Watch Out for Public Wi-Fi

Those public Wi-Fi networks in coffee shops and airports sure are convenient, aren't they? You love 'em. We love 'em. Digital thieves love 'em.

Mike Kershaw, developer of the Kismet wireless network detector and intrusion-detection system, recently spoke at the Black Hat conference warning that they pose 'a bigger security threat than ever to computer users' because attackers use them to 'poison' users' browser caches 'in order to present fake Web pages or even steal data at a later time,' according to industry observer Ellen Messmer.


Evidently it's a relatively simple operation for an attacker over an 802.11 wireless network 'to take control of a Web browser cache by hijacking a common JavaScript file,' Messmer reports Kershaw as saying: In the eyes of a digital thief, 'Once you've left Starbucks, you're owned. I own your cache-control header. You're still loading the cache JavaScript when you go back to work.'

It's not a new thing, either. Security researchers back in 2006 'found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver,' according to an IDGNS news report at the time.

The hack 'will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems (News - Alert) and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California,' the news report said:

'The two researchers used an open-source 802.11 hacking tool called LORCON (Loss of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorized software when they are bombarded with unexpected data.'

The problem, Messmer reported him saying, is open networks. They 'have no client protection. Nothing stops us from spoofing the [wireless access point] and talking directly to the client.'

And 'once the cache is poisoned, it's going to stay there,' Kershaw noted. He suggested continuously manually clearing the cache, or using private-browser mode, asking rhetorically 'who knows how to clear the browser cache in an iPhone (News - Alert)?'

We don't, but we're going to learn.

Kershaw said he had no hard numbers to give an illustration of how many attacks based on poisoning the browser cache via 802.11there are, but said it's such an easy thing to do that corporate security professionals should 'forbid users from taking laptops onto open networks,' Messmer reported, adding that Kershaw admitted, 'Your users may lynch you.'