I’ve had this post sitting on the back burner for a few weeks because of other computer and website work I’ve been wrestling with. However after Tim Cook’s open let to the public about the FBI’s security request I thought now was a good time to cover the issue of network security as it pertains to us cruisers and liveaboards in regards to public WiFi.
Before I get too far into the oh-so-stimulating topics of technology and security, I think a little primer on how networks work is in order.The 10,000 foot view of the internet resembles something well like a spider web, hence the ‘Web’ moniker. Your computer connects to an access point or router that connects to an Internet service provider (ISP) that connects to the network backbone at which point your data joins the trillions of other data bytes of internet traffic. Now multiply that by a few billion users and corporations and you can kind of get a picture of the web.
NOTE:Technically there’s a lot more going here with things like sockets, ports, routers, switches, DHCP, DNS, NATs and such, but for this article we really don’t need to concern ourselves with all that I.T. juju. All we’re really concerned with is the connectivity path between you to the object of your internet desire.
A good rule of thumb to keep in mind is the farther you are from the internet’s backbone the less security you can expect, inherently the end point, that’s you by the way, is the weakest link.
For us sailors, cruisers, and liveaboards the most important point of interest is the wireless access point(WAP or WiFi) and it’s woefully insecure architecture. Most of us use wireless almost exclusively for our initial connection to the internet. Whether we are on the boat, at a coffee shop, a bar, or hotel and it’s the security this link in the chain I want to talk about.
Hold up there Todd, I have to enter a password to gain access to most WiFis, isn’t that secure?
In short “Nope” it’s not…
While there is some minimal level of security/cryptography going on with your connection(WEP/WPA) to the access point. The password is actually there to protect the access point and it’s owner, not you. The encryption inherent with that password is only designed to provide limited protection, pretty much a simulation of a wire. Yea that’s an eye opener, isn’t it.
So how do the bad guys get me at the access point? Good question. The bad guys use a technique called ‘Man in the middle’ to snoop your traffic and it works something like this:
- You turn on your laptop and you see a list of available WiFi networks
- The marina said their WiFi is named ‘Marine1’ sure enough you see it & you click on it.
- It asks you for the password, which the marina kindly supplied you at check-in.
- You enter the password and it churns for a little bit then says you’re connected
- and there’s the Google’s home page, everything looks great!
or is it?….
Unbeknownst to you a hacker is sitting at a table with some fancy hardware and software that makes his system look like the marina’s WiFi and you just authenticated with him instead of the real one at the marina, sneaky.
Since you authenticated with the hacker he can now view and store all your traffic as it’s passing through his fancy gadget. You think you are securely connected to the bank. In reality, the the hacker is securely connected to the bank as you and you are securely connected to the hacker. He is effectively “The Middle Man”.
And Poof! Just like that the hacker has all your information, two days later your bank account is emptied or you just bought a 60 inch flat panel TV from Amazon for your 30 foot boat, you have no idea how it happened.
I know what I just described sounds pretty sophisticated, surely this wouldn’t happen on a small island in the middle of the ocean. You’d be wrong. (especially in ports that accept cruise ships)
Hackers are by and large a lazy bunch and by lazy I mean extremely efficient. Once they crack something they will package it into an nice easy to use application for future use. Once they have enough of these tools they will take it one step farther and create a tool kit that only needs a few mouse clicks to manage all their nefarious activities.
The truly terrifying part of all this, is they also sell or give away these tool kits on the internet to anyone. Never assume a hacker is some socially awkward kid in his mom’s basement like Hollywood would have you believe. A lot of these guys have college degrees and are running their enterprises like a business.
Don’t believe me? Check out WIFI Pineapple and peruse the bullet items on the home page. I’ll wait here while you check it out……
A little spooky isn’t it, but don’t fret, this is a fluid cat and mouse game of spy vs spy. There are tools we can use to protect ourselves as well.
The simplest solution is probably a wired connection – this eliminates the whole WiFi security all together. A lot of marinas I’ve been to have a captains lounge or media room and there’s usually a network jack in there. I always have a patch cable in my laptop’s bag so I can jack in Johnny Mnemonic style. Once you’re physically connected to the marina’s network the odds of a man in the middle attack fall off exponentially.
