from Hacker News

What we give away when we log on to a public Wi-Fi network

by ricksta on 10/18/14, 6:48 PM with 110 comments

  • by jMyles on 10/18/14, 11:32 PM

    Here's what I wrote last time this was posted (https://news.ycombinator.com/item?id=8457167), with some edits to respond to other comments made in this thread:

    An interesting read, but sparse enough on details to be basically useless. Additionally, there's nothing that I can discern to be new here. The following is demonstrated, all of which are known (and in fact obvious) to people with even an elementary understanding of how wifi and TLS work:

    * That wifi probes are public

    * That wifi devices, by default, expose reasonably reliable evidence about their type and origin via their MAC address

    * That many OS's automatically connect to 'trusted' wifi networks, regardless of their apparent physical location

    * That many websites don't have TLS by default (or at all)

    * That, if a user connects to a network you control and requests a URL not beginning with "https," it is trivial to present them with a fake page looking like the one to which they thought they were browsing (of course they won't see a lock) --(note: if the website has HTTP Strict Transport Security enabled and the user has previous visited that website with a supporting browser, then this part is non-trivial)

    * That, if a user transmits unencrypted plain text over a wifi network to which you have access, it's trivial to glean the content of their transmission.

    None of this is news, and it's all that this article seems to point out. Even more bizarre is that, almost without exception, it merely leaves these items implied, failing to describe the mechanism of action.

  • by sktrdie on 10/18/14, 8:55 PM

    How was the hacker able to get Facebook credentials? Facebook uses HTTPS and so does Live.com. Even if I'm connected to a malicious router, only me and Facebook know about the data we're sending each other.

    Am I missing something or should the author of this article provide more evidence on the type of attack?

  • by ambrop7 on 10/19/14, 5:57 AM

    Most people don't understand the WPA PSK security model and its insufficiency for anything but private networks where every device is trusted. When you give someone the PSK, you give them the capability to impersonate the access point.

    That being said, is there any better solution for public networks? One where giving someone a password doesn't let them impersonate you. I'm not sure how good support for EAP-TLS is on common client devices. To actually make it secure the device would not only need to support it but also validate the AP's public key some way.

  • by tunap on 10/19/14, 2:49 AM

    Interesting but dated info for techies. I was hoping for something more along the lines of how retailers triangulate & track your movements inside their brick & mortar sites. Or how public providers scrape your browsing habits whilst on their net. I was even more interested in learning what other tricks they employ that I am not yet aware of.

    With the ubiquity of broadband mobile I recommend avoiding public wifi whenever possible because the items listed in TFA are ubiquitous at most Starbucks, airports and other hi-profile public spots. I also highly recommend disabling any equipments' wifi by default, the world is full of liars, cheats & thieves smarter than myself. When you go for "free", what you get never is.

  • by fredsted on 10/18/14, 8:49 PM

    Are my devices really broadcasting the SSIDs they have been connecting to?

  • by ris on 10/19/14, 11:12 AM

    Hm. So are there any 802.11_ proposals for cryptographically "signed" SSIDs? Using public key cryptography, this is surely doable in a way that is "anonymous" too, right? (i.e. doesn't reveal the identity of the AP you're probing for)

  • by xamolxix on 10/18/14, 9:01 PM

    Considering how ridiculously cheap an anonymous VPN service is these days I am surprised how many people do not use them.

  • by byoung2 on 10/18/14, 9:52 PM

    All names in this article are fictitious, except for Wouter Slotboom’s

    I thought for sure that name was fake!

  • by z92 on 10/19/14, 5:21 PM

    Login into a public WiFi and turn on your VPN. Problem solved.

    VPN accounts are cheaper than ever before. You can also install one on a cheap DO box.

  • by VexXtreme on 10/19/14, 4:25 PM

    I see a lot of comments here presenting HSTS as some kind of silver bullet for preventing MITM attacks. While it does help, it's not impenetrable. If a website hasn't been preloaded into the STS preloaded list, then the HSTS header can be stripped on the first visit and the client will never upgrade to SSL.

    The only foolproof way to make sure you're not being MITMd is to visually verify that the domain checks out and that you are indeed connected using SSL.

  • by tiatia on 10/19/14, 1:03 PM

    Don't like your MAC? get a new one...

    import random

    import os

    mac=''

    # os.system('/etc/init.d/networking stop')

    os.system('ifconfig wlan1 down')

    os.system('ifconfig eth1 down')

    for i in range(0,3):

    r=random.randint(16, 256)

    mac=mac+":"+str(hex(r))[2:]

    mac="00:07:E9"+mac

    print mac

    os.system('ifconfig wlan1 hw ether '+mac)

    os.system('ifconfig eth1 hw ether '+mac)

    os.system('ifconfig wlan1 up')

    os.system('ifconfig eth1 up')

    # os.system('/etc/init.d/networking stop')

    os.system('/etc/init.d/networking start')

    os.system('ifconfig')

    print "echo 'MAC changed..."

    print "new random MAC "+mac

  • by JoshGlazebrook on 10/19/14, 12:15 AM

    I've read about this kind of thing before, so when I'm in public, or even at school I prefer to fire up my phone's personal hotspot instead of using any public wifi available.

  • by tetraodonpuffer on 10/19/14, 4:25 PM

    why aren't 'know networks' gps-geofenced on smartphones? You have GPS, if your previous 'known network' (say, home) was in location X, it should not automatically connect (or even try to connect) to it at X + 20 miles.

    This way you should be able to keep your phone from connecting automatically to (or even looking for) a network that shouldn't be there in that location in the first place, and if you always tether to it it would work for your laptop too...

  • by tcdent on 10/18/14, 8:59 PM

    How is he able to get them to trust the network? Is it common for software to connect to known SSIDs without verifying any other information?

  • by goblin89 on 10/18/14, 10:09 PM

    I wonder if it's true that iOS 8 only randomizes device's MAC when the SIM cart is not installed[0]. Was stoked to learn about this feature, too bad it apparently doesn't work as you'd expect it to.

    [0] http://9to5mac.com/2014/09/26/more-details-on-how-ios-8s-mac...

  • by yuhong on 10/18/14, 8:22 PM

    I wonder if anyone has tried to use CloudCracker to sniff MS-CHAPv2 VPN traffic.

  • by ColinWright on 10/18/14, 7:11 PM