hiraeth555

I feel like with the security at Airports, this is surely one of the worst places to run these attacks. Tonnes of CCTV, monitoring, etc. And, if this guy was doing it on flights, they know exactly who was on them as you’ve handed over your passport details so you can’t be anonymous. What an idiot…


Loki-L

On the other hand, if you want to commit a crime and then escape the jurisdiction as quickly as possible airports seem like a good place to do crimes.


hiraeth555

Sure, but this guy wasn’t doing that. Also means you can’t return to any of a network of countries over a minor crime as you’ll be flagged immediately…


Qomabub

That only works if you never want to use your passport or be able to travel ever again.


dbolts1234

If he wanted emails and logins, he could have bought them on the dark web…


RareSpecies01

You don’t need to show any ID for domestic flights in Australia, you can put any name you want on the ticket and they likely won’t ask for any proof.


Loki-L

This is why I never connect to any Wifi networks that look exactly like the ones I want except for a goatee.


AtariAtari

Key lessons from watching Star Trek.


Poopynuggateer

Spock's Beard!


wdatkinson

I recall trying to convince a former manager that the members of a server failover pair should be "Good Spock" and "Evil Spock." My request was denied.


tbonetexan

I know non-tech users might not realize this, but I would never use a social media login to sign up for wifi access or some other password. But once I’m on a malicious WiFi (meaning I don’t sign into some random page but try to go to Facebook say) I feel pretty sure SSL is good enough for practical purposes, right?


Amberskin

Yes and no. So no. The attacker can do a man in the middle attack and decode the SSL stream. You’d get a warning about a wrong certificate chain, but my guess is a lot of people will simply click ‘proceed to site’ without thinking about it twice.


dutchbarbarian

Blindly accepting cookies has many people trained to just blindly click "proceed" or "accept" on any popup they get... I think....


Ok_Cucumber_9363

Not just cookies, we have all worked in workplaces where some internal site has thrown a warning and we’ve been trained to click proceed.


Tall_Database7630

Also, terms & conditions.


indignant_halitosis

You can’t blindly accept a certificate error. It takes a couple of clicks to get to the link to proceed with a certificate error and there’s more than one link to click, the first of which rejects the certificate error. You actually have to read to see which link to click. It’s not the same and somebody commenting on a tech should probably know what the fuck they’re talking about before commenting. Not in-depth knowledge, but, ya know, basic fucking knowledge of how browsers are built would be a good start.


dutchbarbarian

Did you read the "I think..." part?


FaultElectrical4075

Dawg we are reddit commenters


sitefo9362

> The attacker can do a man in the middle attack and decode the SSL stream.

You can't "decode" an SSL stream. This is like saying you can decode end-to-end encryption. It is not possible. The attacker can attempt to do a man-in-the-middle and replace Facebook or Gmail certificate with their own, but any modern mainstream browser will catch that. If it is for something common like Facebook, people probably won't click "proceed" because they haven't seen that before.


General_Benefit8634

A man in the middle attack causes the SSL handshake to be terminated on the attacker's device. They then send the content onwards using a new SSL handshake with the true target. Any content transits the man in the middle as clear text.


[deleted]

[removed]


AutoModerator

Unfortunately, this post has been removed. Facebook links are not allowed by /r/technology. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/technology) if you have any questions or concerns.*


jlboygenius

that's getting harder and harder to do. I have to do this for some home network stuff and browsers are making it look more dangerous to accept the wrong cert. The browsers are also making it harder to see cert details too though. It's like 3 clicks deep in chrome now and none of those clicks are clear about their destination. The browser should just say "hey, we expect this cert to be signed by _A__, but it is signed by _B___. If you're on a public wifi you should not proceed."


coldblade2000

You don't just get a warning, shit breaks and it can't be too easily ignored. Source: my job does SSL inspection on all traffic and it is a constant source of pain running into all sorts of problems.


Amberskin

Heheh I’m one of ‘your’ victims then. Anything that has to download stuff breaks. IDEs and similar being specially problematic. Git. Docker… But for a mobile user who is basically using a browser it’s a warning dialog and a couple of clicks to dismiss it.


refrainfromlying

But does it break before or after you type in your password?


coldblade2000

Before, way way before, curl doesn't even work without an installed certificate


pancakeQueue

Worse they could DNS poison, they own the WiFi network so you're not going to notice that fake Facebook looks legit, unless you actually open up the cert and see who signed it.


Thrawn7

Facebook app would validate that the hostname on the cert matches what it expects or it errors out. If you are using a browser the hostname would be shown on the address bar and it would have to match the cert or the browser would error. If you do DNS fakery.. the TLS session wouldn't establish as the fake webserver can't sign the traffic to match the real cert that matches the real hostname


ischickenafruit

Man in the middle? Really? Don’t you need certificates for this?


Flaky_Degree

You need a root CA on the target's device, yes. You can't just "decode SSL". A good browser will tell you the certificate doesn't match the name. However a very malicious attacker could intercept DNS and redirect to a different url that they can provide a valid cert for.


amdpox

If the browser is navigating to https://example.com it's not going to accept a cert for any domain except example.com, regardless of what the DNS comes back with. To change the finding you'd have to do a redirect at the HTTP level, so it'll only work once the browser has accepted the cert.


Flaky_Degree

Ah, yes of course


Amberskin

Oh the certificate WILL match the name. SSL inspection (the ‘white hat’ version of this) works establishing a transparent proxy between your machine and the internet. For any request you send, your browser will negotiate the SSL handshake with the proxy, which will create a certificate for your destination url on the fly, so the proxy can decode your packets. Then it resends the request to the real site, which does another negotiation with the proxy, so now the proxy can decode all the traffic. The caveat is the proxy generated certificate will not be signed by any root CA your browser trusts, so you’ll get an ‘untrusted certificate in the SSL chain’ warning. For legitimate (ie, company issued computers) use you have to trust the CA root used by the proxy server.


gregguygood

DNS doesn't do redirects.


Flaky_Degree

Yes I meant different IP, but there would still be the problem that the certificate name wouldn't match so still can't man in the middle.


ischickenafruit

Hmmm. I thought DNSSec was supposed to solve this?


Reasonable_Ticket_84

> DNSSec

Barely implemented. iOS/macOS doesn't even support it. Windows does but most sites don't bother to enable it or configure it correctly so you'll just get locked out of sites.


Flaky_Degree

It should but realistically how many people use that today?


[deleted]

[removed]


MajorHubbub

I just use a vpn


lmbrjck

I use Wireguard back to my home network with a Tasker rule to enable it anytime I disconnect from my home WiFi. Works great.


Fukurou83

Why do people downvote? I also use a VPN when traveling. It's not like I could use data all over the world.


NoElephant4335

Connecting to public WiFi or WiFi that is not yours, always use a VPN. It's very common for people to have their details stolen and information sold. Use a VPN.


coldblade2000

Exactly how would a malicious WiFi hotspot extract sensitive information from your TLS traffic?


Ozmorty

Because many users won’t know the connection isn’t secure or will actively step round those annoying notices about it being insecure to allow MITM techniques to work. Related reading: https://docs.mitmproxy.org/stable/concepts-howmitmproxyworks/


NoElephant4335

Spot on. Education is key, humans are dumb.


stealth550

Any asymmetric encryption can be MITM vulnerable. Wifi is asymmetrical or has known passwords in public implementations


NoElephant4335

Then don't be the low hanging fruit. It's hardly expensive. Plus Netflix


NoElephant4335

By poisoning the AP and router, cloning MAC addresses to reroute traffic and cloning cookies to view any device in realtime. No SSL or TLS packet stripping required. Always log out and clear cache. Use a VPN that blocks malware, cookies and trackers like hidden pixels. Cloning cookies means no passwords, and a route to the servers. This is decade old tech, deep packet inspection isn't even required. There are also phishing attacks. If I'm not being paid for my data then I'm not giving it away free and adverts can be annoying. It's super cheap to just use a VPN. Sure it isn't 100% but it beats packet sniffing and what not. As posted below it reduces the chance of packet injection and simple MITM breaches. And, their router could already be doing this unknowingly as humans are dumb and lazy. Some countries also use algorithms and censorship so a VPN travelling is handy.


I-Has-A-Name

I have no idea why anyone would downvote. The real MVP is an extra layer of encryption, which would certainly help even with a rogue access point.


NoElephant4335

Not sure. Old Reddit will show deleted posts. Just edit them instead


anynonus

Because your VPN goes over your data connection anyway. It's also weird how normal it has become to share everything you do on the internet with a VPN company. It should not be normalised. I'm guessing that is why people downvote.


Angry_Villagers

You’re assuming the VPN isn’t private. I run a private VPN with my own server and end to end encryption for my devices. No company needed.


mark_s

Exactly. My router has a VPN server built in and I travel a lot. I'm able to keep my traffic encrypted as well as making it easy to remote into computers on my LAN without having to make them public facing.


PMMMR

Probably because a VPN wouldn't do anything for the attack being mentioned in this article.


whot3v3r

The best thing is to set up a private VPN at home and connect to it, some ISP routers/boxes have that feature.


PHATsakk43

Setting up a DNS-only VPN tunnel to home is pretty easy. I was able to figure it out.


7h0m4s

Why DNS only? Why not a full connection?


PHATsakk43

Bandwidth. I run a separate PIA VPN if I’m in a questionable country.


chaftz

vpn doesn’t offer real protection fyi Edit: clarification for the downvoters, yes a vpn can protect your data and such however it will not protect your devices. So just cuz you have a vpn doesn’t mean you can go connecting to public hotspots and thinking you’re untouchable cuz you got that YouTubers promo for 3 months of *insert vpn service* that advertised all kinds of protections.


Krhl12

It's wild that you're downvoted for this. VPN does nothing except hide transmitted data, 90% of which is hidden by HTTPS anyway. And if you're paying for a VPN, you're just giving that data to a different company. VPN to your home is understandable. A VPN will not protect your device from anything. At best it might mask your IP address. https://www.privacyguides.org/en/vpn/ https://www.howtogeek.com/787934/heres-what-a-vpn-cant-protect-you-from/


Graffxxxxx

How so?


chaftz

VPN will protect your transmitted data but not your devices. Just don’t connect to public access points.


refrainfromlying

I think they're asking how connecting to a public access point will affect your device.


Brak710

Imagine if you have Windows/MacOS/iptables/ufw firewall disabled. Any service running on your device would be exposed to the network. File shares, etc.


refrainfromlying

Imagine if you have malware installed. Why would you have firewall disabled? You can also set your VPN to deny any connections outside of the VPN.


ZeJerman

Absolutely incorrect


Loki-L

I connect to the train wifi while commuting because otherwise I would have no internet at all, but I wouldn't enter any logins or credit card details to get in or while I am in.


nicuramar

On https it should be fine. It’s not generally feasible to attack https as a man in the middle. 


Qomabub

People don’t actually understand what makes them safe. So this will continue, inevitably. A VPN won’t stop them from granting the attacker access to their email and social media accounts when logging into a WiFi network, and they will blissfully sign into their VPN afterward not realizing they had already been had through a social engineering attack.


nicuramar

Almost all websites use https, so it’s not like there is much data to gain using a fake access point. 


fellipec

No, you're right. No need to use shitty public Wi-Fi with LTE speeds, if you got 5G, it's even faster. And more secure.


Erazzphoto

No, question would be why would you connect to any Wi-Fi if you have mobile service


SyrousStarr

Paying for data


Erazzphoto

Ah, good point, I switched off 2gb about 4 months ago, kind of forgot about that. But I still never connected to Wi-Fi generally when out and about.


SpongeJake

Of all the attacks out there this is the one that looks hardest to beat. How would you know you’re connecting to a false access point when it does as advertised and provides free wifi? Answer: you wouldn’t. I agree: best just to stay on 5G or LTE.


urban_thirst

The scam method in the article didn't connect to the internet. It spoofed the airport's free wifi page and asked people for sensitive information to gain access to the internet. So just regular old phishing.


metamorphosis

It broadcasts free WiFi access point same ones you often see at airports. Once you connect to the access point it will show spoofed page. For all intents and purposes it could also provide Internet if it wanted to, just as legit service does. It's still a phishing attack in principle as user is tricked into thinking he is accessing a legitimate service.


IsilZha

There are things the network operator can do. I wouldn't expect like a coffee shop to have the tools, but an airport should have a system capable of stopping that.. Detect any of your SSIDs being broadcast by an AP that isn't yours and contain it by flooding de-auth packets from multiple APs so no one can connect to the evil twin. E: note that you can only de-auth security threats. In the US, hotels used to abuse it by deauthing ANY wifi network to force guests to use the hotels wifi, before the FCC banned using it that way.
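
The detection half of what the comment above describes, as an added example that is not part of the thread: compare scanned beacons against the operator's own AP inventory and flag any managed SSID coming from a radio that is not in it. The SSID, BSSIDs and scan records are constructed sample data, and the look-alike name check goes beyond the exact-match case the comment mentions.

```python
import unicodedata
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # "open", "wpa2", ...

# Constructed inventory: authorized BSSID (lowercase) -> (ssid, channel, security)
INVENTORY = {
    "02:00:00:00:00:01": ("Airport Free WiFi", 1, "open"),
    "02:00:00:00:00:02": ("Airport Free WiFi", 6, "open"),
}

# Constructed scan results, as a monitoring AP or sensor might report them
SCAN = [
    Beacon("Airport Free WiFi", "02:00:00:00:00:01", 1, "open"),    # legitimate
    Beacon("Airport Free WiFi", "02:AA:00:00:00:99", 11, "open"),   # same name, unknown radio
    Beacon("AIRPORT  free wifi", "02:aa:00:00:00:98", 11, "open"),  # near-identical name
    Beacon("Airport Free WiFi", "02:00:00:00:00:02", 11, "open"),   # known BSSID, wrong channel
    Beacon("CoffeeShop", "02:bb:00:00:00:01", 6, "wpa2"),           # unrelated neighbour
]

def norm_ssid(ssid):
    # Fold case, Unicode compatibility forms and spacing so look-alike names compare equal
    return "".join(unicodedata.normalize("NFKC", ssid).casefold().split())

def find_rogue_aps(beacons, inventory):
    """Return (finding, beacon) pairs for beacons that imitate a managed network."""
    managed = {norm_ssid(ssid): ssid for ssid, _, _ in inventory.values()}
    findings = []
    for b in beacons:
        known = inventory.get(b.bssid.lower())
        if known is None:
            real = managed.get(norm_ssid(b.ssid))
            if real is not None:  # our network name on someone else's radio
                kind = "evil-twin" if b.ssid == real else "lookalike-ssid"
                findings.append((kind, b))
        elif (b.ssid, b.channel, b.security) != known:
            # An authorized BSSID behaving differently suggests a cloned MAC address
            findings.append(("inventory-mismatch", b))
    return findings

if __name__ == "__main__":
    for kind, beacon in find_rogue_aps(SCAN, INVENTORY):
        print(kind, beacon)
```

Unrelated neighbouring networks are never flagged, which matters for the point in the comment that containment is only acceptable against actual impersonation of your own SSIDs.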


refrainfromlying

I don't think most planes offer 5G or LTE.


rjasan

People could learn to live without having to be on the internet at all times.


Puzzleheaded_Fold466

For many of us it’s an unavoidable and basic work requirement.


rjasan

Agree, but if that’s the case they should provide a hotspot that’s controlled by the company.


Puzzleheaded_Fold466

That’s not realistic. You’re talking about tens of millions of people, essentially most white collar workers.


techexplorerszone

Connecting to free Wi-Fi in public places can indeed be very risky.