back to article HALF of London has outdated Wi-Fi security, says roving World of War, er, BIKER

Wireless security across London remains flaky despite the well-known risks, according to an infosec bod who has been riding his bike all around town identifying insecure wireless networks and highlighting shoddy user behaviours that could be exploited by rogue hackers. James Lyne, global head of security research at Sophos, …

COMMENTS

This topic is closed for new posts.
  1. KjetilS

    I would imagine a large amount of unencrypted access points are "guest APs", where you log in with a username and password after connecting, or perhaps no authentication at all (by design).

    1. BristolBachelor Gold badge

      I was wondering that too. Considering that all the Starbucks or BTopenzone and the like have no protection, then it's no surprise.

      What this guy should be saying is that the WiFi standards group are still completely crap if they cannot implement a standard that allows anyone to connect without needing a password, and then for the two devices to negotiate a secure connection between them.

      The current standards either have no protection, or the requirement to enter a 140 bit key on an on-screen keyboard the size of a postage stamp, and no way to know what that key is unless people stick post-it notes up on every lamp-post.

      As for honeypots; aren't they one of the reasons for VPN?

      1. Daniel B.

        PKI

        We theoretically could solve the issue with PKI, but even "type down this password on your device" is too much of a hassle for non-techies. Interestingly, the one place where I've seen PKI used for "public" WiFi access is at DEF CON, but then that's because you know most people going there are going to be tech savvy to boot. And the one thing that was made to do this easily (WPS) has the stupid PIN method which can be cracked easily, thus the method being disabled by anyone tech savvy these days...

        1. Anonymous Coward
          Anonymous Coward

          Re: PKI

          Upvote for identifying WPS as being stupid and ruining an otherwise good WPA2.

    2. big_D Silver badge

      It is still bad practice. You should never connect to an access spot without a WPA2 passphrase. A VPN can go some way to mitigating that, but even so...

      A business offering free wifi should set the password to their business name or have the password prominently displayed for their customers.

      Our guest WLAN at work is WPA2 enctrypted and we have QR-Codes for smartphone and tablet users to set up the connection automatically and the password is available upon request for PC users.

      1. Steve Knox

        Security is like an onion

        Our guest WLAN at work is WPA2 enctrypted and we have QR-Codes for smartphone and tablet users to set up the connection automatically and the password is available upon request for PC users.

        So all I need are some stickers and I can mess up your guest WLAN, or worse, send your tablet/smartphone users to my malware-ridden network or site instead?

        Hypothetically, of course.

    3. Anonymous Coward
      Anonymous Coward

      Why would anyone turn on encryption and require credentials on a consumer internet only connection anyway? It just slows down your traffic. I leave my WiFi connections open for anyone to use and turn off all logging - and i'm in a quite busy area - have done for years without any issues at all. I have a VPN account for any traffic I really care about, but in general checking that EV certificates are valid does me.

      It also quite incidentally makes any accusations of say sharing copyrighted content quite deniable too.

      1. Andus McCoatover
        Windows

        My WiFi is unsecured by design. Apartment block has a lot of elderly living here, and they want to use bank, Skype/FB for the family and relations. No problem.

        Isn't it a bit posessive to protect your WiFi, if your computer is secured?

        Farmer Giles: "GET ORF MY LAAAAN(D)!!!!" springs to mind....

    4. rh587

      "I would imagine a large amount of unencrypted access points are "guest APs", where you log in with a username and password after connecting, or perhaps no authentication at all (by design)."

      That and decade old domestic broadband routers that have sat on the phone stand since they were delivered, only being replaced if the owner moved house and was sent a new router for their new line, or if it went on the fritz. My parent's Orange Livebox went on 5 years before a thunderstorm spiked the phone line and the router with it, and it's replacement has been going for the best part of a decade.

      No reason they will replace it unless it dies or they get sent a shiny new box for a fibre connection, which won't happen because fibre isn't coming to their rural backwater. Ever.

      On the plus side their old farmhouse has "proper" walls built of stone and brick, not plasterboard and wood, so the wifi barely makes it downstairs, much less outside the house or the mile to their nearest neighbour (who has no line of sight in any case). The odds of anyone sniffing that access point are somewhere approaching nil.

