WiFi in Cars is Coming this Summer

I’ve written about it at work, but this was my first experience using it in real life.

For more details, read my column from February.

1 – it functions much like the Hotspot feature on a cel phone: car broadcasts WiFi > passengers connect to car > go online

Securing your car will be similar to securing your home WiFi.

2 – choose this option, WPA2
3 – don’t bother with WEP
4 – if you check this, please leave my blog

Because remember, you are legally responsible for Hotspot users.

Blog tag = WiFi Security

 

 

Why I Don’t Like Airport WiFi

For years from airports, I’ve tweeted as much:

During a recent trip, I had to send a file out, so was forced to connect.

This is what happened in Chicago O’Hare (ORD):

1 – Boingo is a recognized hotspot provider, okay, I’ll connect to that.

Nope, it’s not working. Oh no, this file needs to go… I have to connect to…

2_Free_ORD_Wi-fi  Based on the shady name of this network, I bet I’m about to be MITM’d

3 – Yes I was

***

The Attack

It’s called a Man-in-the-Middle (MITM) attack.

The WiFi network I connected to is likely not affiliated or provided by the airport. Instead, it’s probably an antennae poking out of someone’s backpack.

Using a clever WiFi name, the attacker poses as a legitimate network > I connect to it > now all my traffic is run through the attacker’s computer first, before going out to the internet >as it goes by, the attacker grabs passwords, reads stuff, etc.

(I’ll better explain a MITM attack in the near future)

The Defence

Don’t go online at the airport.  It’s one of the most hostile network in the world.  This environment provides nefarious characters anonymous access to sharpen their skills.

If you must go online, avoid entering passwords, accessing sensitive data, and certainly no online banking.

Okay? Okay.

NOTE – this could be because I was already connected to Google+ , then I automatically attempted to reconnect and I was associated to the captive portal yet, although I was getting a suspicious certificate error, it’s because I was being redirected to the captive portal for login first, and that new IP didn’t resolve to “plus.google.com” that is my browser saying woah. Possibly.

 

 

Why Airport WiFi is the Most Hostile Network

I’ve harped on you for years via social media, “stay off airport WiFi, it’s dangerous and even the best guys don’t connect to it”.

When I travelled to Arizona two weeks ago, sitting at the terminal I was like, “okay fine, I have to wipe my phone soon anyway, and should demonstrate why I keep harping”.

I connect to the terminal’s free network.

Using an app on my phone, I scan the network.

1 – there are 573 devices connected to the network

2 – the brand of each device is displayed

3 – I can choose to see what each device is doing

4 – I can pick one device and track it! I assign it the name, “Test”

1 – listed are the IP (like an address) and MAC address (like a serial number) of all connected devices

2 – let’s see what’s happening with THYSSENKRUP-PC

3 – that’s his IP and MAC address, of his Intel PC

4 – the numbers on the left are his ports, and what traffic is going in/out on each  

* – this traveller has his business card taped to his laptop.

The Attack

A business traveller has connected both his phone and laptop, he’s working away. The attacker notes his brand of device, the device’s name, MAC and IP address, and what is happening on which ports.  Added bonus is the business card taped to the laptop.

The attacker does some social media mining, then a week later, the traveller gets a phone call.

“Jimmy hi! Karl from IT here. Look, there’s a bit of a meltdown happening at HQ, sorry but this is urgent, you were at Pearson airport last Tuesday, right?

You’re on a Blackberry, MAC address 00:1F:3B:Bo:D2:D3, and were connected to our Microsoft Exchange server, right?  Yup, look, we have a compromise here, and I’m going to need your access to your laptop…”

***

An elaborate example, because really, someone skilled now has enough information to breach Jimmy’s system, with neither the laptop lid business card, or a phone call.

The Defence

Use your phone (via USB, not Bluetooth) to connect to the internet.  Reduce the attack surface.

The Better Defence

Just don’t.

If you must, avoid entering any passwords, and certainly no banking or credit card numbers.

(see also: Protecting your Phone in an Uncertain Environment)

 

SSID = WiFi Name

SSIDservice set identifier

Big mystery solved eh, eye roll.

It’s like, a snobby way of asking the WiFi network name… “oh Clarence, what’s your SSID dahling?” *tea cup pinky*

When securing your WiFi network use WPA2 (never WEP). Then hide the name, don’t broadcast it, “cloak your network”, practice security through obscurity.

How to do that, here: How to Change your Router Password

 

 

Be Cautious Using Hotel Lobby WiFi

Wanting to make it easy for guests, a hotel lobby WiFi network is usually left open and unsecured, no password required.

Avoid submitting passwords and credit card numbers
while using this network.

A lobby is a target rich environment – the people using hotel WiFi are often booking travel plans, making reservations, using their credit card. Plus, it’s easy to blend into a lobby, and not look out of place sitting for a long time with a laptop.