Wi-Fi's dirty secret of evil twins

I recently read that Comcast is offering non-customers free access to their XFINITY Wi-Fi network, from Memorial Day to July 4th. In and of itself, not particularly blog worthy - other than the instructions for accessing a Comcast Wi-Fi hotspot.

The instructions are pretty simple, you look for a Wi-Fi network called "xfinitywifi" and click on a link for non-Comcast customers. 

What Comcast doesn't say however is huge: the name of a Wi-Fi network tells you nothing.

Nada. Zilch. 

Assuming that an available wireless network called "xfinitywifi" actually belongs to Comcast is a leap of faith. A big part of Defensive Computing is being aware of what is guaranteed to be true and what is not.  

When someone calls you on the phone, the calling number that caller ID displays may or may not be true. The return address on an envelope in your mailbox is usually true, but it's not guaranteed. The same applies to the FROM address of an email message. Likewise, while the name of a Wi-Fi network is usually an indicator of its owner, nothing insures this. 

Bad guys can easily create a Wi-Fi network called "xfinitywifi" in the hope of attracting victims that don't have a nerd whistleblower in their family. Anyone who connects to a scam Xfinity Wi-Fi network can have all the data coming and going from their computing device watched and logged by a bad guy. If they are lucky. Unlucky victims will have their data traffic actively manipulated. Things don't get much worse than that. 

WiFi in a subway

Comcast customers, in particular, that connect to a wireless network identified as "xfinitywifi", have to enter their Comcast email address and password. I leave it to your imagination what a bad guy could do with that information (or, see this). 

This is not to pick on Comcast. Time Warner, for example, offers almost identical instructions for logging on to their Wi-Fi networks. And both are way a head of Starbucks.

One page on their website says the Wi-Fi network is called "STARBUCKS", another page says the network name is "attwifi" and a third Wi-Fi page doesn't even bother mentioning the name of their network.

The critical point however, is that nothing prevents a bad guy from giving his network a name that people in the area expect to see.  

So, how can we tell a legitimate Wi-Fi network, run by a reputable company, from an evil twin (the official term for this sort of thing)? 

We can't. 

What to do?  

OVER THE SHOULDER

My first suggestion is psychological rather then technical. While connected to any public Wi-Fi network assume a bad guy is standing over your shoulder watching everything you do and act accordingly. Feel free to catch up on the latest news at CNN, but anything sensitive is best done elsewhere. 

This may sound like familiar advice, but the warnings that have been written millions of times to date, are inevitably about open Wi-Fi networks. That is, non-techies are only warned about wireless networks that don't require a password and these are typically referred to as "open" and/or "public" networks. But, when I used the term "public" in the previous paragraph, I was referring to any network that you don't control. 

Being aware of evil twin networks means not trusting networks even if they require a password. In the case of Comcast, it means not trusting networks that require both an email address and a password to login. 

VPN 

The best technical defense is a VPN (Virtual Private Network).

Many companies offer VPN services to individuals, which is separate and distinct thing from the VPNs used by large companies. VPN services targeted at consumers provide encrypted communication between your computing device (laptop/tablet/smartphone) and a server run by the VPN company. This protects you from eavesdropping by anyone in your immediate vicinity. 

Using a VPN after it has been configured is normally simple. Getting to that point however, is not. 

To use a VPN, you first connect to the Internet, then connect to the VPN company. If all goes well, everything subsequently coming into and out of your computing device is encrypted. 

Perhaps the most popular operating system at public Wi-Fi networks is Apple's iOS version 6. To connect to a VPN server on an iOS 6 device, go to Settings and move the VPN slider from OFF to ON*. It couldn't be much easier. This assumes, however, that the VPN provider offers a type of VPN supported by iOS 6. 

Dealing with the various types is the first pain point when setting up a VPN for yourself. To begin with, there are four popular types, each with its pros and cons. For example, the oldest type of VPN, PPTP, is known to be the least secure.

Many VPN companies fail to support all four types and the same is true for most (if not all) operating systems. Like a dating service, you need to match up the types of VPNs supported by your operating system with those offered by any particular VPN company. 

To that end, below is a list of the assorted types of VPNs natively supported by some popular operating systems. 

  • iOS versions 5 and 6 offer built in support for L2TP, PPTP and IPSec
  • Windows 7 does PPTP, L2TP/IPSec, SSTP and IKEv2
  • Windows XP did PPTP and L2TP IPsec
  • OS X Mountain Lion does L2TP over IPSec and PPTP    
  • OS X Snow Leopard does L2TP over IPSec, PPTP and Cisco IPSec
  • Android 2.3 does PPTP, L2TP and L2TP/IPSec with either a pre-shared key or a certificate
  • Android 4.1 does PPTP, L2TP/IPSec PSK, L2TP/IPSec RSA, IPSec Xauth PSK, IPSec Xauth RSA and IPSec Hybrid RSA VPNs

If an operating system doesn't support a particular type of VPN that a company offers, then chances are the VPN company will provide software that adds support for their type(s) of VPN. This would not be my first choice however.  

There are some free VPN providers, but security and privacy strike me as services worth paying for.

Personally, I pay $70/year for VPN service from Witopia. They are neither the cheapest nor the most expensive. At this price, Witopia offers four types of VPNs: PPTP, L2TP, IPSec and OpenVPN SSL (for whatever reason, half the world refers to this type of VPN as "SSL" while the other half refers to it as "OpenVPN"). 

VPN AT HOME

You can avoid ongoing charges for VPN service by running VPN server software on your home router. Then, whenever you are away from home, you can establish an encrypted connection to your home router and use that as a basis for surfing the net.

Setting this up, however, is not for the faint of heart, which is why I think it's an option best left to techies. I have yet to try it.

One of the cheapest routers capable of functioning as a VPN server is the Asus RT-N56U which retails for around $100. Consumer routers, such as the RT-N56U, typically support only PPTP type VPNs. For other types of VPN, expect to pay significantly more for the router.

asus.vpn_.jpg

3G/4G 

Another option is avoiding public Wi-Fi altogether and using 3G/4G Internet access from a cellphone company. 

I pay my cellphone company an extra monthly fee so that my smartphone can act as a Wi-Fi hotspot providing Internet access to any nearby tablet or laptop. Needless to say the hotspot from the phone is WPA2-AES protected with a long password. 

This is actually double-dipping in the Defensive Computing world as the Wi-Fi hotspot from my phone can also serve as backup Internet access at home should the wired connection fail (lesson learned the hard way).  

Any article on this topic would be remiss without mentioning the use of encrypted HTTPS web pages. I'm not impressed with the security HTTPS offers (see my last blog and this) and can't recommend it as your only defense. That said, it is a good second line of defense after connecting to a VPN or while connected to a 3G/4G data network. 

Perhaps some day evil twin Wi-Fi networks could be a plot point for a movie. Someone is being framed for a crime they didn't commit. The police seize their laptop and it shows they connected to the network of Joe's Diner at 9PM, placing them in the vicinity of the crime. But, was it the real Joe's Diner network, or another network with the same name all the way across town?  

Just as we shouldn't judge a book by its cover, so too, we shouldn't judge a Wi-Fi network by its name.

*Out of the box, iOS 6 devices do not have a VPN option on the settings menu. The first time you configure an iOS 6 device to use a VPN, you need to go from Settings, to General to VPN. However, after a VPN is configured, the main settings menu has a VPN category added to it, right near the top.  

Update: June 15, 2013. Updated to reflect the fact that iOS changes the Settings menus after a VPN has been configured the first time. 

Join the discussion
Be the first to comment on this article. Our Commenting Policies