    5. Thorne

      With Australia bringing in a three strikes law, poor to no wireless security gives you plausible deniability when the jackboot squad comes knocking.

  2. NoneSuch Silver badge
    Joke

    Shhhh...

    Using Wifi that people have failed to secure keeps my phone data plan under its monthly limit.

    1. keithpeter Silver badge
      Windows

      Re: Shhhh...

      Just pop down to your local FE College or Arts Centre. All of the ones round here have open wifi with landing pages. My College blocks https and anything that isn't port 80 however. Full on UKERNA clean feed.

      "Lyne used a little Raspberry Pi Linux computer in the bag slung under the crossbar, a powerful battery under the seat to provide power for the scanning rig for a whole day, a small GPS unit, small scanners wired into a little Raspberry Pi, and a scanner aerial strapped to the downtube."

      Pictures or it didn't happen! Pure Iain Sinclair. Ctrl-F 'temperature traverses' on the page below. Excellent.

      https://www.nytimes.com/books/first/s/sinclair-territory.html

  3. Mage Silver badge

    Even the UK Police recently mentioned what I said over 6 years ago.

    Don't use ANY public WiFi without VPN. There is no way to know how trustworthy it is.

    HTTPS isn't secure from a "man in the middle" attack.

    1. Yet Another Anonymous coward Silver badge

      re: the Police

      Just remember to keep a copy of all the session keys that the VPN generates - you go to prison for 5years if you can't produce them

    2. Destroy All Monsters Silver badge
      Paris Hilton

      > HTTPS isn't secure from a "man in the middle" attack.

      U WOT M8?

      It is - if the certifcate chain has not been compromised. Don't use COMODO or DigiNotar shit. Preferably use your own CA.

      1. jonathanb Silver badge

        The website owner decides what CA to use. You could manually check every certificate you receive for an https site to see if you think it is valid, but you probably won't do a better job than your browser already has.

      2. Roland6 Silver badge

        >HTTPS isn't secure from a "man in the middle" attack.

        Yep, just like a VPN, HTTPS is vulnerable at initial connection establishment.

        To avoid the connection establishment (in public hotspot) vulnerability you could use a persistent session, but these are frowned upon by the security experts...

        1. paleking

          "Yep, just like a VPN, HTTPS is vulnerable at initial connection establishment."

          Care to describe this vulnerability in a bit more detail? Or with some evidence?

  4. DropBear

    Use WPA2? Fine, I won't argue with that - but where, pray tell, should the VPN be directed to connect? Definitely not all home routers currently in use come with that built-in (given the owner has any idea he does have it at all)? Who says there even is anything permanently 'on' on the home LAN - there might be no router at all? Heck, there might not be any home LAN at all for some people...!

    1. big_D Silver badge

      ProXPN and other VPN services? There are many out there.

      1. Jamie Jones Silver badge

        ....and trust a 3rd party VPN?

        Even if they are totally honest, I know where I'd concentrate efforts if I was a spy agency...

    2. talk_is_cheap

      My home router supports VPN, so I point myself back to my home environment - it limits my speed to my home up-link speed (so about 600kbits), but it works.

  5. Anonymous Coward
    Anonymous Coward

    Had to downgrade my wireless security at home, as the brand new Internet enabled TV I bought for my wife to watch in bed while convalescing only supports WEP!

    1. regadpellagru

      "Had to downgrade my wireless security at home, as the brand new Internet enabled TV I bought for my wife to watch in bed while convalescing only supports WEP!"

      Even if it is completely appalling in 2014, I'm not that much astonished. Most consumers products don't give a crap about implementing basic security.

      You have my sympathy.

      Even Nintendo with their bugged first WiiU firmware failed to have any security working at launch. Not even WEP. Had to go to clear text !

      1. Anonymous Coward
        Anonymous Coward

        Take it back

        Sale of goods act - selling goods that are not fit for purpose.

    2. Anonymous Coward
      Anonymous Coward

      re: Had to downgrade security as the TV supports WEP!

      If you had a spare wireless router (or even a Pi or netbook with a wifi dongle that can work in access point mode), you could have set it up to firewall the WEP-only devices from the rest of your network. Give them a free route out to the internet, but don't let them access anything else.

