How safe is open WiFi?

[stanw]

I have a new Macbook Pro and use my Android to tether my unlimited data to my MBP, though I am thinking of getting the new iPhone, and by doing so, I will lose the ability to tether it.

I have the firewall and stealth mode set up on the MBP.

1. What if anything, can someone realistically do to the packets of data I send/download on open WiFi?

2. Can someone use open WiFi to get into my MBP?

Thanks in advance!

 

[Badrottie]

All I can think is NSA can snoop your MacBook Pro even if your security and firewall turned on.

 

[snaky69]

I have a new Macbook Pro and use my Android to tether my unlimited data to my MBP, though I am thinking of getting the new iPhone, and by doing so, I will lose the ability to tether it.

I have the firewall and stealth mode set up on the MBP.

1. What if anything, can someone realistically do to the packets of data I send/download on open WiFi?

2. Can someone use open WiFi to get into my MBP?

Thanks in advance!

iPhone is able to tether just as your Android phone can? It can act as a wireless router with WPA2 encryption. I'm not sure I'm following you here.

 

[christarp]

iPhone is able to tether just as your Android phone can? It can act as a wireless router with WPA2 encryption. I'm not sure I'm following you here.

maybe with paying for a ridiculous tethering contract..

 

[Peace]

Just visualize some hacking nerd sitting in an espresso shop.

I would never trust "open Wifi "

 

[bradleyjx]

I would recommend reading this article on Firesheep, as it exploited some of the quirks of open-access wifi networks. This points to your first question, as in an open wifi environment with no passwords, internet traffic between you and the router is unencrypted. (HTTPS URLs are still encrypted, as that's done in a different layer than the wireless) Firesheep exploited this by intercepting some of this unencrypted network traffic, retrieving tokens that identify other people to websites, and giving you the ability to use those tokens yourself. Note that this only works on unencrypted wifi; if the wifi requires a non-WEP password, then you're pretty much fine.

Wi-Fi can be a tricky thing, though, because there are a couple attack vectors that go just beyond simple encryption:

- When I connect to [network], how do I know that I'm connecting to the actual network and not someone running a different router named [network], just so that they can get in between you and the internet?

- When I connect to [network], is there anything stopping anyone between you and the broader internet from snooping on the connection? (this is a broader issue than just open internet access points, but it isn't as major a concern when you control most of the path between you and your provider)

Neither of these are things that I'd worry too much about, and they're relatively easy to mitigate. (use of a VPN or always using HTTPS connections will mitigate most of these)

---

#2, I wouldn't worry about someone getting into your machine just by you being on an open wifi network. The risk is mostly in someone intercepting the traffic that you're sending and receiving to websites, and leveraging that information in some way. Again, though, HTTPS solves a decent amount of this.

 

[scaredpoet]

If you are concerned about open wifi and the potential for data exposure (and you SHOULD be concerned about it), your best bet is to make use of a VPN. There are services like PrivateTunnel, which you can use to encrypt all your traffic and make sure that no packet sniffers can see what's going on.

And honestly, even with tethering, there's a lot of discussion going on now about what some three letter agencies have done with cell site spoofing and packet interception. So it might be time to start thinking about running a VPN connection full time.

 

[Heterosethual]

If you are concerned about open wifi and the potential for data exposure (and you SHOULD be concerned about it), your best bet is to make use of a VPN. There are services like PrivateTunnel, which you can use to encrypt all your traffic and make sure that no packet sniffers can see what's going on.

And honestly, even with tethering, there's a lot of discussion going on now about what some three letter agencies have done with cell site spoofing and packet interception. So it might be time to start thinking about running a VPN connection full time.

PrivateTunnel has a spelling error on their main homepage so I wouldn't go there. Ay other VPNs with flat rate maybe?

 

[scaredpoet]

PrivateTunnel has a spelling error on their main homepage so I wouldn't go there.

Privatetunnel is directly associated with OpenVPN, one of the major standards for VPN. It's unfortunate they have a typo, but I doubt that means you shouldn't use them. There are far shadier VPN providers out there with immaculately-spelled sites.

That said, WiTopia is another provider that's been around for a while. Maybe they've spell checked their site to your satisfaction?

 

[maflynn]

1. What if anything, can someone realistically do to the packets of data I send/download on open WiFi?

Yes, people can intercept unencrypted packets and see what you're sending. I'd rather not use an open wifi when connecting to any site that has my private details.

