Posted by: rolande | March 20, 2013

Public WiFi Man in the Middle

Mobile SpyingI encountered a situation yesterday that both puzzled and scared me at the same time. I was sitting in line yesterday afternoon waiting to pick up my daughters from their school. The school had not let out yet, so I had 5-10 minutes to kill. So, I pull out my phone to check my email and I get a strange prompt for a new SSL certificate. I use GMail and have it set to use SSL for the IMAP connection to send and receive mail. So, I click the details button on the certificate to try to figure out what the deal is. As I scroll through the certificate info, I discover that it is signed by a Fortinet Root CA. This raises a big red flag. This is not a valid certificate from Google. There is no way Google is using Fortinet to sign their certificates as it is not a generally trusted Root CA. Then I realize my phone is using WiFi and not the 3G cellular service. So, I go look at my wireless settings and see that my phone is connected to the school’s public WiFi. I must have set it up at some point when we were there. I disabled wireless and the certificate prompt goes away and my mail updates.

So, I am pretty shocked that the school district has configured a man in the middle scenario on their public WiFi for SSL traffic. I  am reasonably sure that 95% of the users would unwittingly accept the certificate and just trust it without understanding the risk or potential impact it could have on them. The privacy implications are pretty significant. Imagine a Mom is waiting to pickup the kids and decides to login to her mobile banking app to transfer money from savings to checking to cover the bills she just put in the mail. She has no idea that she’s using the school’s public wireless access. She sees a funny popup message asking her to Accept or View more details. She naturally clicks Accept just to get on with it. Anyone who has access to the private key for that Root CA certificate now can potentially have her banking account credentials. The worst part is that anyone who uses this service is now conditioned to just accept that untrusted certificate by default. That is the perfect opportunity for someone malicious to step in and create their own private key and certificate and make it look just like the schools. They could easily attach to the wireless and setup their own man in the middle without anyone having any clue what was going on. That would be an extremely attractive target for any identity thief.

Knowing the tough time all school districts have getting the necessary level of funding just for the fundamentals, as an outsider I would say the odds are pretty high that the schools do not have the resources to have all of the security best practices and processes in place to protect these public user’s private data. Good security does not come cheaply. I know through continuous experience over the past 18 years and it is mostly about the people and process and not the technology. Even For-Profit organizations have a tough enough time finding the appropriate level of funding to do what is right. I can’t imagine that a Not-For-Profit, publicly funded through taxes, could achieve enough funding to do many of those things.

There is really no legitimate reason I can think of that the school district needs to inspect SSL traffic on a public network. If it were a private wireless network with school assets on it, then I would agree to a certain extent. Generally, though, there should not be sensitive data, school assets, or systems housed directly attached to that publicly accessible wireless network. Anyone who uses public WiFi should automatically know that they expose themselves to potential risks from any other client attached to that network, as well as the Internet, although, there are options to prevent clients from communicating to one another.

My hope is that the school district does not take this liability lightly and realizes that they are taking on more risk than it is worth for the little benefit they may be providing, as a result of providing a good intentioned feature of the service.

UPDATE: (4/9/13)

I received a response from the Director of Technology Support Services over a week ago but had missed it, while I was in California last week. The school district staff looked into the configuration and decided to disable this functionality. Their “appliance is no longer scanning SSL traffic on the public wifi network for viruses.  The public wifi is offered as is, like other institutions.” This will definitely close a big gap in one tiny component of the school district’s overall risk management.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: