LASER_oneXM

Level 35
Verified
The U.S. Federal Bureau of Investigation recommends travelers to avoid connecting their phone, tablet, or computer to free wireless hotspots while traveling during the holiday season.
"This is an open invitation for bad actors to access your device," the FBI Portland field office said in its weekly Tech Tuesday press release.
"They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera."

Oversharing and location services are verboten

If there is no other choice and you must use a hotel's or airport's public WiFi network, you should make sure that you go through the provider's connection steps to steer clear of any hotspots set up by malicious actors.

When you must use an unsecured free hotspot, you should keep in mind that connecting to any of your accounts could allow hackers to snoop around on the same network to steal your user credentials or your banking info.
... ...
 

MacDefender

Level 5
Verified
On the bright side, these days most of the times everything you do is HTTPS encrypted and there's a lot less risk using an untrusted internet connection. Heck it would be a good practice to just assume every network is run by evil operators and make sure that your setups stand up to that.

With that said, the single worst thing you can do these days is attempt to go to an HTTPS site to pull up a captive portal, then click through the certificate warnings (on iOS the only option to click through a cert warning is to trust that CA). This often results in trusting the hotspot operator's CA which opens you up to more HTTPS interception and snooping. Note that Cisco and others have what they call "dynamic HTTPS interception" which gently tries to intercept and self-sign background HTTPS traffic from your devices, knowing that it either silently fails or succeeds. They use that to detect if you trust their CA, and that way they never generate browser warnings while attempting to intercept your traffic.

If your OS's hotspot detection isn't working, a handy tip is to visit NeverSSL - Connecting ... -- this URL is never HTTPS. Unfortunately there used to be popular sites (Yahoo, ESPN, Disney) that were non-SSL but those days are gone.
 

notabot

Level 15
On the bright side, these days most of the times everything you do is HTTPS encrypted and there's a lot less risk using an untrusted internet connection. Heck it would be a good practice to just assume every network is run by evil operators and make sure that your setups stand up to that.

With that said, the single worst thing you can do these days is attempt to go to an HTTPS site to pull up a captive portal, then click through the certificate warnings (on iOS the only option to click through a cert warning is to trust that CA). This often results in trusting the hotspot operator's CA which opens you up to more HTTPS interception and snooping. Note that Cisco and others have what they call "dynamic HTTPS interception" which gently tries to intercept and self-sign background HTTPS traffic from your devices, knowing that it either silently fails or succeeds. They use that to detect if you trust their CA, and that way they never generate browser warnings while attempting to intercept your traffic.

If your OS's hotspot detection isn't working, a handy tip is to visit NeverSSL - Connecting ... -- this URL is never HTTPS. Unfortunately there used to be popular sites (Yahoo, ESPN, Disney) that were non-SSL but those days are gone.
yeah WiFi's that ask you to install certificates are worrisome, though I've only seen this in enterprise environment.
There's also risk of DMA attacks when you connect to WiFi.

A little lifehack is to disable WiFi, get a TPLink nano router, connect to the nano via ethernet cable and let the nano device connect to WiFi. While this is still not 100% bulletproof, it stops most automated threat vectors.
 

shmu26

Level 84
Verified
Trusted
Content Creator
Forgive my ignorance but I don't understand the risk to a properly protected computer. Any signals leaving your computer will be encrypted, so bad actors need to get onto your system and intercept data before it is encrypted. If your computer has good security, and you don't do anything really stupid, I don't understand the risk.
 

MacDefender

Level 5
Verified
Forgive my ignorance but I don't understand the risk to a properly protected computer. Any signals leaving your computer will be encrypted, so bad actors need to get onto your system and intercept data before it is encrypted. If your computer has good security, and you don't do anything really stupid, I don't understand the risk.
Not everything that leaves your computer is encrypted. Yes most things are, but you'd be shocked at how frequently third party apps either aren't encrypted or instantiate their background fetching services with HTTPS but with bypassing of cert checks enabled. There was a torrenting app a while back that fetched software updates over this kind of fake HTTPS and it was actually used to deliver some of the very first ransomware for macOS. Similar mistakes can happen on any other platform.

There's other user-error factors too. One example is what I mentioned before. If your captive portal detection fails and triggers on the first HTTPS site you visit, a lot of users will begrudgingly click through the certificate warnings to get themselves online. On many OS'es that results in permanently trusting that cert.

