I would imagine a large amount of unencrypted access points are "guest APs", where you log in with a username and password after connecting, or perhaps no authentication at all (by design).
HALF of London has outdated Wi-Fi security, says roving World of War, er, BIKER
Wireless security across London remains flaky despite the well-known risks, according to an infosec bod who has been riding his bike all around town identifying insecure wireless networks and highlighting shoddy user behaviours that could be exploited by rogue hackers. James Lyne, global head of security research at Sophos, …
-
-
Monday 5th May 2014 12:58 GMT BristolBachelor
I was wondering that too. Considering that all the Starbucks or BTopenzone and the like have no protection, then it's no surprise.
What this guy should be saying is that the WiFi standards group are still completely crap if they cannot implement a standard that allows anyone to connect without needing a password, and then for the two devices to negotiate a secure connection between them.
The current standards either have no protection, or the requirement to enter a 140 bit key on an on-screen keyboard the size of a postage stamp, and no way to know what that key is unless people stick post-it notes up on every lamp-post.
As for honeypots; aren't they one of the reasons for VPN?
-
Monday 5th May 2014 15:58 GMT Daniel B.
PKI
We theoretically could solve the issue with PKI, but even "type down this password on your device" is too much of a hassle for non-techies. Interestingly, the one place where I've seen PKI used for "public" WiFi access is at DEF CON, but then that's because you know most people going there are going to be tech savvy to boot. And the one thing that was made to do this easily (WPS) has the stupid PIN method which can be cracked easily, thus the method being disabled by anyone tech savvy these days...
-
-
Monday 5th May 2014 13:21 GMT big_D
It is still bad practice. You should never connect to an access spot without a WPA2 passphrase. A VPN can go some way to mitigating that, but even so...
A business offering free wifi should set the password to their business name or have the password prominently displayed for their customers.
Our guest WLAN at work is WPA2 enctrypted and we have QR-Codes for smartphone and tablet users to set up the connection automatically and the password is available upon request for PC users.
-
Monday 5th May 2014 13:56 GMT Steve Knox
Security is like an onion
Our guest WLAN at work is WPA2 enctrypted and we have QR-Codes for smartphone and tablet users to set up the connection automatically and the password is available upon request for PC users.
So all I need are some stickers and I can mess up your guest WLAN, or worse, send your tablet/smartphone users to my malware-ridden network or site instead?
Hypothetically, of course.
-
-
Tuesday 6th May 2014 11:25 GMT Anonymous Coward
Why would anyone turn on encryption and require credentials on a consumer internet only connection anyway? It just slows down your traffic. I leave my WiFi connections open for anyone to use and turn off all logging - and i'm in a quite busy area - have done for years without any issues at all. I have a VPN account for any traffic I really care about, but in general checking that EV certificates are valid does me.
It also quite incidentally makes any accusations of say sharing copyrighted content quite deniable too.
-
Friday 9th May 2014 12:51 GMT Andus McCoatover
My WiFi is unsecured by design. Apartment block has a lot of elderly living here, and they want to use bank, Skype/FB for the family and relations. No problem.
Isn't it a bit posessive to protect your WiFi, if your computer is secured?
Farmer Giles: "GET ORF MY LAAAAN(D)!!!!" springs to mind....
-
-
Tuesday 6th May 2014 13:32 GMT rh587
"I would imagine a large amount of unencrypted access points are "guest APs", where you log in with a username and password after connecting, or perhaps no authentication at all (by design)."
That and decade old domestic broadband routers that have sat on the phone stand since they were delivered, only being replaced if the owner moved house and was sent a new router for their new line, or if it went on the fritz. My parent's Orange Livebox went on 5 years before a thunderstorm spiked the phone line and the router with it, and it's replacement has been going for the best part of a decade.
No reason they will replace it unless it dies or they get sent a shiny new box for a fibre connection, which won't happen because fibre isn't coming to their rural backwater. Ever.
On the plus side their old farmhouse has "proper" walls built of stone and brick, not plasterboard and wood, so the wifi barely makes it downstairs, much less outside the house or the mile to their nearest neighbour (who has no line of sight in any case). The odds of anyone sniffing that access point are somewhere approaching nil.
-
-
-
-
Monday 5th May 2014 18:25 GMT keithpeter
Re: Shhhh...
Just pop down to your local FE College or Arts Centre. All of the ones round here have open wifi with landing pages. My College blocks https and anything that isn't port 80 however. Full on UKERNA clean feed.
"Lyne used a little Raspberry Pi Linux computer in the bag slung under the crossbar, a powerful battery under the seat to provide power for the scanning rig for a whole day, a small GPS unit, small scanners wired into a little Raspberry Pi, and a scanner aerial strapped to the downtube."
