
With mobile phones in almost every pocket today, the payphone has lost its usefulness for perhaps everyone – except maybe Clark Kent. This is why New York City held a competition looking for the best ideas to make appropriate use of this valuable real-estate spread throughout the city.

About a year after the contest winner was announced, the city began transforming phone booths into free gigabit Wi-Fi hotspots through the LinkNYC project.

The impact of this project could be monumental for New Yorkers, not just through reduced cellular data charges but also through reduced security, depending on how they use the service.

Anyone familiar with the security risks of using open Wi-Fi networks might breathe a sigh of relief to hear that LinkNYC offers the option to use encryption. It is well-known that without proper encryption, anyone within radio range can potentially siphon private data out of thin air.

The use of unprotected wireless networks also exposes users to rogue access points like the Pineapple Wi-Fi that can simulate probed networks and lure devices onto an untrusted network.

Known as a KARMA attack, this technique leverages the way Wi-Fi clients broadcast a list of preferred networks. As devices look for familiar AP names, the rogue access point is designed to start advertising all of the preferred names. If any network profile does not use encryption, the device will most likely connect without question. This is why I always give the advice to stay away from open Wi-Fi access points or, at least, to immediately delete the connection profile when done using the network.
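A defender-side check for the behaviour described above, as an added example that is not part of the original article: it reads a constructed summary of probe traffic and flags any BSSID that answers probes for many unrelated SSIDs, or for a random "canary" SSID that no real network uses. The log format, the canary name and the threshold are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed capture summary (not real traffic):
# kind, transmitter MAC, receiver MAC, SSID
SAMPLE = """\
probe-req  aa:aa:aa:00:00:01 ff:ff:ff:ff:ff:ff HomeNet
probe-resp 02:00:00:00:be:ef aa:aa:aa:00:00:01 HomeNet
probe-req  aa:aa:aa:00:00:01 ff:ff:ff:ff:ff:ff CoffeeShop
probe-resp 02:00:00:00:be:ef aa:aa:aa:00:00:01 CoffeeShop
probe-req  aa:aa:aa:00:00:02 ff:ff:ff:ff:ff:ff canary-7f3a9c1e
probe-resp 02:00:00:00:be:ef aa:aa:aa:00:00:02 canary-7f3a9c1e
probe-req  aa:aa:aa:00:00:02 ff:ff:ff:ff:ff:ff Airport-Free
probe-resp 0c:11:22:33:44:55 aa:aa:aa:00:00:02 Airport-Free
"""

def find_karma_suspects(log, canaries=frozenset(), max_ssids=2):
    """Return {bssid: [reasons]} for access points that answer too eagerly."""
    answered = defaultdict(set)
    for line in log.splitlines():
        parts = line.split(None, 3)          # SSID may contain spaces
        if len(parts) != 4 or parts[0] != "probe-resp":
            continue
        _, bssid, _client, ssid = parts
        answered[bssid.lower()].add(ssid)

    suspects = {}
    for bssid, ssids in answered.items():
        reasons = []
        # A canary is a random SSID a sensor probes for; nothing should own it.
        hits = sorted(ssids & set(canaries))
        if hits:
            reasons.append(f"answered canary SSID {hits[0]}")
        # One radio claiming many unrelated network names matches KARMA behaviour.
        if len(ssids) > max_ssids:
            reasons.append(f"answered for {len(ssids)} distinct SSIDs")
        if reasons:
            suspects[bssid] = reasons
    return suspects

if __name__ == "__main__":
    for ap, why in find_karma_suspects(SAMPLE, {"canary-7f3a9c1e"}).items():
        print(ap, "->", "; ".join(why))
```

The distinct-SSID threshold needs tuning for sites where one radio legitimately serves several networks; the canary hit is the stronger signal.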


A variation of this problem may arise, however, depending on exactly how the encryption is being deployed for LinkNYC. The most basic form of modern Wi-Fi encryption is WPA2-PSK, which requires that a pre-shared key set on the router must be entered on all clients before a connection can be made.

The client and access point perform a 4-way handshake in which both parties (the supplicant and the authenticator, as they are termed) confirm that they know the same passphrase. If the devices have differing passphrases, they will not agree upon a session key and the connection will be aborted. This technique is nearly ubiquitous in home networks, as well as in many smaller office networks, but it only works as long as the passphrase is not known to anyone with malicious intentions.

Unlike the older WEP encryption, an attacker armed with a WPA2 pre-shared key cannot use the key to decrypt other users’ traffic. The handshake is appropriately secured such that someone observing the key exchange should not be able to derive the agreed-upon session keys.

The problem with this technique, however, is that it does not provide strong assurances that the associated access point is authentic. With a widely shared passphrase and SSID, it is trivial for malicious users to bring up rogue access points that clients will trust. The attacker can even flood the airwaves with spoofed 802.11 deauth frames, effectively preventing anyone in the area from connecting to the real access point. In this way, WPA2 can actually give users a false sense of security.
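What the 4-way handshake does and does not prove, as an added example that is not part of the original article: the sketch derives the WPA2-PSK keys with the standard PBKDF2 and PRF constructions and checks the handshake MICs for three cases. The SSID, passphrases and MAC addresses are constructed, and the message bodies are stand-ins for real EAPOL-Key frames.

```python
import hashlib, hmac, os

def pmk(passphrase, ssid):
    # WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def kck(master, ap_mac, sta_mac, anonce, snonce):
    # PTK = PRF(PMK, label, sorted MACs || sorted nonces); the first 16 bytes
    # are the key confirmation key (KCK) used to MAC the handshake messages.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(3):  # 3 x 20 bytes covers the 48-byte CCMP PTK
        block = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(master, block, hashlib.sha1).digest()
    return out[:16]

def mic(key, frame):
    return hmac.new(key, frame, hashlib.sha1).digest()[:16]

def client_accepts(client_pass, ap_pass, ssid, ap_mac, sta_mac):
    """Run a simplified 4-way handshake; True if both sides' MICs verify."""
    anonce, snonce = os.urandom(32), os.urandom(32)      # messages 1 and 2
    sta_kck = kck(pmk(client_pass, ssid), ap_mac, sta_mac, anonce, snonce)
    ap_kck = kck(pmk(ap_pass, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2 = b"constructed-msg2" + snonce  # stand-in for the real EAPOL-Key frame
    if not hmac.compare_digest(mic(sta_kck, msg2), mic(ap_kck, msg2)):
        return False                     # AP rejects: passphrases differ
    msg3 = b"constructed-msg3" + anonce
    return hmac.compare_digest(mic(ap_kck, msg3), mic(sta_kck, msg3))

# Constructed values for illustration only.
SSID, SHARED = "Example-Citywide", "published-passphrase"
STA = bytes.fromhex("aaaaaa000001")
CITY_AP = bytes.fromhex("0c1122334455")
OTHER_AP = bytes.fromhex("020000000099")  # a different radio that knows SHARED

if __name__ == "__main__":
    print(client_accepts(SHARED, SHARED, SSID, CITY_AP, STA))            # same passphrase
    print(client_accepts(SHARED, "something-else", SSID, CITY_AP, STA))  # mismatch
    print(client_accepts(SHARED, SHARED, SSID, OTHER_AP, STA))           # unknown radio
```

Nothing in the derivation is secret to the operator alone: the only inputs are the passphrase, the SSID, the two MAC addresses and the nonces, so a successful handshake shows the peer knows the passphrase and nothing more about who runs the access point.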

If an attacker is able to spoof the official LinkNYC network, the safety and security of its users become imperiled. Information harvesting becomes a very real threat with so many mobile applications sending sensitive personal information over HTTP or via broken SSL implementations.

Many device-level attacks also become possible as attackers can replace downloaded files, inject JavaScript into connections, and through cache poisoning, even trigger attacks against other systems the victim device comes in contact with.

If the network is configured on enough devices, various SSL attacks – such as LogJam, FREAK, Lucky13 and SLOTH – become more cost-effective, making it more likely that criminals would invest in the infrastructure required to break weak SSL deployments.

The proper way to protect a citywide network is to use 802.1X certificate-based authentication. This method utilizes public-key cryptography, so that the client can verify that an access point is authentic. The downside to this technique is that, as with many security efforts, there is a trade-off of convenience.

Each user must first be registered with the service and install one or more certificates to their device before a truly secure connection can be established. If New York City does implement this strong encryption, I would encourage all LinkNYC users to take advantage, rather than using any open networks or WPA2-PSK networks with well-known passphrases.

It is unlikely that any major public wireless provider would restrict access to only 802.1X certificate-based authentication, but with any luck, LinkNYC officials have had all of these discussions already and will roll out the service with tiered encryption options.

 

Title image courtesy of ShutterStock

  • audibleblink

    Looks like they install 4 certificates, including a root certificate. http://blog.alexflor.es/post/137705262900/linknyc-secure-gigabit-hotspot

    • Craig Young

      Interesting… When I emailed LinkNYC, they said they couldn’t provide specifics on the security precautions.

      It’s good that they are informing users on the risks of going unencrypted, but I hope they are also advising users of the risk from not deleting the open wifi profile from their phone after setting up the encrypted profile.