HALF of London has outdated Wi-Fi security, says roving World of War, er, BIKER

Wireless security across London remains flaky despite the well-known risks, according to an infosec bod who has been riding his bike all around town identifying insecure wireless networks and highlighting shoddy user behaviours that could be exploited by rogue hackers. James Lyne, global head of security research at Sophos, went …

COMMENTS

This topic is closed for new posts.


I would imagine a large amount of unencrypted access points are "guest APs", where you log in with a username and password after connecting, or perhaps no authentication at all (by design).

12
0
Gold badge

I was wondering that too. Considering that all the Starbucks or BTopenzone and the like have no protection, then it's no surprise.

What this guy should be saying is that the WiFi standards group are still completely crap if they cannot implement a standard that allows anyone to connect without needing a password, and then for the two devices to negotiate a secure connection between them.

The current standards either have no protection, or the requirement to enter a 140 bit key on an on-screen keyboard the size of a postage stamp, and no way to know what that key is unless people stick post-it notes up on every lamp-post.

As for honeypots; aren't they one of the reasons for VPN?

4
0
Silver badge

It is still bad practice. You should never connect to an access spot without a WPA2 passphrase. A VPN can go some way to mitigating that, but even so...

A business offering free wifi should set the password to their business name or have the password prominently displayed for their customers.

Our guest WLAN at work is WPA2 encrypted and we have QR-Codes for smartphone and tablet users to set up the connection automatically and the password is available upon request for PC users.

3
7
Silver badge

Security is like an onion

Our guest WLAN at work is WPA2 encrypted and we have QR-Codes for smartphone and tablet users to set up the connection automatically and the password is available upon request for PC users.

So all I need are some stickers and I can mess up your guest WLAN, or worse, send your tablet/smartphone users to my malware-ridden network or site instead?

Hypothetically, of course.

7
0
Silver badge

PKI

We theoretically could solve the issue with PKI, but even "type down this password on your device" is too much of a hassle for non-techies. Interestingly, the one place where I've seen PKI used for "public" WiFi access is at DEF CON, but then that's because you know most people going there are going to be tech savvy to boot. And the one thing that was made to do this easily (WPS) has the stupid PIN method which can be cracked easily, thus the method being disabled by anyone tech savvy these days...

2
0
Anonymous Coward

Re: PKI

Upvote for identifying WPS as being stupid and ruining an otherwise good WPA2.

0
0
Anonymous Coward

Why would anyone turn on encryption and require credentials on a consumer internet only connection anyway? It just slows down your traffic. I leave my WiFi connections open for anyone to use and turn off all logging - and I'm in a quite busy area - have done for years without any issues at all. I have a VPN account for any traffic I really care about, but in general checking that EV certificates are valid does me.

It also quite incidentally makes any accusations of say sharing copyrighted content quite deniable too.

0
0
Bronze badge

"I would imagine a large amount of unencrypted access points are "guest APs", where you log in with a username and password after connecting, or perhaps no authentication at all (by design)."

That and decade-old domestic broadband routers that have sat on the phone stand since they were delivered, only being replaced if the owner moved house and was sent a new router for their new line, or if it went on the fritz. My parents' Orange Livebox went on 5 years before a thunderstorm spiked the phone line and the router with it, and its replacement has been going for the best part of a decade.

No reason they will replace it unless it dies or they get sent a shiny new box for a fibre connection, which won't happen because fibre isn't coming to their rural backwater. Ever.

On the plus side their old farmhouse has "proper" walls built of stone and brick, not plasterboard and wood, so the wifi barely makes it downstairs, much less outside the house or the mile to their nearest neighbour (who has no line of sight in any case). The odds of anyone sniffing that access point are somewhere approaching nil.

0
0
Silver badge

With Australia bringing in a three strikes law, poor to no wireless security gives you plausible deniability when the jackboot squad comes knocking.

0
0
Windows

My WiFi is unsecured by design. Apartment block has a lot of elderly living here, and they want to use bank, Skype/FB for the family and relations. No problem.

Isn't it a bit possessive to protect your WiFi, if your computer is secured?

Farmer Giles: "GET ORF MY LAAAAN(D)!!!!" springs to mind....

0
0
Silver badge
Joke

Shhhh...

Using Wifi that people have failed to secure keeps my phone data plan under its monthly limit.

12
1
Bronze badge
Windows

Re: Shhhh...

Just pop down to your local FE College or Arts Centre. All of the ones round here have open wifi with landing pages. My College blocks https and anything that isn't port 80 however. Full on UKERNA clean feed.

"Lyne used a little Raspberry Pi Linux computer in the bag slung under the crossbar, a powerful battery under the seat to provide power for the scanning rig for a whole day, a small GPS unit, small scanners wired into a little Raspberry Pi, and a scanner aerial strapped to the downtube."

Pictures or it didn't happen! Pure Iain Sinclair. Ctrl-F 'temperature traverses' on the page below. Excellent.

https://www.nytimes.com/books/first/s/sinclair-territory.html

0
1
Silver badge

Even the UK Police recently mentioned what I said over 6 years ago.

Don't use ANY public WiFi without VPN. There is no way to know how trustworthy it is.

HTTPS isn't secure from a "man in the middle" attack.

5
0
Silver badge

re: the Police

Just remember to keep a copy of all the session keys that the VPN generates - you go to prison for 5 years if you can't produce them.

2
3
Silver badge
Paris Hilton

> HTTPS isn't secure from a "man in the middle" attack.

U WOT M8?

It is - if the certificate chain has not been compromised. Don't use COMODO or DigiNotar shit. Preferably use your own CA.

1
6
Silver badge

The website owner decides what CA to use. You could manually check every certificate you receive for an https site to see if you think it is valid, but you probably won't do a better job than your browser already has.

2
0
Bronze badge

>HTTPS isn't secure from a "man in the middle" attack.

Yep, just like a VPN, HTTPS is vulnerable at initial connection establishment.

To avoid the connection establishment (in public hotspot) vulnerability you could use a persistent session, but these are frowned upon by the security experts...

0
0

"Yep, just like a VPN, HTTPS is vulnerable at initial connection establishment."

Care to describe this vulnerability in a bit more detail? Or with some evidence?

0
0
Silver badge

Use WPA2? Fine, I won't argue with that - but where, pray tell, should the VPN be directed to connect? Definitely not all home routers currently in use come with that built-in (given the owner has any idea he does have it at all)? Who says there even is anything permanently 'on' on the home LAN - there might be no router at all? Heck, there might not be any home LAN at all for some people...!

4
0
Silver badge

ProXPN and other VPN services? There are many out there.

0
0
Silver badge

....and trust a 3rd party VPN?

Even if they are totally honest, I know where I'd concentrate efforts if I was a spy agency...

1
0

My home router supports VPN, so I point myself back to my home environment - it limits my speed to my home up-link speed (so about 600kbits), but it works.

1
0
Anonymous Coward

Had to downgrade my wireless security at home, as the brand new Internet enabled TV I bought for my wife to watch in bed while convalescing only supports WEP!

7
1

"Had to downgrade my wireless security at home, as the brand new Internet enabled TV I bought for my wife to watch in bed while convalescing only supports WEP!"

Even if it is completely appalling in 2014, I'm not that much astonished. Most consumer products don't give a crap about implementing basic security.

You have my sympathy.

Even Nintendo with their bugged first WiiU firmware failed to have any security working at launch. Not even WEP. Had to go to clear text!

0
0
Anonymous Coward

re: Had to downgrade security as the TV supports WEP!

If you had a spare wireless router (or even a Pi or netbook with a wifi dongle that can work in access point mode), you could have set it up to firewall the WEP-only devices from the rest of your network. Give them a free route out to the internet, but don't let them access anything else.

Once you learn how to configure this sort of thing, it has a variety of uses. Over the last few years I've had a DMZ (home ftp server receiving requests directly from the net, but firewalled from all my other machines), a separate "guest" wireless network (like your WEP-only scenario) and more recently I set up fail-over networking (tethering to my phone) for when the main broadband goes down. I guess I should also use VPN for when I'm connecting to public wifi with my phone, but that doesn't happen regularly enough for me to worry about it.

4
3
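
One way to express the isolation this comment describes, as an nftables ruleset for a Linux box (such as the Pi it mentions) acting as the access point for the WEP-only devices. This is an added example, not the commenter's configuration; the interface names `wlan1` and `eth0`, the `192.168.50.0/24` legacy subnet, and a DHCP/DNS service running on the box itself are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: isolate a legacy (WEP-only) wireless segment.
# Assumptions, not from the thread:
#   wlan1            AP interface serving the WEP-only devices
#   eth0             uplink into the existing home LAN / internet router
#   192.168.50.0/24  subnet handed out to the legacy devices
#   DHCP and DNS are served by this box (for example dnsmasq)

define LEGACY_IF  = "wlan1"
define UPLINK_IF  = "eth0"
define LEGACY_NET = 192.168.50.0/24
# Every private or link-local range, so the trusted LAN and the main
# router's admin interface are unreachable whatever their addressing is.
define PRIVATE_NETS = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }

table inet legacy_isolation {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Management only from the trusted side.
        iifname $UPLINK_IF tcp dport 22 accept
        # Legacy clients may only ask this box for an address and for DNS.
        iifname $LEGACY_IF udp dport { 53, 67 } accept
        iifname $LEGACY_IF tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # No route from the legacy segment to anything private.
        iifname $LEGACY_IF ip daddr $PRIVATE_NETS drop
        # Everything else (the internet) is allowed out, IPv4 only;
        # IPv6 from the legacy segment falls through to the drop policy.
        iifname $LEGACY_IF oifname $UPLINK_IF meta nfproto ipv4 accept
    }
}

table ip legacy_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide the legacy subnet behind this box's uplink address.
        ip saddr $LEGACY_NET oifname $UPLINK_IF masquerade
    }
}
```

Because the forward policy is drop and nothing permits traffic from `eth0` toward `wlan1` except replies, the trusted LAN cannot be reached from the WEP segment even if the WEP key is recovered.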

Re: re: Had to downgrade security as the TV supports WEP!

I have a second SSID on my wifi router that has no security, but only allows specified MACs to connect. Not doing anything more than downloading ebooks, so fine. Everything else goes over WEP2.

1
2

In my experience, smart TVs

Work best with a bit of Ethernet cable.

10
0
Silver badge

Re: re: Had to downgrade security as the TV supports WEP!

You can spoof MACs

6
0
Bronze badge
Pirate

Re: re: Had to downgrade security as the TV supports WEP!

Using the MAC provides absolutely NO!! security. Using aircrack-ng and other software I can clone the MAC and crack WEP from over 500 ft. away. The only security for a home network is a good pass phrase.

4
0

Re: re: Had to downgrade security as the TV supports WEP!

By the way, is it a new TV? Devices which only support WEP are negligent IMHO.

0
0

Re: re: Had to downgrade security as the TV supports WEP!

Indeed, I just finished doing the same scan in Las Vegas and there are a huge number of networks with exactly that setup. Their SSID is easily identifiable as it shares the SSID followed by _guest or the like. Of course, a lot of them are open and while the intended user (the household) may not expect to do anything too sensitive, others might. Also, seemingly innocuous downloading and browsing can allow for insertion of nasty JavaScript, social engineering pages or other manipulation. It sounds like you aren't going to be falling for it, but I doubt everyone in our study behaves the same way ;-)

2
0
Bronze badge

Re: In my experience, smart TVs

@Jason Hindle

I was actually about to suggest a home plug system.

2
2
Anonymous Coward

Take it back

Sale of goods act - selling goods that are not fit for purpose.

1
1
Silver badge
Thumb Up

Re: re: Had to downgrade security as the TV supports WEP!

"Everything else goes over WEP2."

WPA2 you mean :-)

[ That may be the reason for the downvote, but it wasn't from me! ]

1
0
Silver badge

"brand new Internet enabled TV...only supports WEP!"

Name and shame please.

0
0
MJI
Silver badge

He is NOT a biker

He is a cyclist

Cross bar gave it away.

A biker rides a motorcycle.

13
1
Silver badge

Re: He is NOT a biker

And bikers dress in black leather and big boots while cyclists dress in skin tight lycra

6
0
Silver badge
Devil

Re: He is NOT a biker

It was Putin's own biker gang (Night Wolves) wot done it!

0
0
Silver badge
Trollface

Re: He is NOT a biker

So you're telling us that people who ride BIKES are CYCLISTS and BIKERS ride motorCYCLES?

That's highly illogical!

8
0
Bronze badge
Headmaster

Re: He is NOT a biker

BIKE riders ride BiCYCLES not Bikes

1
0
MJI
Silver badge

Re: He is NOT a biker (not illogical)

Ask anyone and they will tell you a biker rides a motorbike, and a cyclist rides a bicycle.

BTW I work with a couple of cyclists!

1
0
Bronze badge

Re: He is NOT a biker

>BIKE riders ride BiCYCLES not Bikes

The exception is the "Think Bike" road safety campaign where they have been keen to associate 'Bike' with motorbike...

0
0
Silver badge

Re: He is NOT a biker

Or unicycles

0
0
Bronze badge
Facepalm

Why a large battery?

Wouldn't it be better to charge from the act of peddling the bike? It would also make a much better project as well.

As for insecure networks... I hope this helps to raise the awareness of this problem. It's not too good in this day and age.

0
0

Re: Why a large battery?

Pedant alert.

Peddling his bike would give him some cash in pocket, but would not make a better project.

Pedaling his bike to generate the electricity would be cool, though.

11
0
Bronze badge

Re: Why a large battery?

Why go to all the expense and aggravation of adding a means for charging the battery when it doesn't enhance the intended project ?

The usage drain is likely more than can be put back in so the battery is probably going to have to be charged overnight anyway.

3
0

Re: Why a large battery?

Ha! We actually did that in the first prototype run but it turned out to be entirely unnecessary given the kit we were using. I also used a solar panel, but the equipment is so efficient now it doesn't make sense. However for geek appeal, to your excellent point, we did both dynamo and solar BECAUSE.

3
0
Silver badge
Pint

Re: Why a large battery?

2 days cycling across London? Rather you than me!

You deserve a pint (or 3) for that!

3
1
MJI
Silver badge

Re: Why a large battery?

A properly defined biker would use his bike battery!

1
0
MJI
Silver badge
Pint

Re: Why a large battery?

Anyway well done for all this testing and treat yourself to a pint

1
0
