Free WiFi net is a hacker's dream: 4M open WiFi access points, passwords stored in plain text
Blatant hacks, stolen documents and public spankings from hackers taught few lessons about security
Probably every user or owner of a wired router with a secondary WiFi capability has had the feeling something is going to waste as they email or Tweet or read online, making use of a tiny fraction of the bandwidth available both over the air and across the wire.
Some generous-minded souls – who are either oblivious to security, or know how to properly encrypt and lock down their own traffic without closing off the WLAN completely – are willing to share their bandwidth with the less well connected.
Usually that's a bad idea for both supplier and user. For users, there's no telling whether an open or "Free WiFi" SSID is a public resource, a security honey trap or a hacker's snare.
The British FON network tries to address that concern and to unite all the generous WLAN owners into a coherent network that gives members free WiFi access anywhere another FON member's network is in range.
The FON site describes the concept as "crowdsourced WiFi" and advertises "free WiFi roaming" that is secure for both user and provider. It even provides a way for providers to make a little money sometimes.
FON is secure because a member's WLAN is subdivided into an encrypted private stream for use by the owner and a second (also encrypted) link available to paid-up FON members.
FON works for any device, is supported by more than four million members and is free for those who buy a FON-enabled router for between $49 and $99. (Those who don't buy one pay a daily, weekly or hourly fee to either FON or a local carrier.)
Legierski, a FON member, discovered while trying to retrieve a forgotten password that FON stores the passwords of at least some of its 4 million members in plain text – meaning anyone able to penetrate one or two layers of security and get close to the password database would have easy access to the bulk of the usernames and passwords.
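As an added illustration (not FON's code and not from the post), this contrasts the plain-text storage described above with salted PBKDF2 storage, and shows what a leaked password table hands over in each case. The user names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; raise as hardware improves
PREFIX = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or secrets.token_bytes(16)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != PREFIX:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def plaintext_store(users: dict) -> dict:
    """The failure mode in the post: the table holds the passwords themselves."""
    return dict(users)


def hashed_store(users: dict) -> dict:
    """The mitigation: the table holds only salted, stretched digests."""
    return {name: hash_password(pw) for name, pw in users.items()}


def readable_passwords(store: dict) -> dict:
    """What a copy of the table yields directly: every entry that is not a hash record."""
    return {name: value for name, value in store.items() if not value.startswith(PREFIX + "$")}


if __name__ == "__main__":
    members = {"alice": "correct horse", "bob": "correct horse"}  # constructed sample
    print("plain text leak:", readable_passwords(plaintext_store(members)))
    print("hashed leak:", readable_passwords(hashed_store(members)))
```

Because each record carries its own salt, two members who reuse the same password do not share a digest, so a leaked table does not even reveal which accounts share credentials.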
You would think all the high-profile hacks earlier this year would have made that particular no-no a NO-NO, especially following the negative publicity and public spanking administered to Sony for storing passwords unencrypted (and protecting them badly from even common SQL injection attacks).
Similar, well-deserved smears for the same thing embarrassed Newegg and hurt the reputations of the leading mobile OS developers, by revealing sensitive data stored as plain text in Android and in several iPhone apps, not to mention core parts of both operating systems that collect and store location, usage and other data, also in plain text.
So far there's been no response from FON, though there's a long discussion on Hacker News that jumped almost immediately from how insecure plain text is to the ethics of not protecting end-users' private information.
Legierski recommended that all FON users change their passwords as quickly as possible.
I'd say, considering how common this particular bit of scandalous behavior apparently is, that you should also check how securely passwords are stored on the other services both you and the users you support log in to.
Users tend to be consistent in the passwords they use, so one cracked account can mean a whole chain of cracked and exploited logins.
That chain can reach right across from personal or social-networking sites into the servers they use for work.
Even if the servers at the office encrypt passwords and require passwords long and complex enough to be relatively secure, they won't keep anyone out if the same username and password that gets a user into the customer database is available in plain text across a WiFi network with four million users and a purposely unconstricted approach to security.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.