You can also put your privacy at risk -- often times IPv6 addresses contain your MAC address and other non-randomized information about you. Heck just joining a network turns off almost every OS's anonymizing MAC address features, which allows location analytics software running on the wifi to monitor your movements and behavior. Target, for example, deploys two APs next to each other (look up at the ceiling next time at Target). One serves you free wifi, and the other is purely dedicated as a location sniffing radio to monitor where shoppers spend the most time.

With that said, I use free wifi all the time. I understand most of these risks and think I practice good enough computing habits that I don't feel affected by these risks, or I understand them and simply don't care. Heck one time I saved on laundry detergent at Target by following some instructions to open the app and stand by the detergent aisle for 5 minutes without moving anything on the shelves. Sure enough I got a coupon emailed to me. Creepy but I don't really care about my store tracking me if I get something in exchange :)
 

MacDefender

Level 5
Verified
yeah WiFi's that ask you to install certificates are worrisome, though I've only seen this in enterprise environment.
There's also risk of DMA attacks when you connect to WiFi.
Some network operators turn on the "bypass captive portal auth" option. This prevents iOS and Android devices from opening up the sign-in sheet and instead the first website you try to visit just redirects you to their portal, which results in a certificate error. IMO this is an intentional ploy to get you to install their certificates.

Indeed enterprise networks do this all the time. The profile you download to enroll onto the network frequently carries a pack of root CAs with it. Not even sure many people realize that.
 

shmu26

Level 84
Verified
Trusted
Content Creator
Not everything that leaves your computer is encrypted. Yes most things are, but you'd be shocked at how frequently third party apps either aren't encrypted or instantiate their background fetching services with HTTPS but with bypassing of cert checks enabled. There was a torrenting app a while back that fetched software updates over this kind of fake HTTPS and it was actually used to deliver some of the very first ransomware for macOS. Similar mistakes can happen on any other platform.

There's other user-error factors too. One example is what I mentioned before. If your captive portal detection fails and triggers on the first HTTPS site you visit, a lot of users will begrudgingly click through the certificate warnings to get themselves online. On many OS'es that results in permanently trusting that cert.

You can also put your privacy at risk -- often times IPv6 addresses contain your MAC address and other non-randomized information about you. Heck just joining a network turns off almost every OS's anonymizing MAC address features, which allows location analytics software running on the wifi to monitor your movements and behavior. Target, for example, deploys two APs next to each other (look up at the ceiling next time at Target). One serves you free wifi, and the other is purely dedicated as a location sniffing radio to monitor where shoppers spend the most time.

With that said, I use free wifi all the time. I understand most of these risks and think I practice good enough computing habits that I don't feel affected by these risks, or I understand them and simply don't care. Heck one time I saved on laundry detergent at Target by following some instructions to open the app and stand by the detergent aisle for 5 minutes without moving anything on the shelves. Sure enough I got a coupon emailed to me. Creepy but I don't really care about my store tracking me if I get something in exchange :)
Thanks for educating me :)
 

MacDefender

Level 5
Verified
Thanks for educating me :)
No worries. I might've spent a little too much time and money on setting up an enterprise-class network at home using Cisco hardware, and my first reaction was basically my jaw dropping to the floor. And Cisco doesn't even specialize in this kind of stuff -- there are a few vendors that specifically target K-12 schools and complying with web filtering requirements and that kind of software is even sneakier and more capable of invading privacy/security. I bet what you asked is what 99% of educated tech geeks think. Almost everything looks like it's HTTPS today, it almost feels like this should be a solved problem but alas it's not quite there yet.
 

notabot

Level 15
Some network operators turn on the "bypass captive portal auth" option. This prevents iOS and Android devices from opening up the sign-in sheet and instead the first website you try to visit just redirects you to their portal, which results in a certificate error. IMO this is an intentional ploy to get you to install their certificates.

Indeed enterprise networks do this all the time. The profile you download to enroll onto the network frequently carries a pack of root CAs with it. Not even sure many people realize that.
It is and it's very invasive, unless nudged for the sake of good working relations, nobody should install certificates. Even then, I tend to ask for clarification if ,given that a certificate is installed, it used for interception - in most cases the answer has been no.

Not expected in an enterprise environment but for e.g. hotels DMA attacks are also a possibility, better to switch off WiFi entirely when not in a trusted home network.