'Evil Twin' WiFi Scare Stories Make A Comeback
from the missing-the-point dept
A few years ago, when stories hyping up the security risks of WiFi were commonplace, articles about “evil twin” access points were a favorite. “Evil twins” were access points given SSIDs that made them appear legitimate, only they were controlled by a malicious actor rather than a real hotspot provider. The FUD was then that these malicious actors could steal anything that went across the access point — even though most sensitive information is transmitted with encryption, a point the articles never bothered to mention. It looks like the evil twin — or at least hype about it — is making a comeback, as the head of a trade group of IT security professionals says such attacks are on the rise. He says it’s due to the growth in the use of WiFi, but doesn’t offer up any real evidence that the attacks are a problem, just saying that they present a risk for people’s passwords that are sent as clear text, skipping over the fact that any service provider worth their salt doesn’t send passwords in the clear if they’re protecting any sort of sensitive information. Instead of harping on about a largely mythical “problem” with WiFi, wouldn’t this guy’s energy be better spent drawing service providers’ attention to the need to encrypt passwords, thereby cutting out the supposed problem?
Comments on “'Evil Twin' WiFi Scare Stories Make A Comeback”
Encryption should help
So Techdirt has added the part of event with encryption themselves?
Any well designed encryption scheme will authenticate both ends and protect against a man in the middle attack, so i am not sure I buy that part. Maybe with stupid users clicking ok certificate warnings, but I would hope that they wouldn’t do that before divulging very sensitive data.
passwords are only part of the story
Of course, encryption helps. But, face it, most web-based systems protect login and then send information in the clear. Encrypting passwords is only half the problem. Do you feel any better than your password is protected for your web-access email, but all your mail is sent in cleartext? Maybe a little better, but you shouldn’t feel comfortable.
Re: passwords are only part of the story
While the email analogy is somewhat true, it doesn’t really equate to wifi points. A wifi point requires the key to connect, but then encrypts the traffic between those connected so that eves dropping becomes virtually impossible (if they are setup correctly).
The technology is not the weak point in the equation, the stupid users who pick the wrong access point are… although the people who’s point they are attempting to connect with should be checking for such issues or at very least have a very specific name that people will be able to distinguish from illegitimate points.
Re: passwords are only part of the story
I think squik has read the same article I saw only a few days ago, and I’m surprised at Mike’s post: I’ve read some marginally hare-brained knee-jerkity stuff written by Mike, but this is borderline irresponsible.
With stories posted like this one, my mom’s gonna be wanting wireless now. Like Mike talk her down this time.
Protect Yourselves
Data thieves don’t hijack people’s data.
Data thieves hijack stupid people’s data.
Protect yourselves; don’t rely on others to do so. Especially since protecting yourself is reeeaally easy if you take the time to do it.
What are you two working for the CIA? No one cares about your WoW passwords or what your BigButtBabes.com password is… well nevermind, i take that one back… but in any case you get my point. Most people who send sensitive info are on a protected network as it is and anything sent wirelessly that’s worth a damn is encrypted.
neh
Who cares about email being in clear text.. Unless you’re sending sensitive info via email, it should not matter. I know I would NEVER send anything of any importance via email. It’s an open system. It’s hard to see many uses for this type of attack. There is very little someone can do to gather information while simply browsing through their gateway. Almost everything that is sensitive is encrypted before it’s sent.
I think this is a way for the phone companies to get people worried about using free Wi-Fi. They are some sneaky and immoral bastards (Take Verizon for instance)…
Re: neh
those “click here to reset your password” links are sent via e-mail and often times require no more authentication than the unique reset URL. this type of e-mail is read over public wifi, its just a matter of the frequency.
kind of an ironic post considering a few days ago we saw one about Time Warner allowing users to broadcast there networks as hotspots. interesting…….