Next up is The Onion Router(TOR) you’ve probably heard of it in the news being used by dark web users(it got a lot of media attention during the silk road sting by the FBI) it’s gotten a bad rap by the media. Technically it’s not a hacking tool. It’s a United States Navy tool that SeALs use to access the internet securely and anonymously to get intel back to command from anywhere in the world. Talk about being trained to live off the land!!
The TOR 1 browser uses high grade encryption and node hopping technology to protect the user and does a really good job. There’s absolutely nothing illegal about normal everyday users using it to protect themselves. You can actually download a copy of it from here for free. I have a copy on my system for just-in-cases.
There are some trade offs you need to be aware of with TOR.
- The TOR servers are run by volunteers so stability is an issue
- It’s slow! It was never intended for large traffic like streaming..
- Many of the larger well known and commercial sites are aware of TOR and sometimes block you. Google for example hates TOR because it can’t apply it’s telemetrics 2 to a TOR user.
- Banks also know TOR and I have yet to find one that will allow any type of on-line banking from a suspected TOR node.
However in a pinch, TOR can get the job done. I personally think it’s a good idea to keep it installed on your laptop for emergencies. As a sailor I like my backups to have backups, especially when they’re free!
The best solution by far is a Virtual Private Network(VPN). This creates a very secure connection between you and the internet regardless of the infrastructure and it defeats Man in the Middle attacks.
Corporations use this technology for business traffic that travels across the public highways of the internet. This is also my primary solution for secure connectivity while afloat.
There are multiple solutions for VPN and I’ll touch on them below. Each one has has it’s pros and cons. It will be up to you to research and decide which one best fits your needs.
First up is a free VPN service, there are some companies out there who offer limited VPN access through their networks free of charge. The catch is there is some suspicion that while they’re not snooping your traffic directly or doing anything illegal, they’re collecting metadata 3 on their users that they can sell to marketers. In my opinion I think you’re trading one devil for another. I’d be careful with free VPNs.
Just like TOR if you’re limited in funds or in a pinch this could be a life saver. It wouldn’t hurt to have an account activated and on standby, just in case.
The next option is OpenVPN this is a community based open source software solution for VPN. The catch with this solution is that there’s no support. It’s all up to you to configure, setup, and maintain. It also requires you to have a VPN server somewhere in the world to link to.
OpenVPN is the solution I’ve chosen mainly because it fit my needs perfectly. For my VPN server solution I converted my wireless router at home to be a self contained OpenVPN server via a firmware hack from DD-WRT. Once configured all my network traffic no matter where I am in the world goes back to my house and then on to my trusted ISP.
NOTE: Even it you don’t have a land based network while at sea. You could configure a wireless router like a linksys or D-Link and give it to a friend who has broadband. Your own VPN server ready to go with no monthly bill.
The third VPN option and probably the most practical solution is to pay for a VPN service. There are a lot of them out there they range in prices from over $20/month to less than $10/month. The catch here is to look for any bandwidth limitations that might affect you. The best part of this solution is that you will normally be dealing with a first world company and all the consumer protections that affords you, like support.
Unlike the free service there will also be a contract and/or end user license agreement that protects you and the company, similar to your cell phone.
To wrap things up, that super convenient WiFi you use is not very secure. Depending on what you’re accessing on the internet you should take steps to protect yourself. If you can, I strongly recommend a VPN solution for the best protection. I would also highly recommend having a back up plan in case your VPN service goes down and you need access. And lastly never under estimate the usefulness of a 6 foot Ethernet patch cable!
I hope this information was helpful…
[update] I just came across this news clip on Foxnews about the inheirent risks of using open/free WiFi. I thought it was a fairly good interview that drives home the point of how insecure open/free WiFi is.
P.S. Please note network security and cryptography are two über complex topics. In order to keep this long post manageable I glossed over a ton of details. My main point here is to let everyone know about the potential insecurities of public WiFi and how we can protect ourselves.
- How TOR Works ↩
- Telemetrics are what Google and other large corporations call the practice of characterizing individual internet usage so they can better target their resources. ↩
- Metadata is pretty much data about data, Wikipedia has a much more in-depth explanation https://en.wikipedia.org/wiki/Metadata ↩