78

For a few days, my mobile device has been able to catch Wi-Fi signals that are within its radius. It's not asking for a password to use the service. So, I'm using the Wi-Fi service whenever I need to.

Is there any chance to hack my email and other accounts which I'm opening using this service? Are there any other security issues with this type of access?

Mahesh.D
  • 871
  • 1
  • 7
  • 8
  • There is always a threat if you login to untrusted WiFi connection even with WPA. The question is different: How someone is determined to get your data. In case of open network the attacker needs less resources. – Lukasz Madon Apr 24 '13 at 14:50
  • 2
    I don't understand your context. Is your mobile memorizing your password and doing the login automatically or about wifi's that do *not* have a password at all? ["Off Topic",funny, side note: in some countries open networks are illegal: i.e. Italy.] – Bakuriu Apr 24 '13 at 14:56
  • I'd suggest you to use [HTTPS Everywhere](https://www.eff.org/https-everywhere) plugin. While it is [_not_ a complete protection](https://www.eff.org/https-everywhere/faq#threats), it makes your browser use HTTPS for many major websites (including Google search). – Petr Apr 26 '13 at 06:53
  • Yes, very high risk. If you have connected to any services not using https, vpn or ssh (i.e. encrypted), your credentials (passwords) have been sent plain text any any user on that wifi could see them. Update your passwords. – Tim X Apr 27 '13 at 00:52

7 Answers7

83

Unprotected Wifi networks, particularly in public places, are most certainly a threat. This is because you are connecting to a network without knowing who else could be on the network.

'Free Wifi' provided by cafes, restaurants, etc serve as excellent places for harvesting passwords.

The attacker will perform a Man in the Middle attack, typically by employing ARP Cache Poisoning. At that point, the attacker can read all plaintext passwords, including unsecured email (Email that does not use TLS), unencrypted ftp, websites without SSL, etc. Not to mention they can see all your google searches, all domains that you visit (encrypted or not) and so forth.

And they got to this point without putting in any real effort, ARP Cache Poisoning and Packet Sniffing are easy. A more advanced attacker might set up an active proxy on his machine to perform attacks such as SSL Stripping, which would give him access to all sites you visit, including HTTPS. This means he now has your PayPal, Facebook and Twitter passwords.

Moving on, an attacker might target your machine directly, if you have not updated your software in a while, is it likely that he can spawn a shell with Metasploit and download all your files for later analysis. This includes any saved browser passwords, authentication cookies, bank statements etc.


TL;DR: When connecting to a network, you are exposing your device and all your traffic to all other users of that network. In an open WiFi this includes the girl sat across the street in the back of a van with a Kali laptop and a GPU array. Update your software and don't log into anything sensitive without using a VPN.

lynks
  • 10,646
  • 5
  • 29
  • 54
  • 10
    Didn't Google switch to https by default now? Furthermore, I visit my https links directly from bookmarks, or from google searches (which is also https). And when visiting important https links from unsecured wifi, I have the habit of checking what the status text of the browser says. I.e. when I log using unsecured wifi, I still take precautions, even without using VPN. Unsecured wifi works only when you are ignorant about security anyway. – sashoalm Apr 24 '13 at 12:23
  • 15
    _"they can see all **pages** that you visit (encrypted or not) and so forth."_ Don't you mean domain names? – Adi Apr 24 '13 at 17:14
  • 1
    Another addition: if the router is unsecured, it's entirely possible that the router is also using default passwords for the admin. Depending on the router model, this could allow the hacker to pursue his activities while connected via VPN. – nicbou Apr 24 '13 at 19:57
  • 4
    Could someone explain how a VPN would help if someone was doing SSL stripping? What would happen, and how would you detect if someone was doing it? – user3490 Apr 24 '13 at 21:44
  • 2
    @user3490 SSL stripping doesn't break SSL itself, it just modifies traffic sent over HTTP to only point to other HTTP pages, even when the original site had a link to an HTTPS page. Think about going to `amazon.com` (HTTP) and then clicking the 'sign in' button and how you're sent to an HTTPS page... SSL Stripping would change the original page's link to use an HTTP (not S!) version of the login page. – Kitsune Apr 25 '13 at 00:45
  • 2
    @user3490, SSL stripping works by taking advantage of the first unencrypted connection. If you use VPN, everything is encrypted, so there is no first unencrypted connection for the attacker to take advantage of. – Pacerier May 25 '15 at 07:23
  • Good answer so far. I'd like to upvote when you add the fact that such a WiFi account might pass off as another account (replace it) increasing the trust somebody spends, plase. :) – try-catch-finally Sep 19 '15 at 16:58
17

