One More Reason to Avoid the WiFi at Your Local Starbucks



    I've said it before and I'll say it again: if you use public WiFi networks you're putting your data at risk.

    Last week Intohand's Matthew Rollings posted a guide for transforming a humble Nexus 7 tablet into a "compact penetration testing toolkit". The same tools can be installed on a Nexus 5 and OnePlus One.

    So while you're sipping a latte at your favourite coffee spot you may be entirely unaware that someone else in the joint has successfully cracked the wireless network, capturing passwords and all sorts of other data from everyone on it.

    Amazingly, even WPA-protected networks are vulnerable to these tools.

    Two custom Android distributions make this possible: Kali Linux NetHunter and the unfortunately-named Pwnie Express tools. Hardware requirements include the following:

    • USB OTG Y-cable
    • USB Ethernet adapter
    • USB WiFi adapter


    Once set up, the network cracker will have the following software tools at their disposal:



    If you're wondering how WPA networks can be compromised, it's a matter of capturing the "handshake" between device and network. The handshake is encrypted, to be sure, but it's entirely possible for a password to be brute-forced after the fact using a distributed dictionary attack. There are both free and paid services available for this type of thing.
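    To make the WPA point concrete (an added example, not code from the original article): the WPA2-PSK master key is PBKDF2-HMAC-SHA1 over the passphrase and SSID, so each dictionary guess against a captured handshake costs one such derivation. The block derives it, checks the result against the published IEEE 802.11i test vector, measures this machine's single-core rate, and estimates how long a wordlist versus a random passphrase would take to exhaust; the wordlist size and SSID are constructed values.

```python
import hashlib
import time

# Published IEEE 802.11i (Annex H) PBKDF2 test vector; all other inputs below are constructed.
IEEE_TEST_VECTOR = ("password", "IEEE",
                    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The SSID is the salt, so precomputed tables only help against common network names."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def self_test() -> bool:
    """Confirm the derivation against the standard's own test vector."""
    passphrase, ssid, expected_hex = IEEE_TEST_VECTOR
    return wpa2_pmk(passphrase, ssid).hex() == expected_hex


def measure_guess_rate(samples: int = 20) -> float:
    """Approximate single-core PMK derivations per second on this machine (constructed inputs)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"guess-{i}", "example-ssid")
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second


def random_passphrase_candidates(length: int, alphabet_size: int) -> int:
    """Search space for a passphrase of this length drawn uniformly from the alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    assert self_test()
    rate = measure_guess_rate()
    print(f"~{rate:,.0f} PMK derivations/s on one CPU core (GPU rigs do orders of magnitude more)")
    wordlist = 14_000_000                          # constructed: a large public password list
    print(f"14M-word list exhausted in {seconds_to_exhaust(wordlist, rate) / 3600:,.1f} h")
    space = random_passphrase_candidates(12, 62)   # 12 random letters and digits
    print(f"12 random alphanumerics: {seconds_to_exhaust(space, rate) / (3600 * 24 * 365):,.0f} years")
```

    The gap between the two estimates is the whole argument for a long random passphrase and a non-default SSID on your own network.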

    I should note that both the hardware and software described here are, to my knowledge, perfectly legal network auditing tools. But obviously, in the wrong hands they have the potential for harm. All this is to urge you to please think twice before you connect to any WiFi network that isn't yours!

    ---------
    This article was originally published in forum thread: One More Reason to Avoid the WiFi at Your Local Starbucks, started by acurrie.
    11 Comments
    Ten Four -
      If you aren't doing banking or logging into something sensitive like that what harm is there? I could care less if someone can see that I am reading news stories or checking the weather.
    acurrie -
      For starters there's your Google account password, along with Facebook, Instagram and whatever else. "Sensitive" is a very subjective term.
    secdroid -
      Interesting article. Would the use of a VPN have protected an end user?
    j'vai -
      a Linux b0x, tcpdump, / wireshark to dump the traffic with card in promiscuous mode, then nmap for further penetration on IP ranges, is all one needs..

      command wireshark to *follow IP address* & that would pick up all log-in details;

      want access deeper into a laptop itself, that's nmap..
    IsLand_BoY -
      Originally posted by secdroid:
      Interesting article. Would the use of a VPN have protected an end user?
      Yeah, any idea about using a VPN?

      That said - I haven't used a public WiFi network in forever. I tether to my phone or just use my phone. My laptop has a built in HSPA+ modem so now I don't even have to tether to my phone, I have a data line on my plan for it. I really just don't trust public networks. Thankfully I have unlimited data so I really don't have a need for public WiFi.
    acurrie -
      Originally posted by secdroid:
      Would the use of a VPN have protected an end user?
      You'd be less at risk for sure, but not 100% safe—at least according to this post I found on Hacker News:

      Assuming I wasn't a state actor and just a lowly hacker on a wifi connection, here's some things I can tell about your VPN'd connection:

      * The operating system used
      * Application-specific traffic patterns
      * Content-specific traffic patterns
      * The VPN provider and type

      First off, I know you're using a phone, because it matches mobile device tcp/ip fingerprints. Second, I can make a reasonable guess about what kind of VPN you're using, both based on the service itself and its traffic or connection pattern. Third, I can make a guess about what kinds of applications you're using, because you are using a phone and the traffic looks a certain way for certain network applications. Fourth, I can guess what kind of content you're looking at, since I have a good idea what kind of browser and application you're using. Fifth, if I can match up all those fingerprints each time, I can identify you as the sole user of that connection, meaning I can now track you whenever I see your traffic. Sixth, by manipulating your traffic in small ways I can also determine more about your host and application(s) by how they respond to network transmission problems.

      Based on all that, I can send you a phished e-mail that looks to exploit any of the services or hosts or applications you're using. I don't even need to know who to e-mail; I can just spam tons of addresses and check for results that match the fingerprinted services I discovered earlier.

      Another fun attack would be to actually kill every connection you tried to make over a VPN using a specific application and content provider; because it would never work over the VPN, you might eventually try it over your regular connection, giving me a new point of attack.

      Hacking is fun!
    secdroid -
      Originally posted by acurrie:
      You'd be less at risk for sure, but not 100% safe—at least according to this post I found on Hacker News:
      Thanks for the link.

      I take from the linked article that my computing device would be trackable, I would suffer a partial loss of anonymity, but that the contents of my communications -- doubly encrypted via VPN and HTTPS/TLS -- would still not be visible to a skilled hacker at a public WiFi site. My logon credentials to secure sites would only be singly encrypted via the VPN.

      Still, as IsLand_BoY said, it would be safer to use your cellular radio via your own hotspot. Unfortunately, I don't have unlimited data.

      Lots of folks at my public library are using public WiFi with their own machines, along with lots more using public library computers. It turns out that my library's firewall blocks attempts to communicate with many VPN provider home pages, but one can use a VPN if it has been configured prior to using the library net.

      Also, librarians may value civil liberties and patron privacy, but most know nothing about online security.
    j'vai -
      "I take from the linked article that my computing device would be trackable, I would suffer a partial loss of anonymity, but that the contents of my communications -- doubly encrypted via VPN and HTTPS/TLS -- would still not be visible to a skilled hacker at a public WiFi site"

      true, but a very determined crAker would -

      "Another fun attack would be to actually kill every connection you tried to make over a VPN using a specific application and content provider; because it would never work over the VPN, you might eventually try it over your regular connection, **giving me a new point of attack.**"

      the new point of attack would / could be forged certificates of domains you'd connect to, creating a MITM, dam hard to forge a cert signed by CA, to fool the vpn connection, but it's possible / probable.. -

      VPNs vulnerable to MiTM because ANY certificate goes


      but, let's be real, if a person should target you this way in a public wifi place, & go thru the trouble of **this**, then it's quite close & personal, & not random; they would have to be out to *get you*..
    secdroid -
      Originally posted by j'vai:

      VPNs vulnerable to MiTM because ANY certificate goes

      ...but, let's be real, if a person should target you this way in a public wifi place, & go thru the trouble of **this**, then it's quite close & personal, & not random; they would have to be out to *get you*..
      Interesting link, thank you. I stumbled upon another article with an attack vector I had not considered.

      Having SSL certification doesn't mean that the website you are visiting is not a bogus website. SSL certificates protect web users in two ways: they encrypt sensitive information such as usernames, passwords, or credit card numbers, and they also verify the identity of websites.

      But today hackers and cyber criminals are using every tantrum to steal your credentials by injecting fake SSL certificates into bogus websites impersonating social media, e-commerce, and even bank websites....

      When you visit a bogus website with a self-signed fake SSL certificate from any popular web browser, you will see a foreboding warning in the web browser, but traffic that originates from apps and other non-browser software fails to adequately check the validity of SSL certificates.

      http://thehackernews.com/2014/02/Fak...M-Attacks.html
      More, from McAfee:

      Validation of SSL Certificates in Android OS

      Every OS has its own keystore, which contains all the trusted CAs. If a user wants to add a proxy tool CA into the trusted zone, he has to add the proxy tool's signing certificate into the trusted zone of the certificate manager. This is difficult on Android OS since it does not allow non-trusted CA certificates to be added into the keystore.

      Android OS has the trusted CA root certificate stored in a keystore at the following location:
      /system/etc/security/cacerts.bks

      Android does not allow addition of custom certificates to its keystore. We could try to forcibly insert a certificate into the Android keystore. Android has to be restarted to cause it to accept the inserted certificate as a trusted one. Upon restarting, however, the Android OS deletes all the user-added certificates. This behavior of the Android OS is a major challenge to routing HTTPS traffic through a proxy tool because there is no way for the proxy tool's root certificate to be added to the trusted zone.

      Routing HTTPS Traffic via a Proxy

      Given the discussion above, our best way forward appears to be to skip the SSL certificate check in the Android application that is being installed. To do so, we will have to overwrite the code that performs the SSL certificate verification so that no exception is thrown while accepting a certificate signed by a non-trusted CA

      http://www.mcafee.com/us/resources/w...validation.pdf
      McAfee goes on to show how to do this with apps for which source code is available as well as apps for which no source code is available.

      That also made me rethink the wisdom of using a banking app, as opposed to using a good browser to perform online banking.

      I take this to mean that I should be very careful in my choice of VPN providers. Cheap/free might not be wise, particularly those who make one access the VPN via app.
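    The failure mode the McAfee excerpt and the Hacker News article describe is a client whose certificate verification has been switched off, so any certificate, including one from an interception proxy, is accepted. As an added example (not from the thread or either vendor), the Python block below builds a properly verifying TLS client context next to the verification-disabled form, and an audit function that flags the weak settings, the kind of check you would run over your own app's TLS configuration.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """What a client should use: system CA bundle, CERT_REQUIRED, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()          # sets verify_mode=CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verification_disabled_context() -> ssl.SSLContext:
    """The anti-pattern: verification turned off so any certificate is accepted.
    Built here only so the audit below has something to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared first, or setting CERT_NONE raises ValueError
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context verifies its peer properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for a different name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("verification disabled", verification_disabled_context())):
        print(f"{name}: {audit_context(ctx) or 'OK'}")
```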
    acurrie -
      If anyone's interested, the author has published part 2, wherein all your WPS are belong to us:

      Nexus 7: A hackers toolkit. Part 2 - WPS hacking

      This likely isn't an issue for you at Starbucks, but interesting reading nonetheless...
    flipping -
      Sniffing mobile data (3G/2G) is possible too.