A Brief History of Everything Wireless

How Invisible Waves Have Changed the World


Earlier entries Show latest

Author's Blog

To VPN or not to VPN?

2020-04-21 [Petri]

In my book I go through the history of the numerous efforts of providing feasible security to something that is publicly visible for anyone: Wi-Fi communications.

To some extent, this quest has been a hit and miss: there has been issues in providing such a layer of secrecy by software over the years, but the vulnerabilities have been duly patched as new holes have been found out.

These attacks are usually exploiting flaws in the implementation of the security protocols, but there is also another, less common attack vector: triggering special conditions via hardware misuse.

A recently revealed bug in wireless chips that propel the Wi-Fi in over a billion devices has now been verified to open brief segments of the underlying data flow to prying eyes. This is triggered when the wireless protocol is misused by a repeated forced disconnect situation: whatever data was in the buffer of some widely used wireless chips, made by Broadcomm and Cypress, is then sent out without encryption.

This hacking process has been given a fancy title by its finders at ESET: Kr00k.

The emerging new WPA3 encryption protocol is not affected by this, but while it is still rarely deployed in the networks, the manufactures are busy working on a software upgrade that would remove this potential security hole from devices using the currently ubiquitous WPA2 encryption. Unffortunately, which is often the case, some devices have reached the end of their support cycle, and will inevitably fall outside of the coverage of these upgrades

Or even more likely, the users of such devices simply won’t upgrade their software even if an upgrade is available: for the vast majority of the users, wireless devices are seen as "install and forget" apparatus, and any upgrades are only performed by those of us who are more geekly inclined.

The learning from this is that even though we are using a nominally secure Wi-Fi network, we should still make sure that also the actual transmitted data is encrypted as well.

With over a billion free HTTPS certificates doled out by the generous letsencrypt.org, as I describe here, a lot of Internet traffic is already encrypted. But to be solidly on the safe side, Virtual Private Networks, or VPNs, are the ultimate protection: they not only encrypt all of your traffic, but also often protect against the network address resolution (DNS) exploits as well, which are discussed in my book.

And even in these cases there is a caveat: another recent survey found that many VPN providers on the dirt-cheap or completely free end of the spectrum are getting involved in dubious practices while peddling their seemingly safe services: they either want to know way too much about your activities (why would a VPN need access to your smartphone's microphone?), or can be nosing around over the traffic you push through them.

So don’t be a cheapskate: if something is free, you will pay for it by some other way. Just look at Google’s galaxy-class harvesting of our personal data in exchange for their “free” services.

Or the another poster-boy of personal data harvesting and misinformation spreading, Facebook, which still hasn’t done enough to ensure that the next president of the USA is not helped past the arcane Electoral College rule by an office building full of dedicated hackers in St. Petersburg, Russia.

Switching to use a VPN can unfortunately cause a deluge of those pesky “prove that you are not a robot” popups: this is due to the fact that connections made via the VPN proxy can be interpreted as deliberate attempts to hide identity or location. You may also get totally blocked if you use VPN in certain contexts: for example, users try to go around the regional restrictions of Netflix content selection by using a VPN proxy in another country, and recently Netflix has become very aggressive in weeding out such attempts.

Sometimes also the IP address of the proxy is "tainted" due to some hacking activities that have been made by some other user of the same VPN service, causing the address being temporarily blacklisted.

But in the end, this additional layer of non-robotism or temporarily block is a small price to pay for your enhanced security. You usually get around the block simply by just changing your VPN to another proxy node, either in the same country or somewhere else.

In general, there is nothing illegal in the use of proxies: most corporations force all of their outbound web browsing requests transparently through a private proxy for their own security purposes, so a connection that is made through a proxy is a totally normal occurrence.

Another pastime that results in from the use of VPNs is the fun of seeing how your advertisement environment changes when you set your VPN proxy to, say, Cambodia. Novel entertainment like this may be just the ticket that those of us confined to our homes due to the virus outbreak need...

And for the even more paranoid of us, I have also discussed further security/anonymity aspects in this blog article.

Permalink: https://bhoew.com/blog/en/117

Show latest Earlier entries

Kr00k exploits a bug in your Wi-Fi hardware [ESET]


You can purchase A Brief History of Everything Wireless: How Invisible Waves Have Changed the World from Springer or from Amazon US, CA, UK, BR, DE, ES, FR, IT, AU, IN, JP. For a more complete list of verified on-line bookstores by country, please click here.



Earlier entries:
















More


You can purchase A Brief History of Everything Wireless: How Invisible Waves Have Changed the World from Springer or from Amazon US, CA, UK, BR, DE, ES, FR, IT, AU, IN, JP. For a more complete list of verified on-line bookstores by country, please click here.


PRIVACY STATEMENT AND CONTACT INFORMATION: we don't collect anything about your visits to this website: we think that your online history belongs to you alone. However, our blog comment section is managed by Disqus. Please read their privacy statement via this link. To contact the author directly, please costruct an email address from his first name and the name of this website. All product names, logos and brands are property of their respective owners and are used on this website for identification purposes only. © 2018 Petri Launiainen.