internet provider.

      • by guruevi ( 827432 ) on Monday February 22, 2016 @10:20PM (#51564409)

        Who do you trust as a reliable Internet provider? You're better off just deleting all root certificates (if you're that kind of paranoid) and make exceptions for every single site you visit.

        OR you could just do like me: you don't store information that matters in places you don't have full control over.

      • by KGIII ( 973947 )

        A friend of mine recently sent me these two links:
        http://www.vpngate.net/en/ [vpngate.net]
        http://www.vpnbook.com/feature... [vpnbook.com]

        I've played with them both, they're not bad backups. They're as trustworthy as they are but they're free. They seem to be fairly legit. If I were just browsing at an airport, I'd be okay with that. I wouldn't do banking on 'em or anything like that. As I recall, the second one was better than the first as far as throughput and reliability. I played with 'em for a few days.

      • Neverthless, clickbaity summary is clickbaity. All the article mentioned was that traffic had analysed which sites users had visited, NOT that any of them had been compromised.

        Does one trust the findings of a paranoid article at face value pimping avast and various VPN services?

        That's not to say indiscriminate public wifi is legit but I don't think it's telling us anything we didn't already know.

      • Virtually all browsers contain root certificates which have been shown to be untrustworthy. It isn't really safe to trust SSL for your security anymore. You need a reliable Internet provider.

        Yea, go find that reliable Internet provider that connects you to the same untrustworthy Internet.

  • Logging=hacking? (Score:4, Informative)

    by fred911 ( 83970 ) on Monday February 22, 2016 @10:08PM (#51564347) Journal

    "logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. "

    Logging is a long way from poisoning an arp table, serving tainted SSL and recording packets plain text.

  • by hawguy ( 1600213 ) on Monday February 22, 2016 @10:08PM (#51564349)

    The bigger question is, why shouldn't it be safe to connect to any random Wifi hotspot? Literally everything should be using https by now, SSL certs are even available for free, so there's no excuse not to. I often connect to public Wifi hotspots (and use a VPN since I know that everything is *not* secured with SSL) and there's really no other option (other than "never use public wifi hotspots") since there is no way to know whether the "Starbucks" or "Starbucks - SFO" or "Starbucks - Public" SSID is the legitimate one.

    • there is no way to know whether the "Starbucks" or "Starbucks - SFO" or "Starbucks - Public" SSID is the legitimate one.

      And there's no way to know what these "legitimate" hotspots are doing with your data either. Treat everyone as the attacker and your options become far clearer.

    • When I'm traveling, I always connect to public WiFi in the airport. It is usually pretty easy to tell which is the "official" airport one but whatever. I just fire up my VPN and go about my business. I know it isn't encrypted, isn't secured, etc. However getting things encrypted is cheap and easy as you say.

      • Heck, I just do that no matter what WiFi I'm connected to out of habit. Even at the in-laws house where I'm the designated network administrator (the guy who configures the router and gets called when something breaks) I use the VPN to home for all my network traffic. About the only time I don't use VPN is when I'm at home and need to use the printer...

  • by Nicopa ( 87617 ) <nico@lichtmaier.gmail@com> on Monday February 22, 2016 @10:30PM (#51564441)

    Please, continue this research and expand it to every airport! And make it a permanent thing!

    Seriously: Avast is a "security" company that sells security to those feeling "insecure". So it's in their best interest to keep that feeling, seeing threats where there are none. In this case... why should a public WiFi network be more trustworthy than any other network in the middle of the big Internet? You should be doing SSL/TLS, SSH, etc. by now everywhere and that's it.

  • Simple countermeasure! Just boot up your old Aspire One netbook with XP 'beast', an obsolete alternative distribution of XP where anything that stunk of bloat was omitted or disabled or covered with Hazmat stickers or XOR'd out and ridiculous excess like print spoolers are absent, and nothing is guaranteed but things just might load at all, eventually. This screaming monster only takes three times as long to boot as you'd expect. Then the many Atheros Wifi drivers which do not work fail to load successively

  • Always assume wifi is untrustworthy and you'll be fine. You don't need to pay companies like Avast to cover your behind. Most websites these days with sensitive information use https/SSL. Slashdot does not. But I care little about my Slashdot account.

  • by gweihir ( 88907 ) on Monday February 22, 2016 @11:12PM (#51564627)

    In most circumstances you cannot recognize or verify that a given public WiFi network is safe. What you do instead is assume it is non-safe and use secure communication technologies, like SSH, VPN links, etc. This has been known for ages.

