back to article GOP delegates suckered into connecting to insecure Wi-Fi hotspots

A Wi-Fi hack experiment conducted at various locations at or near the Republican National Convention site in Cleveland, US, underlines how risky it can be to connect to public Wi-Fi without protection from a VPN. The exercise, carried out by security researchers at Avast, an anti-virus firm, revealed that more than 1,000 …

  1. Anonymous Coward
    Anonymous Coward

    " When joining public Wi-Fi, consumers should utilize a VPN service [...]"

    Did they measure how many connections used a VPN?

    1. BebopWeBop

      Well given they gave percentages by the service they connected to, I am assuming (hoping) that at east the users they logged were not. But I suspect a vanishingly small number.

  2. simmondp

    Why? - Let's have some critical journalism

    This is a vendor produced survey - so surely a little more of the scepticism the Register is famous for?

    Last time I looked Gmail, Amazon, Sykpe, What'sApp all used HPPS and/or were Encrypted protocols.

    So what is actually the problem?

    And why do I need a VPN? Other than a vendor is trying to flog me one?

    1. Tom Wood

      Re: Why? - Let's have some critical journalism

      Avast obviously weren't being malicious.

      However.

      Let's say I can convince you to connect to a WiFi access point (AP) I control.

      Chances are you use the DHCP server in my AP to get an IP address *and DNS server address*.

      So I configure my AP to point you at a DNS server I also control.

      When you type www.facebook.com in the browser, I can deliver a DNS result that points you at a web server I also control, that provides a facebook lookalike login page.

      You don't look close enough to notice that this particular connection to Facebook isn't redirected to HTTPS, you log in, I get your facebook password.

      You can replace "facebook" for "most other secure websites", unless you've visited them before, and they use HTTP Strict Transport Security, and your browser supports it (Facebook actually do send HSTS headers, but many other secure sites, e.g. online banks, don't.

      1. Tom Wood

        Re: Why? - Let's have some critical journalism

        And actually, I don't need to control the DNS server, that just makes it easier. Since I can see and intercept all your traffic to my AP, I can look out for any initial non-HTTPS request and spoof a response, for example.

        This also works with secure access points, if there is a common password I can get hold of (e.g. WPA2-PSK). If there's a hotel or pub that has a known WiFi password they provide to customers (maybe they stick it up behind the front desk/bar), for example, I could easily set up an AP using the same SSID and password and chances are at least some of the time (e.g. if your device has a stronger signal from my AP than from the hotel's) you will end up connecting to my network.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why? - Let's have some critical journalism

      Google "Man in the middle attack" and "Proxy Server"

      When I'm at work my work Proxy Server is kind enough to remind me that it will be spoofing my connection to gmail so it can have a look at all the content before it gets sent as https to google. It also spoofs the stuff that's coming back i.e. it pretends to be me and then passes on the content to me. It does this because work doesn't want me downloading any attachments, well not at least until they have been virus checked, once they are checked (takes a few milliseconds) and cleared they are passed them on to me. This is all done transparently except for the initial page from the proxy server reminding me that it's going to be reading all the content. I work for a nice company, they just do this for virus checking, they aren't really interested in my personal emails and they don't keep a record of my login details, but they do warn me that they can see all of this stuff because I'm going through their Wireless access in the office and onto the internet.

      Man in the middle attacks do the same thing except you don't get a nice warning screen and they aren't looking to virus scan any attachments for you they are after all the content including of course your google username and password.

      1. bigbob

        Re: Why? - Let's have some critical journalism

        I suspect that your company will have installed into your browser a special company-only root certificate, to enable you to get an HTTPS connection to the proxy server. Because otherwise your browser will complain that it is not certified by Google.

        But if you're at the Republican Convention on an iPhone (i.e. browser supports HSTS) then I think it would refuse to connect to a proxy for GMail (or other sites with HSTS).