      Once you learn how to configure this sort of thing, it has a variety of uses. Over the last few years I've had a DMZ (home ftp server receiving requests directly from the net, but firewalled from all my other machines), a separate "guest" wireless network (like your WEP-only scenario) and more recently I set up fail-over networking (tethering to my phone) for when the main broadband goes down. I guess I should also use VPN for when I'm connecting to public wifi with my phone, but that doesn't happen regularly enough for me to worry about it.

      1. AMBxx Silver badge

        Re: re: Had to downgrade security as the TV supports WEP!

        I have a second SSID on my wifi router that has no security, but only allows specified MACs to connect. Not doing anything more than downloading ebooks, so fine. Everything else goes over WEP2.

        1. Mage Silver badge

          Re: re: Had to downgrade security as the TV supports WEP!

          You can spoof MACs

        2. channel extended
          Pirate

          Re: re: Had to downgrade security as the TV supports WEP!

          Using the MAC provides absolutely NO!! security. Using aircrack-ng and other software I can clone the MAC and crack WEP from over 500 ft. away. The only security for a home network is a good pass phrase.

        3. James_Lyne

          Re: re: Had to downgrade security as the TV supports WEP!

          Indeed, I just finished doing the same scan in Las Vegas and there are a huge number of networks with exactly that setup. Their SSID is easily identifiable as it shares the SSID followed by _guest or alike. Of course, a lot of them are open and while the intended user (the household) may not expect to do anything to sensitive others might. Also, seemingly innocuous downloading and browsing can allow for insertion of nasty JavaScript, social engineering pages or other manipulation. It sounds like you aren't going to be falling for it, but I doubt everyone in our study behaves the same way ;-)

        4. James_Lyne

          Re: re: Had to downgrade security as the TV supports WEP!

          By the way, is it a new TV? Devices which only support WEP are negligent IMHO.

        5. Jamie Jones Silver badge
          Thumb Up

          Re: re: Had to downgrade security as the TV supports WEP!

          "Everything else goes over WEP2."

          WPA2 you mean :-)

          [ That maybe the reason for the downvote, but it wasn't from me! ]

    3. Jason Hindle

      In my experience, smart TVs

      Work best with a bit of Ethernet cable.

      1. keithpeter Silver badge

        Re: In my experience, smart TVs

        @Jason Hindle

        I was actually about to suggest home plug system.

    4. Alan Brown Silver badge

      "brand new Internet enabled TV...only supports WEP!"

      Name and shame please.

  6. MJI Silver badge

    He is NOT a biker

    He is a cyclist

    Cross bar gave it away.

    A biker rides a motorcycle.

    1. Yet Another Anonymous coward Silver badge

      Re: He is NOT a biker

      And bikers dress in black leather and big boots while cyclists dress in skin tight lycra

      1. Destroy All Monsters Silver badge
        Devil

        Re: He is NOT a biker

        It was Putin's own biker gang (Night Wolfes) wot done it!

    2. Old Handle
      Trollface

      Re: He is NOT a biker

      So you're telling us that people who ride BIKES are CYCLISTS and BIKERS ride motorCYCLES?

      That's highly illogical!

      1. Diogenes
        Headmaster

        Re: He is NOT a biker

        BIKE riders ride BiCYCLES not Bikes

        1. Roland6 Silver badge

          Re: He is NOT a biker

          >BIKE riders ride BiCYCLES not Bikes

          The exception is the "Think Bike" road safety campaign where they have been keen to associate 'Bike' with motorbike...

        2. Yet Another Anonymous coward Silver badge

          Re: He is NOT a biker

          Or unicycles

      2. MJI Silver badge

        Re: He is NOT a biker (not illogical)

        Ask anyone and they will tell you a biker rides a motorbike, and a cyclist rides a bicycle.

        BTW I work with a couple of cyclists!

  7. Longrod_von_Hugendong
    Facepalm

    Why a large battery?

    Wouldn't be better to charge from the act of peddling the bike, would also make a much better project as well.

    As for insecure networks... I hope this helps to raise the awareness of this problem. Its no too good in this day and age.

