
The scenario is: John is away from home and, using his smartphone, he needs to send some messages on WhatsApp, use Facebook's app and do some bank operations.

Since I have read this and this topic, I'm thinking about which is the safer option between 3G/4G (IMSI-catcher threat) and public Wi-Fi (sniffer threat).

If John has both options, which one should he choose, and why? And what precautions should he take (tools are permitted, but without root)? Consider John a non-technical user.

Mycroft
  • Actually I forgot to accept your answer, but since you asked, just to conclude: about 3G/4G, John just needs to be lucky not to connect to rogue towers or IMSI-catchers? – Mycroft Apr 06 '19 at 15:11
  • Pretty much. If John's adversary is remote and sophisticated and wants to target him specifically or everyone in a given radius, then they'll be able to perform MITM attacks with the proper hardware. – forest Apr 07 '19 at 03:10

1 Answer


> If John has both options, which one should he choose, and why?

This depends on your threat model. Modern public hotspots do not use encryption or authentication whatsoever, allowing absolutely anyone with basic consumer hardware to sniff and modify unencrypted traffic. Cellular networks, on the other hand, do use encryption and at least a certain level of mutual authentication. Attacking it requires specialized hardware and often specialized cryptographic knowledge. While it may be possible to break 3G and 4G encryption, it's going to be far harder than just setting up Wireshark on a public network, which can be done on pretty much any laptop.

However, cellular networks are also very long-range, meaning that the data, potentially encrypted only weakly, is traveling very long distances. Compare this to Wi-Fi where the effective distance is quite limited. In fact, due to latency requirements in the protocol, there is a hard limit for active connections enforced by the speed of light. Passive monitoring must also be done locally due to the relatively low-power wireless transmissions made by Wi-Fi routers and computer wireless cards.

Overall, if your adversary, positioned on the airwaves with a transmitter and receiver with the intent of monitoring your wireless traffic, is local and unsophisticated, then Wi-Fi is dangerous. If your adversary is remote and sophisticated, then cellular networks are more dangerous. Note that WPA3, an upcoming encryption feature for Wi-Fi, will allow public networks to provide encryption even without a password.

> And what precautions should he take (tools are permitted)?

Use of a VPN to a trusted endpoint will protect from any relevant wireless attacks. A VPN creates an encrypted tunnel between you and a server, and that server connects to the websites you visit on your behalf. While VPNs are often advertised (incorrectly) as anonymity tools, they are actually only useful in this scenario for encryption. A VPN will ensure that an attacker who is able to monitor your wireless traffic will not see what sites you visit or the data you send to or receive from said sites. If you do not wish to pay for a commercial VPN or configure one yourself, Tor is a free alternative.

Assuming it's not possible to use any kind of encrypted tunnel, the next best thing is to only connect to websites that use TLS (HTTPS sites). Someone monitoring your wireless traffic will be able to see the website you connect to, but not what page on that website you are visiting, nor what you upload.

> Is there some sort of infection that spreads just by being on the same network as an infected device?

It is possible in theory, and vulnerabilities in Wi-Fi chips have been found that allow for remote arbitrary code execution, but they are unlikely to be used as an infection vector for a worm. It is more likely to be used by a sophisticated attacker targeting one or a few specific individuals. If the Wi-Fi chip itself is compromised, it can often (but not always) compromise the computer's operating system. This can be partially mitigated by enabling an IOMMU. I believe Windows does this by default, to a limited extent. On Linux with an Intel CPU, you can enable this by adding `intel_iommu=on` to your boot parameters.

forest
  • With _remote_ and _sophisticated_ do you mean governments? John is just a common guy, remember this – Mycroft Apr 02 '19 at 01:47
  • @Mycroft Governments or well-funded groups. In a pinch, it could also be a clever wireless engineer. Because I don't know anything about John or where he's living (Saudi Arabia? Sweden? North Korea?) or exactly what his adversaries want (credit card numbers? Confidential corporate data from the company he works at?), I can't tailor to his complete threat model. – forest Apr 02 '19 at 01:50
  • You said about windows and linux boot parameters, but remember that in this scenario John is using a smartphone – Mycroft Apr 02 '19 at 01:57
  • @Mycroft I _think_ smart phones use something similar, but it likely varies by hardware. However it still would require a sophisticated adversary targeting John or a group he associates with specifically, which I would _imagine_ is not a risk for him. A tech-savvy thief or script kiddie who wants to steal banking credentials from John is not going to use a wireless NIC 0day on him. They might even be able to sell that 0day for more money than John has in his account! – forest Apr 02 '19 at 01:58
  • Also, regarding cellular network interception, you might like to check out [Android IMSI Catcher Detector](https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector/wiki). – forest Apr 02 '19 at 02:00
  • I think this app is not working anymore – Mycroft Apr 02 '19 at 02:04
  • @forest: Nice answer. Maybe add that it is practically impossible for the average user to distinguish between a "proper" valid public hotspot and a rogue one, i.e. there is not much effort and cost involved for an attacker in creating a hotspot with a nice name like 'CityWifi' to which many users will gullibly connect. While this is possible with 3G/4G too, this is much harder and more costly. – Steffen Ullrich Apr 02 '19 at 05:28
  • @SteffenUllrich Good point, but I was thinking more along the lines of passive interception and active MITM, which doesn't even require intentionally connecting to a rogue hotspot. You can connect to a legitimate one and then be transparently forced into a MITM, so even if you _could_ distinguish between the two, it wouldn't matter and you'd still get pwned. – forest Apr 02 '19 at 06:54
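An added illustration of the HTTPS point in the answer above (this is not code from the original post or from either participant): a Python sketch of what a passive observer on an open hotspot can read from a single request. It assumes a constructed plain-HTTP request and a hand-built TLS 1.2 ClientHello; the host name is visible in both (for TLS, through the unencrypted SNI extension), but the path and body only in the plaintext one.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (sample data, not a real capture)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                    # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni               # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs       # record type 22 = handshake

def sni_from_client_hello(data: bytes) -> "str | None":
    """Walk a ClientHello and return the SNI host name, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 43                                                   # record + handshake hdr + version + random
        pos += 1 + data[pos]                                       # skip session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]       # skip cipher suites
        pos += 1 + data[pos]                                       # skip compression methods
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # end of extensions block
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0 and data[pos + 2] == 0:                  # server_name, host_name entry
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error):
        pass
    return None

def sniffer_view(payload: bytes) -> dict:
    """What an eavesdropper learns from one request: everything for HTTP, only the host for HTTPS."""
    if payload[:1] == b"\x16":                                     # TLS record: only the SNI leaks
        return {"host": sni_from_client_hello(payload), "path": None, "body": None}
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, path, _version = lines[0].split(b" ", 2)
    headers = dict(l.split(b": ", 1) for l in lines[1:] if b": " in l)
    return {"host": headers.get(b"Host", b"").decode(), "path": path.decode(), "body": body.decode()}

# Constructed samples: the same banking action sent over plain HTTP and over TLS.
HTTP_SAMPLE = b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\nContent-Length: 16\r\n\r\namount=500&to=42"
TLS_SAMPLE = build_client_hello("bank.example")
```

Running `sniffer_view` on both samples shows the plaintext request leaking path and body while the TLS one yields only the host name; a VPN or Tor tunnel, as the answer notes, hides even that from the hotspot.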