How to Prevent a Coffee Shop Wi-Fi Attack
The world just got a bit riskier for us “road warriors.” You
see, there’s this perfect storm of risks lined up to make
our lives a little more dangerous. Here’s why, and here’s
what we can do to fight back.
In the last couple of years, a new breed of mobile user has
sprung up. Thanks in large part to the iPhone (and the
iPhone-wannabes), the world now has a lot more mobile
devices hungry for a live (and free) Wi-Fi connection. Sure,
we’ve been using Wi-Fi for years, but at least for many of
us, what was once the casual and even occasional laptop
login has become a more convenient and far more frequent
quick check for email, stock reports, headlines, etc.
We’re using our hyper-mobile devices all the time now.
Standing in line at the coffee shop, we quickly fire up our
pocket-sized devices to see what’s going on in the world.
Now, here’s where the risk storm comes in.
When you point your Wi-Fi interface at a local wireless
access point (WAP), you’re implicitly trusting it. Say, for
example, you’re in your favorite coffee shop and turn on
your mobile device and see there’s a Wi-Fi net present—say,
something like “Acme-wireless.” You see it’s not using WEP,
so you blindly and courageously take the leap of faith and
connect to it.
Once on the wireless, you bring up your browser and try to
connect to a Web site. Looks fine, so you log in to that Web
site, perhaps providing your login credentials (or a
browser-stored cookie containing your login credentials).
Away you go—and away your login credentials go. You’ve just
fallen for the oldest trick in the book, the dreaded “man in
the middle attack,” and your attacker now has your
credentials/cookie.
How could that have happened, you ask? Well, when you signed
onto “Acme-wireless,” you trusted that it was indeed
“Acme-wireless” and that it is operated by an honest
business. The only proof you had that it was indeed
“Acme-wireless” was that it said so.
You’ve been duped.
Yes, it’s easy to do. It would be absolutely simple to
configure a laptop PC to masquerade as “Acme-wireless” and
then to collect login credentials from unsuspecting mobile
users seeking a free Wi-Fi fix. After all, the Wi-Fi
standard provides no mechanism for the user to authenticate
the server. None. Nada. Zip.
And that’s just one kind of Wi-Fi-based attack. It gets
worse. When you connect over Wi-Fi, a lot of relatively
sensitive information (e.g., passwords, session IDs,
cookies) is routinely passed unencrypted and is thus open to
being trivially sniffed by anyone else on the same Wi-Fi
network. That person sitting next to you in the coffee shop
could well be running a sniffing tool like Wireshark and
collecting anything sensitive that your browser or email
client emits.
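As an added example (not part of the original article), here is one way a site owner or tester could check which cookies would cross an open Wi-Fi network unencrypted. The host shop.example, the cookie names, the sample responses and the function audit_cookies are all constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: (URL, Set-Cookie headers) pairs as they might be
# recorded while logging in to a hypothetical site.
SAMPLE_RESPONSES = [
    ("http://shop.example/login",
     ["sessionid=abc123; Path=/; HttpOnly"]),
    ("https://shop.example/account",
     ["auth=tok456; Path=/; Secure; HttpOnly",
      "prefs=dark; Path=/"]),
]


def audit_cookies(responses):
    """Return (cookie_name, reason) for every cookie a sniffer could read.

    A cookie is exposed if the response that set it travelled over plain
    HTTP, or if it lacks the Secure attribute and the browser may
    therefore attach it to a later plain-HTTP request to the same host.
    """
    findings = []
    for url, set_cookie_headers in responses:
        over_tls = urlsplit(url).scheme.lower() == "https"
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)  # parses one Set-Cookie header value
            for name, morsel in jar.items():
                if not over_tls:
                    findings.append((name, "set over plain HTTP"))
                elif not morsel["secure"]:
                    findings.append((name, "missing Secure attribute"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_cookies(SAMPLE_RESPONSES):
        print(f"{name}: {reason}")
```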
Now, combine all that with the fact that our hyper-mobile
devices are getting smaller and smaller, while at the same
time becoming more and more capable as powerful computing
devices. Further, we’re starting to trust them more and more
for connecting to sensitive network services, including
financial services and such. That is to say that they are
without a doubt becoming serious targets for the miscreants
of the world who want to liberate your money from your
wallet.