Well, I saw a YouTube video, done by some "experts" discussing the safety of using Wifi at an RV site to do your sensitive banking, shopping, etc. I won't say who it was, but it was done late last year, if I recall.
First - I am NOT an internet security expert. I HAVE spent 35+ years programming, and being a sysadmin for Unix systems. So - while I do not consider myself an "expert" in security (my experience is that that job is really a 24x7 job, and highly specialized), I do know a thing or two about computer security in general, securing systems (*nix systems specifically), and hardening systems. I also spend at least 15-20 minutes a day going over what I term "aggregate" tech news sites, so I keep in touch with what's going on, new, etc. Making your living from technology means you can NEVER stick your head in the sand, and you NEVER know it all (my personal belief is that with the spread of technology, you simply can't "know it all" anymore). So, I stay up with what's going on. Especially as it relates to internet security.
Now, on to the subject matter at hand. I felt it important to simply let others (all of you) know that what the two in the YouTube video stated is not only wrong, it is flat-out wrong, and if you continue doing what they espouse - you ARE vulnerable, and your information will probably be gleaned from an MITM (Man In The Middle) attack. I'm not sure how those people stay up with what's going on - but it really seems they just don't. So, I'll break this up into two separate thoughts here:
First - we've been told for YEARS, and I mean YEARS that simply hooking up indiscriminately to wifi "hot spots" is a bad idea. Why? Well, I can take my Linux laptop, and with about 10 minutes of downloading some software and a bit of configuration, make my laptop appear as a hot spot, waiting for you to connect. Let's say the REAL hotspot name is "xyzRVCampground". I decide to name mine "xyzRVCampground2". "Gee, isn't this campground nice? They made TWO hotspots for me to connect to". Meanwhile, I simply make my laptop a "pass-through" device, so I connect to the REAL hotspot, you connect to me (because I've got a MUCH stronger signal), and I see EVERYTHING YOU SEND. Right now, you are thinking "oh you silly boy - that's what HTTPS is for - it's SECURE." Uh-huh. Since you aren't in the business, I'll forgive you for not knowing. Please Google "Heartbleed". Came out last year. It turns out that since its inception, there's been a bug in SSL (the HEART of HTTPS), and it ain't so secure. In fact, once you know how to exploit it - it's a snap. And this was something that was on the SERVER side of the communication. At its height, basically the entire world was vulnerable (it was at first thought that Windows was immune - however, turns out EVERY Operating System was affected). Nothing you could really do about it. It's been patched - however, there was a test just a month or so ago, still showed that about 30-40% of the web servers running STILL HADN'T BEEN PATCHED.
So - you weren't safe, I could read ALL of your HTTPS traffic with my "Man in the Middle" attack, sitting in my camper two sites away from you. See your account number, password, etc. Oh, and a new one emerged about a month ago. Turns out that all that encrypted traffic, that's supposed to have all these unique keys to encrypt the traffic - turns out that software on the servers took a lazy approach, and cached those encryption keys (the keys take a bit of processor overhead to generate each time), so they wouldn't have to work so hard. So, they used the same key. Turns out it was fairly simple to get that too, and use it - to YOUR disadvantage. Please note - that was a separate vulnerability from Heartbleed.
Now, on to the hardware itself - the actual router that is used by the kindly RV campground staff. First - please don't think I'm trying to paint any of them as evil, or out to get you. They are hard-working people just like us. But remember, except for extremely rare occasions, they aren't up on technology either. Not their bailiwick, so to speak. And, most of them simply get this installed by some local computer company, or their internet provider. I'm going to link to articles here (all I did was a quick Google search for "wifi router vulnerability"). Some of these are a few years old, some are extremely new. A few of the articles deal with "home" wifi routers. Please don't think that the RV sites are going to use the much more expensive business wifi routers. Some of these can go for several hundred dollars. I've got more high-end home routers, and they are $200 each. Most campgrounds (and what gets installed at most of these sites) are home-grade under $100 wifi routers. You read and decide for yourself:
- Two new tools exploit router security setup problem
- Top Wi-fi routers easy to hack, says study
- Asus, Linksys router exploits tell us home networking is the vulnerability story of 2014
- Your Router's Security Stinks: Here's How to Fix It
- Offline attack shows Wi-Fi routers still vulnerable
- Flaw lets hackers break your WiFi router's security with one guess
- Wi-Fi router security: Assessing the vulnerability of backdoor attacks
- Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk
Ok - so what do you do?
First - assume you will be hacked. Sorry to say it - it's GOING to happen. No matter who you are, no matter if you only have $50 in your account, etc. At some point, you will be hacked. So - assume it. All the time.
Second - do what you can to protect yourself. Honestly - it's doggone little these days. BUT, you can at least attempt to obscure your traffic. Use a PROFESSIONAL VPN SERVICE. I'm not going into the details of a VPN, or explain it, but you look it up and decide if it's for you. Services don't cost a lot - but the professional ones DO cost.
Instead of a VPN - you might use TOR. www.torproject.org. Now, before you jump on the bandwagon here - realize that TOR still generally seems "safe", but because of its known properties, it is used by terrorists and criminals. SO - using TOR might make you "a person of interest" to the FBI/NSA/whoever else. And no, I'm not kidding - so consider that before you download and install it. Also - you really need to pay attention to what the TOR site tells you to do to be safe. That means a lot of what you might normally do - you shouldn't do with TOR, since it "exposes" you.
Third - wait until all the vulnerabilities are fixed, and it's safe to go "back in the pool again". This goes back to the "Red Book" of security. It means you physically secure your computer (like in Fort Knox), you remove all floppy drives, networking, bluetooth, USB ports, etc. NO CONNECTIONS TO THE OUTSIDE WORLD. NO POSSIBILITY TO LOAD ANYTHING OR COPY ANYTHING OFF THE COMPUTER. Simply put - this ain't gonna happen. Ever.
So - what to do? You can't stop using (you junkie, you), generally speaking, in today's world. So, here's some friendly advice:
- NEVER connect to any wifi router, without confirming it's the one provided by the hotel/RV campsite, etc.
- Even though it was hacked (now mostly fixed), use HTTPS whenever you can. NEVER DO ANY TRANSACTIONS OF ANY KIND (buying, banking, etc.) WITHOUT IT.
- Make sure your system is FULLY PATCHED, INCLUDING YOUR BROWSER. If you are still using Windows XP or Vista - UPGRADE! Yes, I know Windows 8.x sucks (I left Micro$oft after using DOS/Windows for over 25 years and went to Mac)
- KEEP YOUR PERSONAL WIFI ROUTER UPDATED AS WELL. If there are no further updates from the manufacturer, check into some alternatives - Tomato router, etc. Several alternative embedded operating systems to install on those little boxes - but not ALL those little boxes.
- Seriously consider a professional VPN service - and use them - along with HTTPS, and your fully patched computer AND browser.
- Oh, did I mention KEEP YOUR SYSTEM PATCHED AND UP TO DATE - everything. Your browser, etc.
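One way to apply the first item on that list when a scan shows several similar names, as an added example that is not part of the original post: it compares every visible network against the exact name and security type the campground staff gave you. The scan rows, the BSSIDs, the WPA2 setting and the 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

SIMILARITY_THRESHOLD = 0.85  # assumption: tune for the names you see on site


def normalize(ssid):
    """Fold case, drop punctuation and spaces, then drop a trailing number."""
    key = re.sub(r"[^a-z0-9]", "", ssid.lower())
    return key.rstrip("0123456789") or key  # keep all-digit names intact


def classify(expected_ssid, expected_security, scan):
    """Return [(ssid, bssid, verdict)] for every network in the scan."""
    want = normalize(expected_ssid)
    results = []
    for ssid, bssid, _signal_dbm, security in scan:
        if ssid == expected_ssid:
            # Same name, but not protected the way staff described
            # (for example an open copy of a password-protected network).
            ok = security == expected_security
            verdict = "expected" if ok else "security-mismatch"
        else:
            got = normalize(ssid)
            ratio = SequenceMatcher(None, want, got).ratio()
            near = got == want or ratio >= SIMILARITY_THRESHOLD
            verdict = "lookalike" if near else "unrelated"
        results.append((ssid, bssid, verdict))
    return results


# Constructed scan results: (SSID, BSSID, signal in dBm, security).
# Note that the strongest signal belongs to a lookalike, not the real network.
SCAN = [
    ("xyzRVCampground", "02:00:00:00:00:01", -70, "WPA2"),
    ("xyzRVCampground2", "02:00:00:00:00:02", -40, "open"),
    ("XYZ-RV-Campground", "02:00:00:00:00:03", -55, "WPA2"),
    ("xyzRVCampground", "02:00:00:00:00:04", -45, "open"),
    ("NeighborsHotspot", "02:00:00:00:00:05", -80, "WPA2"),
]

if __name__ == "__main__":
    for ssid, bssid, verdict in classify("xyzRVCampground", "WPA2", SCAN):
        print(f"{verdict:18} {ssid:20} {bssid}")
```

A copy that uses the same name and the same security type passes this check, so name comparison only narrows the choice; it does not replace confirming the network with the staff.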
Now, other than sounding the alarm (in case you weren't until after you read this), I'm NOT GOING TO ADVISE YOU. Again, I don't consider myself an expert, but I do consider myself knowledgeable and very well-read on the area. I leave it to you to read some sources for yourself (most of those links do have links to other sources), and to do some research. If you can't update your home/RV wifi router - you might give SERIOUS consideration into purchasing a new one (I have NO stock in any tech company, unless my little bit of money market account does. I mostly go for "indexed" stuff these days). And DO YOUR RESEARCH to make sure that the router you purchase is supported by some alternative software (Tomato, DDWRT, etc.) that gives you the ability to keep it updated when the vendor decides not to any longer (about 3 weeks after you buy it...)
So - please use this as a more common-sense approach than that espoused on the YouTube video. It's dangerous out there. Quite frankly, if I were one of the "black hat" type guys, I'd seriously consider targeting some of those RV sites "down south" for those snowbirds that live there 6 months out of the year. Get close to some of those Class A rigs, "bus" conversions, etc.
Please be careful - always think "they're out to get me" (even paranoid schizophrenics sometimes actually have people out to get them), keep in touch - some of those sites I listed above are "aggregate" sites, that have lots of tech news/articles from a variety of sources. And, treat the internet like one of those dark alleyways in (pick the crime-ridden city of your choice).
Be safe.