TAG | wifi
Kaspersky recently announced the discovery of a new Advanced Persistent Threat (APT) that they are calling DarkHotel. This is in the fine tradition of giving all newly discovered hackers or vulnerabilities clever and evil sounding names. In this case they have found something quite interesting.
For the last 7 years a group has been systematically targeting executives and government officials staying at high end hotels. They hack their computers and grab their files, sniff their keyboards, and install virus that can then spread within the victim’s organization. (more…)
Apple is getting taken to task for a couple of security issues.
First, their recently announced “Random MAC address” feature does not appear to be as effective as expected. The idea is that the iOS 8 device will use randomly generated MAC addresses to ping WiFi base stations when it is not actively connected to a WiFi network. This allows your phone to identify known networks and to use WiFi for enhanced location information without revealing your identity or allowing you to be tracked. Unfortunately the MAC only changes when the phone is sleeping, which is really rare with all the push notifications happening all the time. The effect is that the “random” MAC addresses are changed relatively infrequently. The feature is still good, but needs some work to be actually very useful.
Second, people are noticing their passwords showing up in Apples iOS 8 predictive keyboard. The keyboard is designed to recognize phrases you type frequently so it can propose them to you as you type, thus speeding message entry. The problem is that passwords often follow user names, and may be typed frequently. Research is suggesting that the problem is from websites that fail to mark their password fields. Apple is smart enough to ignore text in known password fields, but if it does not know that it is a password, then the learning happens. It is not clear that this is Apple’s fault, but it is still a problem for users. Auto-fill using the latest version of 1Password should protect against this.
An important decision just came down from the Federal 9th Circuit Court of Appeals about whether Google can be sued for intercepting personal data from open WiFi networks. The intercepts happened as part of the Street View program. In addition to capturing pictures of their surroundings, the Street View vehicles also collect GPS information (to correctly place the pictures) and the MAC addresses (unique hardware identifiers), SSIDs (user assigned network names), and until 2010 they captured some actual data from those networks. The purpose of the WiFi collection is to provide enhanced location services. GPS drains phone batteries quickly, and the weak signals may be unavailable indoors, or even under and significant cover. Nearly ubiquitous WiFi base stations provide another way of finding your location. The Street View cars capture their GPS coordinates along with all of the WiFi networks they can see. Your phone can then simply look at the WiFi networks around it, and ask the database what location corresponds to what it is seeing. WiFi is often available indoors, has short range, requires much less power, and is generally turned on in any case. Google claims that capturing the actual data was an accident and a mistake.
Unfortunately that data contained usernames, passwords and other sensitive information in many cases. A lawsuit was filed accusing Google of violating the Wiretap Act when it captured the data. There is no suggestion that the data has been leaked, misused, or otherwise caused direct harm to the victims.
The ruling was on a motion to dismiss the lawsuit on the grounds that Google’s intercepts were protected under an exemption in the Wiretap Act which states that it is OK to intercept radio communications that are “readily accessible” to the general public. The Act specifically states that encrypted or scrambled communications are NOT readily accessible, but the decision hangs on exactly what IS readily accessible. The court ruled that WiFi did not count as “radio” under the Act because several types of radio communications were enumerated, and this was not one of them. They then considered this case under the umbrella of “electronic communications”, which also has an exemption for readily accessible communications. On that, they decided that open WiFi is not readily accessible.
From a privacy perspective, this is good news. It says that people who intercept your information from your open WiFi can be punished (if you ever find out about it). This would clearly prevent someone setting up a business to automatically capture personal and marketing data from coffee shop WiFi’s around the world. It is less likely to have any impact on criminals. I am concerned that it will also lead to a sense of false confidence, and perhaps cause people to leave their WiFi open, rather than taking even minimal steps to protect themselves.
The hacker / tinkerer / libertarian in me has a real problem with this ruling. It is really trivial to intercept open WiFi. Anyone can join any open WiFi network. Once joined, all the the data on that network is available to every connected device. Easy, free, point and click software allows you to capture all of the data from connected (or even un-connected) open WiFi networks. If you are debugging your home WiFi network, you could easily find yourself capturing packets from other networks by accident. They are in the clear. There is no hacking involved. It is like saying that you can not tune your radio to a specific station, even though it is right there on the dial.
I think peeping in windows is a reasonable analogy. If I am standing on the sidewalk, look at your house, and see something through your windows that you did not want me to see, that is really your problem. If I walk across your lawn and put my face against the glass, then you have a cause to complain.
Open WiFi is like a window without curtains, or a postcard. You are putting the data out there where anyone can trivially see it. Thinking otherwise is willful ignorance. All WiFi base stations have the ability to be secured, and it is generally as simple as picking a password and checking a box. You don’t even need to pick a good password (although you really should). Any scrambling or encryption clearly moves the contents from being readily accessible, to being intentionally protected. If you want to sunbathe nude in your back yard, put up a fence. If you want to have privacy in your data, turn on security on your WiFi router.
