ELIMINATING THE MAN-IN-THE-MIDDLE
Well, per the security research group Pentura Labs the answer is straightforward: You can’t!
“The best possible advice is – if you do not trust the WiFi AP, turn off WiFi and use your 3G/4G connection on your mobile or 3G/4G modem!”
And Tex agrees! Until next time, see you all on the Forum!
In this article I want to arm my fellow TTP’ers with the real reasons why using public Wi-Fi is so dangerous, and, as with all of these reports, dispel a lot of the common myths and misinformation you may have heard.
How many of you have seen this or a similar message when at a Starbucks or after logging into your hotel Wi-Fi?
To understand this, we need a primer on the main method by which communications are encrypted and “protected” on the Internet. You may have heard of something called “SSL”, or been told to look for the padlock in your browser to know if you’re “secure”.
In the end, it’s all about trusting (and validating) that when the website or service you are connecting to presents its proof that it is indeed the system you intended to use, this “proof” hasn’t been tampered with. This evidence comes in the form of a security “certificate” that is sent to your device.
A real-world analogy is when you need a document notarized by a Notary Public. Let’s say this document is a list of basic information about who you are, such as your name, address, phone number, etc., but before you present this document to others you need to provide a third-party’s attestation that the information is accurate.
In this scenario, you present your government-issued ID and whatever other papers are needed to prove you are you. The Notary Public then stamps the document with a tool only a legitimate notary should have in their possession. They then also sign it for further assurance, so that anyone who might want to challenge the authenticity of the document has a point of contact.
In the computer world, this system is known as a Public Key Infrastructure (or PKI). The “notary” in this case is called an Issuing Certificate Authority (or Issuing CA), and the government agency that granted the person Notary Public status is called a Root Certificate Authority (or Root CA).
As in the physical world, there are a finite number of legitimate and universally trusted agencies (i.e. Root CAs) that can designate someone as a notary (i.e. an Issuing CA). If someone tried to present themselves in a back alley as a notary, and their “proof” they were legitimate was a document they forged and issued to themselves or one a friend printed pretending to be the government of a non-existent county:
Would you trust them? Or anything they signed?
“Ok, Tex, but what does all that have to do with using Wi-Fi at my local Starbucks? We all enjoy a good latte, don’t we?”
Yes, we do all enjoy a good latte. Perhaps not at a libtard institution like Starbucks, but that’s the subject for another article. The bigger issue is that $5 coffee may cost you a whole lot more, because if you click “OK” on those warning messages trusting that back-alley notary is exactly what you’re doing.
Using various techniques and tools (discussed in a bit), an attacker has intercepted the communications between your device and your bank, email server, etc. and terminated the protection (encryption) on a system they control instead of the system you thought you are talking to. This family of attacks is known as:
So, if you looked behind the scenes by clicking on the “View Certificate” button as shown in the earlier screenshot, you’d see something like this:
In the example on the left, it’s the equivalent of the back-alley notary “self-signing” his own document and presenting it as his proof. The hacker is impersonating the destination with his own system.
In the other example, a trusted authority (VeriSign – there are many others) acting like the “government agency” certified that the www.verisign.com CA (aka the “notary”) was legitimate. This “notary” (the Issuing CA) signed off and issued a certificate for in this case an Oracle system. In this process, IT personnel at Oracle had to prove their identities to VeriSign.
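The chain walk described above (leaf certificate, Issuing CA, Root CA in the device's trust store, plus the check that the name on the certificate matches the site you typed) is what the browser does before it shows the padlock. The following Go program is an added example written for this article, not code from the original page or from any vendor; it uses only Go's standard library to build a small PKI in memory and then verifies four certificates the way a browser would. The hostnames (`www.example-bank.test`, `login.example-bank.test`) and CA names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template describes the certificate we want: a CA (the "notary" or the
// "government agency") or a leaf for one hostname (the bank's web server).
func template(name string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign other certificates
	} else {
		t.DNSNames = []string{name} // the name the browser compares with the URL
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert generates a fresh key and has parent sign the certificate. A nil
// parent means self-signed: the subject vouches for itself, exactly like the
// back-alley notary. Failures here are programming errors, so we panic.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyLeaf does what the browser does behind the padlock: build a chain from
// the presented certificate, through any presented intermediates, to a root in
// the local trust store, and check that the certificate names the host we asked for.
func verifyLeaf(leaf *x509.Certificate, intermediates, trustStore []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// classify maps the verifier's error onto the kind of warning a user would see.
func classify(err error) string {
	var unknown x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown authority"
	case errors.As(err, &badHost):
		return "hostname mismatch"
	default:
		return "error: " + err.Error()
	}
}

// RunScenarios builds one legitimate PKI and two impostors, then verifies each
// leaf against a trust store that only contains the legitimate root.
func RunScenarios() map[string]string {
	const bank = "www.example-bank.test" // constructed hostname for the example
	root, rootKey := makeCert(template("Trusted Root CA", true, 1), nil, nil)               // government agency
	issuing, issuingKey := makeCert(template("Trusted Issuing CA", true, 2), root, rootKey) // notary
	leaf, _ := makeCert(template(bank, false, 3), issuing, issuingKey)                      // the bank's certificate
	selfSigned, _ := makeCert(template(bank, false, 4), nil, nil)                           // attacker signs his own
	rogueRoot, rogueKey := makeCert(template("Rogue Root CA", true, 5), nil, nil)           // "non-existent county"
	rogueLeaf, _ := makeCert(template(bank, false, 6), rogueRoot, rogueKey)

	trustStore := []*x509.Certificate{root} // what the device shipped with
	return map[string]string{
		"trusted_chain": classify(verifyLeaf(leaf, []*x509.Certificate{issuing}, trustStore, bank)),
		"self_signed":   classify(verifyLeaf(selfSigned, nil, trustStore, bank)),
		"unknown_root":  classify(verifyLeaf(rogueLeaf, []*x509.Certificate{rogueRoot}, trustStore, bank)),
		"wrong_host":    classify(verifyLeaf(leaf, []*x509.Certificate{issuing}, trustStore, "login.example-bank.test")),
	}
}

func main() {
	for name, verdict := range RunScenarios() {
		fmt.Printf("%-14s %s\n", name, verdict)
	}
}
```

Only the first scenario verifies cleanly. The self-signed certificate and the one issued under a root the device has never heard of both fail with an unknown-authority error, which is the warning dialog from the screenshot; the last scenario shows that even a properly issued certificate is rejected when its name does not match the site you asked for. Clicking “OK” on that dialog is choosing to ignore the result of this check.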
“Well, getting a back-alley notary is not good, Tex. How can this happen?!”
Unfortunately, there are many ways and they are easily found by a simple search. For example, here’s a website that sells a neat little device called a “Pineapple”, complete with video tutorials and support, that can perform multiple forms of attacks on a wireless network: https://www.wifipineapple.com/
Or this one from a university: https://witestlab.poly.edu/blog/conduct-a-simple-man-in-the-middle-attack-on-a-wifi-hotspot/
A few methods used by hackers include:
- The attacker can compromise the actual Wi-Fi access point, as in:
- They can present a fake one with the same name, which is the primary attack used by the Pineapple.
- Redirect traffic from your device to theirs while on the same network as you, as in the university security “lab” and in this diagram:
- While connected to the same Wi-Fi network as you, the attacker launches attacks on your PC, Mac, or device directly from their system.
“So, Tex, if I don’t use a browser and use my banking app, am I safe?”
Unfortunately not, because the scary thing is that some apps, in the name of a “better user experience”, simply suppress any warning that something may be amiss!
If you use an app that does present a message, the only advantage with an app vs. a browser is that in most cases it will block you from using it on that network (i.e. the user can’t click to connect anyway, protecting the user from themselves).
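In code, “suppressing the warning” usually means the app's TLS client was configured to skip certificate verification altogether. The short Go audit below is an added example for this article (not code from the page or from any app vendor): it flags a client `tls.Config` that would silently accept an attacker's certificate, and shows the weak setting beside the corrected one. The hostname is a constructed placeholder.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// AuditTLSConfig returns the settings in a client tls.Config that would make
// the app accept a Man-in-the-Middle certificate without telling the user.
// An empty result means the standard chain and hostname checks are in force.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	// InsecureSkipVerify turns off chain and hostname validation. Unless the
	// app supplies its own verification callback, any certificate is accepted.
	if cfg.InsecureSkipVerify && cfg.VerifyPeerCertificate == nil && cfg.VerifyConnection == nil {
		findings = append(findings, "InsecureSkipVerify set with no custom verification: a self-signed attacker certificate is accepted silently")
	}
	// Old protocol versions weaken the tunnel even when the certificate is fine.
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion permits TLS 1.0/1.1")
	}
	return findings
}

// WeakClientConfig is the "better user experience" shortcut the article warns about.
func WeakClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// HardenedClientConfig leaves verification to the platform trust store and
// the hostname check, and refuses anything older than TLS 1.2.
func HardenedClientConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
}

func main() {
	fmt.Println("weak:    ", AuditTLSConfig(WeakClientConfig()))
	fmt.Println("hardened:", AuditTLSConfig(HardenedClientConfig("www.example-bank.test"))) // constructed host
}
```

A finding from the first check is exactly the condition under which an app keeps working on a hostile network with no dialog at all, which is why the browser's annoying warning is the better of the two behaviours.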
“Ok, Tex, so now that you’ve scared me (again), what can the average person do?”
First, the easiest front-line defense against this is to no longer use any public Wi-Fi. Ever.
Or at least not when you plan on reading your email, banking, or doing any other activity you’d like to keep private. Adopt the philosophy of “BYON”: Bring Your Own Network.
Most modern mobile phones come with the ability to use them as a “Mi-Fi” device, also known as a mobile hotspot. If your phone doesn’t have this feature, or you’d like to save its battery life, your cellular provider should sell Mi-Fi’s, which are small devices that use your cellular data plan.
Like anything in security, this isn’t fool-proof. A person in the hotel could see your hotspot, create one with the same name, and redirect you to them. But, if you’re observant you can see on your hotspot that your device is no longer connected to it.
Second, use a reputable VPN service, with locations overseas that can also bounce your communications to multiple systems to help with privacy. A great article (that clearly was channeling Tex!) can be found below. It explains precisely what a VPN can do for you, but more importantly what it can’t protect against:
In our public Wi-Fi attack scenarios, even if the attacker intercepts your traffic, an encrypted “tunnel” has been created all the way from your device to the VPN service. If they attempt a Man-in-the-Middle (MiTM) attack, the worst case is that the connection will keep dropping, a clear indicator that something naughty might be going on. The most likely case is that they’ll move on to someone else enjoying their latte or their hotel room who isn’t protecting their traffic.
Finally, don’t think that any of the following “mitigations” you might have heard about provide any value in mitigating these Wi-Fi attacks:
- Using a corporate, enterprise Wi-Fi. These systems do mitigate other forms of attack, in that an attacker should not be able to connect to it and access the corporate network. But nothing stops them from setting up their own “CorpWifi” network and fooling your system into talking to it.
- “SSL”, or Secure Sockets Layer and its modern incarnation of Transport Layer Security (TLS) do nothing to protect you in this (or any) scenario if you decide to just click “OK” and browse anyway. Many corporate IT departments wisely set a policy on managed computers preventing the user from making this dangerous choice.
- Using a “secured” device that only runs trusted software. Even though in my first article A Clean Start I detailed why keeping your device clean is so important, and in my second article Antivirus is Dead I discussed the importance of limiting what can run on your system, these attacks are one of the ways hackers can attempt to compromise and make your system dirty.
- “But Tex, I’m running a firewall!” That’s a good thing, but it only mitigates the scenario where someone on the same network is trying to attack your device directly. The firewall on your device “should” block these attempts, but all the other methods are grabbing data after it has left your system, making the firewall moot.
To close, protect your personal information with “BYON”, use a trustworthy VPN service, and never click that “OK” button when your system is trying to tell you something.
Until next time, see you all on the forum!
Tex Manchester is TTP’s world expert on cybersecurity. He travels the world advising Fortune 500 security executives and professionals on how not to be on the news. However, he is even more passionate about helping everyday people protect themselves in today’s connected world.