Pictures or it didn't happen! Pure Iain Sinclair. Ctrl-F 'temperature traverses' on the page below. Excellent.
https://www.nytimes.com/books/first/s/sinclair-territory.html
-
-
Monday 5th May 2014 13:01 GMT DropBear
Use WPA2? Fine, I won't argue with that - but where, pray tell, should the VPN be directed to connect? Definitely not all home routers currently in use come with that built-in (given the owner has any idea he does have it at all)? Who says there even is anything permanently 'on' on the home LAN - there might be no router at all? Heck, there might not be any home LAN at all for some people...!
-
-
Monday 5th May 2014 13:25 GMT regadpellagru
"Had to downgrade my wireless security at home, as the brand new Internet enabled TV I bought for my wife to watch in bed while convalescing only supports WEP!"
Even if it is completely appalling in 2014, I'm not that much astonished. Most consumers products don't give a crap about implementing basic security.
You have my sympathy.
Even Nintendo with their bugged first WiiU firmware failed to have any security working at launch. Not even WEP. Had to go to clear text !
-
Monday 5th May 2014 14:29 GMT Anonymous Coward
re: Had to downgrade security as the TV supports WEP!
If you had a spare wireless router (or even a Pi or netbook with a wifi dongle that can work in access point mode), you could have set it up to firewall the WEP-only devices from the rest of your network. Give them a free route out to the internet, but don't let them access anything else.
Once you learn how to configure this sort of thing, it has a variety of uses. Over the last few years I've had a DMZ (home ftp server receiving requests directly from the net, but firewalled from all my other machines), a separate "guest" wireless network (like your WEP-only scenario) and more recently I set up fail-over networking (tethering to my phone) for when the main broadband goes down. I guess I should also use VPN for when I'm connecting to public wifi with my phone, but that doesn't happen regularly enough for me to worry about it.
-
-
Monday 5th May 2014 17:38 GMT James_Lyne
Re: re: Had to downgrade security as the TV supports WEP!
Indeed, I just finished doing the same scan in Las Vegas and there are a huge number of networks with exactly that setup. Their SSID is easily identifiable as it shares the SSID followed by _guest or alike. Of course, a lot of them are open and while the intended user (the household) may not expect to do anything to sensitive others might. Also, seemingly innocuous downloading and browsing can allow for insertion of nasty JavaScript, social engineering pages or other manipulation. It sounds like you aren't going to be falling for it, but I doubt everyone in our study behaves the same way ;-)
-
-
-
-
-
Monday 5th May 2014 17:38 GMT James_Lyne
Re: Why a large battery?
Ha! We actually did that in the first prototype run but it turned out to be entirely unnecessary given the kit we were using. I also used a solar panel, but the equipment is so efficient now it doesn't make sense. However for geek appeal, to your excellent point, we did both dynamo and solar BECAUSE.
-
-
Monday 5th May 2014 19:41 GMT Ole Juul
Re: only allows specified MACs to connect
As for the original story Id be more impressed by the report if they had actually tried to access some of the insecure systems and proved the point rather than relying on supposition.
That's what I thought too. I'm not entirely sure that there is much to be learned for the information provided.
As for MAC blocking that is not secure, as you say, however it does mean that only "hackers" will get in. Nevertheless, if one only allows one connection at a time then the worst that someone could do is read the stream which is generally of no consequence.
-
Tuesday 6th May 2014 16:15 GMT atlatl265
Re: only allows specified MACs to connect
As regards 'MAC spoofing", I use WPA2, block my SSID transmission and specify only the MAC's on my network. Seems pretty secure when used in this combination. BTW, my "smart TV has WPA2, but now that I think about it, I am Not so sure about my BluRay DVD player. The industry seems to be pushing to make the BluRay DVD player, the Internet connection for your Home Entertainment center.
atlatl
-
Tuesday 6th May 2014 19:54 GMT Alan Brown
Re: only allows specified MACs to connect
Blocked SSIDs still leak and MACs are easily tweaked.
At least some of the kit I've used happily shows the SSID of "cloaked" APs.
WPA2 is only secure when used in conjunction with a decent password, as otherwise a snoop session can deduce the password over a few hours without issuing any packets (or it can bother the AP for more data, faster)
-
-
-
Monday 5th May 2014 16:30 GMT Don Jefe
Labor Intensive
It seems like working out a deal with cab companies in the target cities would be a lot easier and deliver a considerably more robust data set that evolves over time. You could also develop targeted awareness campaigns for dense trouble spots. You could probably even talk banks into paying for the exercise.
There's an apartment building in Alexandria, VA where an interested tenant put a flyer on everyone's door with basic info about open networks and put his email address and phone number there with an offer to help secure their networks for free. A month later there are zero open networks in the building. People didn't even get too mad about the flyers he wasn't supposed to be posting.