I think that radio communications are clearly different than wired. With radio, you are putting your data on my property, or out into public spaces. There is no trespass of any kind involved to obtain it, and we have no relationship under which you would expect me to protect the information that you have inadvertently beamed to me. It would be like saying that I can’t look at your Facebook information that you made public because you accidentally forgot to restrict it.
Similar to provisions of the DMCA, which outlaw much research on copy protection schemes, this is likely to create accidental outlaws of researchers, and the generally technical and curious.
Welcome to Episode 11 of The Privacy Blog Podcast, brought to you by Anonymizer.
In this episode, I’ll discuss the shutdown of secure email services by Lavabit and Silent Circle. In addition, we’ll dive into the problem with hoarding Bitcoins and how you can protect yourself while using the increasingly popular online currency. Lastly, I’ll chat about whether teens actually care about online privacy and an ad agency’s shocking decision to use high-tech trash cans to measure Wi-Fi signals in London.
Please leave any questions or feedback in the comments section. Thanks for listening.
According to the Telegraph, the UK government is instituting a code of conduct for public WiFi which would require blocking of pornography to protect kids.
I see a couple of problems here.
1) Porn proliferates very quickly, so the blocking is likely to always be behind the curve, and kids are really good at getting around these kinds of blocks.
2) Some people will feel that things are allowed that should be blocked.
3) Inevitably legitimate websites will be blocked. A common example is breast feeding web sties, which frequently get caught in these kinds of nets.
4) Implementing this requires active monitoring of the activity on the WiFi which generally enables other kinds of surveillance.
Most home networks don’t have filtering on the whole network, so kids at home would be exposed to raw Internet. The standard is generally to filter at the end device. It seems to me that would be the best option here.
Parents could choose exactly the blocking technology and philosophy they want to have applied, and it does not impact anyone else.
In the March episode of The Privacy Blog Podcast, I’ll run down some of the major privacy news events of the last month. Learn how Facebook “Likes” can paint an extremely detailed and eerie picture of your real-life character traits. I’ll provide my take on Google’s Street View Wi-Fi sniffing controversy along with how “Do Not Track” flags are affecting the everyday Internet user. We’ll then touch on the implementation of the “Six Strikes” copyright alert system that was recently adopted by all five major ISP providers.
Stay tuned until the end of the episode to hear about Anonymizer’s exciting new beta program for Android and iOS devices. Thanks for listening!
CNET’s Declan McCullagh reports on Microsoft restricting access to their Wi-Fi geolocation database shortly after this CNET article describing how to track devices using such databases. I have written about these databases before here, here, and here. Specifically Microsoft is preventing users from querying for the location of a single Wi-Fi device by specifying just one MAC addresses. Prior to the change it was possible to track an individual phone or laptop by querying for the location of that device’s MAC address.
CNET describes a test where they were able to track a device as it moved around Columbus Ohio. This would indicate that the underlying database is updated in near real time, and that it is collecting on mobile devices as well as on the fixed Wi-Fi base stations it is supposed to catalog for enhanced location services.
Tracking mobile devices can only harm the accuracy of enhanced GPS location services because they move around and could potentially give misleading information. It would be easy to eliminate such devices from the database because the type of device is discoverable from the MAC address they are collecting.
While there is no reason to track mobile devices for enhanced GPS, there are all kinds of less savory reasons to gather and track this kind of information. I note that Microsoft’s solution is to prevent access to this individualized tracking information about mobile devices rather than to stop collecting it…..
This is really just an automation of something we demonstrated in the Anonymizer Labs section of our website a while back.
Reuters reports that the Google admits that its Street View vehicles captured much more WiFi data than previously reported. It appears that they managed to capture entire emails and passwords among other information.
People are vilifying Google about this, but I am not going to get on that bandwagon. The reality is that they did this accidentally, but the architecture of WiFi allows any bad guy to do the same thing intentionally. Google did not “hack” in to these WiFi communications, they simply configured their WiFi cards to accept all packets flying by them through the air in the clear. Anyone sitting in a Starbucks, driving around town with a laptop in the passenger seat, or in a thousand other ways could intentionally capture and maintain much more information and with it do significant damage.
The take away from this is that you need to take precautions when using open public WiFi. Full VPN technologies like Anonymizer Universal ensure that when (not if) someone sniffs your traffic they will not be able to get any of your personal information.
One of the reasons interception of insecure passwords is so scary is the tendency for people to use the same passwords for many accounts. While you might not care if someone hacks in to your social network or news account, if you use the same password attackers might use it to log in to your bank or email.