Untrusted Wi-Fi Networks, Advice for All.

Nine words unpacked.

Here's the advice :

If you can use your personal Hostspot, you should.

Nice and simple, and if you're curious to why I say that, you can keep reading, but it's not for everyone, in-fact it'll be quite boring unless you care about this stuff.

We need to agree on some fundamental ideas, two that I care about are nothing to do with anything technical but are parentally more important to consider with all your population-level-cyber-advice debating, those are victim diversity and simple language, in my eyes these two things seem to be overlooked where they should be appreciated.

Victim Diversity

The concept of victim diversity, while somewhat self-evident, is often overlooked in discussions that are biased (In my own admittedly biased view). When considering individuals connecting to an untrusted network, it's important to recognize the varied spectrum of users. This diversity includes differences in technological knowledge, types of devices used, varying levels of security awareness, and differing degrees of urgency in their connectivity needs. Such diversity is not just a mere talking point; it fundamentally impacts the nature of cybersecurity threats.

For instance, the feasibility of an attack, its detectability, and the ability to defend against it are all influenced by this variety. While it's possible to implement measures targeting the average user, we must remember that cybersecurity is about addressing the realm of possibilities. For example, creating a fake access point with a captive portal that prompts users to log in using social media or email credentials is a plausible attack scenario. However, the response to such a scenario will vary: some users might readily use their credentials to authenticate, while others might be more cautious or even refuse to authenticate in this manner.

A captive portal 'phish' is a clean example of where poorly considered advice falls short, there have been a few people framing wireless security as improved, and it has, we've come along way from WEP and ever growing vendor specific defences too that can highlight or detect wireless tom-foolery... We have random MAC addresses available on most modern systems too... kinda, yeah, it's improving, always, and in the background cyber has been demonstrating and pressuring industry to move quicker at addressing issues (looking at you SensePost).

It's fine to prove that modern network systems and modern client devices are less likely to be exploited in wireless attacks, notably stealing handshakes (to get onto a trusted network) DoS clients (to prevent them network access) and various network related controls (client isolation, brute forcing admin interfaces, spoofing etc...) great, but it's not smart to give advice from contextually known good, you give advice from a common known bad, and if you want to extend the risks you would take, you follow up with that context.

Language & K.I.S.S.

The longer a nerd talks the less is absorbed and the more narcolepsy or sapio-sexual feelings are induced, considering your audience and how that information you give them may be passed on, think 'Chinese whispers' (Sorry Xixi), having simple language means less nuance,  less trying to explain to those that didn't ask, and more action for those that want to crack on, the curious can always ask, explorer for themselves, you can always provide them with good information should they want it, but give them the action if they don't want the details and just want to lean on you as a trusted 'advisor', your dentist doesn't explain everything they're doing and why it's the best thing for you does he, it's actions (we're doing this), and most the time we JFDI.

Let's look at some statements that degrade in attention retention:

If you can use your personal Hostspot, you should.
If you can use your personal hotspot, you should, because you never really know what access-point you're connecting too.
If you can use your personal hotspot, you should, because you never really know what access-point you're connecting too, and even if you do, or think you do, you dont know the configuration of it and how that might expose your system
If you can use your personal hotspot, you should, because you never really know what access-point you're connecting too, and even if you do, or think you do, you dont know the configuration of it and how that might expose your system to attacks on the local network, and if your computer has opportunities they may be taken advantage of
If you can use your personal hotspot, you should, because you never really know what access-point you're connecting too, and even if you do, or think you do, you don't know the configuration of it and how that might expose your system to attacks on the local network, and if your computer has opportunities they may be taken advantage of but realistically, the body of knowledge you would need to have the most confidence each time is very technical and not fair on the average user, it's more likely they wont attack your computer, but exploit the captive portals we're all familiar with from hotels, trains and cafés etc...

Because for example a Fake-AP is in principle a solicitation attack, just like a phish, once the person has decided to join that network, thats the hard bit is mostly over-with, the attacker controls the captive portal, what happens next (Pushing Payloads, Credential Harvesting, DNS manipulation etc...), this is the cleanest wireless attack in my opinion as you're not competing with a range of possible technologies, like a reverse proxy phish you're bringing the victim onto your territory, that's your network. but there are many things that can be gamed in the wireless security space and I'm avoiding that conversation because it's nuanced from the network to the client to the user, and talking about various scenarios is a waste of time especially with people who aren't malliable to the principles I've mentioned:

  • Network Attestation
  • Infrastructure Posture
  • End-User Device Posture
  • End-User Susceptibility

Now, there's an argument to be made about likelyhood, and those that are risk averse (perhaps those following NCSC guidance) are less-likely to join wireless networks they know they can't trust, because, while the network may be absent of attacker control it also could be, it's a Schrödinger, if we where to tongue-in-cheek do some awful math around likelyhood, generally it's based on two types of people saying 'wireless is fine' there are those that wouldnt know they where hacked from a wireless network, and there are those that would know they're being attacked from a wireless network (you'd like to think) so, let's say you spent 2 days connecting to every random wireless network you could in ... Edinburgh, well done, you're probably gonna get better adverts, you didn't get hacked ? well done!

