With advancement in technology, we often speak of the benefits and advantages it brings.Rarely do we consider that society might actually pay a price, be it in the form of loss of culture or even the loss of privacy.
Most of us have at some point in time connected to an open hotspot, be it connecting to Wireless@sg while nursing a cup of coffee at Starbucks, or connecting to the access point at any national library to research on a topic. We would expect our activities to be private and unless someone was peering over our shoulders, none should be any wiser.
With this aim in mind, I conducted a little experiment, connecting 2 computers at home wirelessly to the router. On the “spy” computer, I fired up Wireshark. Wireshark is a freeware packet analyser used for network analysis. On the “victim” computer, I browsed the net as usual, visiting a few websites and chatrooms while the “spy” computer was sniffing all packets that were being exchanged with the router.Upon analysis of the packets collected, I was surprised at the amount of data that can be collected.
1) All the websites including https websites that I visited were captured.
2) Content such as pictures and even chat log of the IRC chatroom were recorded
3) On certain unsecure websites, my login ID and password were captured in plain text
Armed with only a laptop, network card and freeware, I was able to obtain a large amount of private information such as browsing history, chat logs and even passwords. Can we then, expect any privacy at a public location where there are potentially tens of people sharing the same access point. Anyone could be running a packet capture in the background, secretly spying on all the others in the vicinity.
I believe the issue of privacy in public surfaced long before today. With the invention of the cell phone, people were able to communicate with each other regardless of location. However, when someone answers a call in a public place, it increases the potential for eavesdropping to occur. We tend to downplay the seriousness of such an action as most of the time, eavesdropping does not occur intentionally. Secondly, the information gleaned is often of no substantial value. However, the issue is brought to a whole new ballpark when packet sniffing is concerned. I would take intent out of the question since it is possible to unintentionally capture packets originating from your computer when my actual intent is to diagnose my network issues. One of the reasons why packet sniffing is considered so much more intrusive is because the information at stake is now much more valuable. Assuming that you use the same username and password across various sites, if someone is able to get hold of both the credentials as well as your browsing history, he might be able to take over your entire online identity.
Nevertheless, I believe packet sniffing is simply eavesdropping over an internet connection. Instead of picking up your speech by ear, the computer is now picking up the packets that you are transmitting to the router. If you do not wish to be overheard, you would take precautions such as lowering your voice, or moving to a less crowded area. Similarly, you should be responsible for taking the necessary precautions such as connecting to a private access point or using a Virtual Private Network(VPN) if you do not wish to be sniffed.
This issue is compounded by the fact that the average user is normally uninformed about any potential pitfalls or vulnerabilities in new technologies. They often freely embrace the added convenience and accessibility, without thought to any ramifications that could potentially occur. They feel that the onus is entirely on the developers and engineers to design a system that is both secure and easy to use. However, there is often a trade-off between security and ease of use that many manufacturers have to juggle between. Certain companies focus on making the end user experience as seamless and user friendly as possible. By doing so, they have removed what are deemed as "advanced features" that they believe the average user would not use, introducing potentially serious flaws in their products.
For example, users are unable to forget "remembered networks" on a certain pad when these networks are out of range. However, these networks' settings are still stored in the device and probe requests are still broadcasted. In layman terms, even when my device is connected to NUS network, it is broadcasting a request at regular intervals to check if wireless@sg, linksys(which I use at home) are available. If these networks are available and the signal strength is stronger than the current network I am connected to, the device will automatically switch over to these networks. The problem arises when the hacker is able to capture and analyse these probe requests. He is then able to create an access point with the exact same name, if the actual connection is of open encryption, your device will be "tricked" into believing that the access point is legitimate. The hacker then bridges the connection using another wireless card to provide you with an actual internet connection. All your traffic is now being directed through the hacker's network and as a man-in-the-middle, he can not only monitor your traffic but even modify inbound packets, making it possible to steal passwords and details even over https connection.Unless you check and realise that you are not connected to a different network and not NUS, you would not even know that you are being hacked. All this is possible with only a laptop, 2 network cards and freeware.
The solution to the problem is rather simple, you would have to remember to "forget network" once you are done using open networks. As for existing remembered networks, you would have to create a network with the same name so that you can forget it. However, these solutions actually create more inconveniences that removing that feature caused.
In short, I believe that the responsibility of ensuring privacy and security of information lies with both users as well as IT professionals. While IT professionals must try to ensure that their systems are secure but yet user friendly, users must also educate themselves on the potential risks and loopholes in technology so as to safeguard themselves from such attacks in the future.