Naked and afraid: that's how Telstra's Wi-Fi security makes you feel

Sit down, open up the laptop, join the advertised SSID, and go online. Free Wi-Fi makes working at the cafe a breeze. Free Wi-Fi transformed Sydney’s libraries into some of the most sought-after spots in town. Cities blanket themselves in free Wi-Fi to encourage tourists and business and residents to spend more time - and …

  1. aberglas

    Is this technically accurate?

    Isn't Diffie-Hellman or similar used to encrypt all Wi-Fi even if there is no password? If not, that would be a huge hole in the protocol.

    Sure, without a password or public key one would be subject to man in the middle attacks, but they are easier to detect -- you will have two different hot points broadcasting the same id.

    1. NZ Journey Man

      re: Is this technically accurate?

      Wi-Fi with no password is completely open; using something like Wireshark you can see everything. Go and get the Firesheep module for Firefox, if it is still available, and you will be gobsmacked at what you can see. But only do it on your own network... :)

    2. NZ Journey Man

      Re: Is this technically accurate?

      It is accurate. I just set up an unprotected Wi-Fi in my home then logged into something on my media server using basic auth over HTTP while capturing using Wi-Fi on my laptop. My laptop caught the lot, including username and password.

    3. Anonymous Coward

      Re: Is this technically accurate?

      This article is technically complete bullshit. If you use traditional encrypted WPA2 where the key is known, the connection is indeed private as long as the eavesdropper stays passive. But unfortunately the bad guy can force a re-authentication and get the encryption key:

      https://security.stackexchange.com/questions/8591/are-wpa2-connections-with-a-shared-key-secure

      So a password has no use at all.

      The only exception is WPA2-Enterprise, in which every user has their own password; by own I mean unique and strong. But networks with SSID "The password is XXXYYYZZZ" are the worst bullshit I've heard of. It's really a pity that people who don't understand even the basics can post articles on The Register. I don't know whether it's Diffie-Hellman or other details, but I know that, and I'm very angry about this story. Please correct it.

      Also, everything your phone does should be encrypted via TLS. The only difference between (traditional WPA2-encrypted or unencrypted) Wi-Fi and usual cable-based internet is the fact that more people can jam with your connection. So instead of just the NSA or your ISP, also "an angry teen with Wireshark" can access your connection. I don't know your standpoint, but personally I don't trust the NSA more than "one angry teenager with Wireshark and root access". There is HTTPS and everything, use it and trust that. And if you use shitty apps, you shouldn't cover that by using a "secured" Wi-Fi, but by complaining about that. I guess you haven't set up secure IMAP for your mobile phone's mail, but still are using plain old unencrypted IMAP? Now you want to get a false sense of security by encrypting your internet connection. Complete bullshit.

      Let's come to the last part of my rant. It's a nonlinear rant, so this is the least weighty point. Why the hell do you add "root access" to Wireshark?? Wireshark warns you when you run it as root. If you're an angry teen, DON'T DO IT. Rather run it as an account that has access to monitor the interfaces. I know, to give your account that privilege, you need root, so you can read the statement in the article that way. It's one of the causes why this point is my weakest one.

      STILL COMPLETE BS! I'VE EVEN MADE THE EFFORT TO SIGN UP TO POST THIS COMMENT!!!

      It's so painstakingly wrong, I really think this article is a troll.

  2. Invidious Aardvark

    Make your mind up

    "..., because HTTPS will encrypt all the traffic between web browser and server. Someone will still be able to snoop on all your metadata..."

    "Ironically, the Junkee.com essay penned by Australian Greens Senator Scott Ludlam, in which he makes a stirring call to #StopDataRetention, was transmitted in the clear. The site Ludlam used to publish his views on security has taken no steps to protect its users from metadata gathering."

    If HTTPS won't prevent metadata gathering why point out that Junkee.com is using HTTP?

  3. JJKing

    "by the time this column reaches you, I’ll have fixed that."

    Oh no you haven't. :-))))

    1. Anonymous Coward

      But you have been warned :)

  4. solo

    Please post this article on every phonebooth (hotspots)

    Sometimes I really feel that Elon Musk should start endorsing articles.

  5. Mark 65

    El Reg

    Always wondered why, despite showing countless stories about how user accounts were owned by the ability to MITM the login form, not only does El Reg not offer https but it likely also suffers from the unsecured login form details. Now, as good El Reg users, we all know to use long passwords that are site independent etc etc but still. Shouldn't the Reg be setting an example? Sent in the clear and read by 5 eyes before publishing.

    1. Anonymous Coward

      Re: El Reg

      Good point. Looking at the page source, it's:

      <form method=POST action="http://account.theregister.co.uk/login/">

      Yep, clear text. :(

  6. Wzrd1

    Honestly

    If I'm using a public access point, I really don't care about sniffers seeing what I'm looking at. I don't conduct sensitive transactions over an open wireless network.

    If I were to read my e-mail, it'd either be over SSL or IMAP, with TLS carrying the encryption.

    My company e-mail is via a VPN connection, so again, not a problem.

  7. Benno

    So don't use it then...

    "You can not tell your smartphone to stop anticipating your needs. When it logs onto WiFi it’s going to do all the things it knows it needs to do in order to keep you well fed and watered."

    Only if you connect in the first instance and then save the network on your device...

    It's not hard to lock a corporate computing asset (e.g. laptops) down to specific SSIDs, authentication/encryption schemes and even keys. Mobile devices should at least be managed via a written policy that forbids connecting to open networks, amongst other things.

    (I'm not an expert on software policy controls on iThings or 'droids).

    I appreciate that Joe Average isn't protected in this case, but for 'high flyers' there isn't really any excuse for being a douche.

    1. Unicornpiss

      Re: So don't use it then...

      "I appreciate that Joe Average isn't protected in this case, but for 'high flyers' there isn't really any excuse for being a douche."

      While I agree with you in principle, experience has taught me that the "high flyers" are often the least savvy in computing and security. It does sometimes make you wonder how people attain such high-level jobs without needing the common sense that a high school dropout would take for granted. Maybe it's just that once you attain that lofty plateau, you just don't have to think as hard any more, and the only real-world skills retained are in bullshitting. Most of the grunt work once you "arrive" is done by administrative assistants (secretaries). I recently ran across an executive that was leaving to be a CEO somewhere else and needed my assistance to figure out how to drag n' drop files to a folder so he could take his personal data with him. Which just made me incredibly sad, and my liver took a beating that evening.

  8. rjmx

    Telstra unaware?

    > Although Telstra makes their money mostly from mobiles, they - and many others - seem to be unaware how these devices work, or why people need secure connections - especially in public.

    Knowing Telstra (having worked for one of their predecessors), I think you're giving them too much credit here. More likely they just don't care.

    1. Steve Brooks

      Re: Telstra unaware?

      Basically Telstra couldn't give a shit! The last bill I saw from Telstra for where I work basically had a link on the page that said, "click here to log into your account and pay your bill," despite years of warning to not click on links in emails. Not even a suggestion to go to the website and log in, how easy is that?

      The last time I received a phone call from Telstra they asked for my username and password so they could be sure they were talking to the right person. The drone on the other end of the phone must have fallen off her chair when I asked her to authenticate herself as a Telstra employee and not a scammer after my un/pw. I asked for a name or employee number so that I could call back on Telstra's public number to be sure I was talking to them; nope, I had to give them un/pw with no way to verify they actually were from Telstra.

      They are so far behind the security 8 ball it looks like a 2 ball to them; basic security measures the intelligent IT-aware person adopts routinely are arcane knowledge to their CSRs. We are doomed I tells ya, DOOOMED!!!

  9. Pu02

    El Reg users are almost all mobile, almost all surfing multiple hotspots daily, many use pwd managers to submit secure credz transparently, yet El Reg (still) refuses to allow (let alone require) https traffic via its 'modern, interactive' website. https everywhere aboard this pirate ship, and those that know all know that too. Maybe El Reg techs have been having trouble getting their services to encrypt for a few years now, whilst the dark overlords were fiddling the toggles to ensure they can keep the keys.

    Or was it someone in accounts not coughing up or so for an SSL CA? There are freebies like startssl.com you know!

    So much for modernity, the Luddites are set in thick around here...

  10. Joel 1

    False security

    If you are connecting to a public Wi-Fi hotspot, Wi-Fi encryption only secures you as far as the base station. You could be connecting to a fake base station (using the same publicly known password), or being monitored on the wire when it connects to the router, or monitored at the ISP or anywhere else.

    If you want security, use end-to-end encryption. Don't rely on the false security of an encrypted Wi-Fi network. Better to be unsecured and use end-to-end encryption. Everyone can snoop my packets, but anything important is encrypted. Use https when needed. Use imaps. Use ssh.

    Oh, and if you log in to el Reg from a secure network (i.e. your home) then you can stay logged in using cookies. But of course, you use disposable account details for your commentard account anyway. If someone wants to post as me, not the end of the world. And if something libellous gets posted? Well, plausible deniability...

  11. Nebulator

    And another thing....

    Also, if you are using open Wi-Fi not only can others see where you are going, they can attack you by injecting packets into your requests, sending you malware, poison iframes and other nasty stuff.

    2 simple attacks:

    1. Sniff the open Wi-Fi and inject fake DNS responses to their legitimate requests for websites to send the user to malicious webpages.

    2. Pretend to be the free Wi-Fi and with a good 4G dongle you can be faster. The user relies upon the Wi-Fi SSID as the indication he is in the wrong place. Get an Alfa Wi-Fi card (eBay) and you are the strongest AP in the room and the clients WILL join you. Then you can do to them what you want. Check out Karmetasploit or the commercial product WiFi Pineapple to see what is possible.

    Defence - don't use free Wi-Fi - ever.

  12. Nebulator

    Get the facts right

    Some basics here - Diffie-Hellman is not used in WPA or WPA2. The only protection on a PSK (Pre-Shared Key) or password-protected Wi-Fi is the password. So if you have an SSID of "Cafe WiFi password is XXXXX" you have given a false sense of security to all the users.

    In WPA and WPA2 the session key is derived from the user's MAC address, the Access Point's MAC address, the PSK (Wi-Fi password) and two random values, one from the AP and one from the client. Everything bar the password is transmitted in clear in the first 4 packets between a client and an Access Point. This happens at the start of the session and every 65k packets later. So an attacker needs only to capture the packets and then break the session key (aircrack-ng or coWPAtty will do this) after the exchange, and he can decrypt everything after that, as the password can be added to Wireshark and it will decrypt the packets in real time (https, ssh etc. are higher-layer protocols and would need to be broken separately).

    So having the password on the wall, the till or the SSID is complete pants security. In fact you are better leaving it unencrypted as then the user is more likely to take some precautions (aka personal VPN).

    A technically poor and incorrect article, I expect better from the Register.

    Then again I also expect logins to be encrypted, so rather than bitching about everyone else's security, El Reg, why not implement some of your own.
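The derivation described in the comment above, as an added example written for this page (not code from the commenter or from any tool named in the thread): with the passphrase and the handshake fields that travel in the clear, the client and a bystander compute the same per-session key, which is why a posted password gives no privacy between holders of it. SSID, passphrase, MAC addresses and nonces are constructed, and CCMP (a 384-bit PTK) is assumed.

```python
import hashlib
import hmac

# Added example: WPA2-PSK (CCMP) key derivation as specified in IEEE 802.11i.
# Every input except the passphrase is carried in the clear by the 4-way handshake.

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, mac_a: bytes, mac_b: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs, then of the nonces).
    The min/max ordering makes the result the same whichever side computes it, and
    therefore also the same for a bystander who holds the PSK."""
    data = min(mac_a, mac_b) + max(mac_a, mac_b) + min(nonce_a, nonce_b) + max(nonce_a, nonce_b)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def split_ptk(ptk: bytes):
    """CCMP PTK layout: KCK (handshake MIC) || KEK (GTK wrapping) || TK (data encryption)."""
    return ptk[:16], ptk[16:32], ptk[32:48]

def session_tk(passphrase, ssid, mac_a, mac_b, nonce_a, nonce_b) -> bytes:
    """The data-encryption key for one session, from the passphrase plus clear-text fields."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    return split_ptk(derive_ptk(pmk, mac_a, mac_b, nonce_a, nonce_b))[2]

# Constructed sample values (hypothetical cafe network, not captured from anywhere).
SSID = "CafeWiFi"
PASSPHRASE = "password-on-the-wall"
AP_MAC = bytes.fromhex("020000000001")      # AA: in every handshake frame
CLIENT_MAC = bytes.fromhex("020000000002")  # SPA: in every handshake frame
ANONCE = bytes(range(32))                   # message 1 of 4, unencrypted
SNONCE = bytes(range(32, 64))               # message 2 of 4, unencrypted

def client_tk() -> bytes:
    """What the legitimate client ends up using to encrypt its data frames."""
    return session_tk(PASSPHRASE, SSID, CLIENT_MAC, AP_MAC, SNONCE, ANONCE)

def bystander_tk() -> bytes:
    """What anyone who read the password and watched the handshake computes: the same key."""
    return session_tk(PASSPHRASE, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
```

Rekeying only changes the nonces, so each fresh TK is just as derivable; the mitigations the thread keeps returning to are per-user credentials (WPA2-Enterprise) or end-to-end encryption above the Wi-Fi layer.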

  13. Anonymous Coward

    Let it go...

    If everyone follows the poor security practices mentioned by the author, or the poor security practices suggested by the author, I'll have more to plunder on my lunch break.
