Hack to School: Beware the open school wi-fi

Summary: Like a lot of public wi-fi systems, the ones in schools are usually unencrypted and require a login. Don't confuse the login with security of the connection.

TOPICS: Security, Wi-Fi

It's back to school time again and many of your kids (my 6th grader included) will be bringing electronics to school every day. Schools generally have rules about when and for what phones, tablets and notebook computers can be used - if they are permitted at all - and now many are offering wi-fi.

At my daughter's school you're only supposed to be using it for school purposes when authorized by a teacher, but in the high school here they can use it for their own stuff during breaks and study hall.

In our district - and I understand this is the usual way these things work - the wi-fi is open, i.e. it's unencrypted, but you have to enter login credentials to gain access. A lot of public wi-fi services, like Comcast's Xfinity Wi-fi, require some sort of similar login.

Don't confuse this login with security on the wi-fi connection. The network traffic on all these connections is unencrypted and anyone else connected to the same wireless access point can sniff your network traffic and, potentially, impersonate you on sites to which you are connected. I'll explain that a bit more below.

Some institutions spend some bucks to make the network more secure. My alma mater, University of Pennsylvania, uses Cloudpath's XpressConnect to secure all wireless connections on their campus wireless network with WPA2.

WPA2 is a standard for authentication and encryption of the actual network connection to wi-fi. In the simplest form, which you can do with any home wireless router these days, you set a password for the wireless network and anyone who wants to connect to that network needs the password. XpressConnect is certainly accessing a central directory of users and their individual credentials rather than giving everyone the same password.

In either case, the password is used to create an encryption key, probably using AES encryption. Attackers sometimes get into protected wi-fi networks with dictionary attacks. This means they try to connect using a list of common passwords ('asdf', 'password', 'kitty', etc.). As long as your password isn't one of these trivial ones and is more than a few characters long, it's highly unlikely anyone is going to be able to hack into it, and most attackers won't bother; they'll just move on to find an unprotected network.

But there's another advantage to WPA2 that often gets overlooked: session isolation. As I said before, on an open network, all the users can see everyone else's traffic. It's like basic Ethernet without a switch. WPA2 separates everyone's traffic from everyone else's. Because of this, if the provider of a public wi-fi network is interested in protecting their users, they should post a big sign on the wall with the network name and password on it. It doesn't matter if everyone knows the password; the proprietor wants them to get on. But with WPA2 the users will be far better protected from attack.

(Just to be complete, WPA is an earlier version of WPA2 which is not as secure; WEP is the earliest version of wi-fi encryption and is easily compromised.)

[Figure: Wireless networks known by Windows and their security levels]


But sometimes all you have is open wi-fi, and remember, just because you have to log in to the network in order to gain access to the Internet or local resources doesn't mean the network isn't open.

Security professionals have always known that open wi-fi is utterly insecure, but a few years ago an attack tool arrived which brought the problem more into the public consciousness. Firesheep is a Firefox plugin which searches the local network for other connections and allows the user to co-opt them; yes, the Firesheep user could, back when it came out, find other users on the network on Facebook and take over their Facebook session. The Firesheep user could then act as the hijacked user, posting whatever they pleased.

I switched into past tense in the last paragraph because this specific attack is not doable anymore. Firesheep created enough outrage that Facebook and many other large services switched to using SSL/HTTPS for all connections. When the service you're connecting to encrypts its own traffic, as an HTTPS session does, then it doesn't matter if others can see the session because the traffic on it is encrypted.
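As an added illustration (not part of the original article), the Python sketch below audits constructed response headers for the conditions that made Firesheep-style hijacking possible: a page served over plain HTTP, or a login cookie without the `Secure` attribute, which a browser will also send on unencrypted requests. The URLs, cookie values and the `SESSION_COOKIE_NAMES` set are assumptions made up for the example.

```python
# Constructed responses for illustration; hosts and cookie values are made up.
SAMPLES = {
    "http://forum.example/login": [
        ("Set-Cookie", "session=9f2c41; Path=/")],
    "https://shop.example/login": [
        ("Set-Cookie", "session=51bd07; Path=/; HttpOnly")],
    "https://mail.example/login": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session=77aa10; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/")],
}

SESSION_COOKIE_NAMES = {"session", "sid"}  # assumption: names that carry the login


def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (name, {lower-cased attribute names})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}


def audit(url, headers):
    """Return findings that let a same-network sniffer read or reuse the session."""
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("plain-http")      # whole exchange is readable on open wi-fi
    elif not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("no-hsts")         # a later request may still go out over HTTP
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = cookie_attrs(value)
        # Without Secure, the browser attaches the cookie to plain-HTTP requests too.
        if name.lower() in SESSION_COOKIE_NAMES and "secure" not in attrs:
            findings.append("cookie-not-secure:" + name)
    return findings


if __name__ == "__main__":
    for url, headers in SAMPLES.items():
        print(url, audit(url, headers) or "ok")
```

Only the third sample comes back clean: it is served over HTTPS, pins HTTPS with HSTS, and marks its login cookie `Secure`; the unflagged `theme` cookie is ignored because it carries no login state.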

And even though Firesheep hasn't worked on Firefox for many versions, it's still possible for someone to find and install an old version on which it works. Or they can use many of the lower-level tools which allow session hijacking: Wireshark and Network Miner being 2 of the finest. These tools are primarily designed for defensive network analysis, but in order to be effective they are necessarily capable of being used for attack as well.

So what are you to do if you have to be on an open wi-fi and have to use an unencrypted service? There's still a solution, and it may be a good back to school gift: A VPN.

A VPN is an encrypted network tunnel. Instead of connecting unencrypted through the wi-fi directly to any service, all your connections are encrypted and go through the wi-fi to a VPN server; at that point they are decrypted and continue on to their destination (your mail server, iTunes, whatever). Since the unencrypted traffic is not on the local network, nobody can sniff it.
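One way to check that traffic really does leave through the tunnel, as an added example that is not from the original article: the Python sketch below applies longest-prefix matching to a routing table and reports which destinations would cross the wi-fi outside the VPN. The Linux `ip route` text, interface names and all addresses are constructed, and the tunnel interface naming is an assumption.

```python
import ipaddress

# Constructed `ip route` output for a laptop on open wi-fi with a VPN up.
ROUTES_WITH_VPN = """\
default via 10.20.0.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.20.0.0/16 dev wlan0 proto kernel scope link src 10.20.3.44
203.0.113.10 via 10.20.0.1 dev wlan0
"""
TUNNEL_PREFIXES = ("tun", "wg", "ppp")  # assumption: how tunnel interfaces are named


def parse_routes(text):
    """Return [(network, device)] from `ip route` lines; metrics are ignored."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dest), fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: the interface a packet to `address` leaves by."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None


def outside_tunnel(routes, destinations):
    """Destinations whose traffic would cross the wi-fi without the tunnel."""
    return [d for d in destinations
            if not str(egress_device(routes, d)).startswith(TUNNEL_PREFIXES)]


if __name__ == "__main__":
    table = parse_routes(ROUTES_WITH_VPN)
    # Internet host, resolver on the wi-fi subnet, and the VPN server itself.
    print(outside_tunnel(table, ["198.51.100.7", "10.20.0.53", "203.0.113.10"]))
```

In the sample, the VPN server address leaving by `wlan0` is expected, since that route carries the encrypted tunnel itself. The resolver on the wi-fi subnet is the real finding: lookups sent to it stay on the open network even though the VPN is up.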

There are many public VPN services. I'm a happy customer of HMA! Pro (HMA stands for Hide My Ass), but there are many others (like Hotspot Shield) and many are free for certain levels of service.

These services can often be used with phones as well. HMA works by using the native mobile OS VPN client but others, such as Hotspot Shield, have apps in the stores. Search in the stores for 'VPN' and you'll find others. I only have recent experience with HMA.

Some schools may block users connecting to a VPN because it is also a way to bypass many security policies, such as if the school is blocking certain web sites. But the VPN is not just for school, it's also for other open public wi-fi like Starbucks, hotels, and friends' houses.

You may be thinking that this isn't a realistic security concern for a school kid. I'm not sure. Sniffing the school wi-fi sounds like exactly the sort of prank I might have tried in high school (decades before wi-fi). Are you actually sure nobody in your kids' school would do such a thing?

  • Treat All Public Wi-Fi As Hostile

    Always use VPN, if blocked then don't use the Wi-Fi.
    Alan Smithie
    • Even with WPA2?

      I might use a VPN on WPA2, but it seems like belt-and-suspenders stuff.
      • Yes VPN even w/ WPA2

        Because you're still vulnerable to a man in the middle attack by the operator of the access point. Especially if the access point is mimicking a legit access point.
      • VPN is essential

        ...even when using WPA2 on a wireless, or are using a wired connection or 3G or LTE--at least when you are dealing with sensitive data.

        WPA2 does not secure your data at all past the wireless router. On public networks the next hop is often (perhaps usually) a proxy and/or firewall--like Bluecoat/Fortigate/etc. Public networks mostly use these devices for content censoring (for example to keep people from surfing porn in McDonalds). Not a big deal in and of itself but censoring by its nature requires these devices to scan all traffic going through them.

        That content filtering technology could be abused--some of the makers of these appliances even got access to certificates so they can scan encrypted HTTPS traffic. So, 99% of the time they are used for "good" but they are still fully capable of being used in "man in the middle attacks"--the admin of the public wifi (even if it uses WPA2) could be a bad person and collect banking passwords and credit cards at the point past the WPA2 encryption. So if you don't know who runs the public wifi can they be trusted?

        A proper VPN on the other hand encrypts the data with your OWN certificates/keys then tunnels that traffic through a KNOWN VPN gateway/server. The public wifi only sees a bunch of encrypted packets going to the VPN server-- they don't have your certificates/keys to decrypt and to MITM attacks and they do not know the REAL destination of ANY of your data (whereas without the VPN they can figure out packets are going to your bank even if they are encrypted).

        So, this is a good article in that it reminds us to insist on WPA2 for wifi but it only solves the immediate threat posed by fellow patrons sharing that wifi. If privacy on a public network is REALLY essential a VPN is a more thorough solution.
        Mark Hayden
        • Well, VPN Is the Solution Recommended by the Article as Well

          It is not apparent in the first few paragraphs, but the article also comes to the conclusion that you should be using a VPN for your traffic on a public wi-fi access point. It does mention that it's possible that a school network will block external VPN's to prevent policy bypasses though.

          A school hosted VPN with individual logins for students would be a way for schools to improve their own wi-fi security.
  • Deploy VPN over https if available

    There are some vendors (MS's TMG is one) that offer vpn via https - this allows users to get around those enforcement Nazis (included more than a few hotels at which I've stayed).
  • writers/journalists are the worst...

    "Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years"

    If that's true, he would know it's not called hacking. Nobody uses that term correctly anymore. It's become a Hollywood media generic term for something completely unrelated.
    • 'Hacking'

      It's the common usage, technically correct, or not. Get used to it, the language changes. In my 70 years, I have seen US English change almost as much as communications technology. Keeps one running full speed, just to keep up.
      • It Still Depends on Context

        Actually, though, the original definition of "hacking" is still widely used. It's true that the initially mis-used definition has become commonly accepted, and there's nothing that can really be done about it at this point. However, since the original definition is still in wide use, you now have to rely on context to know which definition of "hacking" is currently being used. It's unfortunate that it leads to confusion, and even some people equating the two meanings (which misunderstanding may have led to the new definition in the first place).
      • Well you convinced me...

        I'll start calling a moped a car. I mean, if we all start that trend, it will make it true.

        Who's with me?
  • Open school wi-fi

    I spent 5 years as a substitute teacher in 3 different school districts in Texas, and I was not able to use the wi-fi in ANY of them. All were secured by passwords, and locked up tight, even to substitute teachers.
  • And don't forget PUBLIC network setting

    Don't forget to set the public network as Public network in Windows. That won't protect your communications but Windows will close all ports on your computer so nobody can access your shared drives, media server, etc if you have any.

    HOME or WORK settings (Vista/Win7) which is now only called PRIVATE in Win8 opens up ports to share stuff with others on your home/office network. Never use this setting on public networks.

    You can check this setting in Network and Sharing Center in Windows Vista/7/8.
  • Would a Bridge help?

    Larry, I have access to an open WiFi signal. I purchased an inexpensive pocket router ( http://www.tp-link.com/en/products/details/?model=TL-WR702N ) and it has the ability to "Bridge" to the open signal and then rebroadcast as a new Access Point that does have a password and encryption. My question is, if I use the "Bridge" which is setup with encryption and a password, is it being protected (since it is being "Bridged" to the open network)?

    Thanks for anyone's feedback on this.