Stop using those daft WiFi capture portals

Published: 2020-04-08

Let's talk about public WiFi, shall we? It's been a while since having a WiFi network in a public place has become somewhat standard in the places I've lived, especially if the site is in the hospitality business like a cafe. Sometimes you're lucky, and the network has a password that the staff will tell you. However, more often than not these days, the WiFi will be an open, unencrypted one and when you connect to it a browser with a login portal opens up. It's become common enough that nobody will bat an eye at it. This. Needs. To. Stop. And in this blog post, I'm going to explain to you why.

It's bad for security

First things first, these portals are very bad for security. First of all, because, at every step of the authentification process, the WiFi is public, passwordless, and unencrypted, the users of that network are entirely unprotected.

If you're not in CyberSec, I don't think you grasp how easy it is to hack people without proper protection. If your WiFi network is unencrypted, I can just come in, set up a WiFi Pineapple and listen in on everyone's traffic. Some applications have propper man-in-the-middle attack protection, but by no means, enough of them do not have to worry about this. This vulnerability is why people tell you to never-ever-ever-ever-ever do essential tasks that require authentification over a public unprotected WiFi network.

Even if you only use public WiFi for trivial matters, using unencrypted networks can still be problematic. With the networking gear that comes with almost any Linux distribution and a little bit of know-how, I can find out a surprising amount about everyone in who's on that network. One time I was helping a friend, who shall remain anonymous for obvious reasons, with their WiFi at their office. I tried to log into their router to configure some things, only to discover that I'd accidentally found and entered their NAS without them having told me the password! I had access to all of their client data! (don't worry I've made sure that hole has been thoroughly plugged since.) If your security isn't top-notch and you use unencrypted networks, you're at significant risk, even if you don't do anything significant on it.

Inviting hackers

Very often those networks are called something along the lines of BTHub-Tj5Qr_ or KPN-39AVD or whatever naming scheme your default provider has. First of all, this is just a bad look; it looks unprofessional. But second of all, it makes you a prime target for hackers. Nothing screams 'password to the admin account is probably admin' like a WiFi network with the default network name. Let me tell you friend, 50% of hacking is knowing how to pick your target, and that unaltered WiFi name is an advertisement to come and try the first three things that come to mind if you're a hacker. If it didn't have a decent chance of landing me in hot legal water, I probably would have tried some basic penetration-testing.

It teaches actively bad security practices

The use of these portals actively tampers with adequate security and teaches users lousy security practices. Things like SSL and TSL, which are security protocols your devices use to secure your traffic behind a password, are designed to be tamper-proof, i.e. prevent all of the stuff I mentioned above. They detect when someone in the middle modifies the data you're sending and flashes big bright red warning signs if they do and with good reason! So every time you go to a website that uses HTTPS, which is thankfully increasingly common thanks to things such as Let's Encrypt, the router and your device will both throw a hissy-fit because their intentions are misaligned.

However, that is precisely what these portals do. They capture your traffic, alter the connection and address that gets returned and ask you to provide copious amounts of information (we'll get back to the information bit in a second). The point is that this is probably exactly what a hacker would do, so you are training people to do exactly all the things you don't want them to do and also ignore every possible warning sign!

Incidentally, if you struggle with this, some charming internet folks taught me that you could pretty reliably find the portal by going to one of these websites: example.org, neverssl.com, detectportal.firefox.com. Since those websites will never use HTTPS, they will redirect you to the correct page without throwing up warning signs; it's worked so far in my experience.

It disrupts applications that don't have an entire browser attached

Additionally, it provides a problem for applications that don't have their browser inbuild. Applications like that are much more common than you would think, even on laptops. For example, if I am working on some code and not using the web for anything else, many applications still have to access the internet for brief periods. For example, Cargo, Rust's package and compiler manager, pulls a dependency tree from Crates.io every time I compile something. Neither Cargo nor the router that's making the login portal was designed to handle this case. And it is surprisingly difficult to find the damn portal if it doesn't redirect you properly.

One of those things that don't work correctly with those portals are Virtual Private Networks (VPN). These are things that you can use to both encrypt and anonymise your internet traffic, as I do whenever I'm out and about. However, as previously mentioned, the WiFi portal acts just like a hacker would, so obviously, my VPN doesn't like that. However, the router won't let me do anything else. So if you encounter one of these while the VPN is on, then you enter a state where they both continuously try to redirect you to their sources making the internet virtually unusable until you resolve the situation. I don't think that I have to explain how having to turn off a security feature to use some infrastructure is a bad thing.

It's terrible for privacy

The login portals that I have seen come in three main varieties:

  1. The tracker
  2. The collector
  3. The completely redundant one

I'll address them in reverse order.