What I'm getting at, is that traditional awareness techniques have obviously penetrated as far as they are going to go. People that aren't aware aren't going to be aware unless they are informed in a new way and you need to find those people, and track the effectiveness of the new message delivery vehicle(s). A tech guy doing a tech thing being covered on a tech site has a rather small audience that isn't aware of open network risks.
-
-
Monday 5th May 2014 20:00 GMT Jon 37
Re: Streetview cars
Streetview was sniffing and recording actual WiFi traffic, including some things that people might consider private. For example, they recorded fragments of unencrypted HTTP requests and responses.
Sophos only looked for the SSID broadcasts, which are *meant* to be received by any WiFi device in range.
-
-
Monday 5th May 2014 17:38 GMT DavidON
VPN's are safer...but are they safe?
I've been a long-timer user of VPN's on my laptops, primarily to allow me to safely use public networks. So, when I finally got an Android phone, this was one of the first things that I set up on it.
However, despite constantly seeing VPN's quoted as the cure-all for public networks, I have been unable to adequately protect my (unrooted) phone, as I can't find a VPN/app which blocks traffic before it's connected. I've spoken to a number of leading VPN providers and they have all, eventually, admitted this as a problem - the "best" response I got was the company who said they were working on a solution.
Does anyone who, unlike me, knows something about Android, know of a solution to this?
Thanks,
David.
-
Monday 5th May 2014 23:59 GMT Don Jefe
Re: VPN's are safer...but are they safe?
There are always going to be tradeoffs with any type of security. It doesn't matter if it's data, gold bullion or hostages. Usability and security are two sides of the same coin. Once something is absolutely secure it becomes a Schrodinger's Cat sort of thing. Is the thing you're protecting really still in there? The only way to know for sure is to look, but then your thing is no longer secure.
But you've got the traditional valuation problem. If the thing you're tying to protect is so valuable that making it inaccessible, thus truly secure, is the thing really that valuable? Only you can decide that. Museums have been tossing that problem around for a good century or so now. They go back and forth on the issue every few years. Most organizations and individuals with the means eventually say fuck it, and just insure the hell out of whatever it is. You still practice the security fundamentals, but the value of something is reduced by the value of time and resources you put into protecting it,
But to answer your question, there's no pre-connect blocking VPN for Android. My wife uses Android and she hasn't been able to find an OTS solution either. She just doesn't do anything involving potentially dangerous personal info with those devices.
-
Thursday 8th May 2014 02:35 GMT Aslan
Re: VPN's are safer...but are they safe?
The solution is just get root already you really should have posted your phone model here so you could be helped with that, and then install Cyanogenmod. If you're a nervous Nelly about getting root access through some security hole your phone manufacturer has allowed to persist for the last year (on Windows these are the updates that get a critical label), the buy a Nexus 5 phone which allows you to easily and officially take root privileges. https://www.google.com/nexus/ or if you're really serious there's always https://www.blackphone.ch/
Basically any VPN that blocks traffic before there is a VPN connection is going to be hacking your phone as bad as anything that give you root privileges unless something changes in a future version of Android.
-
-
Tuesday 6th May 2014 07:35 GMT Anonymous Coward
Ah yes, here we have
The revelation that everyone and his dog who get a router delivered from an ISP is a tech guru that could not be bothered to recode in Unix or Perl their entire router firmware to the utmost security level.
On the bus to work each day, my phones tell me "wifi access found, connect?"
most people will say "yes, don't ask again" same as they store passwords in browsers.
the masses are not even aware they have wifi let alone unsecured else all the war drivers, wifi hackers, spammers n scammers would be out of business
In other news water discovered to be wet!!!
-
Tuesday 6th May 2014 12:50 GMT Anonymous Coward
Surprisingly
I live in one of the less salubrious bits of east London, but to my surprise, every one of the wifi points I can see in the area (30+ from my house, about 100 between here and the station) are now WPA2, with the exception of the odd BT public wifi, and a few BT-FON connections (I assume those also work with a landing page). There's not a single WEP or WPA to be seen.
The area has a fairly transient population, and so I'd assume a high rate of turnover with ISPs, and I'm wondering if the reason is that ISPs have now largely 'got it', and are sending out new routers pre-configured to WPA2. BT in particular got badly bitten on wifi security a couple of years ago, so maybe they actually learned the right lesson for a change.
-
Tuesday 6th May 2014 15:32 GMT bod43
"29.5 per cent were using either the insecure Wired Equivalent Privacy (WEP) algorithm, or no security encryption at all ... A further 52 per cent of networks were using Wi-Fi Protected Access (WPA)"
I find that very hard to believe. In the places that I go there are no WEP WiFis at all. Everything is WPA2, or is deliberately open. FON, BTOpenview etc. I have occasionally made a point of noticing.
For years all new home routers have been set up for WPA2. Many people seem to change their ISP quite regularly and have new routers.