How to: Surf Safely with your Mobile Device
August 07, 2008
Learn how to protect yourself when logging on to open networks in public places, such as coffee shops or airports.
In the last couple years, a new breed of mobile user has sprung up. Thanks in large part to the iPhone (and the iPhone-wannabees), the world now has a lot more mobile devices hungry for a live (and free) Wi-Fi connection. Sure, weve been using Wi-Fi for years, but at least for many of us, what was once the casual and even occasional laptop login has become a more convenient and far more frequent quick check for email, stock reports, headlines, etc.
Were using our hyper-mobile devices all the time now. Standing in line at the coffee shop, we quickly fire up our pocket-sized devices to see whats going on in the world.
Now, heres where the risk storm comes in.
When you point your Wi-Fi interface at a local wireless access point (WAP), youre implicitly trusting it. Say, for example, youre in your favorite coffee shop and turn on your mobile device and see theres a Wi-Fi net presentsay, something like Acme-wireless. You see its not using WEP, so you blindly and courageously take the leap of faith and connect to it.
Once on the wireless, you bring up your browser and try to connect to a Web site. Looks fine, so you login to that web site, perhaps providing your login credentials (or a browser-stored cookie containing your login credentials). Away you goand away your login credentials go. Youve just fallen for the oldest trick in the book, the dreaded man in the middle attack, and your attacker now has your credentials/cookie.
How could that have happened, you ask? Well, when you signed onto Acme-wireless, you trusted that it was indeed Acme-wireless and that it is operated by an honest business. The only proof you had that it was indeed Acme-wireless was that it said so.
Youve been duped.
Yes, its easy to do. It would be absolutely simple to configure a laptop PC to masquerade as Acme-wireless and then to collect login credentials from unsuspecting mobile users seeking a free Wi-Fi fix. After all, the Wi-Fi standard provides no mechanism for the user to authenticate the server. None. Nada. Zip.
And thats just one kind of Wi-Fi-based attack. It gets worse. When you connect over Wi-Fi, a lot of relatively sensitive information (e.g., passwords, session IDs, cookies) is routinely passed unencrypted and is thus open to being trivially sniffed by anyone else on the same Wi-Fi site. That person sitting next to you in the coffee shop could well be running a sniffing tool like Wireshark and collecting anything sensitive that your browser or email client emits.
Now, combine all that with the fact that our hyper-mobile devices are getting smaller and smaller, while at the same time becoming more and more capable as powerful computing devices. Further, were starting to trust them more and more for connecting to sensitive network services, including financial services and such. That is to say that they are without a doubt becoming serious targets by the miscreants of the world who want to liberate your money from your wallet.
How can we protect ourselves? Fortunately, there are a few relatively simple things we can do to make things safer.
Start by being a little paranoid. If it seems too good to be true, it probably is, right? Additionally, here are a few more things you can start doing today to improve your wireless risk exposure:
When youre in a location you havent been to before and you want to use their Wi-Fi, look (or ask) for instructions on how to connect to their SSIDs. This is no guarantee, of course, but its a good start, as youre more likely to find legitimate WAPs this way.
If you use a Wi-Fi service that requires you to enter your account information before you can connect, double check that youre actually connected to your provider before entering the information. More than likely, the login screen that your browser automatically takes you to will be SSL encrypted over HTTPS. Take a moment to view the SSL certificateif your mobile device lets youand the URL to double check that youre talking to your Wi-Fi provider and not a rogue web site set up to collect your credentials. That is, dont trust the login page until you know it is legitimate.
Especially if you didnt heed my warning regarding VPN usage above, you really want to ensure all your sensitive information is being encrypted while it transits the local Wi-Fi net. That means SSL typically. To the extent possible, make sure all applications that send/receive sensitive information, login credentials, etc., are configured to use SSL for all sessions. And, as in the case of the Wi-Fi provider login page, take a moment to validate SSL server certificate validity whenever you connect to an SSL-based service.
Free Public Wi-Fi
Its not uncommon to see a Wi-Fi connection dubbed Free Public Wifi. It is in fact neither. Instead, its due to a Windows bug and should simply be avoided.
These tips are just a starting point, of course. The main message is to be a little apprehensive when using your hyper-mobile device. A little bit of mistrust here will go a long way to protecting you.
- For more how-to's and tips on safe surfing at hotspots, read "When "Free Public Wi-Fi" Is Bad," "'Free Wi-Fi' May Not Be What It Seems," and "Travelers Beware: Survey Exposes Airport Wi-Fi Vulnerabilities."
- See also, "Hotspot Safety for Business Users," "Wi-Fi Planet Guide to Hotspot Safety," and "How to: Protect Your Hotspot."
Article adapted from Datamation.