March 1, 2007 6:40 PM PST

Your Wi-Fi can tell people a lot about you

ARLINGTON, Va.--Simply booting up a Wi-Fi-enabled laptop can tell people sniffing wireless network traffic a lot about your computer--and about you.

Soon after a computer powers up, it starts looking for wireless networks and network services. Even if the wireless hardware is then shut off, a snoop may already have caught interesting data. Much more information can be plucked out of the air if the computer is connected to an access point, in particular an access point without security.

"You're leaking all kinds of information that an attacker can use," David Maynor, chief technology officer at Errata Security, said Thursday in a presentation at the Black Hat DC event here. "If the government was taking this information from you, people would be up in arms. Yet you're leaking this voluntarily using your laptop at the airport."

There are many tools that let anyone listen in on wireless network traffic. These tools can capture information such as usernames and passwords for e-mail accounts and instant message tools as well as data entered into unsecured Web sites. At the annual Defcon hacker gathering, a "wall of sheep" always lists captured log-in credentials.

Errata has developed another network sniffer that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web site queries, Web traffic and more.

"You don't realize how much you're making public, so I wrote a tool that tells you," said Robert Graham, Errata's chief executive. The tool will soon be released publicly on the Black Hat Web site. Anyone with a wireless card will be able to run it, Graham said. Errata also plans to release the source code on its Web site.

The Errata sniffer, dubbed Ferret, packs more punch than other network sniffers already available, such as Ethereal and Kismet, because it looks at so many different protocols, Graham said. Some at Black Hat called it a "network sniffer on steroids."

Snoops can use the sniffer tools to see all kinds of data from wireless-equipped computers, regardless of the operating system.

For example, as a Windows computer starts up, it will emit the list of wireless networks the PC has connected to in the past, unless the user manually removed those entries from the preferred networks list in Windows. "The list can be used to determine where the laptop has been used," Graham said.
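The preferred-network disclosure Graham describes travels in 802.11 probe request frames, each of which can name one remembered network. The Python below is an added example for auditing a capture taken from your own laptop; it is not code from the article or from Errata's Ferret. It assumes each frame starts at the 802.11 header (no radiotap header, no trailing checksum), and the MAC address and network names are constructed sample data.

```python
import struct
from collections import defaultdict

PROBE_REQUEST = 0x40   # frame-control byte 0: version 0, type 0 (mgmt), subtype 4
HEADER_LEN = 24        # frame control, duration, three addresses, sequence control
TAG_SSID = 0

def parse_probe(frame: bytes):
    """Return (source_mac, ssid) for a probe request, else None.
    ssid is '' for a wildcard probe, which names no network."""
    if len(frame) < HEADER_LEN or frame[0] != PROBE_REQUEST:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # address 2 = transmitter
    pos = HEADER_LEN
    while pos + 2 <= len(frame):                        # walk tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:                         # truncated element: give up
            return None
        if tag == TAG_SSID:
            return src, value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None

def disclosed_networks(frames):
    """Map each transmitter to the network names it revealed in directed probes."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe(frame)
        if parsed and parsed[1]:                        # skip wildcard probes
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(names) for mac, names in seen.items()}

def make_probe(src: bytes, ssid: bytes) -> bytes:
    """Build a constructed probe request for the sample data below."""
    bcast = b"\xff" * 6
    header = struct.pack("<HH6s6s6sH", PROBE_REQUEST, 0, bcast, src, bcast, 0)
    rates = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])       # supported-rates element
    return header + bytes([TAG_SSID, len(ssid)]) + ssid + rates

# Constructed sample: one laptop probing for remembered networks after boot.
LAPTOP = bytes.fromhex("020000aabbcc")
SAMPLE = [make_probe(LAPTOP, s) for s in (b"HomeNet", b"", b"HotelLobby", b"HomeNet")]
SAMPLE.append(make_probe(LAPTOP, b"Cafe")[:27])         # truncated capture

if __name__ == "__main__":
    print(disclosed_networks(SAMPLE))
```

Every name in the result is an entry worth removing from the preferred networks list if you no longer use that network.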

Apple Mac OS X computers will share information such as the version of the operating system through the Bonjour feature, Graham said. Bonjour is designed to let users create networks of nearby computers and devices.

Additionally, shortly after start-up, computers typically broadcast their previous Internet Protocol address and details on networked drives or devices such as printers that they try to connect to, Graham said.

"These are all bits of otherwise friendly information," Graham said. But in the hands of the wrong person, they could help attack the computer owner or network. Furthermore, the information could be useful for intelligence organizations, he said.

And that's just what the data snoops can sniff out of the air when a laptop is starting up. If the computer is then connected to a wireless network, particularly the unsecured type at hotels, airports and coffee shops, much more can be gleaned. Hackers have also cracked basic Wi-Fi security, so secured networks can't provide a security guarantee.

In general, experts advise against using wireless networks to connect to sensitive Web sites such as online banking. However, it is risky to use any online service that requires a password. The Errata team sniffed one reporter's e-mail username and password at Black Hat and displayed it during a presentation.

People who have the option of using a Virtual Private Network when connected to a wireless network should use it to establish a more secure connection, experts suggest. Also, on home routers WPA, or Wi-Fi Protected Access, offers improved security over the cracked WEP, or Wired Equivalent Privacy.

"The best solution is to be aware of the danger," Graham said. "Everyone doesn't need to work from a coffee shop."

24 comments

Blackhats Should Be Skewered--at the least!
Or drawn and quartered at a minimum. To publicly disseminate a tool like this with so brazen an attitude and to act so cocky about it in the process. They truly need to be humbled by some good old-fashioned torture techniques, IMHO, LOL. They are evil and vindictive to say the least. Fight fire with fire, I say!!

Now, where is that mace I bought last year.
Posted by WJeansonne (480 comments )
They should be rewarded at the least!
Are you kidding me? These people are warning you that public wireless or even private wireless networks are not secure and just starting up your wifi leaks information. Guess what, that is information the public needs. Do you think the people who make the wifi routers, access points and cards are going to tell you this?

Do you think the people who have malicious intent are going to let you know? They aren't. The Blackhat conference is doing us a great service.

I plan on downloading that tool and seeing what my laptop leaks out when I start it up and if my network is truly secure.
Posted by ballssalty (219 comments )
A few simple counter-arguments
1. Being ignorant of the personal information your computer is spewing onto the airwaves doesn't make it stop.
2. Don't assume everyone is as ignorant as you are. The "bad people" already knew how to get this information.
3. You really don't do much for your credibility by putting "IMHO, LOL" in the middle of your post. It makes you sound like a third grader.
4. What is a third grader doing with mace? You should be ashamed of yourself.
Posted by pete_the_pirate (2 comments )
No, no, no!
Sir,

You are very misguided. Security research is very important in order to protect everyone. Should law enforcement or the healthcare industry stop doing their research as well? Should they also be tortured and killed for finding things that make us uncomfortable?

It may seem like exposing this information is a bad thing, but I can assure you that without this information the world would be far worse off.
Posted by 0x90 (15 comments )
Blackhats: Pillory the scoundrels
I agree. These people, under the banner of "we're here to help you" are merely perpetuating their own commercial self-interests while helping the malcontents in their efforts. I call it the neo-electronic criminal eco-system.
Posted by Schratboy (122 comments )
Head in the sand
Head in the sand, ass in the air.
Not much of a defensive posture there, genius.
BTW
For all the public exploits many others that have never been disclosed also exist.
Also ANY of the current encryption schemes can be decrypted given enough time and effort.
So the advice given here should be taken very seriously, with huge helpings of thanks.
Posted by CapoNumen (19 comments )
WTF?
Uhm, network sniffers are nothing new, they are more useful to whitehats and network professionals than they are to hackers. Yes, they can be used for nefarious reasons, but are an extremely valuable tool. This tool isn't really any different from other sniffers, (from what I can tell so far), other than it starts to capture what you send out as the OS boots up.

There is nothing wrong at all with releasing tools like this to the world, and it will help me make some important determinations regarding wifi in my place of employment.
Posted by bemenaker (438 comments )
Useful information
Both the article and the information/sniffers mentioned are useful for anyone who uses Wi-Fi for pretty much anything. What one gleans from this is that unprotected Wi-Fi use is much riskier than most people realize--and that even "secure" use isn't really secure. Unfortunately, the problem is likely to get worse before it gets better. Freedoms are more often given away than taken.
Posted by Cato42 (25 comments )
Disable WiFi, Use Software Firewall
Seems like the sensible thing to do is disable your wireless device before booting up, boot, let your laptop's software firewall start up, then start your WiFi. Stealth your wireless network with port blocking. And for god sakes, don't use file sharing over WiFi. Unbind File and Print Sharing from your wireless adapter. If you can, unbind Microsoft's networking protocol too.

The key to security is simplicity, simplicity, simplicity. But what do we get with products like Vista? Complexity, complexity, complexity. Unnecessary complexity at that. How many new services does Vista add? One dozen? Two dozen? Three dozen? Must be a hacker's dream.
Posted by Stating (869 comments )
How has WPA2 been holding up?
I don't know of any properly configured WPA2 networks getting owned, can anyone else comment on this?
Posted by Dachi (797 comments )
WPA2
WPA2 can form an unassailably secure network. But that is not the problem. Most open sites cannot be WPA since there is no way to share the key...and most people wouldn't care to make any extra step beyond what they do now.
Posted by internetmarine (2 comments )
"experts" say don't use wireless for banking??
Who are these experts that are saying not to use wireless networks for internet banking? Those are the sites that are SAFEST to use over wireless because they use SSL encryption! Check your e-mail, you give up your login credentials, but if you check your bank account, you're safe. Silly misinformation!
Posted by turls (1 comment )
Riiiight...
I completely agree with you. Let's meet up in a coffee shop somewhere, get on the Internet, and talk about it some more.

The point isn't that banks are less safe than online email accounts (some of which use SSL), it's that you care a lot more about the theft of that $3.50 in your checking account than you do about someone reading your email. Why not avoid the additional risks from public wireless networks and wait until you get home to check your bank account?
Posted by pete_the_pirate (2 comments )
SSL does not make you safe
Uhh.. SSL doesn't make you safe.

At least not always. While it is mostly true (barring an SSL MITM) that information sent between your computer and a bank site is mostly secured, a successful attack on a wireless system could own your machine. There are evil twin attacks, DHCP or ARP spoofing, WEP attacks, root exploits on adapters, etc. And that is not even beginning to address all of the web app security woes that SSL will NEVER prevent found on bank apps. I can personally attest to having found 100s of vulnerabilities in online bank apps. I'm just glad that the SSL was there to help encrypt my attacks.
Posted by 0x90 (15 comments )
This doesn't have to be...
A simple and free solution to the perils of this article is a VPN called "HotSpotShield" available from a company called "AnchorFree" (www.anchorfree.com). I'm amazed that more people are not aware of it. I've been using it with open and protected WiFi sites for about 6 months.
Posted by dovad (5 comments )
Not the greatest solution
So now instead of schlepping a laptop around to overpriced coffee shops, crackers can just focus on breaking into this "AnchorFree" outfit where all of the traffic is being concentrated. And there's always the possibility that "AnchorFree" themselves are crackers. What a great way to set yourself up in the middle of Internet traffic: offer a "free security service" that sends all traffic through you.
Posted by solrosenberg (124 comments )
David Maynor
So David Maynor's back in the news after faking that Mac OS X exploit. Now he's peddling something that sounds like what dsniff's been able to do for almost a decade now. Yawn.
Posted by solrosenberg (124 comments )
WOW!!!... This info is so... ???
WOW!!! This info is so old...

I don't see anything really new in this article than I've known for quite some time... ever since wireless devices came out.

About the only new thing is the tool which allows not only you to see, but will also fall into the wrong hands and allow everybody else to see other's information too.

Too many times, tools made for a good purpose have turned out to also be quite usable for bad purposes...

This happens to be one of them. Rather than spending the time to show people what kind of info they're spewing out... they need to make a tool that will go in and tweak WiFi settings such that the leaked information is minimal and to warn/prevent users who try to do anything that WILL LEAK their information to others!

FWIW
Posted by wbenton (522 comments )
Confused...
==> The Errata sniffer, dubbed Ferret, packs more punch than other network sniffers already available, such as Ethereal and Kismet, because it looks at so many different protocols, Graham said. Some at Black Hat called it a "network sniffer on steroids."


Uhh... what? Ethereal, tcpdump, snoop... they all do the same thing: look at _any and all traffic_ coming across the interface you choose. When I say all/any, I do mean all/any.

The analysis of the underlying protocol isn't necessary, because the packets are already there on your screen and you can work with them however you see fit.

Therefore, I'm confused why this utility is somehow different. If anything, it seems more limited, since it picks apart all traffic and looks for 25 specific protocols -- versus normal sniffers which pick up everything.
Posted by katamari (310 comments )
How is ErrataSec any different from SandStorm Enterprises
Ferret appears to be very similar to SandStorm Enterprises tools "tools with sharp edges". NetIntercept and LANWATCH is a commercial product that has been around for a while, co-founded by someone older than Mr Maynor. Hacker mentality, wasn't this covered at a BlackHat Talk in 1997 basically stating, hackers should stop trying to break things and start fixing things, otherwise security issues will only become worse.

I know Mr. Graham knows better, maybe he is being influenced by the Apple Wi-Fi fame of Dave Maynor.
Posted by mhteicher (1 comment )