The first issue is the completely redundant one. These portals do nothing except make you tick a box that essentially says "I won't do anything illegal". While I am in no way a legal expert, I think that there must be a clause in the law stating that you can't be held responsible if someone does something illegal with your infrastructure without your knowledge. OR, it is something that isn't dismissed with such an easy-to-fool measure. Just stop it.

Who cares? It's just a date of birth.

Secondly, there is a collector. This one collects some basic info about you like name, date of birth, gender and email. I will momentarily take off my CyberSec hat and put on both my data science engineer hat and my privacy advocacy hat, to tell you that this is dangerous. You might think that's over the top of me to say but stick with me for a moment.

I don't think many people realise how incredibly sensitive something like your date of birth is. First of all, which should be fairly obvious, is that it's non-renewable. You can't get a new one if it gets compromised. But you might say "who cares if someone knows my date of birth?". If that is you, I have one thing to say to you: Caption: "You can't do anything with my date of birth" followed by the "that's where you're wrong kiddo" meme

I can do an enormous amount with your date of birth. Here's the thing, maybe on its own it's not that useful, but it's a critical piece of connecting information. The reason they tell you never to reuse passwords is that if some website that has lousy security gets compromised, everything gets compromised. The first thing hackers do when they find your password is to go and try it on pretty much any service they can find you. This process works similarly with data, except that you can't renew your data. Imagine two data breaches have separate information. I can use your date of birth, together with some other statistics that are very widely available, to link that data together, and the more information I have, the easier it gets to guess more data correctly.

To give you an idea of how easy this would be to do, I was assessing a company where I wanted to work as a data scientist a couple of months ago. The company shall remain unnamed, but the assessment was "here are some fairly mundane data about a bunch of people, build a model that identifies this person". I had a week to do this. So, yes, your date of birth getting compromised is a big deal.

And for what?

So here's the thing about all of this data. First of all, I'm 90% sure that 80% of the places that ask you for this kind of information to use their WiFi don't have proper security in place to ba handling data like this. I am not a legal expert so I don't know how the GDPR deals with this, but I smell more non-compliance than you'd think.

Second of all, they don't need it. They plainly don't need it. There is no good reason for them to have to know your date of birth, your gender, your name or anything to give you WiFi access. I'll get to the ones that use it to track you next, but suffice it to say that WiFi worked just five before these portals became standard. Having functioning WiFi is (or should be) and expected part of doing business these days. If you offer a service in your place of business, I am allowed to expect that it adheres to proper safety standards, just like hygiene.

Some people might say, "well they use it for marketing", to which my answer is "no, they don't". If these places can't be bothered to rename their WiFi network, I'm almost sure that they don't have the proper infrastructure or know how to set up a half-decent marketing campaign. One other option for them would be to sell the data at which point I'd like to refer you back to the date-of-birth argument above.

Lastly, I don't want to turn this into a gender/race discussion necessarily. Still, I do think it is worth to point out that this puts up unnecessary barriers to people who have conditions including but not limited to:

  1. Being non-binary
  2. Preferring a different name or pronouns
  3. Having a name you can't spell with ASCII encoding (having proper UTF-8 handling is shockingly rare)

Finally, there is the last kind of portal, which is the tracker. This one goes through some effort to identify you, usually by asking for a valid email, social media account or even in some cases, a phone number. These are the only ones that give me some kind of assurance that they know what they are doing. I still think they have no darn business snooping around in my life just so I can check my email, but at least they seem to show they have some security savviness. Very often these are big chains like Costa, or O2 which brings with it it's own host of privacy concerns. Have I talked to you yet about dates of birth and how big a deal they are?

At this point for me, usually, one of two scenarios plays out. First of all, if the network allows identification through email, I fat-finger everything. Very often they'll try and force you to link a social media account but if you look around there usually is an email option. I can't tell you how many times I've been Ms alvnq;/aef20 fjoiv2 born 01-01-1904 with email none-of-your-damn-business@temp-mail.org. Disposable email services are surprisingly easy to use once you know about them, and there's not a good way around them for the portals since those serviced do accept email properly. If that's not an option, I usually leave. I like working in cafes, but not enough to put up with that kind of invasiveness.

Now, after reading all this, you might say "But Sam! they are just serving coffee, they can't be expected to know all this!" to which is say "yes, you're right!". I don't expect baristas or even business holders to be security experts or be able to hire one just to set up shop. But there is a straightforward way to solve this, which is to follow these three simple steps:

  1. Rename your WiFi network
  2. Use a WPA2 password
  3. Stop using those daft WiFi capture portals
#WiFi, #security