If you’ve ever connected to a free WiFi hotspot (and that’s most of us), there was some worrying news from security researcher Charl van der Walt at SecureData’s UK Cyber Security Summit yesterday.
You know the pop-up page (the “captive portal”) that often appears asking you to enter an email address or a phone number before you can go online? Think about it – that page and the content on it has to come from somewhere. It’s being pushed onto your computer by the WiFi hotspot provider, which at that moment is the conduit for all of your machine’s attempts to access the internet.
The problem is, the WiFi hotspot provider doesn’t just temporarily receive your machine’s internet traffic – it can potentially manipulate it as well, and that can cause some serious security headaches.
Employees who connect their laptops to their employer’s internal network can usually reach office equipment by short name: to print a document, your laptop simply sends it to “printer123” rather than to the printer’s full domain name, and a shared server is just “worksharedserver/documents”. That works because the office network, when your laptop joins it, tells it which domain to tack on to the end of any short name before looking it up.
But a WiFi hotspot provider can change all that. The hotspot hands your laptop its network settings in exactly the same way, and that includes the domain to append. So if your laptop tries to reach some office resource such as “printer123”, the hotspot can be set up to add a domain name of its choosing to the end before the name is looked up.
The real-world example van der Walt used was a WiFi hotspot that would add “domain.com” to the end of the requests. So when someone connected to the hotspot, if their laptop was trying to find “printer123”, the hotspot would instead send their traffic to “printer123.domain.com” (there was no suggestion that this particular hotspot was malicious; it seemed to have picked “domain.com” more or less at random as somewhere to send the traffic).
It gets worse. It’s not just printers that your laptop tries to access directly. If you have a shared server at work that you have to log into with a username and password, your laptop will try to reach it automatically through the WiFi hotspot, which can add a domain name to the end. So instead of “sharedserver123”, you’ll end up sending your login attempt to “sharedserver123.domain.com”, to whoever answers for that name. And that attempt will include your username and password. Oops.
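To make the mechanism concrete, here is an added example (not code from van der Walt’s talk or from SecureData): a small Python model of how a laptop’s resolver completes a short name using the search domain handed out by whichever network it just joined, and the check a client could apply before it authenticates to the name that actually resolved. The zones “corp.example” and “domain.com”, the hostnames and the addresses are constructed for illustration, and the candidate ordering is modelled on the glibc resolver’s search-list and ndots behaviour.

```python
"""Added example, not code from the talk or the article: how a stub resolver
completes short names with the network-supplied DNS search suffix, and a
policy check a client could apply before sending credentials.
All hostnames, zones and addresses below are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ResolverConfig:
    """What the laptop learned from the network it just joined."""
    # DNS search list, normally pushed by the network's DHCP server. A hotspot
    # controls this value just as the office DHCP server does.
    search: list[str] = field(default_factory=list)
    # A name with at least this many dots is tried as-is before the search
    # list is applied (modelled on glibc 'options ndots:N', default 1).
    ndots: int = 1


def candidate_fqdns(name: str, cfg: ResolverConfig) -> list[str]:
    """Fully qualified names the resolver would try, in the order it tries them."""
    if name.endswith("."):
        return [name]  # already absolute: no suffix is ever appended
    suffixed = [f"{name}.{zone.strip('.')}." for zone in cfg.search]
    absolute = name + "."
    if name.count(".") >= cfg.ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]  # single label: search list first


Lookup = Callable[[str], Optional[str]]


def make_dns_view(exact: dict[str, str],
                  wildcard_zones: Optional[dict[str, str]] = None) -> Lookup:
    """Build a fake DNS answer function for one network.

    'exact' maps FQDN -> address. 'wildcard_zones' maps zone -> address and
    answers for anything under that zone, which is what lets a hotspot catch
    every short name once its suffix has been appended."""
    wildcard_zones = wildcard_zones or {}

    def lookup(fqdn: str) -> Optional[str]:
        if fqdn in exact:
            return exact[fqdn]
        for zone, addr in wildcard_zones.items():
            if fqdn.endswith("." + zone.strip(".") + "."):
                return addr
        return None

    return lookup


def resolve(name: str, cfg: ResolverConfig, lookup: Lookup) -> Optional[tuple[str, str]]:
    """First candidate the network's DNS answers for, with its address."""
    for fqdn in candidate_fqdns(name, cfg):
        addr = lookup(fqdn)
        if addr is not None:
            return fqdn, addr
    return None


def in_trusted_zone(fqdn: str, trusted_zones: list[str]) -> bool:
    """True if the FQDN the resolver actually chose sits under a zone we own."""
    for zone in trusted_zones:
        zone = zone.strip(".") + "."
        if fqdn == zone or fqdn.endswith("." + zone):
            return True
    return False


def connect(name: str, cfg: ResolverConfig, lookup: Lookup,
            trusted_zones: list[str]) -> Optional[tuple[str, str, bool]]:
    """Mimic a client that would auto-authenticate to a short name.

    Returns (fqdn, address, credentials_sent). Policy: never send
    credentials to a name that resolved outside a trusted zone."""
    hit = resolve(name, cfg, lookup)
    if hit is None:
        return None
    fqdn, addr = hit
    return fqdn, addr, in_trusted_zone(fqdn, trusted_zones)


# --- constructed scenario ---------------------------------------------------
TRUSTED = ["corp.example"]

# In the office: DHCP hands out 'corp.example' and internal DNS knows the hosts.
OFFICE = ResolverConfig(search=["corp.example"])
office_dns = make_dns_view({
    "printer123.corp.example.": "10.0.5.20",
    "sharedserver123.corp.example.": "10.0.5.30",
})

# On the hotspot: DHCP hands out 'domain.com' and the hotspot's DNS answers
# for every name under it, pointing at a host the hotspot operator runs.
HOTSPOT = ResolverConfig(search=["domain.com"])
hotspot_dns = make_dns_view({}, {"domain.com": "203.0.113.10"})

if __name__ == "__main__":
    for label, cfg, dns in (("office", OFFICE, office_dns), ("hotspot", HOTSPOT, hotspot_dns)):
        for host in ("printer123", "sharedserver123"):
            print(label, host, "->", connect(host, cfg, dns, TRUSTED))
```

Running it shows the same short name landing on “printer123.corp.example.” in the office and on “printer123.domain.com.” on the hotspot, with the policy refusing to authenticate in the second case. The check only guards the suffix case: it assumes the DNS you reach will not answer for your own zone, which on a hotspot is not a safe assumption, so it is a complement to the VPN discussed below, not a substitute for it.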
Of course, the password will almost certainly not travel in the clear but in a scrambled (or “hashed”) form – but as van der Walt pointed out, it’s often possible to recover the original password from that by cracking it offline (he claimed SecureData, using off-the-shelf hardware, could crack about 80% of the passwords they tried).
In principle, then, a WiFi hotspot provider could set up a server of its own, merrily divert swathes of your laptop’s traffic towards it, collect the usernames and hashed passwords that arrive, and crack them at leisure.
It gets even worse. Many workers use a VPN to avoid exactly this kind of shenanigans: it sets up an encrypted tunnel between your laptop and your employer’s servers, so that no-one can intercept, surveil or fiddle with your internet traffic. The problem is that the VPN tunnel only comes up AFTER you’re online, typically after you’ve clicked through the hotspot’s sign-in page. The name manipulation described above, and your laptop’s automatic attempts to reach “printer123” and “sharedserver123”, happen BEFORE that, the moment you join the hotspot.
To be clear – van der Walt didn’t have evidence of this type of attack being used “in the wild”, but it’s another reason to be wary of “free” WiFi hotspots, and his closing advice was striking: businesses (and presumably the rest of us too) should use the cellular network rather than WiFi.