I’ve been encouraging everyone who will listen to me lately to take even greater care when they surf the web wireless. It makes for interesting conversations, particularly with those unaware of how their devices work.
Under the Hood
You may or many not know this, but your wireless-enabled devices are quite loud. We think they just keep track of networks we know and connect to them automatically within range - if only that were true. The reality is that your device goes around shouting at every other device within range, “ARE YOU MY NETWORK,” in hopes it can find a friend.
As you connect to a greater number of networks, your device broadcasts a greater number of beacon requests as it tries to visualize the network landscape and find the best connection possible for your Netflix stream.
Network security professionals use a variety of tools to track and visualize the networks in any given place at any one time. I have a device called a Pineapple that I use to test my own networks and make sure everything stays secure.
One of the most interesting features of this device is the ability to respond to any SSID being requested. While your iPhone is screaming, “ARE YOU ATTWIFI,” my Pineapple sites quietly on the desk and says “yes.” You automatically connect to my device, and, if you’re not tunneling through a VPN or browsing exclusively over SSL, I can see everything you do on the Internet.
What’s more, I can also inject arbitrary code into every request I intercept. This means I can change graphics on websites, dynamically re-write figures in investment reports,[ref]Imagine the outlash if a hacker could control the figures seen by high-volume investors before they submit trades on the stock market. Chilling, but entirely doable.[/ref] change conclusions in documents you’re posting online,[ref]Trojan Horse, an amazing book by Mark Russinovich, starts with the premise of a foreign nation hacking into the computers used by the IAEA to dynamically rewrite the conclusions and recommendations the committee was submitting to the UN. It might read like science fiction, but I assure you it’s entirely possible today.[/ref] or add a Harlem Shake script snippet to the page of my choice.
I consider myself one of the good guys, so I only ever do any of the above when I have permission, and I clearly document both what I’m doing and how so those affected can learn to protect themselves. That being said, there are thousands of others out there who have the same tech I do, the same knowledge I do, and in many cases, far more expertise than I do. Many of them are not the good guys and will use these techniques to steal your information.
I still frequently use public WiFi when I travel. It’s free, in many cases it’s quite fast, and it’s ubiquitous. I use Skype almost exclusively when I travel internationally, so I’m never out of phone service (and don’t have to pay exorbitant roaming fees). When I travel, though, I also always encrypt my traffic over a secure VPN - if anyone is intercepting my traffic, they can’t figure out what I’m saying or to whom.
As I write this post, I’m currently using the (paid) public WiFi provided by one of Southwest airline’s newer airplanes. The majority of my traffic today has been over VPN and further protected via SSL, but I turned off the VPN for a few minutes to gain back some bandwidth.[ref]The security is great, but since we’re a moving target at 38,000 feet, the geo-located VPN routing isn’t the best and my system kept routing traffic - quite slowly - through Eastern Europe. I’m not doing anything sensitive at the moment, so I can judiciously disable my VPN if needed.[/ref] I was in for a shock the next time I loaded an unencrypted page.
It appears that Southwest is trying to be a super helpful airline by injecting a flight status banner into the markup of the page. This is great for knowing how much longer I have to sit in a cramped cabin, but absolutely destroys the experience I have using any website with a top-level navigation bar.[ref]The UX guy in me is reeling at how awful the experience is right now on just about every webpage in existence.[/ref]
I don’t have any doubts that Southwest is trying to do a good thing here. I have no immediate concerns that they’re logging traffic or trying to steal any information sent over the wire.[ref]The fact that they have technology in place that both reads and modifies customer traffic before it reaches the browser, though, is terrifying. There is absolutely zero guarantee that Southwest’s network is secure, so even if they aren’t doing anything nefarious with your information, it doesn’t mean they’re the only ones with access![/ref] That being said, they’re being far more invasive in customers’ network interactions than even the NSA at this point - at least when the feds are intercepting traffic they aren’t modifying the server request before serving it back to you.
If you’re using a wireless connection, you absolutely need to make sure it’s safe and secure. Use encryption whenever and where ever possible.[ref]I often make the argument that if you can’t encrypt it, don’t use it in the first place.[/ref] Be super aware of your surroundings so you can keep track of who’s watching what.
And be ready to call people out when they’re doing shady things - like modifying traffic - even if they have the best intentions at heart.
Oh, and don’t do anything over a Southwest Airlines wireless connection unless you’re connected with a VPN.