Wednesday, September 12, 2012

UD Students: Watch Out While Using UD's Public Wifi!

I've been using UD's wireless connection a lot lately, which drove me to think: "Is my internet activity, through this network, secure? Are my passwords and other information safe?"

Well, the answer may (or may not) surprise you.

The University of Dayton's public WiFi (aka UDwireless) is NOT secure.

Most of you should be aware of that, as when you connect to UDwireless, your computer complains that you are connecting to an "Open" network and that the "information sent over this network might be visible to others".
Have you ever taken the time to think about the risks of ignoring this message?

Don't blame your laptop for not warning you

In case you haven't, I hope that this blogpost would shed light on some of the risks associated with using UDwireless for accessing private info.

If you are too lazy/uninterested to read the whole thing, you could jump to end of the blogpost for some security tips.

First, let's clear up some common misconceptions.

Hackers aren't necessarily socially awkward computer geeks -- they aren't even necessarily that smart! Thanks to some easily downloadable point-and-click tools, even the "technologically-challenged" can "hack" into some stuff.
However, I guess that reaching this skill level would require lots of training

Therefore, I bet that you could easily find, in a university with 11,000 enrolled students, at least a dozen with some "hacking" knowledge.

The Risks of Using UDwireless

Ok, now to move on to the actual point of this blogpost.
When you access a website using a WiFi connection, you are communicating with the Access Point (such as a router) through wireless packets.
A hacker can, using a normal laptop, "watch" these wireless packets as they flow in the air.

Since UDwireless is unencrypted, then all the packets you are sending can be easily read by the hacker.
The hacker can now know what sites you are visiting, what pages you viewed, and so on.

More importantly, the hacker can steal your cookies (yes, the technical term is cookies).
Those cookies contain unique information pertaining to your logins.
For instance, when you login to, a set of "cookies" are stored on your computer so that next time you visit during the same session, your homepage would show up.

A professional hacker plotting for a cookie-theft attack

If a hacker steals your precious cookies, he/she would be able to trick into showing him/her YOUR homepage without requiring any login.

Therefore, no matter how strong you think your password is, your account is "hacked" once your cookies are stolen.

The above scenario is not a fictional one. Literally anyone with minimal computer knowledge is able to do this.

I went on and tested that same scenario using my own Facebook account.

I logged into facebook from one laptop (Victim), while I used another (Attacker) to monitor all the traffic going from/to the Victim laptop. Note that I could've easily been spying on the traffic flowing through the entire network; however, in respect for the law and other people's privacy, I didn't.

I watched as the Attacker laptop showed me all the pictures I was viewing on facebook, and all the chat conversations I was having with my friends.
Then, still on the Attacker laptop, I copied the captured "cookies", fed them to the browser, and accessed ... and as simple as that, I was able to bypass the facebook login and view my account on the Attacker laptop.

This could have easily been done to your account.

Take a moment to think of all the sites you have visited lately, and consider the number of things you don't want random individuals to be stealing from you while you are viewing these websites.
Quite a lot of private stuff, huh?

But but ... I don't want anyone going around stealing my cookies

To prevent anyone from spying on your internet traffic, make sure that you are using the HTTPS version of the website. For example, make sure you use instead of

When you surf websites using https, a hacker watching the wireless traffic can still see what domains you visited, but the actual content is encrypted. That is, the pages you visit and your cookies are hidden, or obfuscated.

If you are using Firefox or Chrome, I highly suggest you install the HTTPS Everywhere plugin. This plugin would force the browser to use -if available- the https version of the page you are accessing.

If you are a Windows user and are still using Internet Explorer, then do yourself a favor and switch to Mozilla Firefox or Google Chrome. Trust me, you won't regret it.

Is that it?

What I have discussed here is simply one of the risks involved while using the UDwireless public WiFi (or any other public WiFi). However, that is not the only danger.
Hackers sitting on your network might be able to redirect you, without your knowledge, from a legitimate webpage to fake ones and steal your passwords or even install malware on your PC. Hackers can also exploits flaws in your laptop by launching the payload via the wireless network.
These kinds of attacks are slightly more sophisticated, and UDwireless may or may not be vulnerable. I have not tested any of them as this would require permission from UDIT, and I will not discuss the attack vectors as I don't want to increase the risk of some potential so-called "hackers" making use of it to steal students' passwords and/or compromise their computers.

Bottom line, be smart while using UDwireless and double check that the website you are accessing is using "https" in its URL, especially if you are typing in important information such as passwords, credit cards, and so on.

To UDIT: Please consider using a more secure connection method. Thank you.

Extra Note for the Tech-Savy

If you're a technologically-inclined person, and are paranoid about your privacy while using UDwireless, then I would suggest you look into using a personal VPN.

No comments:

Post a Comment