Firesheep, Blacksheep, and protecting your Wi-Fi data
- 11 November, 2010 07:42
Despite the convenience, free public Wi-Fi networks like those found in hotels, Starbucks, and McDonald's are also a serious risk when it comes to your data and personal information. A new Firefox plug-in makes it even easier for tech novices to snoop wireless traffic, making it even more crucial than ever that users understand the risks and take precautions when using Wi-fi hotspots.
The Firesheep plug-in was developed by security researchers to highlight how insecure public Wi-Fi networks can be. Mission accomplished. Unfortunately, the tool works quite well, and its public availability now places a relatively powerful snooping tool that requires virtually no hacking skills or exceptional tech knowledge in the hands of anyone.
Another Firefox plug-in called Blacksheep was developed as a Firesheep alarm. It won't secure your wireless data, and it won't prevent your information from being snooped by Firesheep per se, but it will alert you when Firesheep is in use on the network you're connected to so that you're aware.
Bottom line, wireless networks are not as secure as their wired counterparts, and Wi-Fi hotspots open to the general public are even less secure. If your laptop can connect to a wireless router 100 feet away, then so can any other device in a 100-foot radius of that wireless router--which is why the router should have encryption enabled and require a password of some sort to gain access.
The issue is mainly a function of public Wi-Fi hotspots which generally have a completely open, and unencrypted wireless network available for patrons to join. In some cases, such as hotels, the Wi-Fi may actually use a password to prevent abuse by users who aren't actually staying at the hotel, but those are only slightly more secure because the password is shared with everyone who stays there, and is rarely changed so acquiring it is a trivial matter.
Chet Wisniewski, a senior security advisor with Sophos, implored establishments such as Starbucks and McDonald's to improve security by adopting an encrypted network with a default shared password. The sentiment is admirable, and the solution offered would provide better protection than no encryption at all--and prevent snooping by the current version of Firesheep--but, in the grand scheme it's not much better.
A comment on the Sophos blog explains, "I'm not really sure "free" as password is a great idea, since a password in WPA2 is nothing but a pre-shared secret, which in turn is then used to create a unique key. The problem is, when everyone uses the same password, everyone will end up with the same key, which will be in intended use client and access point, but if someone else knows the password he will be able to come up with the same key."
The commenter concludes with, "You might say now it's better to have some encryption instead of none, but I think that's even more dangerous, because people now will actually think they are secure, and will therefore feel at ease to do more dangerous stuff, while a black hat will actually have just little more inconvenience to decrypt it first based on the password he knows. In fact, a black hat might even be more attracted to such hot spots because he knows people feel more at ease to do dangerous things there."
Public hotspots are convenient. It is nice to be able to kick back and surf the Web while sipping a pumpkin spice latte at Starbucks. Just realize that the Wi-Fi is insecure and limit your activities. Go ahead and read the headlines at CNN.com, but don't check your bank balance, or do anything else that requires entering a username, password, or account number.
If you want or need to do more sensitive tasks over the public Wi-Fi, use a VPN connection of some sort so that there is an encrypted tunnel between your laptop or tablet and the destination you are connecting to.