Naked and afraid: that's how Telstra's Wi-Fi security makes you feel
All it takes is 1 angry teen with Wireshark and root access
Sit down, open up the laptop, join the advertised SSID, and go online.
Free Wi-Fi makes working at the cafe a breeze. Free Wi-Fi transformed Sydney’s libraries into some of the most sought-after spots in town. Cities blanket themselves in free Wi-Fi to encourage tourists and business and residents to spend more time - and money - in their precincts.
How great is free Wi-Fi?
If everyone sitting in the library knew that everything they sent and received over their connection could be read by anyone else on the library’s free network, would they close their clamshells and run off screaming? Would they understand the risk of one angry teenager with Wireshark and root access?
A free Wi-Fi network almost never has a password. That makes it easy to log on - and easy to read the network traffic of everyone using that ‘open’ network. Transmitted in the clear, every packet of data can be read right off the airwaves.
When Telstra recently announced that its soon-to-be-introduced public Wi-Fi hotspots (read: repurposed redundant phone booths) would offer a free trial period to the public, they indicated these Wi-Fi hotspots would be open. No need for a password to log on.
When some pointed out that this meant all the people using these hotspots would be transmitting all of their network traffic in the clear, Telstra indicated they’d put some warnings on the login screen, informing users not to perform sensitive tasks while connected. All well and good, right?
Maybe not so much.
Our smartphones these days are terrifically smart. They do all sorts of things without asking, such as checking the weather forecast, grabbing the latest batch of emails, downloading a podcast, etc. We like our smartphones to have the things we want when we want them, and that has made them proactive.
You cannot tell your smartphone to stop anticipating your needs. When it logs onto Wi-Fi it’s going to do all the things it knows it needs to do in order to keep you well fed and watered. It’s going to do that in full view of hundreds of others. Including that script kiddie with Wireshark and root.
Although Telstra makes their money mostly from mobiles, they - and many others - seem to be unaware of how these devices work, or why people need secure connections - especially in public.
I am not paranoid about security. I know plenty of folks who are (the world needs more like them), but I am willing to assume some risks. Requiring WPA2 authentication to access a public Wi-Fi network isn’t a panacea - if you really need to be secure, you probably shouldn’t be using Wi-Fi at all - but it’s infinitely better than sending all network traffic in the clear.
The urge to create unsecured Wi-Fi networks is entirely understandable. Many people fumble over their own Wi-Fi passwords. Putting a password on a public Wi-Fi hotspot will limit the number who use it. But just as people learned how to lock their cars when they park them in a public lot, we now need to learn how to use shared electronic resources. The people and organizations offering these resources must consider the safety of their users. Open networks represent an unacceptable and unnecessary risk.
Whenever you see an open network, consider asking those providing that service if they honestly meant to make all of their patrons’ data visible to the world. Most would have no idea that’s what they’ve done - and might even be horrified by the risky environment they created. Suggest they secure the network with an SSID named something like "Cafe password is XXXXXXXXX", in order to make it as easy as possible for users to chart the safer course.
On a recent visit to the Qantas Club, I realised their Wi-Fi network - used almost universally by everyone in the Club - was wide open. If someone came in and sniffed that network for a few hours, what kinds of corporate secrets could they gather?
Most Qantas Club Wi-Fi users sit with tablets or laptops, surfing the web. If you’re surfing to a secure website - such as Google, Facebook or Twitter - that’s not quite as risky, because HTTPS will encrypt all the traffic between web browser and server. Someone will still be able to snoop on all your metadata - what sites you visited, and when - but not the content of that traffic. Not great, but better than letting the whole world read your Gmail.
When I fanned through my open browser tabs, I could see which websites provided secure HTTPS authentication and encryption - and which hadn’t bothered. Ironically, the Junkee.com essay penned by Australian Greens Senator Scott Ludlam, in which he makes a stirring call to #StopDataRetention, was transmitted in the clear. The site Ludlam used to publish his views on security has taken no steps to protect its users from metadata gathering.
Finally, my own website at markpesce.com also fails this test. I’m hanging my head in shame, and - with luck - by the time this column reaches you, I’ll have fixed that.
It’s a little complicated to create an authenticated and secured HTTPS website, but generally no more than a few hours of work.
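A quick way to audit a site the way the column does by fanning through browser tabs: request the plain-HTTP front page and check whether it bounces visitors to HTTPS and sets HSTS, so that later visits never start in the clear on an open network. This is an added example, not the column's or The Register's code; the hostnames come from the command line, and the grade labels are my own.

```python
"""Rate how well a site keeps visitors off plain HTTP, which an open Wi-Fi
network exposes to everyone in range. Added example, not the column's code."""
import http.client
import sys

REDIRECTS = {301, 302, 303, 307, 308}

def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or 0."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0

def grade(http_status, http_headers, https_headers):
    """Grade a site from what a fresh visitor would send in the clear.
    http_status/http_headers: reply to a plain http:// GET for /.
    https_headers: headers from the https:// reply, or None if unreachable."""
    h = {k.lower(): v for k, v in http_headers.items()}
    location = h.get("location", "")
    if http_status not in REDIRECTS or not location.lower().startswith("https://"):
        return "cleartext"      # content and metadata readable by anyone on the network
    s = {k.lower(): v for k, v in (https_headers or {}).items()}
    if hsts_max_age(s.get("strict-transport-security", "")) <= 0:
        return "redirect-only"  # every new visit still begins with one plain-HTTP request
    return "hsts"               # browser remembers to start on HTTPS for max-age seconds

def fetch(host, secure, timeout=5):
    """GET / from host over HTTP or HTTPS; return (status, headers dict)."""
    cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()

def check_site(host):
    """Fetch both variants of the front page and grade the site."""
    status, headers = fetch(host, secure=False)
    try:
        _, https_headers = fetch(host, secure=True)
    except OSError:
        https_headers = None   # no working HTTPS endpoint at all
    return grade(status, headers, https_headers)

if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, check_site(host))
```

A "redirect-only" result means the site does use HTTPS but a visitor typing the bare domain still sends one unencrypted request, and with it the hostname and any cookies scoped to plain HTTP, before the redirect arrives.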
The Internet of 2014 is full of known threats. We cannot continue exposing people to unnecessary risks. ®
Bootnote: Yes, The Reg belongs on the naughty list when it comes to HTTP. The devs have been alerted.