Insecure Temp WiFi Networks

Introduction of Problem

After traveling to SF and connecting to numerous free WiFi networks, I have returned back to Pittsburgh and realized that my laptop still likes to connect to unsecured xfinitywifi over my normal house network. This would be the same deal if my laptop happen to see another insecure network named SFO-AIRPORT-FREE-WIFI or the hotel’s free WiFi network.

I understand that I could drop the connection priority of these insecure/free networks in the network manager, but it still exposes a human centric security flaw.

The concern is that, by default, the Gnome network manager places newly connected WiFi network at the top of the preferred networks priority list. So, if your laptop sees these newly connected networks in the same vicinity as your older home network, they connect to the temporary network instead of your trusted home network. This wouldn’t be a serious issue if it weren’t for the fact that these temporary networks do not require any authentication. Anyone can create a network with the same name and no authentication and BOOM, your laptop connects.

TL;DR

I will just jump right to my point. I feel you should have an easy option to specify an expiration for a WiFi network, on connection. The purpose would be to make sure your laptop will not connect to it after your trip or outing to Starbucks.

An even easier half-way solution, would be to automatically drop the priority of insecure networks to the very lowest. The hope is that you laptop would always prefer you secure authenticated networks over a rouge insecure network, although I suspect this may not always be the case.

Accidental Experiment

I have been more cognizant of this issue ever since my little accidental experiment.

While on campus, I configured a RaspberryPi to connect to my school’s insecure WiFi network named CMU. This was happening before the school offered their secure option called CMU-SECURE. I was never a fan of lugging around a monitor+keyboard, so I would interact with the Pi over ssh. I then returned home and realized that I hadn’t configured it with my home WiFi network. At the moment, I really didn’t feel like grabbing a monitor+keyboard or ripping out the SD card to write a new network. So, I simply created a guest WiFi network named CMU, so that it would just connect. The plan was to have it connect and then add my WiFi network to the wpa_supplicant.conf. It worked perfectly, but one might say that it worked a bit too well.

I found the RPi’s IP in the DHCP Lease log, but I also found tons of other mysterious devices that I hadn’t ever seen before. Since I live near many other CMU students, I immediately realized that my neighbors laptops had automatically jumped on my CMU network.

This obviously exposes an issue, where saved insecure networks can be used to grab traffic from unsuspecting devices. Not good! You might assume you traffic is broadcasted for anyone at Starbucks, but you assume it is safe(er) at your house.

We can fix this issue.

Call to action

Calling on all Gnome, Windows, Android, and OSX developers.

Please add an option to make WiFi networks temporary and have expiration dates. It would be nice to check a box and specify an expiration date during the first connect stage.

At the very least, please make insecure networks the automatic lowest priority. If this already has a solution that I am not aware of, please comment below.

Related

Previous
comments powered by Disqus