Well you are sending everything over untrusted channel. All communication protocols you use on the internet which do not provide an SSL interface (or similar) which also checks for validity (attackers love to perform MITM on free wireless hot spots) can therefore be sniffed and captured. So the minimum what they would be able to see is what websites you are visiting at which periods in time.

If you are using an unencrypted protocol like plain HTTP, POP3 or IMAP, then yes they will be able to obtain your credentials. While this issue isn't restricted to open WiFi access and can be done on any network, it becomes a lot easier for other people to monitor the wireless network.

So yea it might not be the best idea if you aren't sure everything sent over the network is encrypted and that there is a strict authentication between you as a client and the endpoint when setting up the encryption tunnel.

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
10

Just to state it simply, a common way to hack people is to go to a public place (airport) with a wifi hotspot leave it open or simply impersonate a valid one and wait for people to connect. They can simply listen for any unencrypted data. This basically means you need to be super careful when using a public hotspot...SO careful that it is nearly impossible for the layman, if someone has malicious intent.

The best way is to setup a VPN and once you connect to the public network connect to your VPN, this is of course more complicated then most laymen want to do.

Chris Stephens
  • 211
  • 1
  • 5
8

In addition to what other have said, I think it's worth making clear that if you connect to a WiFi with security other than WPA/WPA2-Enterprise, you are vulnerable to sniffing, because all users share the same key (or no key at all if it is unsecured).

That goes against a common misconception that I found many users to have, who believed that using WPA/WPA2 PSK prevented sniffing because it uses a different link key for each user. The problem here is that it's trivial to recover that link key from the handshake, and from then on you can sniff without any problem.

So if you connect to any WiFi with non Enterprise security to which untrusted users may connect (say a cafe, restaurant, etc.), then use a secure VPN.

serans
  • 191
  • 1
  • 4
8

Yes, it is a threat. Not just with open networks, any network owned by someone you don't trust (like mall networks which are secured but provide a password) There are many things they can do:

Read all your unencrypted traffic

Anything you send over an http connection can be read by them. Passwords, usernames, credit card numbers, the works. All of these are sent in plaintext and can be easily logged.

Many apps run on unencrypted connections as well. There's a lot of important information that can be snooped from those.

Phish all your encrypted traffic

Usually it's hard to spoof HTTPS because you need a valid certificate for that to work. However, many times you type in an HTTP URL in the address bar and it redirects you to the HTTPS equivalent. For example, when you type http://mail.google.com in the address bar, you get the following (it's a redirect):

<html>
  <head>
    <meta http-equiv="Refresh" content="0;URL=http://mail.google.com/mail/"/>
  </head>
  <body>
    <script type="text/javascript" language="javascript">
     <!--
       location.replace("http://mail.google.com/mail/")
     -->
    </script>
 </body>

What if this wasn't there? While apps which directly access GMail will still work (they know about https), anything you type in the address bar that is not explicitly https can be phished. They can redirect you to a fake GMail, where you will log in and they will steal your credentials. While two-factor authentication helps, it does not prevent them from stealing your cookies, which will give them access to your account until you log out.

The reverse is also possible. They can use a 301 Moved Permanently redirect to serve you HTTP when you ask for HTTPS, and they'll give you something which says http://mail.google.com in the URL but really points to a completely different server. Both mobile and desktop browsers seem to allow 301 redirects without a fuss.Desktop browsers make a fuss when there's an unauthorized HTTPS redirect, but mobile browsers don't.

On modern desktop browsers, it is easy to identify when this is happening, for example, Chrome shows this:

enter image description here

when on an https connection. If you are alert, you'll notice if the HTTPS is replaced with HTTP on a desktop browser(since the icon is no longer green), but most mobile browsers don't seem to have any way of indicating a secure connection.

This problem can be solved (on the site side) by using HSTS, and on your side by using bookmarks and keeping browser history.

