Many trade media outlets have blown the news about the "attack" on Wi-Fi at Barcelona airport, conducted by Avast, out of proportion.
The blog post, less than a page long, contains some startling figures:
- 50.1% had an Apple device, 43.4% - Android, 6.5% - Windows Phone
- 61.7% searched Google or checked Gmail
- 14.9% visited Yahoo
- 52.3% of devices had a Facebook application, and 2.4% - Twitter
There is also a mysterious phrase: "Avast was able to see identity 63.5% of devices and users." I deliberately do not translate "identity"; it will become clear why later.
After that comes a general quote about how important security is and a suggestion to take a look at Avast's mobile VPN client, which is obviously what the whole thing was started for. Naturally, most people paid attention not to this "elegantly disguised" sales message but to the horrific figures. There were cries of "horror! horror!" and the hamsters began to seethe. Let's figure out what's what.
1. 50.1% had an Apple device, 43.4% - Android, 6.5% - Windows Phone
I was very surprised that there were no browser statistics, although on mobile devices they are fairly predictable. OK, so Avast discovered OS fingerprinting. There are hundreds of ways to do it.
The simplest is analysis of the User-Agent string (which gives away everything about the device, and which cannot be changed in any standard browser on mobile phones). Here is an example, just in case:
Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Note that almost all hotspots and web servers do this, simply to understand which clients connect to them and what they need to adapt to.
Next on the list is the analysis of DHCP packets, which cannot identify the browser but often reveals the OS and the type of device. Almost all serious access points and the NAC / NAP / RBAC systems released in the last few years do this, and there is nothing difficult about it.
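A sketch of the DHCP approach described above, added here as an illustration (it is not code from the post or from Avast). The signature table and the sample option fields are constructed; a real NAC product uses a far larger fingerprint database.

```python
# Constructed signature table for illustration, not an authoritative database.
VENDOR_PREFIXES = {"MSFT ": "Windows", "android-dhcp-": "Android"}
PARAM_LISTS = {(1, 121, 3, 6, 15, 119, 252): "Apple iOS / OS X"}

def parse_options(blob):
    """Walk the DHCP options field (code, length, value; RFC 2132) into a dict."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option: single byte, no length
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} overruns the buffer")
        opts[code] = opts.get(code, b"") + value   # repeated options are concatenated
        i += 2 + length
    return opts

def fingerprint(blob):
    """Guess the client OS from option 60 (vendor class) and option 55 (request list)."""
    opts = parse_options(blob)
    vendor = opts.get(60, b"").decode("ascii", "replace")
    params = tuple(opts.get(55, b""))
    guess = next((name for p, name in VENDOR_PREFIXES.items() if vendor.startswith(p)), None)
    return {
        "os": guess or PARAM_LISTS.get(params, "unknown"),
        "vendor_class": vendor,
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "params": params,
    }

def opt(code, value):
    """Encode one option for the constructed samples below."""
    return bytes([code, len(value)]) + value

# Constructed option fields, as they would follow the magic cookie in a DHCP request.
SAMPLES = {
    "a": opt(53, b"\x01") + opt(55, bytes([1, 121, 3, 6, 15, 119, 252])) + opt(12, b"Annas-iPad") + b"\xff",
    "b": opt(53, b"\x01") + opt(60, b"android-dhcp-9") + opt(55, bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43])) + b"\xff",
    "c": b"\x00" + opt(53, b"\x03") + opt(60, b"MSFT 5.0") + opt(12, b"LUMIA-920") + b"\xff\x00\x00",
}
```

The hostname in option 12 is worth noticing: on many devices it is derived from the owner-chosen device name, so a DHCP request can carry more than the OS type.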
Beyond that, the techniques get more subtle, such as analysis of the TCP stack, timing delays in forwarding / processing different types of packets, and so on. Methods like these are usually used to detect all sorts of transparent proxies, firewalls and other network devices, although nothing prevents you from using them to analyze mobile devices.
For those who want the complete list, I can recommend a document from the well-known organization SANS. While you are at it, note the date of publication. In fact, many of these methods were developed in the last century :)
I do not know which method Avast used, but obviously they didn't discover anything new here.
2. Google, Gmail, Yahoo, Facebook, Twitter, Piglet and all-all-all.
Here the conversation is even shorter: if we can determine the type of OS in a bunch of different ways, can we really not determine the application by URL, DNS or, at worst, destination IP? Funny girls.
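How figures like those in points 1 and 2 fall out of plain metadata any hotspot operator already sees, as an added example (not code from the post or from Avast). The observation rows and the domain-to-service map are constructed; only the first User-Agent is the one quoted above.

```python
import re
from collections import Counter
# Order matters: Windows Phone user agents may also mention Android or iPhone.
OS_RULES = [
    ("Windows Phone", re.compile(r"Windows Phone(?: OS)? ([\d.]+)")),
    ("Apple iOS", re.compile(r"\((?:iPad|iPhone|iPod)[^)]*? OS ([\d_]+) like Mac OS X")),
    ("Android", re.compile(r"Android ([\d.]+)")),
]
# Constructed mapping of registered domains to the services named in the post.
SERVICES = {"google.com": "Google", "gmail.com": "Google", "yahoo.com": "Yahoo",
            "facebook.com": "Facebook", "twitter.com": "Twitter"}

def classify_ua(ua):
    """Return (os_name, version) from a User-Agent string, or ("unknown", "")."""
    for name, rx in OS_RULES:
        if (m := rx.search(ua)):
            return name, m.group(1).replace("_", ".")
    return "unknown", ""

def service_for(qname):
    """Match a DNS name on label boundaries, so notgoogle.com is not Google."""
    labels = qname.lower().rstrip(".").split(".")
    for n in range(len(labels)):
        if (svc := SERVICES.get(".".join(labels[n:]))):
            return svc
    return None

def summarize(observations):
    """Percent of devices per OS and per service from (device, kind, value) rows."""
    os_by_dev, svc_by_dev = {}, {}
    for dev, kind, value in observations:
        if kind == "ua":
            os_by_dev[dev] = classify_ua(value)[0]
        elif kind == "dns" and (svc := service_for(value)):
            svc_by_dev.setdefault(dev, set()).add(svc)
    total = len({dev for dev, _, _ in observations})
    pct = lambda counts: {k: round(100 * v / total, 1) for k, v in counts.items()}
    return pct(Counter(os_by_dev.values())), pct(Counter(s for svcs in svc_by_dev.values() for s in svcs))

# Constructed observations; the first User-Agent is the one quoted in the post.
OBSERVATIONS = [
    ("dev1", "ua", "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3"),
    ("dev1", "dns", "mail.google.com"), ("dev1", "dns", "graph.facebook.com"),
    ("dev2", "ua", "Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5) AppleWebKit/537.36 Mobile"),
    ("dev2", "dns", "www.google.com"), ("dev2", "dns", "notgoogle.com"),
    ("dev3", "ua", "Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0)"),
    ("dev3", "dns", "login.yahoo.com"), ("dev4", "dns", "api.twitter.com"),
]
```

A device that never sends plaintext HTTP (dev4 here) still shows up in the service column through its DNS lookups, which is why the OS and service percentages need not add up the same way.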
3. Why did I not translate the “identities” of those “63.5% of users”?
Because it is not clear at all what they mean by this! E-mails? Surnames? Logins / usernames? Logins and passwords? What is a device identity? The MAC address? The IMEI? If it is the MAC address, so what? Especially since all the latest versions of mobile OSes have learned to spoof it in some way. If it is usernames, then so what? Usernames for the portal's main page, which they set up over unsecured HTTP to make the numbers look scarier? In short, more fog, as usual.
By the way, most European countries have legislation obliging the provider to identify users of public access (usually via e-mail or SMS). So here Avast should, in fact, have shown all 100%.
The main question.
Finally, when you sit at home or at work on the Internet using your “safe” Wi-Fi, or even a cable, your traffic passes through 100,500 hosts, routers, SORMs and other DPI, and all the packets are in plain view. How is this fundamentally different from open Wi-Fi?
Interestingly, there is an answer to this question, and I wonder which reader will give the correct one in the comments.
[UPD] Conclusion.
After this analysis it is still unclear what exactly the people from Avast “hacked”, what is so awful about it that it caused a wave in the media (in the comments they suggest that this is simply the media's job: to whip things up and inflate them), and what the “hackers” got that cannot be obtained in other ways.
Lately we have been tirelessly reminded of how dangerous open Wi-Fi is. Yet with the same measures you use for safe Internet access at home (antivirus / HIPS, VPN, patches, and a bit of education and common sense), open Wi-Fi is no worse than the open Internet.
It is worth remembering that most sales in the security field are built on the principle of FUD (Fear, Uncertainty and Doubt), so stay vigilant, check your sources and do not be like lemmings.
What do you think?