Ethernet connections in a hotel room are not secure
I could write a whole blog about correcting computer articles in newspapers, pointing out mistakes and omissions. Many times I have corrected and expanded on articles in the Wall Street Journal by Walter Mossberg, but I've also griped about mistakes in the other newspaper I read regularly, my hometown New York Times. Back in May, on my previous blog, my comments on an article that David Pogue wrote in the Times about data cartridges for backing up computer files prompted a surprising rebuttal from Mr. Pogue.
Beats me why major newspapers don't hire computer techies to write about computer topics. Even worse, neither newspaper has the computer nerds on staff review articles for technical mistakes. Puzzling.
With that in mind, today's topic is an article about Wi-Fi security by Joseph De Avila that appeared on page D1 of the Wall Street Journal on Wednesday, January 16th. See Wi-Fi Users, Beware: Hot Spots Are Weak Spots.
The vast majority of the article is well done, but not the last paragraph. It offers the following advice from someone named John King, who "... avoids Wi-Fi at hotels in favor of high-speed connections that plug into his laptop. He says he uses Wi-Fi to check email and stock listings if that's the only means available, but only if he's sure of the signal. 'I won't go on a wireless access point that I'm not confident in,' he says."
Who can argue with the main point being made here, that wired Internet connections are safer than wireless?
I can. Or, perhaps more to the point, Steve Gibson of GRC, SpinRite and the Security Now podcast would if he were writing this blog.
Before going into the technical aspects, let's start with the people. The Wall Street Journal describes Mr. King as "... a 46-year-old engineer from Livermore, Calif., [who] works for a company that mines computers for evidence in legal cases. He travels a lot for business..." Nothing about this description makes me think Mr. King is a networking security expert.
As for Steve Gibson, I have enough of a technical background in the subject, and have listened to enough of his Security Now podcasts, to confidently state that he is a networking security expert. I doubt that any of my fellow nerds would disagree.
The Important Part
The critical point here is that a wired Ethernet connection is not necessarily a safe haven from the insecurity of Wi-Fi wireless networks.
Exhibit A supporting this claim is Episode #29, Ethernet Insecurity, of Steve Gibson's Security Now podcast (transcript, 64K audio, 16K audio). This podcast, which explains the security problems inherent in a wired Ethernet network, was a huge eye-opener to me when I first heard it.
By way of background, Ethernet is a set of hardware and software rules/standards/protocols that computers on a Local Area Network (LAN) use to communicate. Ethernet used to have competition in the marketplace, but those days are over.
While the term LAN may evoke a small network, such as that in a house or apartment, a LAN can encompass an entire building, such as a hotel. When you plug a computer into an Ethernet jack in a hotel room, you are on the same network as all the other guest rooms. And that can be dangerous.
As Steve Gibson explained in the podcast, the Ethernet protocol was designed long ago. Before the Internet. Before security was on anyone's radar screen. "Essentially, there is absolutely no security with Ethernet. The assumption always was that it would be used in a LAN setting where you knew and trusted everybody on the network. You were one big happy company..." he said.
The explanation of the vulnerabilities gets somewhat technical and includes terms such as ARP, MAC addresses, IP addresses, malicious ARP replies, NICs, man-in-the-middle attacks, ARP Poison Routing, ARP spoofing, sniffing and promiscuous mode. In simple terms, a bad guy can get in the middle of all Internet conversations (us nerds call this "traffic"). Web pages, email messages and everything else coming and going to the Internet can be intercepted and logged.
As Steve put it "... one bad person in a hotel could arrange to, without much work, literally intercept all the traffic going to and from the hotel's gateway so that all of the email conversations, all of the traffic of any sort that is being transacted by every other hotel guest, they're able to monitor and intercept."
I don't think the danger can be overstated. Wired connections to the Internet in a hotel are not, by their very nature, more secure than wireless connections.
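A defensive check for the ARP spoofing described above, added here as an example (it is not from the original post or the podcast): it compares two snapshots of a Linux laptop's neighbor table, as printed by `ip neigh show`, and reports the two classic symptoms of a poisoned ARP cache. The function names and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# One line of `ip neigh show`, e.g.
# "10.20.0.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.IGNORECASE)

def parse_neigh(text):
    """Return {ip: mac} for entries with a resolved MAC (FAILED/INCOMPLETE are skipped)."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def check_arp(before, after, gateway_ip):
    """Compare two neighbor-table snapshots and return a list of findings."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []
    # Symptom 1: the gateway's MAC address changed during the session.
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        findings.append(("gateway-mac-changed", gateway_ip,
                         old[gateway_ip], new[gateway_ip]))
    # Symptom 2: the MAC now answering for the gateway also answers for
    # another address on the LAN (a machine impersonating the gateway).
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1 and gateway_ip in ips:
            findings.append(("mac-shared-with-gateway", mac, sorted(ips)))
    return findings

# Constructed sample snapshots (documentation-range MAC addresses).
BEFORE = """10.20.0.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
10.20.0.44 dev eth0 lladdr 00:00:5e:00:53:2c STALE
10.20.0.87 dev eth0  FAILED"""
AFTER = """10.20.0.1 dev eth0 lladdr 00:00:5e:00:53:2c REACHABLE
10.20.0.44 dev eth0 lladdr 00:00:5e:00:53:2c STALE
10.20.0.87 dev eth0  FAILED"""

if __name__ == "__main__":
    for finding in check_arp(BEFORE, AFTER, "10.20.0.1"):
        print(finding)
```

A finding is a reason for suspicion rather than proof, since some routers legitimately answer for several addresses. It does not replace the VPN; it only tells you that the network deserves none of your trust.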
And Ethernet is not the only weak link in the security chain. The podcast describes software that can decrypt some normally encrypted data. "And in some cases, where you have weakly authenticated protocols, like Windows Remote Desktop that really doesn't provide any kind of authentication, man-in-the-middle and complete decryption attacks are easily performed. I mean, it is really bad," said Steve Gibson.
I first listened to this podcast episode while traveling to another city where I was planning on using a wired Ethernet connection in my hotel room. The podcast scared me to the point that I installed a VPN on my laptop. VPNs, while typically used by large corporations, are available to anyone and are the best protection from this sort of thing.
If anyone you know ever intends to use a wired Ethernet connection at a hotel, then tell them to read this posting. And get a VPN.
You don't read PC Magazine for mutual fund advice, and you shouldn't read the Wall Street Journal for computer advice.
Update. February 18, 2008: For more on this see Defending against insecure hotel networks with a VPN.
See a summary of all my Defensive Computing postings.
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.

The biggest is that a person can sit in their car and grab every packet you are sending over wireless. They don't even have to be connected to the same access point, or any access point for that matter.
With Ethernet, an attacker has to physically connect to the network, which may or may not be easy. Not only that, it almost always has to be on the same LAN, which may not be the case if you plug into the lobby so you can try and get packets from guests in their rooms.
Most public access points don't even use WEP (which takes 5 minutes to break, regardless of how strong the password is), and they rarely use WPA or WPA2. So that means anyone can grab their unencrypted packets with a simple tool like Wireshark. It is simply a radio signal, so the attacker never needs to connect to an AP.
I won't even discuss the impossibility of an 802.11 network stopping most DoS attacks. The 802.11 standard is extremely flawed.
Ethernet is inherently more secure, because an attacker needs to physically connect somewhere along the path of the packets. Granted, if you think you are more secure, you are foolish.
It doesn't change the fact that attacking a wireless AP is considerably easier than a wired network.
The security problems with Wi-Fi almost go without saying at this point. The Wall Street Journal article did a reasonable job covering this. My point here though, was to make people aware that an Ethernet connection in a hotel room can also be extremely insecure.
Michael Horowitz
I have a VPN which I use while traveling.
Which VPNs do you recommend?
I have dealt with both hotspotvpn.com and witopia.net (their Personal VPN product). Leo mentioned at the end of the podcast that he uses hotspotvpn. Hotspot is more expensive, but offers technical support. I can't really recommend either though because they are too techie. You almost need to be a nerd just to understand what the products are. There is probably a huge market opportunity for a company that can provide this service but explain it so normal people understand what they are paying for and why.
Also, there are three different technologies involved with VPNs, PPTP, IPSec and SSL. Everything I've read points to SSL being the best, but I can't, on a technical level, explain why.
Michael Horowitz
Nice summary on this. I first heard that episode of SN about 1.5 years ago, and it prompted me to look very far into the state of security in hotels, be they using wired, wireless, or other networks. Fortunately, I've stuck with the research, and am now writing an academic paper.
If you're interested in being a part of this in some way (that is, if you'd allow me to ask you a couple questions and quote you), please do shoot me an email to jdo24 at cornell dot edu within the next two days.
Thanks for considering!
Layer your security: run a strong firewall program, keep your Operating System up to date, disable file sharing and remote desktop when on public networks...
Let's face it, you are at risk when you connect to an open network... no doubt about it. Not trying to be an alarmist but you should really think twice about sending unencrypted sensitive data on an open network such as coffee shops, hotels, etc.