…or maybe more depending on the range of your laptop’s antenna.
For this example, I’m using my iPhone again to view the internet, and my Mac Mini running Wireshark to intercept and parse the data. First things first, we verify we’re connected to MetroFi-Free, Naperville’s new free 802.11b network:
After that, we’ll navigate to any web site that has a login form which isn’t encrypted with SSL. My own blog works great for this example, but really any web site which has a URL that doesn’t start with https:// is vulnerable, along with pretty much all internet applications (more on that later).
So I enter the URL of my blog’s admin page into the iPhone browser-
[Screenshot]
In the Wireshark screenshot above, my iPhone is connecting to a-13.net, submitting an HTTP GET request to my web server, and asking for /wp-admin/. Wireshark even lets you filter the displayed data by request, so if I want to see all the captured network traffic that has anything to do with the word “admin”, it’s just a few clicks away.
Next I enter my login information into my iPhone’s browser.
The instant I hit “Login” my iPhone broadcasts my username and password to everyone within 100 feet. Wireshark picks it up the moment my personal information is airborne.
[Screenshot]
See the HTTP POST line highlighted in grey? That’s my Mac Mini intercepting the data as it is sent to the MetroFi-Free access point. (I can also filter for only POST data, which would display anything that anyone entered into a non-encrypted web form: anything from search engine queries to registrations for social networking sites.) But what exactly was included in that packet?
[Screenshot]
Oh, you know, nothing important… Just the exact URL of the form I just filled out, along with the exact type of device I used to fill it out… but best of all-
log=wifidemo&pwd=secret
Now, say I’m someone who doesn’t take network security that seriously. Chances are I use the same login and password for almost everything. To make it worse, almost all web sites that have a login box use your email address as your username. Facebook, MySpace, etc. They all use your email address, and chances are you’re also using that same password for your email. Any password that doesn’t match the captured one is easy to get as well: once someone has access to your email, they just click “Lost my password” on whatever site they want into and then check your now-compromised email account.
While it’s cool that Naperville is rolling out free city-wide WiFi, I’m really disappointed with the complete lack of encryption. Most people aren’t aware of just how insecure anything broadcast over a wireless network is when that network is secured with anything less than WPA with a pre-shared key. The above example took me all of about three minutes.
How I would have done it-
Set up two SSIDs for each node of the Naperville wireless mesh. One wireless network, named something like “Free WiFi Sign Up”, would be a captive portal page. (Like when you’ve used WiFi at a hotel: it doesn’t allow you to access anything until you load your browser and accept the user agreement.) The captive portal would feature a simple sign-up page where users could enter an email address and password, encrypted via SSL similar to online banking. Once registered, the user could sign on to the real wireless network, named MetroFi-Free or whatever they feel like naming it, which would be an 802.11x encrypted network, using the newly created login information.
…But setting up a secure wireless network is more work than just plugging CAT5 into the back of access points, and worse yet, the city of Naperville might have to fork out a dollar or two to hire someone who actually knows what they’re doing.
Just some food for thought: here are some other things that aren’t encrypted at all and are broadcast in plain text over wireless networks:
- MOST email traffic unless you have specifically enabled encryption. (Most free/cheap mail hosts don’t even offer any kind of encryption.)
- ALL instant message traffic including AOL Instant Messenger, Yahoo IM, MSN Messenger, and most Jabber configurations.
- ALL FTP sites.
- MOST remote desktop login information; almost all VNC-based remote desktop software uses plain-text authentication.
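The Wireshark filtering described above (showing only POST requests, or only frames that mention “admin”) can be reproduced offline. The following is an added example, not code from the original post or from Wireshark: a small Python scanner that walks a set of captured TCP payloads and reports which ones carry credentials in the clear, covering both the HTTP form POST shown in the screenshots and the FTP `USER`/`PASS` case from the list above. The sample capture is constructed for this example (the `/wp-login.php` path, the FTP session and the TLS fragment are assumptions; only `a-13.net`, `/wp-admin/` and `log=wifidemo&pwd=secret` come from the post), and the list of credential field names is an assumed heuristic. Values are redacted in the report, which is what you want when auditing your own network or application for cleartext logins.

```python
"""Scan captured TCP payloads for credentials sent in cleartext (added example)."""
import re
from urllib.parse import parse_qs

# Form field names that commonly hold credentials. This is an assumed heuristic,
# not an exhaustive list; extend it for the applications you are auditing.
CREDENTIAL_FIELDS = {"log", "pwd", "password", "passwd", "pass", "user", "username", "email"}

# Constructed sample capture: (destination TCP port, raw payload). Not real traffic.
SAMPLE_CAPTURE = [
    # Plain GET for the admin page: no credentials, should not be flagged.
    (80, b"GET /wp-admin/ HTTP/1.1\r\nHost: a-13.net\r\n"
         b"User-Agent: Mozilla/5.0 (iPhone)\r\n\r\n"),
    # Login form POST over plain HTTP (path /wp-login.php is assumed).
    (80, b"POST /wp-login.php HTTP/1.1\r\nHost: a-13.net\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 23\r\n\r\n"
         b"log=wifidemo&pwd=secret"),
    # FTP authenticates in the clear: username and password are separate commands.
    (21, b"USER demo\r\n"),
    (21, b"PASS hunter2\r\n"),
    # A TLS ClientHello fragment: opaque to the scanner, so it yields nothing.
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def redact(value):
    """Replace a captured secret with a same-length mask so reports do not leak it."""
    return "*" * len(value)


def parse_http_request(payload):
    """Return (method, path, headers, body) for an HTTP/1.x request, or None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # no header/body boundary: not a complete HTTP request
    lines = head.decode("ascii", errors="replace").split("\r\n")
    match = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return match.group(1), match.group(2), headers, body


def find_cleartext_credentials(capture):
    """Return a list of findings for every credential field seen in cleartext."""
    findings = []
    for port, payload in capture:
        if port == 21:
            # FTP control channel: USER and PASS are sent as plain-text commands.
            match = re.match(rb"^(USER|PASS) (.*)\r\n$", payload)
            if match:
                findings.append({
                    "protocol": "ftp",
                    "field": match.group(1).decode().lower(),
                    "value": redact(match.group(2).decode(errors="replace")),
                })
            continue
        request = parse_http_request(payload)
        if request is None:
            continue  # not parseable HTTP (e.g. TLS on 443), nothing to inspect
        method, path, headers, body = request
        content_type = headers.get("content-type", "")
        # The equivalent Wireshark display filter is: http.request.method == "POST"
        if method != "POST" or not content_type.startswith("application/x-www-form-urlencoded"):
            continue
        for name, values in parse_qs(body.decode(errors="replace")).items():
            if name.lower() in CREDENTIAL_FIELDS:
                findings.append({
                    "protocol": "http",
                    "host": headers.get("host", ""),
                    "path": path,
                    "field": name,
                    "value": redact(values[0]),
                })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(finding)
```

Run as a script it prints one line per exposed field: two for the HTTP form (`log` and `pwd` to a-13.net) and two for the FTP session, and nothing for the GET or the TLS fragment. In Wireshark itself the same views are `http.request.method == "POST"` for the form submissions and `frame contains "admin"` for the keyword search the post describes.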
And it is entirely possible for the city to log ALL network traffic, keeping ALL of your personal data and unencrypted internet activity on file.
Think about it.
In the time it took me to write this post, these were the images transmitted over MetroFi-Free:
[Images]
October 26th, 2007 at 5:11 pm
Wow!
Great work Eli, exposing a huge gap in security for Naperville WiFi.
You would think that the powers that be in IT would have figured this one out pre-launch….
This should serve as a wake up call to anyone using the service…And can somebody alert MetroFi and Naperville’s
Free, does not equal, without Risk