maemo.org - Talk (https://talk.maemo.org/index.php)
-   Nokia N800 (https://talk.maemo.org/forumdisplay.php?f=25)
-   -   WIFI Security (https://talk.maemo.org/showthread.php?t=11870)

mydogsowner 2007-11-17 17:42

WIFI Security
 
I am getting the N800 for Christmas and can hardly wait! I am a real newbie here and had some questions about security issues with a public WIFI connection.

Is there a firewall, or software that comes with this device to protect private data? Is there some I should download?

My main use with this will be web surfing. Checking stocks, etc. I really need a secure/private connection.

Thanks!

HandyG 2007-11-17 17:56

Re: WIFI Security
 
Good question. I asked this and someone said there was SSL when using some sites on WiFi. Not sure though.

TA-t3 2007-11-17 18:00

Re: WIFI Security
 
If you're watching sites which contain your private data (passwords, account info) etc. you should only access those sites through https:// links. This is exactly as when you access such sites from your desktop computer, no difference there. Other than that there's nothing in the N800 to worry about, the way it comes set up out of the box. Wi-fi or no wi-fi is not the issue here.

mydogsowner 2007-11-17 18:10

Re: WIFI Security
 
This article has me concerned:

http://www.jiwire.com/wi-fi-security...n-overview.htm

It mentions software and firewalls as a solution; but what's compatible/available with the n800?

So, you are saying that as long as I connect through http sites I'm safe from "sniffers"?

sevo 2007-11-17 18:34

Re: WIFI Security
 
"Firewalls" could merely block sensitive services from being remotely accessible - but the N800 has no such service unless you install it.

PUBLIC WiFi access is generally insecure, as secure access schemes would require you to have an account with the service provider. That is, PUBLIC WiFi is entirely unencrypted and accessible by any stranger, so that anybody in range could forge and inject packets, or even assume the identity of the service provider.

The risk of getting a worm delivered to a N800 via forged packets is marginal, though - Maemo/ARM is way too exotic among platforms to be targeted. You would have to worry when surfing a public WLAN with Windows/Intel devices, though, and even cell phones have already been (rarely) targeted...

As for HTTP being safe from sniffers: Nope. HTTPS would be, though. In general, you should use application-level security (like SSL web sites, SSL/TLS on the mail server, and SSH for shell connections) for anything critical, especially on wireless networks. The N800 supports that, but you still have to configure it, and must use SSL capable web/mail servers (which free services sometimes aren't).

Sevo

TA-t3 2007-11-17 18:45

Re: WIFI Security
 
Quote:

Originally Posted by mydogsowner (Post 96371)

Such articles always make me shake my head. There's some truth to parts of it, but what they always seem to forget is this:
  1. Your home wi-fi network is exposed to maybe some dozen people.
  2. Your ADSL/cable internet connection, on the other hand, is exposed to millions of people. If you ever get the chance, try running a sniffer at the connection point (outside any firewalls) on your ADSL modem. I've done that: Maybe 20 seconds after you fire it up the prodders start to hammer your network connection, scanning for open ports and the like. The network log at work is very interesting reading - this goes on 24/7.
The _real_ problem is connecting to a site requiring any of your private data: It doesn't _matter_ what kind of connection you use, whether that's wi-fi, ADSL, cable, at work: If it's not encrypted, someone can intercept that information. You _must_ use encryption. It doesn't help with the best WPA2 or any other wi-fi encryption, that part doesn't protect your actual network traffic, it only stops others from using your wi-fi network. It doesn't encrypt any of the actual internet traffic.

Let's say you have an adsl modem, a wi-fi router with its own firewall (most have one). There's a much much bigger chance someone will manage to break through to your home computer(s) through the ADSL modem than through the wi-fi router, simply because there are millions of potential attackers on the other side of the adsl modem but a very limited number in wi-fi range. (There is one potential big security problem with that wi-fi router though: If it allows access to its system setup page through wi-fi then the router can be hacked into and reconfigured to e.g. turn off its firewall. Ideally the router should only allow configuration to be done through one of its LAN ethernet ports.)

The big rule is simple: Whenever you transmit (including watching) private data over a network you should use encryption. For the web this means that the sites you watch should be accessible through https://, which is SSL encrypted, not http:// which isn't. As far as wi-fi is concerned you should think of it, and handle it, as the internet at large.

Quote:

It mentions software and firewalls as a solution; but what's compatible/available with the n800?
Your wi-fi router should have a firewall. So should your home computer, as otherwise it's open to external attacks in case the wi-fi router's firewall falls down for some reason.

However, your N800 doesn't have any services that can actually be attacked, unless you install one. If there's no one listening then the attacker can shout all he wants, unlike how it's depicted in films and tv shows you can't just break in just because it's a computer in there.

However, there's one popular service you may come to install on your N800, and that's an ssh server. If you do, then suddenly you have something listening on port 22 which can give the attacker a login shell. And as the N800s all come with a well-known, fixed root password.. in other words, if you install either dropbear-server or openssh-server then you must take steps to prevent this (change root password, first of all).

Quote:

So, you are saying that as long as I connect through http sites I'm safe from "sniffers"?
Yes. If you meant to say https sites, not http sites. The former are SSL encrypted, the latter are not. Normal web sites are just http sites, they're not encrypted and usually you won't care, if you're just reading Internet Tablet Talk, for example.

There's one popular wi-fi scam that's worth mentioning though: Be careful with wi-fi hotspots requiring credit card info to get access to the network. These are HTTPS/SSL encrypted, but the scam is that someone sets up a fake pay-hotspot and you then go on to provide them with your credit card info.. this scam has been seen in airports, for example.

For the rest: As far as your N800 is concerned, you just have to
a) Set up your home wi-fi network with WPA encryption (if you want to keep others from accessing the internet through your wi-fi)
b) Firewalls in the wi-fi router and on your home computer(s)
c) Use SSL (HTTPS) when accessing sites with private data, whether that's from your N800 or from your desktop computer
d) Don't start worrying about your N800 security until you install a server like ssh.
e) That article mentioned VPNs.. yes, if you access your job network then VPN is an easy way to encrypt everything. But then again it's unlikely there's any other way of accessing that network.

mydogsowner 2007-11-17 19:17

Re: WIFI Security
 
Thanks, I think I'm just beginning to understand.

I have a wired network at home and wasn't planning on using the N800 there. It's only going to be used outside the home.

I'm going to have to read up more to completely comprehend the responses. Right now it suffices to repeat the KISS Rule: Just use HTTPS Sites for secure encryption.

Again, thanks for taking the time to explain it!

Happy Holidays Everyone!

barry99705 2007-11-17 20:13

Re: WIFI Security
 
The real simple answer is don't send private data over wifi, ever. With the right equipment it doesn't matter if it's https or not.


http://www.oxid.it/ca_um/topics/apr-https.htm

convulted 2007-11-17 20:45

Re: WIFI Security
 
Quote:

Originally Posted by mydogsowner (Post 96401)
Thanks, I think I'm just beginning to understand.

I have a wired network at home and wasn't planning on using the N800 there. It's only going to be used outside the home.

I'm going to have to read up more to completely comprehend the responses. Right now it suffices to repeat the KISS Rule: Just use HTTPS Sites for secure encryption.

Again, thanks for taking the time to explain it!

Happy Holidays Everyone!

You WILL want to use your N800 at home... in the bed, in the kitchen and even in the bathroom. Trust me :) Welcome to the family.

Darius2006 2007-11-17 21:46

Re: WIFI Security
 
Hi,

My friend has the following problem. Each time his PC running Windows XP boots, the wifi card driver sets ICF (Internet Connection Firewall) provided by Windows off. He has to set it on manually. What's wrong? Viruses, trojans, adware?

Darius

TA-t3 2007-11-18 19:07

Re: WIFI Security
 
Quote:

Originally Posted by barry99705 (Post 96423)
The real simple answer is don't send private data over wifi, ever. With the right equipment it doesn't matter if it's https or not

I'm wondering why you say that. Of course it matters if it's https or not. If https can be broken then it's much more dangerous to send it over the internet at large. It simply couldn't be used.

free 2007-11-18 19:32

Re: WIFI Security
 
AFAIK https using SSLv3 is impossible to break at the moment. That's what ebay uses for example. Https using SSLv2 also has some deficiencies but you need quite good knowledge to intercept anything.

WEP is broken in around 3 minutes.

Don't use http for sensitive information. I snoop on my neighbours, he's browsing porn websites. Bad taste (s)he has :)

I use wep (my gateway is a laptop not supporting managed and then wpa2) but https on top of it. The rest I don't care.

barry99705 2007-11-18 21:43

Re: WIFI Security
 
Quote:

Originally Posted by TA-t3 (Post 96784)
I'm wondering why you say that. Of course it matters if it's https or not. If https can be broken then it's much more dangerous to send it over the internet at large. It simply couldn't be used.

That's the thing, https can be decrypted. The question is, does (insert whoever's wifi connection you're using here) do it? That's one of the big problems with wifi. You have absolutely no idea where that access point you're connecting to is. It might be the Starbucks access point you connect to every day at lunch, it might also be that "delivery" van out in the parking lot with an access point set up to look like Starbucks with a 5 watt amp. Most people's laptops will connect to the strongest signal, the dude in the van now has the strongest signal. All he has to do is set up a bridge to the real Starbucks and capture all the traffic. There might be a small hiccup in the connection when he starts up his rig, but most people won't notice the difference. The ones that do will make some curse to Microsoft, and reconnect.

Milhouse 2007-11-18 22:11

Re: WIFI Security
 
Even with this kind of spoofing of your WiFi connection, how does this help the 'attacker' decrypt your SSL encrypted data? Unless he has offered up a bogus secure server certificate which you then unwisely accepted despite all the browser warnings, HTTPS is generally considered to be secure (if it wasn't, internet commerce would collapse overnight). Passing confidential data over HTTP connections (wired or wireless, WEP or WPA) is not clever, but absolutely fine over a properly authenticated HTTPS connection with a valid certificate.

barry99705 2007-11-18 22:47

Re: WIFI Security
 
Quote:

Originally Posted by Milhouse (Post 96839)
Even with this kind of spoofing of your WiFi connection, how does this help the 'attacker' decrypt your SSL encrypted data? Unless he has offered up a bogus secure server certificate which you then unwisely accepted despite all the browser warnings, HTTPS is generally considered to be secure (if it wasn't, internet commerce would collapse overnight). Passing confidential data over HTTP connections (wired or wireless, WEP or WPA) is not clever, but absolutely fine over a properly authenticated HTTPS connection with a valid certificate.

Did you look at the link I posted earlier? That's what I'm talking about. Your basic internet user won't know the difference between an authentic ssl cert and a spoofed one. At least with a wired internet connection you have a pretty good idea of where your packets are going.

I've also seen hardware that can decrypt ssl connections in real time for wired connections. I just can't seem to find it at the moment. They are set up for wired network security boxes to check for viruses and whatnot, but they can be used for whatever you want.

Milhouse 2007-11-18 22:55

Re: WIFI Security
 
The point is HTTPS *is* secure and the connection medium is irrelevant (my wired ADSL connection can easily be sniffed at the exchange). If a user blindly accepts an invalid certificate, that isn't the fault of SSL/HTTPS - sometimes there is nothing that can be done to protect the really stupid.

Milhouse 2007-11-18 22:59

Re: WIFI Security
 
Quote:

Originally Posted by barry99705 (Post 96849)
I've also seen hardware that can decrypt ssl connections in real time for wired connections. I just can't seem to find it at the moment. They are set up for wired network security boxes to check for viruses and whatnot, but they can be used for whatever you want.

Sure, if they have the private key used to initiate the connection and also have the resulting shared secret but what's so special about that? If you're suggesting there are machines capable of decrypting SSL encrypted communication without the aid of the original keys and shared secrets then I would be very, very surprised (as would the NSA, unless it's their machines but then I doubt they would publicise that fact!) SSL 128-bit is very hard to crack on the fly, and next to impossible using brute force - by the time the key has been discovered (several years computational effort) the importance of the message is long since degraded. Lower level SSL encryption such as 40-bit encryption is theoretically possible to crack using brute force in the space of several hundred hours with several hundred computers. But not real time.

barry99705 2007-11-18 23:01

Re: WIFI Security
 
Quote:

Originally Posted by Milhouse (Post 96852)
The point is HTTPS *is* secure and the connection medium is irrelevant (my wired ADSL connection can easily be sniffed at the exchange). If a user blindly accepts an invalid certificate, that isn't the fault of SSL/HTTPS - sometimes there is nothing that can be done to protect the really stupid.

Yea, I see your point. I'm just saying I know there's network hardware out there that transparently decrypts, checks for stuff not allowed on your network, then re-encrypts https data. I just can't find it at the moment.

Damn!! You type fast. No, they get the initial keys, I don't know of anything that does it without them.

Milhouse 2007-11-18 23:13

Re: WIFI Security
 
Quote:

Originally Posted by barry99705 (Post 96855)
No, they get the initial keys, I don't know of anything that does it without them.

Interesting, because the HTTPS connection uses a shared secret that is encrypted by the browser using a public key from the remote server such that the shared secret (used to encrypt all subsequent communication synchronously rather than asynchronously) can only be decrypted by the remote server which houses the private key. So any intermediate servers must have access to the private key used by the remote server in order to decrypt and observe the shared secret in order to decrypt the communication in real time, and if this is the case it's a major security breach. Either that, or the intermediate servers are spoofing the entire SSL session and providing their own certificate to the browser in place of the remote server, and maintaining the session so that the correct shared secret is used when forwarding to the remote server - tricky, and it may be possible but I would still expect the browser to barf when it gets the intermediate servers certificate when it is expecting the certificate for amazon.com! :)

There are of course devices (firewalls, proxies etc.) which can and do analyse HTTPS traffic without decrypting the data because the HTTP headers themselves are never encrypted, only the payload is encrypted using SSL.

Load balancing hardware such as BigIP servers offer "SSL termination" (aka hardware accelerated SSL encryption/decryption) however these servers are designed to be used in a situation where they front-end the servers that are hosting the secure service in which case it would be correct to configure the load balancers with the public/private keys for the "remote" server (which would be on the same LAN behind the BigIP servers). Maybe this is the situation you are referring to, although there isn't really any need to re-encrypt the messages once decrypted by the BigIP servers as the now decrypted messages would normally be forwarded on to the remote servers over a private (and hard to sniff) network.

TA-t3 2007-11-19 11:49

Re: WIFI Security
 
Milhouse described HTTPS security well, so I won't go into details about it myself.

The only currently known wi-fi semi-specific problem you can run into with HTTPS security is the one I described in my posting: The scam where someone sets up a fake pay-hotspot, to e.g. look like a T-mobile hotspot or your local airport hotspot, and you get access by entering your credit card credentials. For any other kind of wi-fi network, where you *don't* "log in" as described, there is no known security risk with HTTPS that isn't already in existence in the internet in general. As I already said, a wi-fi network is available to a handful, the general internet to millions.

And no, it's not true that with the (wired) internet you have a good idea where your packets are going, wi-fi or not isn't the issue. Fake sites with false certificates are on the wired internet (and naturally so -- that's where there's a billion potential victims). As for breaking HTTPS (except the old, poor 40-bit encryption) it's not considered easy. There are much easier ways to scam you.

As for anything important you do on the network: If you connect to your bank, and the browser complains about the certificate, don't click 'continue anyway'. Leave the site. If you don't, you lose. Whatever network you're on.

qole 2007-12-12 20:21

Re: WIFI Security
 
There is the possibility that someone in a wifi hotspot can act like a fake DNS and play man-in-the-middle, hijacking your connection. There should be some warning of this, however; the bad certificate warning mentioned above.

If you can't get an SSL connection, and you're paranoid about how dead-easy it is to traffic sniff on wifi, you can set up an encrypted tunnel using SSH.

I explain how to set up the MicroB browser to use this tunnel (as a SOCKS5 proxy) here. Note that your traffic can be sniffed once it leaves the other end of the tunnel for the Internet, but I have a much higher (probably false) sense of security on the wired Internet.

qole 2007-12-12 20:27

Re: WIFI Security
 
One more thing; since we're talking about wifi security, please note that you MUST change your root password if you install SSH on your tablet. If a hacker sees you in a cafe with your N800, and she's a moderately good hacker, she can *easily* gain root access using the default root password, and then run any command and copy files to/from your device with SFTP.

When I say easily, I mean DEAD-EASY. All she needs is your IP address and Google, and she's in your tablet and leafing through your files as she sips her mochaccino latte.

Milhouse 2007-12-13 07:25

Re: WIFI Security
 
Quote:

Originally Posted by qole (Post 107878)
When I say easily, I mean DEAD-EASY. All she needs is your IP address and Google, and she's in your tablet and leafing through your files as she sips her mochaccino latte.

Without giving too many details, can you explain how this is achieved? My N800 isn't as far as I know accessible via WiFi unless I initiate the connection, so are you suggesting someone can establish a connection to my device over WiFi once I've brought up the WiFi interface? I wouldn't have thought this was possible as I'm not running an ad-hoc WiFi connection, and I would have thought my N800 will only accept connections via the access point to which I am authenticated.

technut 2007-12-13 09:05

Re: WIFI Security
 
Milhouse, you're correct that you'd need to have your Wi-Fi connected to be vulnerable. I think that was assumed in qole's scenario. But then anyone else on the same AP can reach your tablet, and if there is no firewall at the cafe then it could even be reached by anyone else on the Internet.

If you have an open port (eg. because you installed SSH) then they could connect to that and start trying ID/passwords to get authenticated. Which is why it is important that you not leave the default password in place after installing SSH.

t3h 2007-12-13 09:39

Re: WIFI Security
 
Quote:

Originally Posted by Milhouse (Post 108077)
Without giving too many details, can you explain how this is achieved? My N800 isn't as far as I know accessible via WiFi unless I initiate the connection, so are you suggesting someone can establish a connection to my device over WiFi once I've brought up the WiFi interface? I wouldn't have thought this was possible as I'm not running an ad-hoc WiFi connection, and I would have thought my N800 will only accept connections via the access point to which I am authenticated.


If you install SSH, it allows anyone to connect remotely to your device if they know your password. The password is widely known for the root account ("rootme"), so anyone who does ssh root@1.2.3.4 (being the IP of the tablet) can use that password to get in.

If you are connected to the same wireless AP as someone, or on the same network as someone they can do this. An assumption was made that if there was a hotspot in the vicinity you'd be on it (being an Internet tablet user and all).

If you do have SSH installed, login as root, and change the root password. If you don't have SSH installed, stop worrying.

free 2007-12-13 10:08

Re: WIFI Security
 
Quote:

the bad certificate warning mentioned above.
Well, if the browser tells you
"Oh somebody is probably trying to hack your computer, do you want to continue" ?
Then
Click No :D

From the ssh client you will see this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
or this
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!

The bad guy will have to trick the person into clicking yes at this.

I would be interested to see a demonstration :D

It's not a problem really of Wireless or Nokias.
If you are in your company with wired network (switched or not), anybody skilled enough can do this on your PC.
Good to know..

barry99705 2007-12-13 17:26

Re: WIFI Security
 
Wifi access points are for the most part just hubs. So once you're connected and browsing it shouldn't be too hard to find it. If I get some time later I'll install openssh on my nokia, and do a port scan of it.

Milhouse 2007-12-13 18:08

Re: WIFI Security
 
Quote:

Originally Posted by t3h (Post 108105)
If you install SSH, it allows anyone to connect remotely to your device if they know your password. The password is widely known for the root account ("rootme"), so anyone who does ssh root@1.2.3.4 (being the IP of the tablet) can use that password to get in.

If you are connected to the same wireless AP as someone, or on the same network as someone they can do this. An assumption was made that if there was a hotspot in the vicinity you'd be on it (being an Internet tablet user and all).

If you do have SSH installed, login as root, and change the root password. If you don't have SSH installed, stop worrying.

OK that makes sense - all users on the same AP are most likely visible to all other users of the same AP unless the AP takes precautions to prevent users from communicating with each other. I had kind of assumed that a public access point wouldn't allow associated computers to communicate with each other as it's a fairly obvious security risk - does anyone know if public access points provide this level of protection? Of course even if some did, it wouldn't be advisable to depend on such protection as you're bound to end up connecting to some cheap @rse access point that leaves you wide open. :)

barry99705 2007-12-13 21:35

Re: WIFI Security
 
Quote:

Originally Posted by Milhouse (Post 108260)
OK that makes sense - all users on the same AP are most likely visible to all other users of the same AP unless the AP takes precautions to prevent users from communicating with each other. I had kind of assumed that a public access point wouldn't allow associated computers to communicate with each other as it's a fairly obvious security risk - does anyone know if public access points provide this level of protection? Of course even if some did, it wouldn't be advisable to depend on such protection as you're bound to end up connecting to some cheap @rse access point that leaves you wide open. :)

So far all the public wifi I've ever connected to didn't. They were using higher end Cisco gear.

sevo 2007-12-13 22:38

Re: WIFI Security
 
Quote:

Originally Posted by Milhouse (Post 108260)
I had kind of assumed that a public access point wouldn't allow associated computers to communicate with each other as it's a fairly obvious security risk - does anyone know if public access points provide this level of protection?

All APs I ever had could be set up not to route between different addresses within their wireless network, so the trivial attack with a spoofed packet immediately redirecting traffic to the attacker's laptop is blockable. But it barely increases security, what with the waves being sniffable for ARP and BIND requests and fake packets being injectable, an attacker can still do spoofed redirects to any pwned computer anywhere on the internet.

qole 2007-12-17 19:44

Re: WIFI Security
 
Quote:

Originally Posted by t3h (Post 108105)
If you install SSH, it allows anyone to connect remotely to your device if they know your password. The password is widely known for the root account ("...."), so anyone who does ssh root@1.2.3.4 (being the IP of the tablet) can use that password to get in.

Now it's even easier for an attacker. Someone gave the default password in the same thread as my description of the exploit. So you can pretty much assume you will be hacked with SSH and the default password.

t3h 2007-12-18 02:44

Re: WIFI Security
 
Quote:

Originally Posted by qole (Post 109801)
Someone gave the default password in the same thread as my description of the exploit.

The password was widely known before I mentioned it (http://www.google.com/search?q=rootme+nokia)...

There's no reason not to change it, and it's trivial to change.

Wally 2008-01-19 01:12

Re: WIFI Security
 
Trivial to change perhaps ... BUT ... anyone who hasn't visited this specific thread (most Tablet owners) won't know they need to... !

By the way - as a non-Linux, fairly tech-savvy, user, but not geek - please can someone explain how to change the password ! It may be trivial, but *I* don't know how, just like many other readers of the thread I suspect ;-)

Walter

free 2008-01-20 15:39

Re: WIFI Security
 
The linux command for changing the password is...

drums..

suspense...

passwd

!!
:)

dont 2008-01-20 16:03

Re: WIFI Security
 
This is a great thread, very informative. Thank you everybody.

A question: If I install ssh (and change the password) then is there a simple (one-click?) way for me to enable/disable ssh so that I can minimize the time I have port 22 open? Ideally, the tablet should boot with ssh disabled.

free 2008-01-20 16:43

Re: WIFI Security
 
Quote:

Originally Posted by dont (Post 130949)
Ideally, the tablet should boot with ssh disabled.

You'll need xterm and root access:
Take care, with the following steps, ssh will not start anymore at boot!
sudo gainroot
rm /etc/rc2.d/S20ssh

to revert the start at boot:
sudo gainroot
cd /etc/rc2.d
ln -s ../init.d/ssh S20ssh


To start ssh:
sudo gainroot
/etc/init.d/ssh start

To stop it:
/etc/init.d/ssh stop

You can also change the port ssh is listening on:
/etc/default/ssh:
SSHD_OPTS="-p 666"
Will listen on port 666
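The procedure above as a small set of shell functions, added here as an example and not code from the thread: it toggles the same /etc/rc2.d/S20ssh link and edits the same SSHD_OPTS line in /etc/default/ssh, but checks the port value before writing it. ROOT is an assumed prefix so the functions can be tried on a copy of the tree; leave it empty to act on the live filesystem (as root, after `sudo gainroot`).

```shell
#!/bin/sh
# Added example (not from the thread): manage whether the Maemo ssh init
# script starts at boot, and which port it listens on, through the same
# /etc/rc2.d/S20ssh symlink and /etc/default/ssh SSHD_OPTS line the post
# uses. ROOT is an assumed prefix so the functions can be tried on a copy
# of the tree; leave it empty to act on the live filesystem (as root).

rc_link()       { echo "${ROOT:-}/etc/rc2.d/S20ssh"; }
defaults_file() { echo "${ROOT:-}/etc/default/ssh"; }

# True when the S20ssh link exists, i.e. ssh will start at boot.
ssh_boot_enabled() {
    [ -e "$(rc_link)" ] || [ -L "$(rc_link)" ]
}

# Stop ssh from starting at boot by removing the rc2.d link.
ssh_boot_disable() {
    rm -f "$(rc_link)"
}

# Make ssh start at boot again by recreating the relative symlink.
ssh_boot_enable() {
    mkdir -p "$(dirname "$(rc_link)")"
    ln -sf ../init.d/ssh "$(rc_link)"
}

# Set the sshd port via SSHD_OPTS="-p N" in /etc/default/ssh, replacing an
# existing SSHD_OPTS line or appending one. Rejects non-numeric or
# out-of-range ports so a typo cannot leave sshd unable to start.
ssh_set_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    f="$(defaults_file)"
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    if grep -q '^SSHD_OPTS=' "$f"; then
        sed "s/^SSHD_OPTS=.*/SSHD_OPTS=\"-p $port\"/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'SSHD_OPTS="-p %s"\n' "$port" >> "$f"
    fi
}

# Port sshd will use: the -p value from SSHD_OPTS, or 22 when none is set.
ssh_get_port() {
    f="$(defaults_file)"
    p=""
    [ -f "$f" ] && p="$(sed -n 's/^SSHD_OPTS=.*-p *\([0-9][0-9]*\).*/\1/p' "$f")"
    echo "${p:-22}"
}

# One-line summary, e.g. "ssh at boot: disabled, port: 666".
ssh_status() {
    if ssh_boot_enabled; then state=enabled; else state=disabled; fi
    echo "ssh at boot: $state, port: $(ssh_get_port)"
}
```

Starting and stopping the daemon itself is still `/etc/init.d/ssh start` and `stop` as in the post; these functions only control what happens at boot and which port is used.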

XooH 2008-03-13 09:12

Re: WIFI Security
 
Hi everyone.

I have a bit of knowledge in computer/apps/network security, and I have a N810 nit with SSH server and openvpn to my private server, etc.
I use it with several Wifi hotspots (and HSDPA networks, in Europe, through a 6120c). I use CIFS file sharing, SSH,...

It's true the tablet _is open_ (in terms of UDP/TCP/IP connectivity, i.e. NO firewall on it), and you don't have to install a server software to be vulnerable.
OS2008 is a Linux distro, and as such can be subject to all kind of attacks, even if the probability (it's mainly a _client_ device), impact, and risk (depending on what you store on your nit, and how) are (rather) low.

Right now, I'm looking for/to build a N8x0 firewall, but have little time to play around with iptables on my tablet. I have a small script I ported from my servers, but cannot achieve what I want to.

Did someone write an app/patch/script such as "tablet firewall"?
If not, are there people willing to make or port such an app?

I've searched Maemo.org, Garage,... I've not found anything similar.

I have small knowledge of Linux Kernel, iptables, compilation, and right now, I have an (empty ;-) OS2008 dev environment running...

I can help, and I really want to have at least a FW script (launched through Kerez ?).

XooH


EDIT : This thread is interesting (on NIT/linux/security) :
http://www.internettablettalk.com/fo...light=firewall

Laughing Man 2008-03-13 15:15

Re: WIFI Security
 
Quote:

Originally Posted by free (Post 130970)
You'll need xterm and root access:
Take care, with the following steps, ssh will not start anymore at boot!
sudo gainroot
rm /etc/rc2.d/S20ssh

to revert the start at boot:
sudo gainroot
cd /etc/rc2.d
ln -s ../init.d/ssh S20ssh


To start ssh:
sudo gainroot
/etc/init.d/ssh start

To stop it:
/etc/init.d/ssh stop

You can also change the port ssh is listening on:
/etc/default/ssh:
SSHD_OPTS="-p 666"
Will listen on port 666

Hmm, isn't there a directory you can place scripts in so that when you say "ssh start" in bash or xterm it'd just run that script (it checks the directory then runs the relevant script or program?). I forget which directory it is..

TA-t3 2008-03-13 15:51

Re: WIFI Security
 
Quote:

Originally Posted by XooH (Post 154339)
It's true the tablet _is open_ (in terms of UDP/TCP/IP connectivity, i.e. NO firewall on it), and you don't have to install a server software to be vulnerable.

Sure you do. Otherwise there won't _be_ anything to connect to.

A netstat -ant on my N800 shows that it's listening on the following TCP ports:

22 (because I installed an ssh server)
12493 (part of Skype)

Checking UDP:
2049 (dnsmasq)
12493 (part of Skype).

That's it. Without servers listening you're _not_ vulnerable. And using e.g. iptables to block the ports above would simply make those services stop working. (Edit: e.g. SSH must be secured by other means, e.g. using only RSA authentication, or changing password etc.)
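The netstat check above turned into a repeatable audit, added here as an example and not code from the thread: it reads `netstat -ant` / `netstat -anu` output, keeps only sockets that are actually listening, and flags any not on an expected list. The expected list mirrors the ports in the post (22 ssh, 12493 Skype, 2049 dnsmasq); the sample netstat output is constructed, with an extra port 8080 added so the audit has something to flag.

```shell
#!/bin/sh
# Added example (not from the thread): turn netstat output into a listener
# audit, the check described in the post above. EXPECTED_PORTS mirrors the
# ports that post lists; SAMPLE_NETSTAT is constructed for demonstration.

# Ports a tablet like the one in the post is expected to have open.
EXPECTED_PORTS="tcp/22 tcp/12493 udp/2049 udp/12493"

# Constructed sample of (netstat -ant; netstat -anu) output. The
# ESTABLISHED line is an outgoing https connection, not a listener; the
# 8080 listener is the "unexpected" one.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12493           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:41234      198.51.100.7:443        ESTABLISHED
udp        0      0 0.0.0.0:2049            0.0.0.0:*
udp        0      0 0.0.0.0:12493           0.0.0.0:*'

# Read netstat output on stdin; print "proto/port" for each TCP socket in
# LISTEN state and each UDP socket (UDP has no state column; an open UDP
# socket accepts datagrams from anyone, so it counts as a listener).
# The port is the last ":"-separated field, which also works for tcp6/udp6
# lines such as ":::22".
listening_sockets() {
    awk '
        function port(addr,   a, n) { n = split(addr, a, ":"); return a[n] }
        $1 ~ /^tcp/ && $NF == "LISTEN" { print "tcp/" port($4) }
        $1 ~ /^udp/ && NF >= 4         { print "udp/" port($4) }
    '
}

# Compare the listeners on stdin against EXPECTED_PORTS; print each
# unexpected one and return 1 if there were any, so a script can gate on it.
unexpected_listeners() {
    found=0
    for sock in $(listening_sockets); do
        case " $EXPECTED_PORTS " in
            *" $sock "*) ;;
            *) echo "$sock"; found=1 ;;
        esac
    done
    return $found
}

# Run the audit over the constructed sample (prints "tcp/8080").
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
}

# Usage on the tablet: (netstat -ant; netstat -anu) | unexpected_listeners
```

Anything the audit prints is a service to account for: either it is something you installed on purpose (and secured, as the post says for ssh), or it should not be listening.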

brecklundin 2008-03-13 17:15

Re: WIFI Security
 
while security is certainly a non-trivial issue...some folks out there definitely seem to require a tin-foil-hat 24/7...

I subscribe to the Darwinian idea of personal wireless security...stoopid people should not breed. If someone is arrogantly stoopid enough to splat their info out there w/no regard to proper encryption...they deserve what they get. Eventually these sorts will stop using the internet and the world will once again be safe from the AOL users of the world thus ending the way we are heading toward the Idiocracy style of life.

FYI, most serious wifi hotspot style routers now have full on virtual servers which completely isolate peers (or potential peers) not only from each other but also from the primary network served by the router. So, if desired, nodes cannot see each other over whatever network is being run. Even my travel/pocket Wifi router CTR350 from Cradlepoint has this all built-in...

And remember when getting your tin foil hat, get some ear plugs too so nobody can hear what you are thinking.

