- Feb 4, 2016
- 2,520
FBI Warns of Risks Behind Using Free WiFi While Traveling
- Thread starter LASER_oneXM
- Start date
- Nov 3, 2019
- 413
Using WiFi while traveling is like playing Russian roulette you wont know when you'll catch a cyber bullet
On the bright side, these days most of the times everything you do is HTTPS encrypted and there's a lot less risk using an untrusted internet connection. Heck it would be a good practice to just assume every network is run by evil operators and make sure that your setups stand up to that.
With that said, the single worst thing you can do these days is attempt to go to an HTTPS site to pull up a captive portal, then click through the certificate warnings (on iOS the only option to click through a cert warning is to trust that CA). This often results in trusting the hotspot operator's CA which opens you up to more HTTPS interception and snooping. Note that Cisco and others have what they call "dynamic HTTPS interception" which gently tries to intercept and self-sign background HTTPS traffic from your devices, knowing that it either silently fails or succeeds. They use that to detect if you trust their CA, and that way they never generate browser warnings while attempting to intercept your traffic.
If your OS's hotspot detection isn't working, a handy tip is to visit NeverSSL - Connecting ... -- this URL is never HTTPS. Unfortunately there used to be popular sites (Yahoo, ESPN, Disney) that were non-SSL but those days are gone.
With that said, the single worst thing you can do these days is attempt to go to an HTTPS site to pull up a captive portal, then click through the certificate warnings (on iOS the only option to click through a cert warning is to trust that CA). This often results in trusting the hotspot operator's CA which opens you up to more HTTPS interception and snooping. Note that Cisco and others have what they call "dynamic HTTPS interception" which gently tries to intercept and self-sign background HTTPS traffic from your devices, knowing that it either silently fails or succeeds. They use that to detect if you trust their CA, and that way they never generate browser warnings while attempting to intercept your traffic.
If your OS's hotspot detection isn't working, a handy tip is to visit NeverSSL - Connecting ... -- this URL is never HTTPS. Unfortunately there used to be popular sites (Yahoo, ESPN, Disney) that were non-SSL but those days are gone.
yeah WiFi's that ask you to install certificates are worrisome, though I've only seen this in enterprise environment.
There's also risk of DMA attacks when you connect to WiFi.
A little lifehack is to disable WiFi, get a TPLink nano router, connect to the nano via ethernet cable and let the nano device connect to WiFi. While this is still not 100% bulletproof, it stops most automated threat vectors.
- Jul 3, 2015
- 8,153
Forgive my ignorance but I don't understand the risk to a properly protected computer. Any signals leaving your computer will be encrypted, so bad actors need to get onto your system and intercept data before it is encrypted. If your computer has good security, and you don't do anything really stupid, I don't understand the risk.
Not everything that leaves your computer is encrypted. Yes most things are, but you'd be shocked at how frequently third party apps either aren't encrypted or instantiate their background fetching services with HTTPS but with bypassing of cert checks enabled. There was a torrenting app a while back that fetched software updates over this kind of fake HTTPS and it was actually used to deliver some of the very first ransomware for macOS. Similar mistakes can happen on any other platform.
There's other user-error factors too. One example is what I mentioned before. If your captive portal detection fails and triggers on the first HTTPS site you visit, a lot of users will begrudgingly click through the certificate warnings to get themselves online. On many OS'es that results in permanently trusting that cert.
You can also put your privacy at risk -- often times IPv6 addresses contain your MAC address and other non-randomized information about you. Heck just joining a network turns off almost every OS's anonymizing MAC address features, which allows location analytics software running on the wifi to monitor your movements and behavior. Target, for example, deploys two APs next to each other (look up at the ceiling next time at Target). One serves you free wifi, and the other is purely dedicated as a location sniffing radio to monitor where shoppers spend the most time.
With that said, I use free wifi all the time. I understand most of these risks and think I practice good enough computing habits that I don't feel affected by these risks, or I understand them and simply don't care. Heck one time I saved on laundry detergent at Target by following some instructions to open the app and stand by the detergent aisle for 5 minutes without moving anything on the shelves. Sure enough I got a coupon emailed to me. Creepy but I don't really care about my store tracking me if I get something in exchange
Some network operators turn on the "bypass captive portal auth" option. This prevents iOS and Android devices from opening up the sign-in sheet and instead the first website you try to visit just redirects you to their portal, which results in a certificate error. IMO this is an intentional ploy to get you to install their certificates.
Indeed enterprise networks do this all the time. The profile you download to enroll onto the network frequently carries a pack of root CAs with it. Not even sure many people realize that.
- Jul 3, 2015
- 8,153
Thanks for educating meNot everything that leaves your computer is encrypted. Yes most things are, but you'd be shocked at how frequently third party apps either aren't encrypted or instantiate their background fetching services with HTTPS but with bypassing of cert checks enabled. There was a torrenting app a while back that fetched software updates over this kind of fake HTTPS and it was actually used to deliver some of the very first ransomware for macOS. Similar mistakes can happen on any other platform.
There's other user-error factors too. One example is what I mentioned before. If your captive portal detection fails and triggers on the first HTTPS site you visit, a lot of users will begrudgingly click through the certificate warnings to get themselves online. On many OS'es that results in permanently trusting that cert.
You can also put your privacy at risk -- often times IPv6 addresses contain your MAC address and other non-randomized information about you. Heck just joining a network turns off almost every OS's anonymizing MAC address features, which allows location analytics software running on the wifi to monitor your movements and behavior. Target, for example, deploys two APs next to each other (look up at the ceiling next time at Target). One serves you free wifi, and the other is purely dedicated as a location sniffing radio to monitor where shoppers spend the most time.
With that said, I use free wifi all the time. I understand most of these risks and think I practice good enough computing habits that I don't feel affected by these risks, or I understand them and simply don't care. Heck one time I saved on laundry detergent at Target by following some instructions to open the app and stand by the detergent aisle for 5 minutes without moving anything on the shelves. Sure enough I got a coupon emailed to me. Creepy but I don't really care about my store tracking me if I get something in exchange
No worries. I might've spent a little too much time and money on setting up an enterprise-class network at home using Cisco hardware, and my first reaction was basically my jaw dropping to the floor. And Cisco doesn't even specialize in this kind of stuff -- there are a few vendors that specifically target K-12 schools and complying with web filtering requirements and that kind of software is even sneakier and more capable of invading privacy/security. I bet what you asked is what 99% of educated tech geeks think. Almost everything looks like it's HTTPS today, it almost feels like this should be a solved problem but alas it's not quite there yet.Thanks for educating me
It is and it's very invasive, unless nudged for the sake of good working relations, nobody should install certificates. Even then, I tend to ask for clarification if ,given that a certificate is installed, it used for interception - in most cases the answer has been no.
Not expected in an enterprise environment but for e.g. hotels DMA attacks are also a possibility, better to switch off WiFi entirely when not in a trusted home network.
- Jul 3, 2015
- 8,153
For light browsing, you can always use your smartphone's cellular connection as a hot spot.
The trouble with that is if you travel abroad, usually even those cell packages marketed as "unlimited in all continents" really mean up to ~20GB abroad.
- Jul 3, 2015
- 8,153
Similar threads