    3. Kevin McMurtrie Silver badge

      Re: Why? - Let's have some critical journalism

      Upvote for this. How is a fake WiFi AP any more dangerous than other public forms of Internet?

      Most people have their apps and browsers remember logins, and that isn't fooled by a fake encrypted site. Downgrading to HTTP would disable automatic login and likely present an insecure form warning. Mobile apps and firmware are digitally signed to prevent tampering.

      The one exception is sites not using HTTPS for login. No respected site would do that, right Reg?

  3. Efros

    Yahoo! mail!

    jeez the Republicans have moved on, I thought they would be AOL, you know Assholes On Line.

    1. cd

      Re: Yahoo! mail!

      That was the old days, now they're all yahoos. Maybe Yahoo sent them install CD's.

  4. Baldy50

    Stating the bloody obvious

    John Leyden sir, this is a pretty tech savvy site do you really need to tell us Avast is an antivirus firm?

    1. DJO Silver badge

      Re: Stating the bloody obvious

      Really, I always thought they made CPU stress test software, the AV stuff is surely just a by product of winding the CPU up to 100%

  5. Paul Shirley
    Flame

    Wow! 1.5% Windows Phone

    Looks like we're all wrong, WP is alive,well and positively thriving.

    1. Mr.Mischief

      Re: Wow! 1.5% Windows Phone

      [quote]Looks like we're all wrong, WP is alive,well and positively thriving.[/quote]

      Well dinosaurs use dinosaur phones after all

  6. James 51

    I have pureVPN on my phone (paid for version) but it has never worked great on vodafone and is almost never works on three.

    1. Paul Crawford Silver badge

      Interesting. Wonder if those networks deliberately interfere with VPNs, or maybe VPN traffic is just less tolerant of shitty networks?

      1. James 51

        The pop up on the app says the network may be interfering with traffic but it's hard to tell.

  7. Rich 11

    • 0.24 per cent visited pornography sites like Pornhub.com

    While at the convention hall itself?

    The toilet stalls must have been full of wankers.

    1. Anonymous Coward
      Anonymous Coward

      Well the convention hall was anyway....

      1. Anonymous Coward
        Anonymous Coward

        Try harder. 1 out of 800 delegates visiting a porn site at least once during the convention seems rather low. I wonder what percentage the Democrats would ring up?

        Not that this sort of scrutiny will be needed for Democrats, mercy!

        1. Anonymous Coward
          Anonymous Coward

          Sorry, brain fart time. The ratio is actually 1:400, twice as smutty as I stated before.

          Still, that's more like it! :-D

        2. Mark 85
          Paris Hilton

          Must be just one or two lonely types or someone doing "research". Rumor has it the party conventions are rather notorious for their randiness. A bit yelling, shouting, music to get people hyped up and they hit the night spots as soon as evening's events are over. Then their main event for being there starts...

          Paris.. well because....

    2. Anonymous Coward
      Anonymous Coward

      GOP Convention Spikes Demand for Male Escorts

      https://nypost.com/2016/07/21/male-escorts-are-making-crazy-money-at-the-rnc/

  8. Anonymous Coward
    Anonymous Coward

    Not really a valid study since this was at the Republican National Convention, so by definition everyone there is an idiot.

  9. Shades

    Pokemon Go

    That will probably be the due to the guy running Stephen Colberts Condiment Cam on Facebook.

  10. Dick Knuckle

    Yes yes

    But hiw many of them bought a coffee?

    Starbucks et al are basically rain shelters and wifi providers these days arent they?

  11. veti Silver badge
    WTF?

    Shurely shome mishtake

    More people shopped on Amazon than played Pokemon Go?

  12. Mike 16

    A.C.: I work for a nice company,

    Until the guys with the most stock sell said "nice company" to Attila the takeover artist, and one way to pay off the resultant huge debt load is to sell all the skimmed info (employees and customers) on the open market. Or the company goes bankrupt and the trustee does the same.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like