Unauthorized access to device

Depending on your sharing settings (and what you set the network as -- always, always use "Public" for networks you don't trust), it may be possible to access your Windows filesystem. Unless you have ssh or telnet set up (and if you do, I assume you know how to keep it secure), Linux is generally safe from this. Most phones are as well.

Manishearth
  • 8,257
  • 5
  • 35
  • 56
  • HSTS and site pinning solves a bit of the phishing issue. – SLaks Apr 24 '13 at 21:22
  • 1
    @SLaks: How would HSTS solve the issue? That's a server side thing, in this situation the real server never comes into the picture. – Manishearth Apr 24 '13 at 21:33
  • If you've been to that site on a trusted connection earlier, HSTS will help. – SLaks Apr 24 '13 at 21:41
  • @SLaks: Ah, I see :) – Manishearth Apr 24 '13 at 21:42
  • 1
    "The reverse is also possible. They can use a 301 Moved Permanently redirect to serve you HTTP when you ask for HTTPS" I'm pretty sure that's wrong. If you request a page using HTTPS, the 301 redirect would have to be served over that HTTPS connection, so an attacker can't use that method to redirect you. (Though the site owner could.) – Ajedi32 Jul 07 '15 at 17:48
  • HSTS has a "STS preloaded list" which lives on the browser instructing it to only use SSL for any domains on the list. This prevents the initial HTTP 301. Unfortunately adoption has been *very* slow. – user2320464 Sep 19 '15 at 16:39
  • "Most mobile browsers don't seem to have any way of indicating a secure connection," I don't think this is still true, 3 years in the future. At least, Chrome and Firefox on Android both show a lock icon, which you can tap for certificate info similar to a desktop browser. – Ben Jun 13 '16 at 13:48
0

Along with everything that's been mentioned, you're also vulnerable to attacks such as NIGHTSTAND:

An active 802.11 wireless exploitation and injection tool for payload /exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible.

Being on a wireless network removes the ability to secure physical access. In this context, anyone within range can intercept communications and send traffic to your device. That traffic could target a vulnerability in how your OS handles certain protocols or even how the driver for your wireless card handles protocols. For this reason many security professionals will completely forego WiFi and instead use the internet connection from their tethered cell phone which goes over GSM/CDMA.

As pointed out by @schroeder, this vulnerability exists in all WiFi implementations not just open WiFi. However secured WiFi will encapsulate traffic in a secure protocol such as SSL. This greatly minimizes the attack surface from the perspective of NIGHTSTAND as there are fewer protocols to target. With an open WiFi system the connections are usually not encapsulated. The attacker then has visibility to see traffic sent to all destinations. For example, misconfigured SSL, clear text protocols, and interesting alternative protocols. This level of access into the network communications provides a much larger attack surface since any one of those protocols can now be targeted. It also greatly aides the attacker when trying to fingerprint the host.

user2320464
  • 1,832
  • 1
  • 16
  • 18
-3

Anyone with a wireless card under the signal's radius can join your wireless network. There are many tools that they can use to sniff and even manipulate traffic in your network. Usinf tools like Ettercap, anyone can launch Man In The Middle (MITM) attack where all traffic goes through hacker's laptop/computer before it reaches your devices.

They can use keyloggers to log any keystroke on your keyboard. And they can use softwares like wireshark to see everything thats going on in your network.

In worst case scenario, a hacker can use your computer to launch attack on other computers and even on a government systems. Since all traffic is coming from your network, you will be on chopping block when FBI knocks on your door.

Did you known their is a fine for people who have open unsecured home network :)

Couple suggestions:

  • Use WPA2 encryption with very strong and long password
  • Limit your wireless signal to your room or atleast inside the house so no one can drive up to your parking lot and get the wireless signals.
Damon
  • 1
  • 2
    You should clarify your answer in regards to the "fine" you note. This may only be in some countries (i.e., India). In addition, the OP notes he is connecting to a insecure network, not setting one up. – Eric G Apr 24 '13 at 17:33
  • I know. He is still susceptible to same attacks when joining a unsecure network. I I added suggestion just in case if someone reading this post wants to know how to properly secure them. – Damon Apr 24 '13 at 18:25
  • A keylogger isn't a vulnerability to open wireless systems. Its a utility leveraged on a system after access has been obtained. – user2320464 Sep 19 '15 at 16:44