26

I always feel scared to connect to hotel, airport Wi-Fi etc. I feel that if the Wi-Fi router is hacked, my personal information can be collected by a hacker. How can I determine if a Wi-Fi network is safe to connect to?

Also, what can an adversary do if he hacks the router I connect to? For example, can he obtain my browsing history? Can he obtain my login credentials if I log in to Gmail? Can he see the emails I sent using the network? Can he install malware onto my mobile? Can he disable the encryption somehow? Can he create some backdoor on my laptop/mobile and access it remotely?

Edit: I got some pretty good answers when the adversary doesn't have control over the router (like arp attacks, mitm attacks). What can an adversary do if he has control over the router?

black panther
  • A wireless network is _probably_ safe to connect to, if you own the network, and live alone at the bottom of the sea. Otherwise, I wouldn't consider wifi "safe". – Vermilingua Jul 06 '18 at 06:53
  • A WiFi is safe to connect to if it lets you establish a VPN connection. – Simon Richter Jul 06 '18 at 12:24
  • @SimonRichter Only relatively. A sufficiently-advanced attacker controlling your WiFi may be able to MITM that VPN connection. Yes, this requires that they impersonate the provider's certificates, but as we've seen in recent years, that's possible far more often than might be desirable. – Darael Jul 06 '18 at 14:20
  • My rule of thumb: If it's publicly accessible, a VPN is required for all traffic, and all inbound traffic is dropped via the PC firewall, or even better, via an IoT device or VM running a router OS (OpenWrt, pfsense, Sophos UTM, etc.) _(An allow rule for ports 68 & 69 must be in place prior to connecting to the SSID, but once connected and assigned an IP, it is deleted, at which point all that should be left is a rule blocking all inbound traffic.)_ – JW0914 Jul 09 '18 at 22:48
  • @JW0914 I know blocking via PC firewall. Can you please explain more about blocking via IoT device or VM running a router OS? – black panther Jul 11 '18 at 02:19
  • @blackpanther An IoT device with a WiFi card would be flashed with OpenWrt, utilizing one vLAN for the WiFi card as WAN and the other vLAN as LAN. WAN vLAN would be connected to the Public WiFi, whereas the WiFi device would be connected to the LAN vLAN. Provided one has a VPN service, OpenWrt would be configured as an OpenVPN client, and the OpenVPN interface would be where all traffic is pushed through. A VM would be configured in a similar fashion. – JW0914 Jul 11 '18 at 13:25

3 Answers

39

Can you tell if the network you're attached to, assuming you're just an average user, has been compromised?

No

What can an attacker do if they're on the same network as you?

Regardless of whether you're connected to an open access point, an access point with WEP enabled (hopefully not) or an access point with WPA/WPA2, you can be attacked. Many public places have WiFi with WPA2 enabled and they just freely give out the password. You're still at risk.

An attacker doesn't need to compromise a router to attack you on a public network. It's very easy to arp spoof the entire network and pretend to be the router. Then all your traffic will pass through them. It'd be seamless to your experience.

Once the arp spoof and ipv#_forwarding is configured it's trivial to sniff your traffic, inject malicious javascript into http traffic, etc etc etc.

The attacker doesn't even need to arp spoof you to attack your machine though. Just being on the same network as the attacker gives them the ability to scan your machine for open ports, vulnerable services running, start probing your machine.

Using tools such as nmap to first scan the network for potential targets and then port scanning each target, an attacker can quickly find you and identify any possible holes in your machine. Nmap even has some nifty passive scanning features where it won't even expose the attacker on the network because it just listens to who's transmitting instead of actively probing.

How can you mitigate risk?

Always use TLS and if you can, connect to a VPN whenever you're on a public wifi. Make sure that you don't have any unnecessary services running on your machine that are open to the network. Honestly, you probably shouldn't have any ports open. Any openings are potential access points. Also make sure your machine is fully patched and running all available firewall services.

Mind you this is all just mitigation. If you're connecting to public wifi points you have some accepted risk.

Some reference material for you:

If you want to dig in a little deeper into what can be done, how and with what tools, please look at these links below. To do what I've described above has a very low barrier of entry.

What is NMAP

What is Man in the Middle Attacks?

What is arp spoofing?

What are beef hooks?

What is MiTM Framework?

What is SSLStrip?

Bonus:

How do you see what ports are open and listening on Windows?

  1. Open a command prompt
  2. Run `netstat -ano | FIND /N "LISTEN"`

The output will show you all the ports that are open and listening internally and externally. The ones marked with 127.0.0.1 you can ignore because those are only visible internally to your machine.

Anything marked as 0.0.0.0:Port will be visible to attackers on the network. Also anything marked with private addresses such as

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

will be visible.

The command and results are almost the same on Linux:

`netstat -ano | grep LISTEN`

How to identify what services are running on your listening ports

From an elevated command prompt run `netstat -a -b` and look for ports marked as listening. You'll see the name of the service in brackets.

Final Note

I use this attack pattern all the time to test devices on my home network for weaknesses. My favorite is testing my phone apps for random things they're sending over the internet. Anyone with a live boot of Kali or Parrot OS can have this attack up and running in about 5 minutes. Last year I even wrote a tool that does most of this for you and injects javascript miners into public networks. You can find my article about it here

DotNetRussell
  • "connect to a VPN whenever you're on a public wifi." But attackers can't intercept the request content of HTTPS sites with HSTS enabled. – noɥʇʎԀʎzɐɹƆ Jul 05 '18 at 23:16
  • @noɥʇʎԀʎzɐɹƆ they can strip out HTTPS with `sslstrip` there's a great blackhat presentation on this here https://www.youtube.com/watch?v=MFol6IMbZ7Y – DotNetRussell Jul 05 '18 at 23:20
  • Even if the site is on HSTS preconnect? I think you might be overblowing the risk. VPNs are expensive for lower-middle class types like me. – noɥʇʎԀʎzɐɹƆ Jul 05 '18 at 23:49
  • @noɥʇʎԀʎzɐɹƆ I didn't make assumptions in the answer. Just best practices. You can find a great vpn for about $40-$60 a year. Check out cryptostorm https://www.cryptostorm.is/ That's who I use. – DotNetRussell Jul 05 '18 at 23:59
  • @noɥʇʎԀʎzɐɹƆ one more quick comment on this before I'm off here for the day. Even sites that enforce https often have ads on them. Those ads OFTEN don't enforce https at all. So if you navigate to a secure site like CNN or MSN you'll get a secure connection to their server but then when your browser beacons out for the ads to load you get http connections that can be injected into. I've done this a ton. It's very common – DotNetRussell Jul 06 '18 at 00:24
  • @AnthonyRussell: If it's active mixed content, modern browsers will (eventually, when the WHATWG gets around to it) [remove the padlock](https://w3c.github.io/webappsec-mixed-content/#requirements-ux) if not [block it outright](https://w3c.github.io/webappsec-mixed-content/#blockable-mixed-content). No idea on the timeline for that, though. – Kevin Jul 06 '18 at 01:37
  • Is it a serious problem if an adversary knows my open ports or applications running on my device? What can he do with only this information? I guess scanning for ports is helpful to determine which packet is from which application. I couldn't understand any other use of it. – black panther Jul 07 '18 at 12:13
  • @blackpanther if I can see what ports you have open then I can figure out what services you have running. If I can see what services are running I can "Banner grab" and determine the version. If I can determine the version I can google " exploit" and get every exploit ever written for that service. Checkout https://www.exploit-db.com if you want a better idea on what this looks like. – DotNetRussell Jul 07 '18 at 12:16
  • By using arp attack, an adversary can redirect our packets through their device. But the application layer encrypts the data right! How can he decrypt it? Are there any applications which don't encrypt data and easily fall for this attack? I see that a mitm attack might be possible. If possible, can you please elaborate on how an adversary can modify the packets and mislead me into using wrong information without being caught? – black panther Jul 07 '18 at 12:19
  • @blackpanther no, all your data isn't encrypted. Please look at the references I posted in my answer. There's everything you need to understand this attack pattern there. It's very easy and only takes about 5 minutes to setup. – DotNetRussell Jul 07 '18 at 12:21
  • @AnthonyRussell sure. I will go through the links. From your earlier comments, I understand that ads are something a man in the middle can easily modify without being caught. The adversary can display a wrong ad with malicious JavaScript that runs when any of its buttons are pressed by the user. An adversary can install malware into my laptop using this. Am I right? – black panther Jul 07 '18 at 12:32
  • How does using VPN mitigate risk? From what I know, a VPN redirects my packets through a random node owned by the VPN service. This would hide our actual IP address from destination. How does this mitigate arp attack? Is it because VPN enforces an additional layer of encryption/authentication? Doesn't an mitm attack work when using VPN? – black panther Jul 07 '18 at 12:38
  • You can do a lot more than show a button. I can redirect you to other pages without your interaction. Install key loggers. Heck if your browser runs activeX objects I could open a shell on your machine without your knowledge. That last example is rare these days but what's not rare is tricking you into installing a shell for me, keylogging, session stealing, and redirection. – DotNetRussell Jul 07 '18 at 12:47
  • Or as I mentioned in my post, drop a crypto miner on your machine with the tool I wrote – DotNetRussell Jul 07 '18 at 12:49
  • @blackpanther if this answers your questions, please don't forget to checkmark it – DotNetRussell Jul 13 '18 at 14:37
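As an added illustration (not code from the answer or its author), here is a small Python script that applies the answer's rule to constructed `netstat -ano | FIND /N "LISTEN"` output: loopback listeners (127.0.0.1 / ::1) are internal only, while 0.0.0.0, :: and any LAN address (including the RFC 1918 ranges listed) are reachable by others on the same WiFi. The sample lines, PIDs and ports are made up for the example.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -ano | FIND /N "LISTEN"` output.
# The "[n]" prefix is what FIND /N adds; the PIDs and ports are invented.
SAMPLE_NETSTAT = """\
[4]  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
[5]  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
[7]  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2108
[9]  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING       4
[12] TCP    [::]:3389              [::]:0                 LISTENING       1040
[13] TCP    [::1]:6463             [::]:0                 LISTENING       5120
"""

# Optional FIND /N prefix, protocol, local address, foreign address, state, PID.
LINE_RE = re.compile(
    r"^(?:\[\d+\]\s*)?(?P<proto>TCP)\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)"
)


def split_addr(local):
    """Split 'host:port' or '[v6host]:port' into (ip_address, port)."""
    host, _, port = local.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def is_network_reachable(addr):
    """The answer's rule: loopback is internal only; unspecified (0.0.0.0, ::)
    and any real interface address (RFC 1918 included) can be reached from the LAN."""
    return not addr.is_loopback


def classify_listeners(netstat_text):
    """Return (proto, ip, port, pid, exposed) for every LISTENING line."""
    rows = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, port = split_addr(m.group("local"))
        rows.append((m.group("proto"), str(addr), port,
                     int(m.group("pid")), is_network_reachable(addr)))
    return rows


def exposed_ports(netstat_text):
    """Sorted, de-duplicated (proto, port) pairs that other hosts on the WiFi can see."""
    return sorted({(p, port) for p, _, port, _, exp in classify_listeners(netstat_text) if exp})
```

Running `exposed_ports` on real output gives the short list of ports to close, firewall, or explain before joining a public network.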
1

We can break your concerns into the cases below to elaborate more easily.

Case 1: You are connecting to open WiFi, such as what you get in airports/public locations: There is no guarantee of any security in this case, and that's why most people do not recommend using open WiFi networks. Please refer: https://www.makeuseof.com/tag/3-dangers-logging-public-wi-fi/

Case 2: Trusted network/SSID with authentication and WPA2: Much better security in terms of a secured and authenticated WiFi network with WPA2. How to ensure you are connected to a WPA2-enabled WiFi network with a pre-shared key:

Check your connected WiFi/wireless network properties to ensure you are connected to a WPA2-enabled network.

Please refer to this link for more details on WPA2 and possible configuration options (like WPA2 + AES, WPA2 + TKIP, etc.): https://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-both/

Case 3: Trusted/SSID with authentication but not WPA2 in use: Connecting with other wireless protocols (other than WPA2) could be more dangerous, as there are known vulnerabilities in those.

So, Case 1 is not secured at all – basically you are jumping into a river where you know nothing about the depth and the creatures living there.

In Case 3, even if it is a genuine network, the insecure protocols in use may lead to attacks.

Case 2 could be the most secure and guaranteed network of all the scenarios above.

Now, to answer the second part of your question on possible ways of attack, please refer to the list below:

  • Man-in-the-middle - Tapping into insecure connections
  • Attack of the clones - Diverting traffic to hacker's sites
  • One password to rule them all - Stealing your email/password, which you may be using in common across most of your logins
  • Other users/devices may be infected
  • Rogue WiFi Network - Entire network could be fake and all your traffic could be monitored

Hope this clarifies...

Sayan
  • Note that WPA2 is known insecure as of a few months ago, and depending on the device may be no better than an open network. See https://www.krackattacks.com for details. – Austin Hemmelgarn Jul 06 '18 at 01:10
  • Yes, that's why it's indicated as better in these 3 cases. Thanks. – Sayan Jul 06 '18 at 01:14
  • @AustinHemmelgarn, nonsense. First, even with a "broken" WPA2 implementation, you are far more secure with WPA2 than any connection in the clear. Please check your own link for details as to why that is the case. Second, note that there has still been no known in the wild incident of KRACK being exploited (i.e. non-research), nor do I expect to ever see one. Please see [my answer here](https://security.stackexchange.com/a/171755/24467) for more on why this is unlikely to happen. – YLearn Jul 06 '18 at 03:28
  • @YLearn Not entirely true. If you're using a device with wpa_supplicant version 2.6, it's just as insecure as no encryption, because a key reinstallation attack results in those devices installing a known key (specifically a null key). Quite a few Android devices are still affected by this. – Austin Hemmelgarn Jul 06 '18 at 12:59
  • @AustinHemmelgarn, true. However, to actually exploit this, an attacker needs to perform a successful MitM attack (with its associated challenges) or there is no communication between client and AP. Additionally, if the infrastructure (i.e. the AP) is patched, then this would only apply to direct device to device connections. It is **significantly** easier to capture clear text (which requires almost no knowledge) than to set up a successful MitM and perform KRACK (which requires a fair amount of knowledge and the correct circumstances). – YLearn Jul 06 '18 at 13:20
  • @YLearn It's also significantly easier to capture cleartext than it is to bypass WEP. WEP is still considered worthless though. Key reinstallation attacks are nowhere near as easy as the attacks on WEP, but if you're being pragmatic, you should still be treating WPA2 as only marginally better than no encryption. – Austin Hemmelgarn Jul 06 '18 at 13:42
  • @AustinHemmelgarn, WEP is broken so deep in its core, that it remains broken for 100% of the clients using it (with no vendor proprietary extensions, which require support from both infrastructure and all clients to use). It requires no special circumstances/positioning, only marginally more knowledge than capturing packets, and *every* device using it is vulnerable to a working exploit in the wild for over a decade. Compared to only a small percentage of client devices being vulnerable, only on unpatched infrastructure, where an attacker needs to be closer to the victim than the AP, – YLearn Jul 07 '18 at 14:55
  • knowledge enough to perform a wireless MitM, knowledge to perform KRACK (with no known in the wild exploit available), and that the most vulnerable devices are *mobile* devices (making the positioning more difficult). Let me stress, *with no known exploit in the wild*, rather only severely controlled, worst case conditions enforced in a research setting. How is that even close to being put in the same class of vulnerable? – YLearn Jul 07 '18 at 15:00
  • But to your point, yes, WEP is better than in the clear, which most will acknowledge. However, it is only marginally better due to its well documented and easy to use/widely available exploit tools. WPA2 has no such vulnerability. – YLearn Jul 07 '18 at 15:03
0

Use VPN, by doing so you will tunnel all your communications via encrypted connection, therefore the attacker won't be able to hurt you. Good luck!

dop3mine