Stop using those daft WiFi capture portals

Published: 2020-04-08

Let's talk about public WiFi, shall we? It's been a while since having a WiFi network in a public place has become somewhat standard in the places I've lived. Especially if the place is in the hospitality business like a cafe. Sometimes you're lucky and the network has a password that you must either ask for or they have up in the room somewhere. However, more often than not these days, the WiFi will be an open unencrypted one and when you connect to it a browser with a login portal opens up. It's become common enough that nobody will bat an eye at it. This. Needs. To. Stop. And in this blog post, I'm going to explain to you why.

It's bad for security

First things first, these portals are very bad for security. First of all, because the WiFi is public, passwordless, and unencrypted before, during and after the authentication process, the users of that network are completely unprotected.

If you're not in CyberSec I don't think you grasp how easy it is to hack people without proper protection. If your WiFi network is unencrypted, I can just come in, set up a WiFi Pineapple and listen in on everyone's traffic. Some applications have proper man-in-the-middle attack protection, but by no means do enough of them have it for you not to have to worry about this. This is why people tell you to never-ever-ever-ever-ever do important tasks that require authentication over a public unprotected WiFi network.

Even if you don't, using unencrypted networks can still be a problem. With the networking gear that comes with almost any Linux distribution and a little bit of know-how, I can find out a surprising amount about everyone who's on that network. One time I was helping a friend, who shall remain anonymous for obvious reasons, with their wifi at their office. I tried to log into their router to configure some things, only to discover that I'd accidentally found and entered their NAS without them having told me the password! I had access to all of their client data! (Don't worry, I've made sure that hole has been thoroughly plugged since.) The point I'm trying to make is that if your security isn't top-notch and you use unencrypted networks, you're at a big risk, even if you don't do anything important on it.

Inviting hackers

Very often those networks are called something along the lines of BTHub-Tj5Qr_ or KPN-39AVD or whatever kind of naming scheme your default provider has. First of all, this is just a bad look, it looks unprofessional. But second of all, it makes you a prime target for hackers. Nothing screams 'password to the admin account is probably admin' like a WiFi network that isn't renamed. Let me tell you friend, 50% of hacking is knowing how to pick your target and that unaltered WiFi name is basically an advertisement to come and try the first three things that come to mind if you're a hacker. If it didn't have a decent chance of landing me in hot legal water I probably would have tried some basic penetration-testing techniques and, wherever I got in, renamed the network to something like "Looks like X didn't configure their wifi securely enough".

It teaches actively bad security practices

The use of these portals actively tampers with good security and teaches users bad security practices. Things like SSL and TLS, which are security protocols your devices use to secure your traffic behind a password, are designed to be tamper-proof, i.e. prevent all of the stuff I mentioned above. They detect when someone in the middle modifies the data you're sending and flash big bright red warning signs if they do. This is with good reason! So every time you go to a website that uses https, which is thankfully increasingly common thanks to things such as Let's Encrypt, the router and your device will both throw a hissy-fit because their intentions are misaligned.

However, that is exactly what these portals do. They capture your traffic, alter the connection and address that gets returned and ask you to provide copious amounts of information (we'll get back to the information bit in a second). The point is that this is probably exactly what a hacker would do, so you are training people to do exactly all the things you don't want them to do and also ignore basically every possible warning sign!

Incidentally, if you struggle with this, some very nice internet folks taught me that you can pretty reliably find the portal by going to one of these websites: example.org, neverssl.com, detectportal.firefox.com. Since those websites will never use https they will just redirect you to the correct page without throwing up warning signs. It's worked so far in my experience.

It disrupts applications that don't have an entire browser attached

Additionally, it poses a problem for applications that don't have their own browser built in. This is much more common than you would think, even on laptops. For example, if I am working on some code and not using the web for anything else, many applications still have to access the internet for brief periods. For example Cargo, Rust's package and compiler manager, pulls a dependency tree from Crates.io every time I compile something. Obviously, neither cargo nor the router that's making the login portal was designed to handle this case. And it is surprisingly difficult to actually find the damn portal if it doesn't redirect you properly.
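The plain-HTTP trick from the previous section can be scripted so that a machine without a browser can tell whether it is behind a portal and where the login page lives. The following is an added example, not code from the original post; the `/success.txt` path and its `success` body are assumptions about how the detectportal.firefox.com check responds, and the sample responses in the comments are constructed.

```python
import urllib.error
import urllib.request

# Plain-HTTP probe against one of the hosts named above.
# Assumption: /success.txt answers 200 with the body "success" on an open network.
PROBE_URL = "http://detectportal.firefox.com/success.txt"
EXPECTED_BODY = "success"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the portal's Location stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body):
    """Return (state, portal_url) for one probe response."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and h.get("location"):
        return ("portal", h["location"])      # gateway redirected us to its login page
    if status == 200 and body.strip() == EXPECTED_BODY:
        return ("open", None)                 # response arrived untouched
    # 200 with a different body, or 511 Network Authentication Required:
    # the gateway answered in place of the real server without redirecting.
    return ("portal", None)


def probe(url=PROBE_URL, timeout=5):
    """Send one probe without following redirects and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify(resp.status, resp.headers, body)
    except urllib.error.HTTPError as err:     # unfollowed 3xx and 4xx/5xx land here
        return classify(err.code, err.headers, "")
    except OSError:                           # no route, DNS failure, timeout
        return ("offline", None)


if __name__ == "__main__":
    print(probe())
```

A result of `("portal", None)` means the gateway rewrote the page instead of redirecting, which is the case where the login page has to be found by opening the probe URL in a browser.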

One of those things that don't work properly with those portals is Virtual Private Networks (VPNs). These are things that you can use to both encrypt and anonymise your internet traffic, as I do whenever I'm out and about. However, as previously mentioned, the wifi portal acts just like a hacker would, so obviously, my VPN doesn't like that. However the router won't let me do anything else, so if you encounter one of these while the VPN is on, which it usually is, then you enter a state where they both continuously try to redirect you to their own sources, making the internet essentially unusable until you resolve the situation. I don't think that I have to explain how having to turn off a security feature to use some infrastructure is a bad thing.

It's bad for privacy

The login portals that I have seen come in three main varieties:

  1. The tracker
  2. The collector
  3. The completely redundant one

I'll address them in reverse order.

First up is the completely redundant one. This is the one that does nothing except make you tick a box that essentially says "I won't do anything illegal". While I am in no way a legal expert, I think that either, there is a clause in the law stating that you can't be held responsible if someone does something illegal with your infrastructure without your knowledge, OR, it is something that isn't dismissed with such an easy-to-fool measure. Just stop it.

Who cares? It's just a date of birth

Secondly, there is the collector. This one just collects some basic info about you like name, date of birth, gender and email. This is where I will momentarily take off my CyberSec hat and put on both my data science engineer hat and my privacy advocacy hat, to tell you that this is dangerous. You might think that's over the top of me to say but stick with me for a moment.

I don't think many people realise how incredibly sensitive something like your date of birth is. First of all, and this should be fairly obvious, it's non-renewable. You can't get a new one if it gets compromised. But you might say "who cares if someone knows my date of birth?". If that is you I have one thing to say to you:

[Image: "You can't do anything with my date of birth" followed by the "that's where you're wrong kiddo" meme]

I can do an enormous amount with your date of birth. Here's the thing, maybe on its own it's not that useful, but it's a critical piece of connecting information. The reason they tell you to never reuse passwords is that if some website that has bad security gets compromised, everything gets compromised. The first thing hackers do when they find your password is to go and try it on pretty much any service they can find you. This works similarly with data, except that you can't renew your data. Imagine there are two data breaches that have separate information. I can use your date of birth, together with some other statistics that are very widely available, to link that data together, and the more data I have, the easier it gets to guess more data correctly.
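To see why a date of birth works as connecting information, anyone holding portal sign-up data can measure how many people each combination of fields singles out. This is an added example, not from the original post; the records are constructed and the function names are illustrative.

```python
from collections import Counter

# Constructed sign-up records: (date of birth, gender), two of the fields
# the "collector" portal asks for.
_ROWS = [
    ("1990-03-14", "f"), ("1990-03-14", "m"), ("1990-07-02", "f"),
    ("1985-11-30", "m"), ("1985-11-30", "m"), ("1972-01-09", "f"),
    ("1998-05-21", "m"), ("1998-12-01", "f"),
]
SIGNUPS = [{"dob": dob, "gender": gender} for dob, gender in _ROWS]


def anonymity_sets(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def unique_fraction(records, fields):
    """Share of records whose combination of `fields` belongs to nobody else."""
    groups = anonymity_sets(records, fields)
    alone = sum(1 for r in records if groups[tuple(r[f] for f in fields)] == 1)
    return alone / len(records)


def smallest_group(records, fields):
    """Size of the smallest group (the k in k-anonymity) for these fields."""
    return min(anonymity_sets(records, fields).values())


if __name__ == "__main__":
    for fields in (["gender"], ["dob"], ["dob", "gender"]):
        print(fields, unique_fraction(SIGNUPS, fields), smallest_group(SIGNUPS, fields))
```

A record that is alone in its group can be matched one-to-one against any other dataset carrying the same fields, which is why the fraction climbs as soon as the date of birth is included.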

Just to give you an idea of how easy this would be to do, I was doing an assessment for a company where I wanted to work as a data scientist a couple of months ago. The company shall remain unnamed, but the assessment was "here are some fairly mundane data about a bunch of people, build a model that identifies this person". I had a week to do this. So, yes, your date of birth getting compromised is a big deal.

And for what?

So here's the thing about all of this data. First of all, I'm 90% sure that 80% of the places that ask you for this kind of information to use their WiFi don't have proper security in place to be handling data like this. I am not a legal expert so I don't know how the GDPR deals with this, but I smell more non-compliance there than you'd think.

Second of all, they don't need it. They just plain don't need it. There is no good reason for them to have to know your date of birth, your gender, your name or anything to give you WiFi access. I'll get to the ones that use it to track you next, but suffice it to say that WiFi worked just fine before these portals became standard. As far as I'm concerned, having functioning WiFi is (or should be) an expected part of doing business these days and if you offer a service in your place of business, I am allowed to have the expectation that it adheres to proper safety standards, just like hygiene.

Some people might say, "well they use it for marketing", to which my answer is "no they don't". If these places can't be bothered to rename their WiFi network, I'm almost sure that they don't have the proper infrastructure or know-how to set up a half-decent marketing campaign. One other option for them would be to sell the data, at which point I'd like to refer you back to the date-of-birth argument above.

Lastly, I don't want to turn this into a gender/race discussion necessarily, but I do think it is worth pointing out that this puts up unnecessary barriers to people who have conditions including but not limited to:

  1. Being non-binary
  2. Preferring a different name or pronouns
  3. Having a name you can't spell with ASCII encoding (having proper UTF-8 handling is shockingly rare)

Finally, there is the last kind of portal which is the tracker. This one actually goes through some effort to identify you, usually by asking for a valid email, social media account or even in some cases, a phone number. These are the only ones that give me some kind of assurance that they actually know what they are doing. I still think they have no darn business snooping around in my life just so I can check my email, but at least they seem to show they have some security savviness. Very often these are big chains like Costa or O2, which brings with it its own host of privacy concerns. Have I talked to you yet about dates of birth and how big a deal they are?

At this point for me, usually, one of two scenarios plays out. First of all, if the network allows identification through email, I fat-finger everything. Very often they'll try and force you to link a social media account but if you look around there often is an email option. I can't tell you how many times I've been Ms alvnq;/aef20 fjoiv2 born 01-01-1904 with email none-of-your-damn-business@temp-mail.org. Disposable email services are surprisingly easy to use once you know about them and there's not a really good way around them for the portals since those services do accept email properly. If that's not an option I usually just leave. I like working in cafes, but not enough to put up with that kind of invasiveness.

Now, after reading all this you might say "But Sam! they are just serving coffee, they can't be expected to know all this!" to which I say "yes, you're absolutely right!". I don't expect baristas or even business holders to be security experts or be able to hire one just to set up shop. But there is a very easy way to solve this, which is to just follow these three simple steps:

  1. Rename your WiFi network
  2. Use a WPA2 password
  3. Stop using those daft WiFi capture portals