Schneier on Security
A blog covering security and security technology.
January 8, 2007
New York Times blog post on how easy it is to eavesdrop on an open Wi-Fi session:
Turns out there was absolutely nothing to it. John sat a few feet away with his PowerBook; I fired up my Fujitsu laptop and began doing some e-mail and Web surfing.
That's all it took. He turned his laptop around to reveal all of this:
* Every copy of every e-mail message I sent *and* received.
* A list of the Web sites I visited.
* Even, incredibly, the graphics that had appeared on the Web sites I had visited.
None of this took any particular effort, hacker skill or fancy software. Anyone could do it. You could do it.
Nice to see this getting some popular attention.
Posted on January 8, 2007 at 6:20 AM
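The demonstration above, reduced to code. This is an added example written for this page, not the sniffer John used and not anything from the NYT post: it parses a handful of constructed Ethernet/IPv4/TCP frames the way a passive listener does once the 802.11 wrapper is stripped, groups them by connection, and pulls out the browsing history and the POP3 password that travel in the clear. The addresses, hostnames and credentials are placeholders, checksums are left zero because a listener never validates them, and frames are assumed to arrive in order (no sequence-number reassembly). The one TLS connection in the same capture yields only its destination, which is the point the later comments about IMAPS and SSL make.

```python
"""Passive sniffer logic over constructed Wi-Fi traffic.

Added example, not code from the NYT post or from schneier.com. All frames
are constructed inline (documentation/private address ranges, made-up
credentials) so the script runs offline.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_ip: str, sport: int, dst_ip: str, dport: int,
                payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame carrying `payload`."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def parse_frame(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """Return (src_ip, sport, dst_ip, dport, tcp_payload), or None for
    anything that is not IPv4/TCP. This is all the decoding a sniffer
    needs once the radio and LLC headers are gone."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src_ip, sport, dst_ip, dport, tcp[data_off:]


def extract_secrets(frames: List[bytes]) -> Dict[str, List[str]]:
    """Group payloads per TCP connection (in-order frames assumed) and
    report what a listener learns from each kind of traffic."""
    streams: Dict[Tuple[str, int, str, int], bytes] = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, sport, dst_ip, dport, payload = parsed
        key = (src_ip, sport, dst_ip, dport)
        streams[key] = streams.get(key, b"") + payload

    found: Dict[str, List[str]] = {"urls": [], "pop3_credentials": [],
                                   "other_destinations": []}
    for (_, _, dst_ip, dport), data in streams.items():
        lines = data.decode("latin-1").split("\r\n")
        if dport == 80:                       # plaintext HTTP: full URLs
            pending = None
            for line in lines:
                if line.startswith(("GET ", "POST ")):
                    pending = line.split(" ")[1]
                elif pending and line.lower().startswith("host:"):
                    found["urls"].append(f"http://{line[5:].strip()}{pending}")
                    pending = None
        elif dport == 110:                    # plaintext POP3: USER/PASS
            user = pw = None
            for line in lines:
                if line.upper().startswith("USER "):
                    user = line[5:]
                elif line.upper().startswith("PASS "):
                    pw = line[5:]
            if user and pw:
                found["pop3_credentials"].append(f"{user}:{pw}")
        else:                                 # e.g. TLS: only metadata leaks
            found["other_destinations"].append(f"{dst_ip}:{dport}")
    return found


# Constructed sample capture: one laptop reading webmail over HTTP, fetching
# an image, polling a POP3 server, and opening one TLS connection.
SAMPLE_FRAMES = [
    build_frame("192.168.1.20", 51000, "198.51.100.10", 80,
                b"GET /inbox?folder=INBOX HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"),
    build_frame("192.168.1.20", 51001, "198.51.100.11", 80,
                b"GET /images/logo.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame("192.168.1.20", 51002, "198.51.100.12", 110, b"USER alice\r\n"),
    build_frame("192.168.1.20", 51002, "198.51.100.12", 110, b"PASS hunter2\r\n"),
    build_frame("192.168.1.20", 51003, "198.51.100.13", 443,
                b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
]

if __name__ == "__main__":
    for kind, items in extract_secrets(SAMPLE_FRAMES).items():
        print(f"{kind}: {items}")
```

Nothing here requires an exploit: the "attack" is reading bytes the client chose to send unprotected. The image fetch shows up as a URL, which is how the graphics in the NYT story were recovered; a real tool would also reassemble the HTTP response bodies.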
I did think about setting up a VPN service for this situation, acting as a trusted third party for laptop users at public wifi hotspots. I suspect it'd be fairly lucrative, and can imagine companies like BT (in the UK) who provide commercial hotspots offering it as a premium service before long.
The sad thing is how much of a surprise this still is to many people - you only have to run a monitoring tool on your laptop during a routine commute to/from work to see how many nodes are wide open (of course some use other methods, like overlay VPN, but most typically don't) - and while many are obviously home access points, there's plenty operated by companies who are paying good money to people (internal or external support) who should know better! Unfortunately good press isn't enough, there needs to be a cost in some form before people pay attention, usually the first time they are aware they've been compromised ...
Of course, this session appears to have involved no application-level encryption. It's a scandal how many ISPs don't force the use of IMAPS instead of IMAP (or mandate TLS in SMTP). There is no reason for anyone's e-mail to be visible to third parties, even on a wireless connection.
Also, I assume no secure websites were considered as part of this test. Presumably web-based banking at legitimate bank sites would have also been obscured from eavesdropping.
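One way for a mail client to enforce what the comment above asks for, as an added example using only Python's standard library (it is not the commenter's code or any ISP's configuration). Hostnames, users and passwords are placeholders, 993 and 587 are the standard IMAPS and submission ports, and only the context helpers run offline; the two connect functions need a real server. The security-relevant parts are that the TLS context verifies the certificate chain and hostname, refuses TLS older than 1.2, and that a server without STARTTLS makes the client fail rather than fall back to sending the login in the clear.

```python
"""Mail-client settings that never send a login in the clear.

Added example, not from the original thread. Hosts, users and passwords
are placeholders; the connect functions need a live server.
"""
import imaplib
import smtplib
import ssl
from typing import Optional


def mail_tls_context() -> ssl.SSLContext:
    """Verify the server chain and hostname and refuse pre-1.2 TLS. On a
    hotspot an unverified TLS session can be terminated by whoever runs
    the access point, so CERT_NONE would defeat the purpose."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern, shown for contrast: encrypts but does not
    authenticate the server, so a man in the middle is not detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Check to run before handing a context to a mail library."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def imap_connect(host: str, user: str, password: str,
                 ctx: Optional[ssl.SSLContext] = None) -> imaplib.IMAP4_SSL:
    """IMAPS on 993: TLS is negotiated before the first IMAP command, so
    the LOGIN line never exists on the wire in plaintext."""
    ctx = ctx or mail_tls_context()
    if not context_is_safe(ctx):
        raise ValueError("refusing to log in with an unverified TLS context")
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)
    conn.login(user, password)
    return conn


def smtp_connect(host: str, user: str, password: str,
                 ctx: Optional[ssl.SSLContext] = None) -> smtplib.SMTP:
    """Submission on 587 with STARTTLS. starttls() raises
    SMTPNotSupportedError when the server does not advertise STARTTLS,
    so the client fails closed instead of sending AUTH in the clear."""
    ctx = ctx or mail_tls_context()
    if not context_is_safe(ctx):
        raise ValueError("refusing to log in with an unverified TLS context")
    smtp = smtplib.SMTP(host, 587, timeout=30)
    smtp.ehlo()
    smtp.starttls(context=ctx)
    smtp.ehlo()                   # capabilities must be re-read after TLS
    smtp.login(user, password)
    return smtp


if __name__ == "__main__":
    print("default context safe:", context_is_safe(mail_tls_context()))
    print("CERT_NONE context safe:", context_is_safe(insecure_context()))
```

The same pattern applies to a plain `imaplib.IMAP4` on port 143 followed by `.starttls(ssl_context=ctx)`: what matters is that the login command is only issued after a verified TLS session exists, and that the absence of TLS is an error, not a fallback.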
This was one of the reasons I set up my own mail server. Any inbound or outbound email goes via SSL.
I get the whole idea of "do it all in a web browser" for the road warriors. What I don't get is why any of that stuff is running on port 80 anymore.
I understood that it was all too easy to crack WiFi "security" (WEP) anyway. If having a key on your WiFi doesn't stop concerted hackers, why bother. My neighbours are hardly likely to even think about sniffing my wireless networks.
Of course, I use SSL for email, and VPN for work.
The lack of encryption on home networks might have something to do with how buggy WEP and WPA seem to be on a lot of inexpensive routers. I had WEP set up on the Linksys router at my parents' house but it screwed up so often, even when no settings were being changed, that I just turned it off rather than be called upon to fix it all the time.
The convenience of both attacking and defending has huge security implications, when you are talking about basically untargeted attacks being launched by relatively unskilled individuals.
> * Every copy of every e-mail message I sent *and* received.
Would using a service like Mail2web in the SECURE LOG-IN mode prevent this?
You can still access your outlook, but via this service.
Or how about using the updated gMail to access your pop3 email?
Being able to see handshakes at the data link layer can cause some problems even for secure protocols if there's no client-side certificate - which is almost always the case.
OTOH, I wonder if anything that was in the clear actually merited encryption - like this post, for instance, or the fact that I had to look at Bruce's mug again this morning, just like every other morning. Most people's unencrypted web traffic is less useful than the details on their business card.
In case anyone doesn't already know this- many google services (calendar, gmail, reader, etc) can be obfuscated to hackers by going to the location bar, changing "http" to "https", and then pressing enter. It's not a perfect solution, but it makes me feel safer reading my personal and business gmail in a cafe.
"I understood that it was all too easy to crack WiFi "security" (WEP) anyway. If having a key on your WiFi doesn't stop concerted hackers, why bother. My neighbours are hardly likely to even think about sniffing my wireless networks."
If you can collect enough sample data it is possible to crack WEP, but this was not the point of the article. Cracking WEP, while simple in the abstract, is more technically difficult in practice.
The fact is that *any* casual computer use is all one needs to instantly see this sort of traffic.
Whether or not you trust your neighbours is not the issue (though you don't say if your neighbours have snoopy kids, or might move without telling you). Think about what real bad guys could do with a few days of wardriving in the right neighbourhoods.
Of course no one cares if all that is happening is that your web site visits are trivial to determine. If that was _all_ that was going on, no one would care that much.
The problem is that the bad guys, with very little work, can collect huge amounts of data that is similar to the types of information they use for identity theft and other nefarious purposes. And there is no way to determine how, why or who. Think warrantless searches. Think someone coming into your house and checking the pile of mail on your hall table and listening to your phone messages.
There are a lot of people I'd trust with this sort of information. There are more people I wouldn't.
The sky isn't falling, but are you sure you have not passed one password in the clear over the last few days?
It's always the same with wireless connections.
Awareness: yes - but only after a thoroughly performed "hacking" demonstration.
Responsive actions: no way - not even after a thoroughly performed "hacking" demonstration.
There's a recent case of a police raid in Germany where the police suspected an older man of surfing porn sites illegally (without paying). It turned out that the guy never used his wifi connection but didn't turn it off. Obviously an unknown person in reach of the wifi signal was using it to surf illegally.
It's so easy to set up a reasonably safe wireless network with hardware that costs less than 60 Euros. I use a Linksys WRT54GL like this:
Comments welcome. It's set up in less than 30 minutes.
Internet providers that hand out wifi devices to their customers should be forced by law to pre-configure those devices in a safe way, preferably disable the wireless device by default and force the customer to read the documentation. If they don't, they should be held liable for any damages.
>If having a key on your WiFi doesn't
>stop concerted hackers, why bother.
A burglar can break a window.
Most people still lock their house door each morning.
Case in point, about a year ago I demonstrated the same thing to a buddy of mine. This was while studying for my MBA, we were both in a hotel conference room with hotel provided WiFi. I was bored so I started to sniff around to see what everybody else was doing.
This guy was not really doing anything but his computer was checking his email server and logging in every 5 minutes or so. Bored as I was I asked him if (gave him the password) meant anything to him.
This guy has his own businesses (many) and a lot of money yet his emails were in the clear and so was the password. He thought I was some kind of haxxor hacker (or whatever the kids do today). Not much to it. I think he changed email providers but I am not sure.
It's fine to use encryption when connecting to your SMTP or POP servers, to prevent local eavesdropping, but isn't transmission of emails between SMTP servers on each of its hops to the final mail system unencrypted? I guess you would be safe emailing people on the same domain. Couldn't someone even just use a man in the middle attack between 2 SMTP servers and modify emails being transmitted.
"Couldn't someone even just use a man in the middle attack between 2 SMTP servers and modify emails being transmitted."
Of course, but that is not the point here. OpenPGP would provide that kind of end-to-end security.
However, securing your email with PGP/GnuPG would not prevent your POP3 password from being transmitted into the air when accessing your mailbox over WiFi.
@Matt from CT: "A burglar can break a window."
IANAL, but I presume that the law, or at least your home insurance, differentiates between forced entry (breaking a lock or window) vs. just walking into an open door.
@Josh O: "isn't transmission of emails between SMTP servers [...] unencrypted?"
Yes, and that is worrisome, but it's far easier to intercept your WiFi connection than it is to gain access to general internet traffic. That's mostly an insider threat, not available to your general crook who just hopes to stumble upon your credit card number. Even tapping your phone line or splicing into your TV cable is too much effort for the overwhelming majority of wannabe crooks, also because it risks exposure.
Not only is this incredibly easy and possible, when I was at the Web 2.0 Summit in SF back in November, there were three or four ad hoc wireless networks set up by people with "Free Wifi" and "Web 2.0 Free Network" to entice people to log on. Capturing data funneled through your own laptop sucks stuff even easier and provides access more fundamental.
Curiously, I recall contacting the folks at TechTV's Screensavers to do a session on this topic since they were reaching a fairly large audience of early adopters.
Sadly, I see people DAILY at coffee shops by the dozens nakedly on the Wifi connection.
I *assume* anything I sent over the internet not using a layer 5 or higher encryption technology can be read by anyone. If someone can read it at layer 1 & 2...more power to them. If the data/payload is encrypted at a higher layer...it won't be much use to them.
Just my .02.
"This post has generated much more controversy than I expected. Yes, it's in very poor taste. No, I don't agree with the sentiment in the words. And no, I don't know anything about the provenance of the lyrics or the sentiment of the person who wrote or sang them.
I probably should have said that, instead of just posting the link.
I apologize to anyone I offended by including this link. And I am going to close comments on this thread."
Why are you still linking to it?
"Why are you still linking to it?"
Because I think it is wrong to go back in time and change history.
Although I will delete racist jokes, and eventually ban people who insist on posting them.
Fine. But that whole link is racist. By the way, I'm not the real supersnail. I just didn't like his post.
So, don't get mad at him when he comes back.
>The sky isn't falling, but are you sure you
>have not passed one password in the clear
>over the last few days?
Whichever way you look at it, whether you use WEP or not, your wireless network is insecure. Nefarious types who want to get in can.
I don't see why I should prevent my neighbours from having a free web surf when I'm not stopping people who could actually do something bad with my data.
>A burgular can break a window.
>Most people still lock their house door
My insurance company wouldn't pay me if I hadn't locked my door.
If I wanted to be controversial, I'd point out that your bank's insurance already covers you for identity theft, whether you use SSL, WEP, or shout your PIN number down the street :-).
Meanwhile I can walk around any major city in North America and get free wireless almost anywhere from random strangers. I walk around in Britain and all the access points have WEP enabled because that's how they arrive. Which situation do you think makes life more pleasant?
If you depend on WEP then anyone you hand the WEP key to or who cracks your WEP key can *still* read all your emails and view all your porn. It's a false sense of security, much like the security theatre in airports it leads to weaker security *and* sacrifices quality of life -- the worst of both worlds.
I am always fascinated reading your blog. Keep up the great work.
@gerg: "Hello? Is anyone listening? How often do we have to go through this?"
Are all access points set to the same default password, or do they arrive with a randomized password?
A default password wouldn't be much better than having no encryption in the first place, really. It might just give some folks a false sense of security: "but it said that encryption was enabled!"
Use Tor on untrusted networks. Film at 11.
Well, of course you can do all that without fancy software; what you need the fancy software for is replacing every web image that is browsed with the image from goatse.cx (well, not that fancy since, IIRC, that's also been done).
This exploit is one of the reasons that I use Gmail w/a POP client since they do use SSL for downloading and uploading e-mail. Going to Gmail directly it's all over plain ol' HTTP, no HTTPS. Of course, plenty of other issues w/using Google for POP e-mail ;)
None of this particularly bothers me; pretty much all my roadwarrior computing is ssh+screen.
Wifi networks NEVER should be used for servers...
You would be amazed at how often this happens.
Anyone can drive up with a microwave oven and DoS the whole network.
WEP/WPA1/WPA2/VPN/SSH/SSL, it does not matter.
@ Matt from CT
"Most people still lock their house door each morning."
Whoa. Big change from the other day, eh? Suddenly you're an advocate for people using and respecting a common definition of boundaries? I thought you would call anyone with a locked door too "Politically Correct".
Agreed. The funny thing about people coming to your door is that if you open it, you have effectively invited them into your house. Although, there seem to be a number of definitions of "invitation" (http://caselaw.lp.findlaw.com/data/constitution/amendment04/04.html).
Anyway, while you can passively observe packets bouncing off your antenna(e), I don't see how you can passively enter someone's house, so the analogy is virtually backwards.
@kiwano - "none of this particularly bothers me; pretty much all my roadwarrior computing is ssh+screen"
"The funny thing about people coming to your door is that if you open it, you have effectively invited them into your house."
Other opinions exist. I accept that stopping a determined, experienced police officer from going after you could be tricky but it's best to know the rules before the game starts. If any reader is a regular pot smoker then you really should have a look at this.
Warning: this link goes to a 110MB FLV video file. You need broadband and you need to put aside some time to download it and think about.
While people say "cracking WEP is easy, blah blah blah" and go off on how insecure it is.. I just feel the need to point out that WEP is, like anything else for home use, a deterrent against the casual attacker or eavesdropper.
I've yet to see a single case of WEP being cracked out of a desire to see or attack a system behind the encrypted network.
"Whoa. Big change from the other day, eh? Suddenly you're an advocate for people using and respecting a common definition of boundaries? I thought you would call anyone with a locked door too "Politically Correct"."
"If any reader is a regular pot smoker..."
Er, interesting point, but I was thinking more along the lines of a reader who might be into the "political correctness" of the Bill of Rights and those who fought against the British Writ of Assistance in the 1760s. I mean remember how those liberty-minded American settlers decided to promote the right to be secure against unreasonable search and seizure?
Wi-Fi would be great for television.
It would be like the old days, when TV was free.
"If any reader is a regular pot smoker..."
I threw in that comment specifically because the ACLU chose to use it as an example in two out of three of their scenario discussions. Personally, I am not into any kind of drugs and agree with your sentiments. I'd hazard a guess that a substantial proportion of the readers of this blog aren't either (no feedback please). I suggest that even if you are a model citizen who has never said 'hello' to the police before, the video is worth a look.
I had a stroke of genius about WEP the other day.
Since it's so easy to crack automatically, why bother? Well, because you don't want your neighbor reading your mail.
If you're trying to protect against a well-funded dedicated cracker, you're pretty much screwed, anyway.
It was at this point that I realized that the 40 hex characters that I can't seem to remember are just as arbitrary as any other 40 hex characters that I *can* remember.
For instance, A1(20 times) is just as effective against nosy neighbors as that bizarre string of numbers that the WAP spits out when I click the 'generate' button. Except, this way, the next time my brother-in-law shows up at my house, I don't have to read a terrible string before he can use the network. I can simply tell him my two character key for him to type 20 times.
Or, is that seriously flawed logic?
Is there a Windows equivalent for this Eavesdrop program he used? I've seen Wireshark but could not make much sense of it and certainly never saw any pictures. Please let me know what I need to look out for on the Windows side of things.