It looks like Wi-Fi hotspots remain a significant weakness in the overall security landscape. A year ago Firesheep was released and showed how easy it is with a notebook to spy on other users of non-encrypted public Wi-Fi networks and even use the stolen session credentials to do things like sending Tweets and Facebook messages. Some companies have reacted in the meantime by introducing or expanding the use of secure HTTPS sessions to protect their users but many services such as LinkedIn, eBay and others remain vulnerable to some degree to this day.
But security researchers haven't stopped there. Now, Firesheep has moved on to mobile devices in the shape of DroidSheep. All that's required is a rooted Android phone and the network is literally in the hands of an attacker. DroidSheep goes one step further than Firesheep and even has an ARP spoofing functionality, so all traffic of the Wi-Fi hotspot is redirected to the mobile device before it traverses the router to the Internet. This allows spying on others even in encrypted networks (if the WPA password is known, of course), which otherwise prevent Firesheep and DroidSheep from working because each client derives its own individual session keys from the single password everyone uses.
To see what DroidSheep can do I tested it out myself in a private test network at home. Without much effort the program worked as advertised and showed pretty much every site I visited that was not using HTTPS. To my great astonishment I saw that the Facebook mobile app running on another Android device communicated with Facebook's servers without any encryption! With DroidSheep I could take over the account in seconds, write to the wall and do other things with the Facebook account I was using on my other device. In the settings, the app even admits that encryption is currently not supported, as shown in the picture on the left.
For Wi-Fi hotspots to become an integral part of a cellular network offload strategy, these security issues have to be tackled. The solution that comes to my mind is to automatically start a VPN as soon as a Wi-Fi hotspot is used and to prevent any user traffic from being transferred while the VPN is not in place or has dropped due to an attack that takes down the VPN tunnel. Above all, the use of the VPN, the blocking of unencrypted data traffic and the restarting of the VPN must be fully automatic so that it is completely transparent to the user. Otherwise it won't find widespread acceptance and use.
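As an added illustration of the "VPN or nothing" idea above (my own example, not code from this post or from DroidSheep), here is a POSIX shell kill switch for a rooted Linux or Android device: the only traffic allowed out of the Wi-Fi interface is the VPN handshake itself and DHCP, everything else must go through the tunnel, and a watchdog restarts the client if the tunnel disappears. The interface names wlan0/tun0, the VPN endpoint 203.0.113.10:1194/udp and VPN_START_CMD are assumed placeholders, not values from the post.

```shell
#!/bin/sh
# Wi-Fi VPN kill switch (example). Assumed placeholder values; override via env.
WIFI_IF="${WIFI_IF:-wlan0}"            # the hotspot-facing interface
VPN_IF="${VPN_IF:-tun0}"               # the tunnel interface the VPN client creates
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # documentation address, placeholder
VPN_PORT="${VPN_PORT:-1194}"           # UDP port of the VPN endpoint

# Emit the iptables rules one per line so they can be reviewed (or tested)
# before they are applied. Policy DROP on OUTPUT means anything not listed
# here, including plaintext HTTP while the tunnel is down, never leaves the box.
killswitch_rules() {
  cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -j ACCEPT
iptables -A OUTPUT -o $WIFI_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $WIFI_IF -p udp --dport 67:68 -j ACCEPT
iptables -A OUTPUT -o $WIFI_IF -j DROP
EOF
}
# Rule 5 lets the client reach the VPN server, rule 6 keeps DHCP leases alive,
# and the final explicit DROP keeps the intent visible even if the policy changes.

# Apply the rules (run as root after associating with the hotspot).
apply_killswitch() {
  killswitch_rules | while IFS= read -r rule; do
    $rule || { echo "failed: $rule" >&2; exit 1; }
  done
}

# The tunnel counts as up when its interface exists.
vpn_is_up() { [ -d "/sys/class/net/$VPN_IF" ]; }

# Watchdog: the rules above already block plaintext traffic when the tunnel
# drops; this loop only brings the VPN back. VPN_START_CMD is an assumed
# placeholder for whatever starts the VPN client on the device.
watch_vpn() {
  while :; do
    vpn_is_up || ${VPN_START_CMD:?set VPN_START_CMD to the VPN client start command}
    sleep 5
  done
}
```

Nothing is applied at load time; call `apply_killswitch` and then `watch_vpn` from the script or hook that fires when the device joins a Wi-Fi network.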
Excellent note, so scary…
I tried Droidsheep a while back but didn’t get it to work for some reason. But I had noticed that the Facebook app is not secure.
That’s one reason why I started using the SSHTunnel app on my (rooted) phone to automatically route all traffic over an SSH tunnel when connected to a wireless network. It’s not perfect, but it works pretty well.