May 11, 2012

The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.

From the FBI’s advisory:

“Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

The warning is a good opportunity to revisit some wireless safety tips I’ve doled out over the years. Avoid updating software while you’re using networks that are untrusted and public, whether they are wired or wireless. This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.

There are a number of free attack tools that can be used to spoof software update prompts, and these are especially effective against users on small local networks. Bear in mind that false update prompts don’t have to involve pop-ups. I’ve written at least two blog posts about EvilGrade, a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles. The deviousness of this tool is that it can be used to hijack the legitimate updaters built into software already installed on your computer.

If you must update while on the road, make sure that you initiate the update process. Avoid clicking pop-up prompts or anything that looks like it was launched from an auto-updater. When in doubt, always update from the vendor’s Web site. Most importantly — and Rule #1 of Krebs’s 3 Basic Rules for Online Safety covers this nicely — “if you didn’t go looking for it, don’t install it!” Also, using an update tracker, such as Secunia‘s Personal Software Inspector or File Hippo‘s Update Checker, can help you stay on top of the latest security patches for widely-used software, and make it easier for you to plan your software updates ahead of time.


21 thoughts on “FBI: Updates Over Public ‘Net Access = Bad Idea

  1. suzi

    You can turn off wifi on smartphones and laptops so they won’t connect to any wireless networks. I use a 4G Mifi with WPA2 that allows up to 6 devices to connect to it. Much safer.

    1. Rich

      We have stayed at Extended Stay Deluxe who has unsecured WIFI access. As we were staying for an extended period of time we contacted their corporate offices to see if they had plans to make the WIFI secure. They did not reply. When I used Network Discovery I noticed all the adjacent hotels had secure access. When I travel I use a subscription VPN service.

  2. CC

    Is it really a worse idea, than say, downloading a software update from home? Because I don’t believe software update downloads are done thru SSL (the only way it’d be secure), so if people are being attacked with fake software downloads at hotels, why couldn’t that happen at home as well?

    1. george

      @Gunther

      Although no specifics are given, it is not the network provider having malicious intent toward his patrons the main threat. The threat stems from the fact nothing stops a miscreant to setup a fake access point in the room next door or in the car in the parking with the same SSID as the legitimate ones provided by the hotel, airport, etc. Windows will happily connect to the specified SSID with the strongest signal. In (Puppy) linux you get to see there are many access points with their associated signal strengths, but of course, how can you tell if the one you are connecting to belongs to the hotel or to a hacker ? Once connected to the wrong one they can sniff your passwords, phish you or push fake updates to you. This is not that easy to pull when users are at home: the SSID they will connect to (should) have an associated password, the wifi client will not associate with an SSID with the same name but open security set by someone in the street because it cached your own security settings.

      1. Robert

        @ George. One thing to keep in mind regarding wired/wireless networks at hotels is that the great majority of hotel networks make you authenticate through their splash page / gateway. So, if a person were using a rogue wireless access point, there would be no splash page. As one who travels alot, I would be suspicious of not seeing a registration page. There are probably hotel travelers who are not savy enough to know that however. If it doesn’t look legit’, you must quit! 🙂

        1. Stuart Ward

          Adding a copy of the hotels legitimate splash page is tribally easy. Often these are used to capture extra data on the user. The answer is not to trust the network connection. Use https, and if there is a registration page complete this with false information.

          1. prairie_sailor

            I’ve traveled quite a bit myself in the past few years and many of the hotels I’ve stayed at do not use any sort of registration page when you first connect to their Wi-Fi. Also the average user won’t pay attention if they do land on a registration page or not.

            Best answer – if you’re away from home use a VPN.

    2. Ron Doe

      The problem with public networks such as a hotel is that most often the wifi and even wired networks are not using restrictive vlans or firewalls, meaning that you have most or all of the guests on the same collision domain… At home you would only be on that domain with people in your house/network so the risk is a lot lower (hopefully). This isn’t a problem from the provider, it is a problem because guest traffic is not adequately secured.

    3. Nic

      ethernet
      cvs over ssh
      wpa2

      this is a solved problem.

      1. Nic

        I don’t understand the downvotes. CC asked,

        “why couldn’t that happen at home as well?”