But when the absence of evidence for or against someting is unobtainable, all you should really work with is the art of the possible

  • Can I be sure the network is good ? (generally, no)
  • Can I be sure the network is bad? (generally, no)
  • Can I be sure my personal hotspot grants me more security (yes)

If we where to suggest there are a modest 50,000 untrusted-public networks in the UK, and by that I mean, it might say Starberks, Starbucks, Free-WiFi, Free-Palistine, whatever, you want some internet access and it's not asking you for a password... and we spent 25 minutes on each of them, 1,250,000 minutes (868 hours(28 months (nearly 2 and a half years))) ... not including travel, and that would be point in time, it could change in a day, month, week, year - and that might not include attacker AP's.

I don't mind having a conversation with anyone about the improvements made in the wireless security space from clients to networks and configurations providing they acknowledge this that i'm speaking about isn't difficult, impossible and sites in the realms of 'could happen' from teenagers learning and showing off to GRU in Belgium with hek5 pineapples.

We've all heard the adage 'You're not important enough to be hacked' often framed as a patronising 'check your self' , while the tone isn't useful, it's probably true, but it's a misplaced sentence here, you're not important enough for a targeted attack, but ... what does your spam folder look like, what ? it's full of spam, still trying to get phished ? that's craaaazy that people would harvest access or hack following the WDADLIB model (Why Does A Dog Lick it's Bollocks - because it can.)

I've also seen statements like, 'why would hackers bother when you can just buy identities off DarkNet Access Brokers',  you only need to expand on what that involves to know why some people wouldn't want to ... pay criminals for shared access to victims, what are you paying them with? your own identity? your own money ? no, so you need a new identity and anonymous money, geeze this is getting boring and introducing complexity. while there is a time and a place for access brokers, I find it lazy to sweep other attacks under the 'why would you? pile, easy likeable tweet but from my experience, addressing the art of the possible holds much more water than often unqualified, poorly considered likelihoods.

But what if I cant

What if I can't use my personal hotspot ?

Well, enter the nuance, Can it wait ? are you with a friend? No, fine... I personally would probably take a chance, I have good visibility over my system, I'm well versed at system management, computer defence and bullshit, I have my preferred DNS client running and I tend to tunnel out of networks that arent mine anyway, but I'm left with the residual risk of things trying to interact with my computer or things trying to manipulate traffic, for me it would be a semi-informed finger in the air, but I wouldn't be naive enough to extend that thinking to people not in my position, on networks I haven't seen amongst systems I don't know,  so If you can't use your personal hotspot, you can take a risk, wait, if it wasn't clear by now, haha... my advice is to use the hotspot if possible as a first choice as a excellent reductive measure.


Attack Notes :

Sampling a network here and there is a great conversation starter, but really once you've gotten over 'it was fine at the time of testing' or 'this particular WiFi is secure', or even, 'I might be able to blah, but it would be illigal' it's as useful as a yougov pol claiming all brittains are happy with brexit, with a footnote that teh sample groop was 7 out of 8 pepople in the Smith Square region, notably the Rees-Mogg household.


https://github.com/wifiphisher/wifiphisher – still works, easy to modify

GitHub - artembrening/Create-NordVPNMobileConfig: Gatters all NordVPN IKEv2 servers via the API and creates .mobileconfig files with own credentials
Gatters all NordVPN IKEv2 servers via the API and creates .mobileconfig files with own credentials - GitHub - artembrening/Create-NordVPNMobileConfig: Gatters all NordVPN IKEv2 servers via the API…
Malicious profiles – one of the most serious threats to mobile devices
Learn more about how attackers install malicious configuration profiles that bypass intended security restrictions.
GitHub - paulmillr/encrypted-dns: DNS over HTTPS config profiles for iOS & macOS
DNS over HTTPS config profiles for iOS & macOS. Contribute to paulmillr/encrypted-dns development by creating an account on GitHub.

If anyone was interested in training, modern training, not books from 8 years ago, I'd point you in the direction of Orange Cyber Defence's offerings (Ye Old SensePost). - https://www.orangecyberdefense.com/fileadmin/general/2023/SensePost_Trainings_Wi-Fi.pdf