Accessing Public Wi-Fi: Security Issues

Sankar RoyDepartment of Computing and Information Sciences

Kansas State University

2

Acknowledgement

In preparing the presentation slides and the demo, I received help from• Professor Simon Ou• Professor Gurdip Singh• Professor Eugene Vasserman• Alex Bardas and Fengguo Wei

What is a public Wi-Fi?

• Provides a wireless access point (AP) via which your laptop or smart phone can connect to the Internet

• Wi-Fi hot spots are available in coffee shops, at airports, on KSU campus, in public libraries, etc.

More about a Public Wi-Fi Hotspot

• Note: Wi-Fi is a particular communication protocol (whose technical name is IEEE 802.11)

• The communication, is open in nature, i.e. any computer with an antenna in the region can communicate with the Access Point (AP).

AP

modem

Internet

Some Issues of the Public Wi-Fi

• Wireless communication is essentially a broadcast one– A neighboring attacker can sniff (eavesdrop) all the

data transmitted

AP

More Issues of the Public Wi-Fi

• Why no encryption is employed in a public Wi-Fi? – It will become complex from the admin perspective– It will hurt the current “plug and play” feature.– Encryption does not help if everybody shares the

password

• Why can’t you use a secure Wi-Fi protocol yourself?– The network admin has to make the protocol available– You (the user) do not have the admin access of the AP.

Attack 1: Eavesdrop Communication

• The attacker might be able to mine out secret information (e.g. a user’s emails, password, banking details, etc.) from the sniffed communication.

• Available attack-tools: airPcap, wireshark, driftnet, urlsnarf, etc.

8

Background Knowledge for Attack 2

• In some portals (e.g. Yahoo mail) the web session after successful login switches back to HTTP. The HTTP session is then authenticated only by a cookie.

• What is a cookie? – a login receipt containing the web session ID– The server can identify/authenticate the client’s session by

the cookie ID• Problem: client’s cookie can be stolen– (example) when the adversary does packet sniffing on the

Wi-Fi network where the client’s machine is• Outcome: the HTTP session can be hijacked (also called

sidejacked).

Attack 2: Sidejacking Web Sessions

Now the attacker can impersonate the user e.g. on LinkedIn or Yahoo email, etc. Attack Tools: Firesheep, Droidsheep, etc.

(1) After login, the victim sends requests to the web application using a cookie for authentication. (2) Because it is sent over HTTP, an adversary can eavesdrop it and capture the cookie. (3) the adversary uses this cookie to hijack the victim’s session. Acknowledgement: One-Time Cookies, GaTech.

Attack 3: Evil Twin

• It is basically a man-in-the-middle attack.• It can be launched by tools such as HermesAP and OpenAP.

The attacker node fools the user node to communicate with a fake AP, and hence redirects the traffic through itself.

AP Fake AP

Firesheep: One Web Session Hijacking Tool

• The attack scenario: – an innocent user Alice accesses her Yahoo email or LinkedIn

account using a public Wi-Fi at a hotspot (e.g. an airport)– a neighboring attacker Mallory (M) uses a Firefox add-on

(Firesheep) on a laptop and sniffs the user Alice’s communication

• Firesheep automatically grabs the cookie of each of Alice’s insecure web sessions (i.e. HTTP sessions)

• With the above cookies, Firesheep automatically hijacks Alice’s web sessions

Insecure Web Portal ExamplesAfter login is done, Yahoo email switch to HTTP connection, i.e. secure (HTTPS) connections are no longer used. Same problem with Facebook if its HTTP version is used.

How Firesheep Add-on Looks on Firefox?

Acknowledgement: Firesheep creator, Eric Butler

Attacker is Browsing Hijacked Sessions

Acknowledgement: Firesheep creater, Mr. Butler

A Demo: Web Session Hijacking

• We will use the attack tool called Droidsheep which runs on an Android tablet.

• The attack scenario: – Alice accesses her Yahoo email or LinkedIn account in a public Wi-

Fi hotspot – a neighboring attacker Mallory (M) is present there with an

Android tablet with Droidsheep tool running. • Droidsheep automatically grabs the cookie of each of Alice’s

insecure web sessions and shows the list of sessions.• Mallory can now hijack any of Alice’s web sessions just by a

simple “tap / click” on the list shown on the tablet screen.