    Incidentally, logging traffic is not "hacking".

  • Geez. I think folks are getting a little too big for their britches. Who gives a shit about an erasable phone? If you are that afraid to surf some wireless signals then turn the damn thing off. This sort of shows that a lot of people don't care and they shouldn't care.
  • VPN Difficulties (Score:5, Interesting)

    by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Tuesday February 23, 2016 @02:15AM (#51565089)

    You know, I see constantly people advising that you use a VPN when connecting with pubic wifi, without anyone ever acknowledging the difficulty of this problem.

    You see, between when I click "Connect" on the public wifi click-through, and when I have time to connect my VPN client, probably 50 different applications on either my laptop or my mobile phone HAVE ALREADY likely detected a positive connection and reached out to the internet. Any or all of these connections could already be compromised, BEFORE I can even get my VPN connected.

    Until OS vendors like Microsoft, Apple, and Google recognize this problem and allow you to create a rule like "Never connect to non-local addresses over a route that traverses unencrypted wifi", this will continue to be a problem. I wish more people were discussing it, because I see no solution in sight. The closest thing to a solution is with Android you can use Tasker to automate connecting your VPN as soon as it can see the VPN server, but even at this point, at best it's a race against all the other processes on your phone firing up as well.

    • by AmiMoJo ( 196126 )

      On Windows you just configure the firewall to block all apps from accessing the wifi (only allow connections to the VPN's TAP connection), except for a browser you keep installed specially just to access the wifi login page.

      Presumably the same thing would work on Linux. On Android you can do it if you have root and install something like iptables for your firewall.

    • I use Cloak on iOS, and it supports this functionality. I configure it to allow unencrypted traffic on specific trusted networks, and the VPN auto-connects on any network that I haven't approved, blocking other traffic until the VPN comes up. It seems to use the enterprise features Apple has provided to do this via a VPN profile, and it works very well. I have no idea what features it supports on Android and/or Windows Phones, but I'm very happy with it on Apple devices.

    • by crtreece ( 59298 )
      I use openVPN Connect on Android, and it has a setting where it takes control of all network connections, and blocks traffic when the VPN connection is not up.
      • by brunes69 ( 86786 )

        RIght, I know about this option. But since you likely do not want to use VPN when not on unencrypted wifi - because it eats CPU for breakfast - this is still not the answer.

    • You know, I see constantly people advising that you use a VPN when connecting with pubic wifi,

      The last time I tried this, she slapped me.

  • I once (recently) had a Windows Phone for work - recently enough to be on the beta of Windows Phone 10 (as in in the last 3 months). It automatically connects to any WIFI hotspot, if Wifi is enabled and it's as annoying as hell. Windows Phone 8.1 and 10 both do it.

    So I would be in a shopping centre and my phone would auto connect to the wifi (which was of course open but without internet unless you punch in some code you get on your receipt when you buy something). I'd then try to check my mail and find i
  • Some airports have the worst wifi ever! People who are just passing through won't connect to roaming data services which are beyond expensive but will look for a working wifi anywhere. Passed through Toronto Pearson Airport late January 2016: Possibly the worst wifi ever. Hard to connect, frequent drops, basically no actual network connection. I was basically looking for *anything* to get connected and would most likely have jumped on any open network...

  • So, a security company that makes a living creating software to protect the stupid and ignorant from the dangers of the internet, somehow needs to perform yet another test to prove just how stupid and ignorant consumers are about security.

    Sorry, but it doesn't matter if it's political or technical. I grow very tired of pointless surveys proving how stupid consumers can be. It's pointless because consumers don't care. That's not going to change, and we have the statistics to prove it.

    Consumers are ignora

  • I use Project FI, and on my Nexus phone google already automatically VPNs my data when using public wifi. So the only monster with my data is the same monster I already trust with my data, google.

  • by Afty0r ( 263037 ) on Tuesday February 23, 2016 @08:23AM (#51566103) Homepage
    If I want my packets sending to other hosts on the internet, I connect to wifi to do it. Or my ISP. Or my friends ISP. Or my works network. They're just packets being routed - if people are sending *sensitive* packets IN THE CLEAR on anybody's network - including their own internet connection at home or at work - then that is the problem. Not the network, which you shouldn't trust anyway.

Technology is dominated by those who manage what they do not understand.

Working...