    1. Steve Aubrey

      Re: Why a large battery?

      Pedant alert.

      Peddling his bike would give him some cash in pocket, but would not make a better project.

      Pedaling his bike to generate the electricity would be cool, though.

    2. Jason Bloomberg Silver badge

      Re: Why a large battery?

      Why go to all the expense and aggravation of adding a means for charging the battery when it doesn't enhance the intended project ?

      The usage drain is likely more than can be put back in so the battery is probably going to have to be charged overnight anyway.

    3. James_Lyne

      Re: Why a large battery?

      Ha! We actually did that in the first prototype run but it turned out to be entirely unnecessary given the kit we were using. I also used a solar panel, but the equipment is so efficient now it doesn't make sense. However for geek appeal, to your excellent point, we did both dynamo and solar BECAUSE.

      1. Jamie Jones Silver badge
        Pint

        Re: Why a large battery?

        2 days cycling across London? Rather you than me!

        You deserve a pint (or 3) for that!

      2. MJI Silver badge
        Pint

        Re: Why a large battery?

        Anyway well done for all this testing and treat yourself to a pint

    4. MJI Silver badge

      Re: Why a large battery?

      A properly defined biker would use his bike battery!

  8. Arachnoid
    FAIL

    only allows specified MACs to connect

    MAC Blocking is not a security method to rely on.

    As for the original story Id be more impressed by the report if they had actually tried to access some of the insecure systems and proved the point rather than relying on supposition.

    1. Ole Juul

      Re: only allows specified MACs to connect

      As for the original story Id be more impressed by the report if they had actually tried to access some of the insecure systems and proved the point rather than relying on supposition.

      That's what I thought too. I'm not entirely sure that there is much to be learned for the information provided.

      As for MAC blocking that is not secure, as you say, however it does mean that only "hackers" will get in. Nevertheless, if one only allows one connection at a time then the worst that someone could do is read the stream which is generally of no consequence.

    2. atlatl265

      Re: only allows specified MACs to connect

      As regards 'MAC spoofing", I use WPA2, block my SSID transmission and specify only the MAC's on my network. Seems pretty secure when used in this combination. BTW, my "smart TV has WPA2, but now that I think about it, I am Not so sure about my BluRay DVD player. The industry seems to be pushing to make the BluRay DVD player, the Internet connection for your Home Entertainment center.

      atlatl

      1. Alan Brown Silver badge

        Re: only allows specified MACs to connect

        Blocked SSIDs still leak and MACs are easily tweaked.

        At least some of the kit I've used happily shows the SSID of "cloaked" APs.

        WPA2 is only secure when used in conjunction with a decent password, as otherwise a snoop session can deduce the password over a few hours without issuing any packets (or it can bother the AP for more data, faster)

  9. Don Jefe

    Labor Intensive

    It seems like working out a deal with cab companies in the target cities would be a lot easier and deliver a considerably more robust data set that evolves over time. You could also develop targeted awareness campaigns for dense trouble spots. You could probably even talk banks into paying for the exercise.

    There's an apartment building in Alexandria, VA where an interested tenant put a flyer on everyone's door with basic info about open networks and put his email address and phone number there with an offer to help secure their networks for free. A month later there are zero open networks in the building. People didn't even get too mad about the flyers he wasn't supposed to be posting.

    What I'm getting at, is that traditional awareness techniques have obviously penetrated as far as they are going to go. People that aren't aware aren't going to be aware unless they are informed in a new way and you need to find those people, and track the effectiveness of the new message delivery vehicle(s). A tech guy doing a tech thing being covered on a tech site has a rather small audience that isn't aware of open network risks.

  10. Anonymous Coward
    Anonymous Coward

    Streetview cars

    Isn't this exactly what Google got busted for? Double standards....

    1. Jon 37
      Boffin

      Re: Streetview cars

      Streetview was sniffing and recording actual WiFi traffic, including some things that people might consider private. For example, they recorded fragments of unencrypted HTTP requests and responses.

      Sophos only looked for the SSID broadcasts, which are *meant* to be received by any WiFi device in range.

  11. DavidON

    VPN's are safer...but are they safe?

