I’m not a network security expert and for this reason I will only be discussing practical risks which may lead to identity theft and fraud. Identity theft together with fraud is a proven risk whenever you’re using a public Wi-Fi connection, especially at your favourite cafeteria.
There are two major privacy risks in public wireless networks; evil twinning and the more evil act of Wi-Fi router impersonation. Evil twinning occurs when someone sets up a fake Wi-Fi hotspot and gives it an appealing name (e.g. Cafeteria X Free Wi-Fi). Unsuspicious victims will then attempt to connect to such networks using their smart-phone or laptop.
Once connected, the attacker can use special software to harvest personal information (e.g. passwords) as well as behavioural patterns. Some caution from us users will generally help avoid such attacks. However router impersonation is less visible to the user and can prove to be much more damaging. To prove my point I will explain an experiment I conducted a few days ago.
On a sunny Monday afternoon, my victim and I were enjoying a cappuccino after a day’s work. My victim had his laptop on and was looking up the daily news. I told him that I will be attempting to steal private information off his laptop, and obviously, without his consent. The challenge was on, and in agreement with the cafeteria’s owner, we were all sitting in a glorified lab setup were all the actions were performed under the name of science. Every participant was a volunteer in this experiment, and so this helped in avoiding any breach of data protection law and any possible national/international computer misuse law.
My victim was connected to a public Wi-Fi, generously offered for free by the cafeteria owner. I got some inexpensive (actually free) software on my laptop, and started to push some buttons. To cut a long story short, I managed to take over the session my victim had between his laptop and the cafeteria’s wireless router. I impersonated my laptop as being the router, and made the victim’s laptop believe that all the data needs to be directed to me.
All I needed to do to remain invisible in this attack was to redirect all the data received back to the router itself. The victim would thus never guess that he’s being attacked. So the victim is happily browsing, while I was cunningly sniffing all the data passing over this newly created network. Amongst other activities I could have stolen passwords, hijacked e-mail accounts and gathered data for fraudulent purposes (e.g. instant messaging sessions).
This experiment took about two minutes to set up, and if I were a real malicious attacker, I would generally switch my attention onto other Wi-Fi users to see if they have any interesting data to share (say, credit card details). For a fraudster, this kind of attack can provide a mine of relevant personal information.
The technology abused behind router impersonation is address resolution protocol (ARP). ARP helps in translating device IP addresses into MAC addresses (each Ethernet-capable device has one, like your PC or the router to which we connect). An ARP spoofing attack is when one PC (the attackers’) sends a message to the victim’s machine telling it that it is the legitimate router to which it should be connected. This way, all the messages sent by the victim’s machine will first pass through the attacker’s machine.
I urge public Wi-Fi point owners to make sure they make their Wi-Fi network name (ID) publicly visible to all patrons. Furthermore, ARP spoofing attacks can be prevented by introducing anti-ARP attack tools available online at no cost.
To common users (that’s us) I take a quote from the Identity Theft Handbook (by M. T. Biegelman). Whenever you’re using a public Wi-Fi hotspot always behave as if someone is watching over you. Do not handle sensitive information over non-trusted connections (e.g. in an airport or cafeteria). Make sure that you connect to the right Wi-Fi network (you can always ask) and when you do so, use it cautiously. If you have to work with sensitive data, make sure that you are connected over an HTTPS connection and that the server certificate is valid.