Mitigating risks associated with WiFi – Part 1

Use of wireless technology has grown exponentially in recent years, as can be seen by performing a quick scan with your WiFi-enabled smartphone from just about anywhere. More often than not you are in range of some wireless network. However, before you start surfing from that coffee shop’s WiFi network, you need to understand some basic concepts about wireless networking and the risks associated with it. This is the first of a four-part series of articles dealing with WiFi security for the non-technical user.

Part 1 – Where does the data go?

Since traffic is carried over radio waves through the air, there is no traffic cop to point a data packet to a specific destination. In a standard wired network, switches are generally used to take each data packet and push it across a single wire directly to the destination computer. This design makes it much more difficult for an attacker to intercept a data packet that is not intended for their computer. In the case of a wireless network, all data carried over the network is broadcast and visible to all connected wireless clients – it is up to the client computer to determine whether each packet is destined for it (in which case the packet is received) or destined for another computer (in which case the packet is dropped).

Wireless cards are designed to accept only packets intended for them; however, a card can be forced into “promiscuous mode”, which means that it accepts all packets being transmitted over the network. Once a series of data packets has been gathered (known as “sniffing”), the packets can be reassembled by a traffic analyzer and each data transmission can be read. Unless the data stream is encrypted at the transport level (for example, by using https://www.gmail.com/ instead of http://www.gmail.com/), anybody on the network can essentially read everything that comes across your screen…including the username and password that you type in to access your Gmail account!

A related technique known as “sidejacking” takes the sniffing process one step further by analyzing traffic streams for tracking cookies, which identify a user’s session with a website. Once this cookie has been intercepted, an attacker can use this cookie to impersonate your session and log into your account without knowing your login credentials. While this sounds complicated, tools like the Firesheep plugin for Mozilla Firefox (or the related DroidSheep app for Android phones) make these complicated hacking techniques easily accessible to even the most non-technical users. An attacker simply runs the program and a list of all captured session cookies appears on his screen – clicking on one of the list items will log the attacker into the site as the unsuspecting victim! (TJS Disclaimer – use of these tools to intercept traffic without the consent of the other party is illegal and they should not be used outside of a lab testing environment).

The following practices will help to prevent you from falling victim to traffic sniffing and sidejacking:

  1. Avoid using open / unsecured wireless networks such as public WiFi, coffee shop networks, etc. where possible. Even if you do not intentionally log into your email account or Facebook page, you may have a program or app running in the background on your computer that is transmitting login or other sensitive data without your knowledge.
  2. If you do use an open WiFi network, avoid logging in to sensitive sites such as internet banking sites, email accounts, or social media sites.
  3. Use the HTTPS protocol by explicitly typing https:// before the URL of any website you visit (https://www.gmail.com instead of http://www.gmail.com) – using the HTTPS protocol will encrypt the data transmitted between your machine and the website you are visiting so that the packets cannot be reassembled into any meaningful information.
  4. Use a VPN tunnel. All traffic that is transmitted through the tunnel is encrypted between your computer and the VPN device, regardless of the type of data.
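
Sidejacking, as described above, only works when the session cookie crosses the network unencrypted. The following Python script is an added example (not part of the original article) showing how a site owner can check response headers for the two settings that keep a cookie off plain http://: the cookie's Secure attribute and the Strict-Transport-Security (HSTS) header. The function names and the sample headers are constructed for illustration.

```python
# Added example: audit one HTTPS response for settings that prevent
# session cookies from being sent in cleartext over open WiFi.
# WEAK and HARDENED are constructed sample headers, not captured traffic.

def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or 0 if missing or invalid."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip('"')
            return int(val) if val.isdigit() else 0
    return 0

def audit_headers(headers):
    """Return a list of findings for (header-name, value) pairs from one response."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    # max-age=0 tells the browser to forget HSTS, so treat it as absent.
    if not hsts or hsts_max_age(hsts[0]) == 0:
        findings.append("no effective HSTS: browser may still try http:// first")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie}' lacks Secure: can be sent over http://")
    return findings

WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or "OK")
```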