Thursday, October 14, 2010

Home WiFi Network Security Failings Exposed

"The shocking state of home wireless (Wi-Fi) network security in the UK has been revealed by a life assistance company study. CPP used an 'ethical hacker,' Jason Hart, to test thousands of Wi-Fi networks across six UK cities, including London. He found that many didn't even have a password and roughly half of home UK Wi-Fi networks could be hacked in less than 5 seconds."

Lets face it, yeah, wi-fi routers can be hacked, yeah, a lot of people don't have secure wi-fi, but in all honesty does it matter to most people? Credit card information already should be encrypted with HTTPS so that wouldn't be sniffed, most sites let you use security to log in, etc.

Because on MOST home setups, access to the network is raw access to the machines. Access to the router setup (compromise and redirect EVERYTHING, bypass IE security zones, etc.), access to the local printers, access to the filesharing ports on the computers, etc. It's a bit more serious than just "could theoretically read all incoming/outgoing unencrypted data".

There is rarely a firewall for a wirelessly connected user (because it's seen as a trusted network once you're on it), thus a simple "net use \\ip address\share" will join you to their hard drive if they've ever enabled file sharing (local user passwords aside - if they didn't bother to set a WPA key, chances are they don't use passwords more complicated than "dad"). That's complete, utter, 100% compromise of the machine because it's trivially easy to then just replace critical system files and thus instant key-logger compromises even secure websites.

Beside that, the amount of stuff that flows over an unencrypted HTTP connection is actually quite scary - most UK ISP's use the same login for ADSL and thus do for email, and use plaintext SMTP or POP3 authentication. Even PPTP is inherently insecure if you can record a single conversation over it. If you ever see someone log into their POP3 account, then you have access to their ISP billing, all their email accounts, their home router and again you've hit total compromise.

I never understand the apathy towards this, or towards malware in general. Yes, these people are idiots and get what they deserve but why just say "Oh, it's only a virus, don't worry" or "Oh, someone just got into your wireless". If someone said those things about your body or your home, you'd be extremely nervous and scared about what could have been. If you NEVER use your devices for anything that you wouldn't do on national television, then sure, it's fine. Most people however would be shit-scared to even have their photographs deleted, let alone posted online for all to see, not counting that "passwords.doc" file, or the letters they wrote to their boss complaining about their inept co-workers, etc.etc.etc. If you can happily say that you would just upload the contents of your computers to a public FTP site, then sure, don't worry. Most people, if not all, can't afford such luxuries.

Yes, in practice, most of these compromised users will never know and never have anything bad done to them. However, even a small percentage of such a large number of people is an awful lot of people to be taken to the cleaners, have their bank accounts compromised, have rogue people installing things on their computer etc. Hell, even a teenager deleting your hard drive for a laugh has brought grown people to tears before now because they've lost something they needed for work / some family photos / etc. Yes, backup, backup, backup but that doesn't help after the event.

I work in schools as an IT manager. My first job when I joined my current workplace was to educate people. If you bring me a laptop that "might have a virus or something" and I see a SHRED of evidence of malware, it gets disconnected (even in the middle of a class) and wiped back to factory settings. There is no compromise, or negotiation, because just a few network hops away is the program that pays the entire staff wages from the school's bank account automatically each month. If I see a single piece of software that doesn't belong on any computer, it gets wiped (and all your "unofficial" programs with it, and your music if it's iTunes). When a computer is under my domain, it WILL be clean and that means absolutely STERILE. Every time you take it home and bring it back in, if I spot something, I will just keep wiping it until you learn. So far, 2+ years and nothing more than a fake antivirus banner ad in Firefox across 150 machines because of that policy - but an awful lot of people have learned that they should always back up everything twice (well, I *DID* backup their stuff before I wiped any potentially infected laptop but I only told the senior staff that, who were shocked at the lack of backups these people were performing of supposedly "critical" files to their jobs - amazing how much I was able to "recover" later when they admitted they hadn't backed up that stuff EVER even though it was critical data). Before I arrived, it was apparently commonplace to have infections every week or so on average.

At home, yeah, you do what you like. If you expect me to provide you with VPN or with a laptop, that's my domain and you will be killed if you present a risk to my networks. And if you ask me to clean your computer, I used to link my rates not to the amount of time to clean things up, but to the amount of effort you put into stopping them in the first place (people who knew nothing about computers but had done everything "right" often got it done for free). Don't come to me and ask "My laptop has a virus that I think I caught from my wireless because it has no password", because that kind of stupidity gets VERY expensive even for a small job.

Apathy is fine. Until you expect sympathy. Most people expect sympathy and almost all have things on their computer that they do NOT want to lose / have made public knowledge.


No comments:

Post a Comment