> as the head of a trade group of IT security professionals
> just saying that they present a risk for people’s
> passwords that are sent as clear text
The FUD he is spewing is laughable, but it’s pretty scary that this person
is in the ‘security’ industry. I wonder if this just goes to show that
anyone can call themself a ‘security professional’ , after all, there
are no credentials or experience required.
select infrastructure only
While evil-twin access points may largely be urban legend, it still seems like a good idea to set the default connect for infrastructure only. Easy to set up in Windows XP.
infrastructure
its also pretty easy to sit in an appt building across from the starbucks with a dup ssid and pick up the idiots who do not know better.- directional antenna optional.
free security
JiWire has a free security client that helps users avoid the “evil-twin” scare. http://www.jiwire.com/hotspot-helper.htm
I would bet that a large number of people (at least non-tech people) would click on a cert popup without paying it much attention if they think they are at the correct website. Also, if the man in the middle is using a cert from a trusted authority then there’s not even a popup for most people.
I know quite a few people who use neighbors wifi points because they dont have to pay for internet that way. Also, I still see quite a few network thats are security free, and those are subject to arp poisoning attacks which would provide the same access as an “evil-twin” access point.
I’m sure it’s not common enough to warrant the scare coverage, but here’s a scenario that is regularly ignored when the assumption is that “all sensitive data is generally sent encrypted”.
Most folks have a POP3 e-mail account that does not require (or even allow) encryption to login. And most people fail to realize that an identity is generally as secure as that user’s e-mail account.
Process to rip off a user via an “Evil Twin” (or by simply monitoring an unencrypted or weakly encrypted wireless network):
1) Harvest POP3 authentication, use a script to analyse a packet dump to correlate user ID, password and account name.
2) Monitor the POP3 account for e-mail from sites of interest (retailers, banks, credit card companies)
3) Visit said site, attempt to login with password used for e-mail account. If that fails, click the “Forgot my Password” link. Chances are good the password will be sent to the comprimised e-mail account without asking a “validation” question (and even that could probably be guessed).
I don’t have a problem with an occasional scare story. I like it when my mother calls and asks questions now that someone in “the news” told her what I’ve been telling her for years.
For technical and security minded people these stories are an overreaction. I don’t use the same password on more than one site. I don’t use e-mail services that require “in-the-clear” login. And when I’m working on an open AP, I use an SSH tunnel to my home PC as added protection (I’d rather the guy on the other side of Panera with the Kismet screen up not read my Instant Messages)
While you’re generally right, most sensitive data is sent encrypted, *some* isn’t, and for many users it only takes one unencrypted authentication to give up their “universal password”. And that e-mail client that’s checking for new messages every 5 minutes creates traffic that is an easy target.
I can’t tell you of a single person outside of my line of work that has more than three different passwords, knows that their home wireless AP is “wide open” or is even concerned that someone could be collecting their traffic while they’re working at a coffee shop.
It’s a scare story, yes, but, alot of credit card fraud does happen pre-ssl. You get a guy that sits there with his laptop in the cafe, sits around with ethereal or packet capture program of your choice, waits for someone to hit up say paypal.com, then starts ARP poisening, fakes DNS and issues a false SSL certificate. It’s not hard, and the tools come as a precompiled package on linux available through rpm.
Is it a problem? Yeah – don’t manage your banking from starbucks, but, not that big of an issue. It’d be better to tell people common sense things then to have weird security freakouts, but, security experts always have and will have the need to feel technical.
It is somewhat excessive to use a different password for every site, ratehr all that is necessary is to have a password for each thing you care about, and a few passwords for things that you don’t give a damn about if they get hacked (Wikipedia accoutns, the tenth gmail accoutn, that sort of thing.)
They Ask For Billing Info Via SSL
I’ve heard of (but not observed) WiFi captive portals which advertise hourly internet access at a reasonable price. The user enters their data via SSL (including Credit Card # and Billing info) and viola, they are scammed! Encryption only makes sense if you know the endpoint you’re communicating with.