Demonstration

How to Counter the Attacks: the Basic Idea

• The user Alice establishes a secure communication channel with the remote end (R) of the communication (e.g. email server, bank server, etc.)

• The communication between Alice and R is encrypted.• The attacker Mallory (M) cannot decrypt Alice’s data through sniffing.• M cannot launch sidejacking attack; Evil Twin does not have any impact.

R: email server

Alice

Mallory

AP

A Wi-Fi hotspot with a user and an attacker

Secure comm. channel

Solution 1: Browse Secure Web Only

• We can avoid the above attacks if we access only the HTTPS-enabled web sites (e.g. Gmail but not the Yahoo email)

• Many web portals (e.g. Facebook, Tweeter) provide both HTTPS and HTTP options; you have to choose the HTTPS option.

• We discussed how to use HTTPS web browsing in the previous class.

Choose “Secure Browsing” in Facebook

Fortunately, now the default option is HTTPS

Choose “Secure Browsing” in Tweeter

Fortunately, now the default option is HTTPS

Solution 2: VPN (Virtual Private Network)

• Alice uses VPN to create a secure “tunnel” between her machine and the remote target (e.g. KSU)

• Alice’s machine needs to have a VPN client; target network also needs to have a VPN server e.g. vpn.net.k-state.edu for KSU

S: VPN server

Alice

M

AP

A Wi-Fi hotspot with a user and an attacker M

VPN tunnel

R: target server

The KSU network Internet

General Scenario: Multiple Target Servers

• Caution: VPN (split mode ) does not redirect your communication with all of the servers (e.g. Yahoo email server) through the VPN server.

• In split mode, only the traffic destined to the VPN server’s network will be protected from the attacker M at the public Wi-Fi hotspot.

KSU VPN server Alice

M

AP

A Wi-Fi hotspot: user Alice is with Split Mode VPN

VPN traffic R1: target server (e.g. KSU email)

R2: target server(e.g. Yahoo)

regular traffic

General Scenario: Multiple Target Servers

• VPN (full mode ) redirects your communication with all of the servers (including Yahoo email server) through the VPN server.

• In full mode, all the traffic destined to all the target servers will be protected from the attacker M at the public Wi-Fi hotspot.

KSU VPN server Alice

M

AP

A Wi-Fi hotspot: user Alice is with full mode VPN

VPN traffic R1: target server(e.g. KSU email)

R2: target server(e.g. Yahoo)

VPN traffic Alice is atKSU

Setting up a VPN connection to KSU

• Install the Cisco VPN client in your machine from the ITS website (www.ksu.edu/its/security/vpn)

• Connect the VPN client with the KSU VPN server by providing your KSU eID and password.

• In both the full and split VPN options– VPN tunnel encrypts your traffic between your computer

and the VPN server. – But, the traffic between the VPN server and the target

server will NOT be encrypted, unless you are using SSL-enabled applications.

Installing the KSU VPN Client on Windows

Starting the KSU VPN Client – Part I

Starting the KSU VPN Client – Part II

Running the KSU VPN Client in Split Mode

Running the KSU VPN Client in Split Mode

Running the KSU VPN Client in Split Mode

Running the KSU VPN Client in Full Mode

Running the KSU VPN Client in Full Mode

Installing the KSU VPN Client on Mac

Installing the KSU VPN Client on Mac

Getting Statistics of the VPN Client on Mac

Managing Common Wi-Fi Settings

• Your laptop (or smartphone) may get connected automatically to a public Wi-Fi network if you have used the same network before

• The above can also happen if you have used a different network with the same name (SSID) before.

• How to avoid: change the default wireless network access policy of your laptop or smartphone

Similar Attacks to a Wired Network?

• Wired Ethernet network can be eavesdropped– If it is a network with a “hub”, then it builds a broadcast

channel like a Wi-Fi network. So, sniffing is easy– If it is a network with a “switch”, then the attacker needs

some additional step before being able to sniff• So, similar attacks can be launched in a wired

network where users access Internet via Ethernet cables in a public place.

• Note: this even applies to cable Internet connections at home.

38

Summary

• We discussed common security threats of using a public Wi-Fi hotspot

• We presented a few standard countermeasures to mitigate the risks

• Remainder:– the next homework is due before the next class (1pm

on February 14) – the next class will be held in Room 127