Hotspot paranoia: try to stay calm

No-one's actually interested in your data

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

Opinion OK, the fact that Professor Brian Collins is prepared to talk about public Wi-Fi hotspots with evil twins does mean it's worth taking seriously. I took it seriously enough to publish something about it myself - mainly, though, as a way of publicising the Science Museum's series of talks on crime. But out there, people are taking it VERY seriously.

A quick Google News search on "evil twin" produced 111 positive results - all mainly nonsense, written by people with little understanding of risk assessment.

As a result, everybody in the Wi-Fi access point business - and his uncle - has been on the phone all afternoon, offering to explain how they, with their software or systems management technology or location based services, can eliminate this hazard.

OK, confession time. I, too, have been hacked while connected to a Wi-Fi hotspot. The evil hacker was a colleague: Manek Dubash, much-respected editor of Network Weekly. The site: the excellent NetEvents seminar network, in Garmisch one winter, not long ago.

And the "exploit" was simple: I had file sharing turned on, and Dubash told me, in a clear voice that everybody could hear across the desk, what was on my hard disk. Nothing embarrassing, thank goodness! but a reminder of the fact that we weren't back at our Ziff-Davis offices any more (where we worked at the time on PC Mag UK).

Now, here's the important point: nothing.

Nobody did anything nasty to my disk, nobody installed a virus, or spyware, or changed my dialup connectoid to one which rings a premium number in Brazil, or stored twenty Gig of illegal images on my hard disk. Nobody was even interested.

Hacker exploits are, as Professor Collins rightly observes, possible. Yes, I could sit down at a public hotspot, give my PC the ability to act as a hotspot, and make its network ID code the same as the local hotspot's code. I could sit down at a hotspot called T-Mobile and give my PC the name T-Mobile. And I could use a simple Internet Connection Sharing link to mean that if you logged onto my PC, you'd get a share of my share of the T-Mobile internet connection.

Properly done (a little preparation for a skilled hacker) I could even make the logon screen look exactly like a Starbucks logon screen, which is where most T-Mobile hotspots are. And if you logged on with your credit card, I could get your details. And if you logged into your bank to do some financial work, I might get your password.

Now, why would I do all that?

"For the money, stupid!" is the obvious answer. Well, yeah, duh! and the question isn't answered. Because the question is not "why would I want your password?" - it's more profound. It is: "If I want your password, what's wrong with the internet?"

Internet-based exploits are safe, anonymous, quick, and harvest not just one or two card details, but thousands. Organised criminals sitting undetectably in unstable countries half way around the globe do this routinely, and nobody can find who they are, or where they are.

So, if this is possible, why would I pin-point myself for the network? The network will have my MAC address, and I'll have to make sure never to use the same one again. If I do, I can be easily found... I'll be really close - like, within 100 feet or so - to the hotspot I've logged on to. I'll be vulnerable - physically vulnerable, not just identifiable - to being seen, photographed, or even seized and attacked. And I'll get... a few credit card numbers. Maybe. Which I could perhaps use to get goods sent to the home address of the card-holder.

The risks are discouraging, the level of expertise needed is relatively high, and the rewards are not startling. Is this going to be a popular habit?

Well, no, it isn't, unless something changes radically. If you want credit card numbers, you need the PINs to go with them. An automatic teller machine with a "skin" that reads cash cards and stores the PIN is worth having, especially if you can duplicate the card. And you don't have to be there in person to operate it.

For the non-technical, the old methods are tried and trusted. "When he comes around the corner, hit his head with the rock." Take wallet, remove plastic and cash, and run.

So yes: there will be hackers setting up "evil twin" access points, but your chance of meeting one is pretty slim - they'll be students trying to prove they could do it. They'll have useful careers ahead of them, and middle-class aspirations, and after a couple of experiments, they'll either get caught, or get bored.

Everybody in the wireless LAN business knows this! They all talk a wonderful PowerPoint presentation on security, but if you say: "Look, this really isn't interesting - you know as well as I do that the actual risks are tiny" they say yes, of course they know that, but The Customers worry about it.

Anybody can make ignorant lay readers frightened. It's a normal trick of security consultants. And it's a good idea to know what the exploits can be - especially if you're a lawyer or a doctor and have seriously confidential information on your PC, which simply cannot be risked.

But in a world where most PC users still don't use spyware blockers and distributed denial-of-service attacks routinely use hundreds of thousands of compromised PCs to bring down major web servers, and where viruses and worms are distributed over ordinary dialup accounts, the risk of being hacked at a Wi-Fi hotspot is infinitesimal by comparison.

If you're going to get paranoid about hotspots, you're the sort of person who'd drive a $100,000 sports car into Times Square, and walk away leaving the windows and doors open, while fretting that perhaps someone may know the activation code for the radio.

Sensible precautions

  1. Turn off file sharing when in a public hotspot
  2. Password-protect your system
  3. Use secure connections before sending any financial information
  4. Turn on a software firewall
  5. Stop worrying! The information you're going to transmit at the hotspot is of no interest to anybody in the world except your Granny, to whom you're sending those photographs.

© NewsWireless.Net

Related stories

US slaps on the wardriver-busting paint
Michigan Wi-Fi hacker jailed for nine years
Business frets over wireless security

Boost IT visibility and business value

More from The Register

next story
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
Canadian ISP Shaw falls over with 'routing' sickness
How sure are you of cloud computing now?
Don't call it throttling: Ericsson 'priority' tech gives users their own slice of spectrum
Actually it's a nifty trick - at least you'll pay for what you get
Three floats Jolla in Hong Kong: Says Sailfish is '3rd option'
Network throws hat into ring with Linux-powered handsets
Fifteen zero days found in hacker router comp romp
Four routers rooted in SOHOpelessly Broken challenge
New Sprint CEO says he will lower axe on staff – but prices come first
'Very disruptive' new rates to be revealed next week
PwC says US biz lagging in Internet of Things
Grass is greener in Asia, say the sensors
Ofcom sees RISE OF THE MACHINE-to-machine cell comms
Study spots 9% growth in IoT m2m mobile data connections
O2 vs Vodafone: Mobe firms grab for GCHQ, gov.uk security badge
No, the spooks love US best, say rival firms
Ancient pager tech SMS: It works, it's fab, but wow, get a load of that incoming SPAM
Networks' main issue: they don't know how it works, says expert
prev story


Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.