2. Can someone use open WiFi to get into my MBP?

Only if you have it set to do so. File sharing, firewall settings off etc.

I tether my phone and use my phone's LTE when I have my laptop and want to ensure that data is safe as possible.

 

[simonsi]

maybe with paying for a ridiculous tethering contract..

Why not use the same contract that you are using with your Android phone....just swap over the SIM (or worst case, if the phones take different SIMs, just order a new SIM for the iPhone on the same contract and number....)

 

[m98custom1212]

I use https://www.privateinternetaccess.com/ Around $50 a year well worth it.

 

[2984839]

It is possible for an attacker on the network to intercept your traffic as if his computer is the wireless access point. On an open network, this traffic is unencrypted between your computer and the WAP. On a network with WPA2, this traffic would be encrypted.

However, if make an SSL/TLS connection to a site, the traffic is encrypted from your computer to the site, thus thwarting anyone on the network from reading it, even though it's an open network.

The danger here though is that they are in a perfect position to perform a man-in-the-middle attack on your SSL connection. They will typically present your browser with a fake certificate. This pops up the invalid cert warning, which most people ignore anyway. Now they can intercept your traffic, read it, and pass it through to the site you're going to, assuming you clicked through the warning.

The more dangerous version of this would be if they got their hands on a valid cert, which has happened before. In that case, your browser would trust it implicitly and you would see no warning.

There are also attacks they can perform on your machine from the network, such as attempting to connect to open ports and running exploits against services listening on open ports. This can be solved with a firewall and shutting down internet facing services you don't need.

It is also possible for an attacker to exploit your web browser by fooling it into associating to their computer (similar to the MITM attack above), then crafting malicious packets that attempt to exploit some known vulnerability. In some cases, this can cause your browser to execute the attacker's arbitrary code on your device--with possibly dire consequences. This would require you to be running a browser that has a vulnerability in it. Keeping your browsers updated is the best way to solve this, but web browsers are horribly complex with millions upon millions of lines of code. There are always exploits out there that the developers don't know about and that are sold to criminals, so an up to date browser is no guarantee of safety.

One tool for this attack is called Airpwn and their site has a very good description of this attack here

 

[christarp]

Why not use the same contract that you are using with your Android phone....just swap over the SIM (or worst case, if the phones take different SIMs, just order a new SIM for the iPhone on the same contract and number....)

The point is android can sideload software that wont make it into the app store such as tethering apps. Then you can do it for free on a non tethering contract

 

[TechGod]

The point is android can sideload software that wont make it into the app store such as tethering apps. Then you can do it for free on a non tethering contract

Wait, you guys have tethering contracts? WTF! Here data includes tethering and if a company attempted to provide data without tethering, they would be laughed out of the competition.

But the iPhone has tethering option in the settings so why not use that by keeping the same plan and SIM?

 

[christarp]

Wait, you guys have tethering contracts? WTF! Here data includes tethering and if a company attempted to provide data without tethering, they would be laughed out of the competition.

But the iPhone has tethering option in the settings so why not use that by keeping the same plan and SIM?

the option is disabled on phones unless you sign up for an asinine extra $10-20 a month for the "feature" Since apple doesn't allow tethering apps on the app store there generally isn't much of a way to tether without paying an extra $10-20 a month for it. You can download apps that will do it if you jailbreak, or like said, if you have android you can sideload an app that will do it without the tethering contract.

It's absolutely ridiculous.

 

[TechGod]

the option is disabled on phones unless you sign up for an asinine extra $10-20 a month for the "feature" Since apple doesn't allow tethering apps on the app store there generally isn't much of a way to tether without paying an extra $10-20 a month for it. You can download apps that will do it if you jailbreak, or like said, if you have android you can sideload an app that will do it without the tethering contract.

It's absolutely ridiculous.

It's not Apple's fault it seems to be the carriers fault since over here Apple doesn't disable tethering.

 

[christarp]

It's not Apple's fault it seems to be the carriers fault since over here Apple doesn't disable tethering.

yes it is the carrier's fault, but you can work around the carriers easier with an android phone.

 

[TechGod]

yes it is the carrier's fault, but you can work around the carriers easier with an android phone.

Fair enough.