Forbes, a respectable business magazine, writes about wireless security in the issue of 26 March 2007:
Computer security firm Authentium in Palm Beach Gardens, Fla. warns about an emerging Wi-Fi fraud aimed at air passengers. What road warriors sitting in a departure lounge think is a free authorized Internet connection turns out to be an “ad hoc” network broadcasting from the laptop of a scamster sitting nearby. Besides collecting passwords and credit card numbers, the crook might even install software that will later forward other private data. One tip-off: The wireless connection window the unwary traveler often sees labels the tainted free site a “computer-to-computer network”.
Threats from rogue wireless access points aren’t new – I wrote about disabling the Windows firewall and exploiting the Intranet zone using those a while ago. However, this Forbes article highlights two important problems with communicating technology issues to businesspeople: wrong assessment and wrong advisory. I am under the strong impression that by using executive summary language, consultancies, research companies and the press fail to communicate real issues to the decision makers. That’s because those translating the original information into executive summaries and press releases are often saying what their audience wants them to say – and without much understanding of the information in question. And if the quality of the original research is substandard (which I think is the case with Authentium’s Wi-Fi alert), things only get worse.
Another piece of evidence – IDG’s PC World’s take on the same Wi-Fi issue:
The next time you’re at an airport looking for a wireless hot spot, and you see one called “Free Wi-Fi” or a similar name, beware — you may end up being victimized by the latest hot-spot scam hitting airports across the country.
You could end up being the target of a “man in the middle” attack, in which a hacker is able to steal the information you send over the Internet, including usernames and passwords. And you could also have your files and identity stolen, end up with a spyware-infested PC and have your PC turned into a spam-spewing zombie. The attack could even leave your laptop open to hackers every time you turn it on, by allowing anyone to connect to it without your knowledge.
If you’re a Windows Vista user, you’re especially susceptible to this attack because of the difficulty in identifying it when using Vista…
The problem is that it’s not really a hot spot. Instead, it’s an ad hoc, peer-to-peer network, possibly set up as a trap by someone with a laptop nearby. You can use the Internet, because the attacker has set up his PC to let you browse the Internet via his connection. But because you’re using his connection, all your traffic goes through his PC, so he can see everything you do online, including all the usernames and passwords you enter for financial and other Web sites.
In addition, because you’ve directly connected to the attack PC on a peer-to-peer basis, if you’ve set up your PC to allow file sharing, the attacker can have complete run of your PC, stealing files and data and planting malware on it.
Such a pile of rubbish – as usual, with a twist of Vista-bashing.
Now, let’s analyse:
- Positioning the rogue AP attack as happening mostly in airports is wrong. We get those rogue access points everywhere now; the last one I saw was in the lobby of the Westin hotel in Seattle. Municipal Wi-Fi projects will set the expectation of wireless service being available not just in select spots, but in entire business districts;
- The name of the service/access point, or the fact that the service is free, is irrelevant. The title of the article in Forbes – You Get What You Pay For – falsely attributes the attack to free services. In fact, paying customers of T-Mobile access points (found in Starbucks all over the States – I’m using one in SFO airport right now), and other commercial operators, are perfectly susceptible to the attack;
- It’s not only computer-to-computer networks that may exploit unsuspecting users – access points are equally dangerous;
- There is no “free authorized Internet connection” that is mentioned by Forbes. The word “authorized” doesn’t make sense here.
Keeping your system locked down, and using SSL or VPN for sending credentials and accessing private information, will make the man-in-the-middle attack much harder, if possible at all – and Vista does help here. I challenge black and white hats of the world to compromise my laptop using a rogue wireless connection. I’m afraid fixing communications around information security issues will be at least as difficult.
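
To make the gap in the “computer-to-computer network” tip-off concrete, here is an added example (not part of the original post) that parses a Wi-Fi scan and applies that tip-off to each network. It assumes the text layout printed by `netsh wlan show networks`; the sample scan, its SSIDs and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `netsh wlan show networks`
# (assumed format; SSIDs and values are made up for illustration).
SAMPLE_SCAN = """\
SSID 1 : Free Wi-Fi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 2 : PaidHotspot
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 3 : HomeOffice
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
"""

FIELDS = r"\s*(Network type|Authentication|Encryption)\s*:\s*(.*)$"

def parse_scan(text):
    """Return one dict per network with ssid, network type, authentication, encryption."""
    networks = []
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)
        if m:
            networks.append({"ssid": m.group(1).strip()})
            continue
        m = re.match(FIELDS, line)
        if m and networks:
            networks[-1][m.group(1).lower()] = m.group(2).strip()
    return networks

def assess(net):
    """Apply the press tip-off (ad hoc mode), then note what it leaves unflagged."""
    if net.get("network type", "").lower() == "adhoc":
        return "flagged by tip-off: computer-to-computer network"
    if net.get("authentication", "").lower() == "open":
        # Infrastructure mode says nothing about who operates the access point.
        return "missed by tip-off: open access point, rely on SSL or VPN"
    return "secured link: tip-off not applicable"

def report(text):
    return {n["ssid"]: assess(n) for n in parse_scan(text)}

if __name__ == "__main__":
    for ssid, verdict in report(SAMPLE_SCAN).items():
        print(f"{ssid:12} {verdict}")
```

The open infrastructure network passes the tip-off untouched, which is why the protection has to come from the transport (SSL or VPN) rather than from the label in the connection window.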