        And I answered.

        To the downvoters: Please don’t use a security blog to promote insecure practices.

  3. Gunther Hust

    “The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

    Pop up windows like these have proliferated the web in general. I think attribution of danger specific to public wifi networks is being overstated. Assuming the network provider has malicious intent towards patrons of their service borders on paranoia. The odds of falling victim to one of these exploits are likely quite low.

  4. FengShui

    Gunther wrote >>
    “Assuming the network provider has malicious intent towards patrons of their service borders on paranoia.”

    Key phrase is “targeting travelers abroad.” Apparently you don’t realize, Gunther, that rarely does an intelligence service have any qualms about setting up a small collection operation in their neighborhood five star hotel frequented by none other than their high value targets.

  5. dobber

    How then with users who can’t switch off 2G? In here only 3G has that option! Failing pro-acitivity in device-developers…

  6. JimV

    Several years ago I was working on an ADB project in NW China (Lanzhou) and the team stayed in a local hotel which provided Internet access in rooms through a wired connection, and a wired connection was also provided in our workplace. So, I had turned off my laptop’s wireless network card at the outset of the assignment and always left it off until I returned to my home base in the US. On occasion when in my hotel room in the evenings or on weekends, to my surprise I would have a window pop up in my browser that was some sort of advertisement — all in Chinese which I couldn’t interpret directly, but used Google’s translate function to identify the nature of its character (i.e., merely commercial solicitation versus malware intrusion, etc.). Each popup was an advertisement for some local establishment outside the hotel and none of the spyware or AV scans I always ran (one always resident and others weekly in manual mode by different vendors) ever flagged anything.

    After the first time it happened, one of my Chinese colleagues later confirmed it was being done through the hotel’s server to everyone with access through that portal, and while perhaps an irritant it was not malevolent. I always wondered if the server’s capability to push such ads would also imply that it could, if hijacked, also push malware onto the users connected to it for some time before anyone became aware, but never had that problem over a period of more than a year (fortunately). I did make certain to keep my AV up-to-date and run the array of weekly scans, though.

    With wireless access in most any public hot spots, though, Brian’s advice to be wary and turn off or minimize exposure is (as always) excellent.

  7. MrUnFixit-Maybe

    Rulez:

    Safe browsing maxim #1: If you don’t feel comfortable about writing the contents of your emails and web browsing on the toilet wall in the public toilets at the local railway station, you shouldn’t be using the internet.

    Safe browsing maxim #2: If you cannot conduct your emails and internet social interactions via a megaphone at the corner of the biggest intersection in your city, you shouldn’t be using the internet.

    If it can be intercepted, it will be.

    This isn’t a technology issue, but a user perception.

    Live with it.

  8. Stuart Ward

    The problem here is the totally disorganised windows software update process. In Linux of course this is not a problem because all software is updated through the repository and each update is signed. No security is vested in the network connection used.

    So the answer is upgrade to Linux

  9. Clark

    “The problem here is the totally disorganised windows software update process. In Linux of course this is not a problem because all software is updated through the repository and each update is signed. No security is vested in the network connection used.”

    *nix is better, but heed this warning:

    Attacks on Package Managers

    http://www.cs.arizona.edu/stork/packagemanagersecurity/faq.html

    1. prairie_sailor

      This is not a new attack – I found an article on CNET dated 1 Aug 2009 that noted security researchers had figured it out. http://news.cnet.com/8301-27080_3-10301485-245.html

      That same article also notes that Microsofts update mechanism is not one of the vulnerable ones because line *nix it also uses signures on its updates. The problem on most platforms is the update mechanisms used by 3rd party developers – some will used a signed system – others won’t.

  10. YOU KNOW IT

    “That same article also notes that Microsofts update mechanism is not one of the vulnerable ones because”

    MiTM attacks and/or ARP/DNS poisoning attacks can make it possible to dupe just about any updater from any service for any software.

    Don’t think it’s not being done.

  11. Cumali

    The only reason peploe think that Idina Menzel was the best was because she was the original, and that’s how peploe know the show/role. All of them are good, otherwise they wouldn’t be on Broadway.

Comments are closed.