
Thursday, July 4, 2013

Here's what an eavesdropper sees when you use an unsecured Wi-Fi hotspot

You’ve probably read at least one story with warnings about using unsecure public Wi-Fi hotspots, so you know that eavesdroppers can capture information traveling over those networks. But nothing gets the point across as effectively as seeing the snooping in action. So I parked myself at my local coffee shop the other day to soak up the airwaves and see what I could see.
My intent wasn't to hack anyone's computer or device—that's illegal—but just to listen. It’s similar to listening in on someone’s CB or walkie-talkie radio conversation. Like CBs and walkie-talkies, Wi-Fi networks operate on public airwaves that anyone nearby can tune into.
As you'll see, it’s relatively easy to capture sensitive communication at the vast majority of public hotspots—locations like cafes, restaurants, airports, hotels, and other public places. You can snag emails, passwords, and unencrypted instant messages, and you can hijack unsecured logins to popular websites. Fortunately, ways exist to protect your online activity while you’re out and about with your laptop, tablet, and other Wi-Fi gadgets. I'll touch on those, too.

Capturing webpages

I opened my laptop at the coffee shop and began capturing Wi-Fi signals, technically called 802.11 packets, with the help of a free trial of a wireless network analyzer. The packets appeared on screen in real time as they were captured—much more quickly than I could read them—so I stopped capturing after a few minutes to analyze what I had vacuumed up.
My own website, captured via the hotspot packets and reassembled for viewing.
I first searched for packets containing HTML code, to see which websites other hotspot users were browsing. While I did see activity from other patrons, I didn’t capture anything interesting, so I visited my own website—www.egeier.com—on my smartphone.
This is a copy of the email I sent (and subsequently received) using my smartphone connected to the hotspot.
The raw packets with HTML code looked like gibberish, but as you can see above, the trial network analyzer I used reassembled the packets and displayed them as a regular webpage view. The formatting was slightly off and some of the images were missing, but plenty of information still came through.
I didn’t find anyone else sending or receiving emails during my visit, but I did discover the test messages I sent and received via my smartphone while it was connected to the hotspot. Since I use an app to connect to my email service via POP3 without encryption, you could have seen my login credentials along with the message (I've blurred the username and password in the screenshot).
This is all the information someone would need to configure their email client to use my account and start receiving my emails. They might also be able to send emails from my account.
And these are the packets that went over the network when I sent an instant message using Yahoo Instant Messenger.
I also used Yahoo Messenger to send a message while I was capturing Wi-Fi signals. Sure enough, the tool plucked that information out of the air, too. You should never use an unencrypted instant-messaging service with any expectation of privacy.

Capturing FTP login credentials

If you still use FTP (File Transfer Protocol) to download, upload, or share files, you should avoid connecting to FTP servers over unsecured hotspots. Most FTP servers use unencrypted connections, so both login credentials and content are sent in plain text, where any eavesdropper can easily capture them.
These captured packets reveal the username and password securing my FTP server (I've blurred them in this screenshot).
While using my laptop to connect to my own Web server’s FTP server, I was able to capture the packets containing my login ID and password—details that would have enabled any nearby eavesdropper to gain unfettered access to my websites.

Hijacking accounts

Computers aren’t the only devices susceptible to eavesdropping. I also ran an app called DroidSheep on my spare rooted Android smartphone. This app can be used to gain access to private accounts on popular Web services, such as Gmail, LinkedIn, Yahoo, and Facebook.
DroidSheep looks for and lists any unsecure logins to popular websites. While it doesn’t capture the passwords to those sites, it can exploit a vulnerability that allows you to open the site using another person’s current session, giving you full access to their account in the process.
As you can see from the screenshot below, DroidSheep detected Google, LinkedIn, and Yahoo logins from other people who were connected to the hotspot, as well as the Facebook login I made on my other smartphone.
DroidSheep detected other users' log-ins, which means those accounts were vulnerable to hijacking.

I couldn’t legally access other people’s logins, of course, but I did open my own Facebook login.
Using DroidSheep, I was able to access my own Facebook page without providing a user ID or password. I could have done the same with any other patron's accounts if they were logged in.
Once I’d done that, I could magically access my Facebook account on that rooted Android phone (see the screen at lower right) without ever providing my username or password from that device.

How to use Wi-Fi hotspots securely

Now that you’ve seen just how easy it is for someone to eavesdrop on your Wi-Fi, here's how you can use a public hotspot with some degree of security:
  • Every time you log in to a website, make sure that your connection is encrypted. The URL should start with https instead of http.
  • You also need to make sure that the connection stays encrypted for your entire online session. Some websites, including Facebook, will encrypt your log-in and then return you to an unsecured session—leaving you vulnerable to hijacking, as discussed earlier.
  • Many sites give you the option of encrypting your entire session. You can do this with Facebook by enabling Secure Browsing in the Security settings.
  • When you check your email, try to log in via the Web browser and ensure that your connection is encrypted (again, look for https at the beginning of the URL). If you use an email client such as Outlook, make sure your POP3 or IMAP and SMTP accounts are configured with encryption turned on.
  • Never use FTP or other services that aren’t encrypted.
  • To encrypt your Web browsing and all other online activity, use a VPN, or virtual private network (this article will show you how).
  • Keep in mind that private networks have similar vulnerabilities: Anyone nearby can eavesdrop on the network. Enabling WPA or WPA2 security will encrypt the Wi-Fi traffic, obscuring the actual communications, but anyone who also has that password will be able to snoop on the packets traveling over the network. This is particularly important for small businesses that don’t use the enterprise (802.1X) mode of WPA or WPA2 security that prevents user-to-user eavesdropping.
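
The second tip above (a site that encrypts the log-in and then drops back to an unsecured session) can be checked from the response headers a site sends at login. The following Python sketch is an added example, not part of the original article: it audits a recorded login response for session cookies without the Secure attribute and for redirects to plain http, and it also goes slightly beyond the article by checking for the Strict-Transport-Security (HSTS) header. The hosts, cookie names and values in the sample are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: one login that falls back to HTTP afterwards (the
# pattern the tips above warn about) and one that stays encrypted.
SAMPLE_FLOW = [
    {"url": "https://social.example/login", "status": 302,
     "headers": [("Set-Cookie", "session=8f2c1a; Path=/; HttpOnly"),
                 ("Location", "http://social.example/home")]},
    {"url": "https://bank.example/login", "status": 302,
     "headers": [("Set-Cookie", "sid=77aa09; Path=/; Secure; HttpOnly"),
                 ("Strict-Transport-Security", "max-age=31536000"),
                 ("Location", "https://bank.example/account")]},
]

def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in rest if p}
    return name, attrs

def audit_response(resp):
    """List the ways this response leaves the session readable on open Wi-Fi."""
    findings = []
    scheme = urlsplit(resp["url"]).scheme
    if scheme != "https":
        findings.append("page itself served without TLS")
    has_hsts = False
    for key, value in resp["headers"]:
        k = key.lower()
        if k == "set-cookie":
            name, attrs = cookie_attrs(value)
            if "secure" not in attrs:
                # Browser will also send this cookie over plain http.
                findings.append(f"cookie '{name}' lacks Secure")
        elif k == "location" and urlsplit(value).scheme == "http":
            findings.append("redirects to plain http")
        elif k == "strict-transport-security":
            has_hsts = True
    if scheme == "https" and not has_hsts:
        findings.append("no HSTS header")
    return findings

def audit_flow(flow):
    """Map each response URL to its list of findings (empty list = ok)."""
    return {r["url"]: audit_response(r) for r in flow}

if __name__ == "__main__":
    for url, findings in audit_flow(SAMPLE_FLOW).items():
        print(url, "->", findings or "ok")
```

A cookie without Secure is sent on every plain-http request to the same host, which is what makes the session visible to anyone listening on the hotspot.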