    I've been a long-timer user of VPN's on my laptops, primarily to allow me to safely use public networks. So, when I finally got an Android phone, this was one of the first things that I set up on it.

    However, despite constantly seeing VPN's quoted as the cure-all for public networks, I have been unable to adequately protect my (unrooted) phone, as I can't find a VPN/app which blocks traffic before it's connected. I've spoken to a number of leading VPN providers and they have all, eventually, admitted this as a problem - the "best" response I got was the company who said they were working on a solution.

    Does anyone who, unlike me, knows something about Android, know of a solution to this?

    Thanks,

    David.

    1. Don Jefe

      Re: VPN's are safer...but are they safe?

      There are always going to be tradeoffs with any type of security. It doesn't matter if it's data, gold bullion or hostages. Usability and security are two sides of the same coin. Once something is absolutely secure it becomes a Schrodinger's Cat sort of thing. Is the thing you're protecting really still in there? The only way to know for sure is to look, but then your thing is no longer secure.

      But you've got the traditional valuation problem. If the thing you're tying to protect is so valuable that making it inaccessible, thus truly secure, is the thing really that valuable? Only you can decide that. Museums have been tossing that problem around for a good century or so now. They go back and forth on the issue every few years. Most organizations and individuals with the means eventually say fuck it, and just insure the hell out of whatever it is. You still practice the security fundamentals, but the value of something is reduced by the value of time and resources you put into protecting it,

      But to answer your question, there's no pre-connect blocking VPN for Android. My wife uses Android and she hasn't been able to find an OTS solution either. She just doesn't do anything involving potentially dangerous personal info with those devices.

    2. Aslan

      Re: VPN's are safer...but are they safe?

      The solution is just get root already you really should have posted your phone model here so you could be helped with that, and then install Cyanogenmod. If you're a nervous Nelly about getting root access through some security hole your phone manufacturer has allowed to persist for the last year (on Windows these are the updates that get a critical label), the buy a Nexus 5 phone which allows you to easily and officially take root privileges. https://www.google.com/nexus/ or if you're really serious there's always https://www.blackphone.ch/

      Basically any VPN that blocks traffic before there is a VPN connection is going to be hacking your phone as bad as anything that give you root privileges unless something changes in a future version of Android.

  12. Anonymous Coward
    Anonymous Coward

    Ah yes, here we have

    The revelation that everyone and his dog who get a router delivered from an ISP is a tech guru that could not be bothered to recode in Unix or Perl their entire router firmware to the utmost security level.

    On the bus to work each day, my phones tell me "wifi access found, connect?"

    most people will say "yes, don't ask again" same as they store passwords in browsers.

    the masses are not even aware they have wifi let alone unsecured else all the war drivers, wifi hackers, spammers n scammers would be out of business

    In other news water discovered to be wet!!!

  13. Anonymous Coward
    Anonymous Coward

    Surprisingly

    I live in one of the less salubrious bits of east London, but to my surprise, every one of the wifi points I can see in the area (30+ from my house, about 100 between here and the station) are now WPA2, with the exception of the odd BT public wifi, and a few BT-FON connections (I assume those also work with a landing page). There's not a single WEP or WPA to be seen.

    The area has a fairly transient population, and so I'd assume a high rate of turnover with ISPs, and I'm wondering if the reason is that ISPs have now largely 'got it', and are sending out new routers pre-configured to WPA2. BT in particular got badly bitten on wifi security a couple of years ago, so maybe they actually learned the right lesson for a change.

  14. bod43

    "29.5 per cent were using either the insecure Wired Equivalent Privacy (WEP) algorithm, or no security encryption at all ... A further 52 per cent of networks were using Wi-Fi Protected Access (WPA)"

    I find that very hard to believe. In the places that I go there are no WEP WiFis at all. Everything is WPA2, or is deliberately open. FON, BTOpenview etc. I have occasionally made a point of noticing.

    For years all new home routers have been set up for WPA2. Many people seem to change their ISP quite regularly and have new routers.

  15. Aslan

    Free Wifi for all

    My connection is unencrypted and open to all it's rare I have to block a MAC address for using to much bandwidth. Internet should be free to anyone who wants it.

This topic is closed for new posts.

Other stories you might like