TechWeb

Shoulder Surfing, Sniffing Worse Than "Evil Twin" Access Points

Jan 26, 2005 (09:01 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=57704059


You're more likely to have secrets ripped off at Starbucks from someone snooping over your shoulder or using wireless sniffing software than from sophisticated hackers deploying a so-called "Evil Twin" access point, a security analyst said Wednesday.

"Unless the Wi-Fi session is encrypted in some way, which by default it's not, then all of the traffic is available for perusal by anyone with a wireless-enabled laptop and the right software," said Jay Heiser, a U.K.-based research director with Gartner.

Heiser was reacting to an announcement last week by academic researchers in Britain who warned that rogue wireless access points -- dubbed "Evil Twin" -- posed a security risk to users in public places like coffee shops and airports where wireless Internet service is available.

"If you wanted to 'listen in' on wireless," said Heiser, "there are much easier ways to do it than to set up an Evil Twin."

The lowest-tech way to lose confidential data while at a public hotspot -- which by definition is not encrypted -- is to be a victim of "shoulder surfing," where someone simply peeks over the user's shoulder to watch for passwords and login names.

One up from that, said Heiser, is the tactic of "sniffing" wireless sessions with software. "You can download software that not only allows you to sniff sessions, but also allows you to reconstruct those browsing sessions, so you can thumb through the history of what you sniffed."

Heiser likened it to the long-standing practice of people who use radio scanners to eavesdrop on neighbors' mobile phones and baby monitors. "There are 'hobbyists' today who eavesdrop on their neighbors' e-mail and Web sessions," he said.

Heiser experimented with such software, which sells for as little as $30 on the Internet, and it works. "You can literally watch what everyone does [on wireless] in the Starbucks," he said.

In comparison, going to the trouble of setting up an Evil Twin makes little sense, unless the hacker is after wireless traffic that was, for instance, being transmitted from a VPN (virtual private network) client, software that many businesspeople are required to carry on their laptops.

"This Evil Twin scenario would take a source of power for the wireless access point," Heiser noted. "Are hackers building Evil Twin systems into briefcases and carrying them around? Perhaps. I don't know, and the researchers don't seem to know either."

In fact, Heiser thought that any Evil Twin that stayed operational for long would soon be noticed by users or discovered by the operators of the real hotspot, which would show a dramatic decline in traffic.

The bottom line, he warned, is that anything transmitted via wireless in a public hotspot is vulnerable to theft, whether the technique is something down and dirty, like shoulder surfing, or more advanced, such as an Evil Twin.

"If you're just connecting through a wireless hotspot, you're vulnerable to being sniffed. Period. If you use a Web-based service that doesn't protect your password through SSL (and many do not), then that can be sniffed, too. That means your e-mail, your Web browsing, and until you hit the SSL-locked page in an e-commerce site, anything you transmit when you're buying online can be sniffed."